# -*- coding: utf-8 -*-
# WPA2-Enterprise tests
# Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
#
# This software may be distributed under the terms of the BSD license.
# See README for more details.
7
import base64
import binascii
import contextlib
import logging
import os
import subprocess
import time

import hwsim_utils
import hostapd
from utils import HwsimSkip, alloc_fail
from wpasupplicant import WpaSupplicant
from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations

logger = logging.getLogger()
21
def check_hlr_auc_gw_support():
    """Skip the test unless the hlr_auc_gw control socket is present."""
    # The EAP-SIM/AKA tests talk to the external HLR/AuC gateway through
    # this UNIX socket; without it there is nothing to authenticate against.
    sock = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock):
        return
    raise HwsimSkip("No hlr_auc_gw available")
25
def check_eap_capa(dev, method):
    """Skip the test when the build of *dev* does not offer EAP *method*."""
    supported = dev.get_capability("eap")
    if method in supported:
        return
    raise HwsimSkip("EAP method %s not supported in the build" % method)
30
def check_subject_match_support(dev):
    """Skip unless *dev* is linked against OpenSSL (subject_match needs it)."""
    tls = dev.request("GET tls_library")
    is_openssl = tls.startswith("OpenSSL")
    if not is_openssl:
        raise HwsimSkip("subject_match not supported with this TLS library: " + tls)
35
def check_altsubject_match_support(dev):
    """Skip unless *dev* is linked against OpenSSL (altsubject_match needs it)."""
    tls = dev.request("GET tls_library")
    is_openssl = tls.startswith("OpenSSL")
    if not is_openssl:
        raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls)
40
def check_domain_match_full(dev):
    """Skip unless *dev* uses OpenSSL; other libraries only do full-domain matching."""
    tls = dev.request("GET tls_library")
    is_openssl = tls.startswith("OpenSSL")
    if not is_openssl:
        raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls)
45
def check_cert_probe_support(dev):
    """Skip unless *dev* uses OpenSSL; certificate probing is OpenSSL-only."""
    tls = dev.request("GET tls_library")
    is_openssl = tls.startswith("OpenSSL")
    if not is_openssl:
        raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls)
50
def read_pem(fname):
    """Return the DER bytes of the first PEM object stored in *fname*.

    Only the base64 body between the first "-----BEGIN" line and the first
    "-----END" line is decoded; anything before or after is ignored. A file
    without a BEGIN marker yields b"".
    """
    body = []
    inside = False
    with open(fname, "r") as f:
        for line in f:
            if "-----END" in line:
                break
            if inside:
                body.append(line)
            if "-----BEGIN" in line:
                inside = True
    # Embedded newlines are discarded by the decoder, so no stripping needed
    return base64.b64decode("".join(body))
64
def eap_connect(dev, ap, method, identity,
                sha256=False, expect_failure=False, local_error_report=False,
                **kwargs):
    """Add a WPA2-Enterprise network on *dev* and drive it through EAP.

    *kwargs* are handed straight to dev.connect() (password, ca_cert,
    phase2, ...). The network id is returned. With *expect_failure* the
    EAP failure and disconnection are verified instead of a completed
    connection and hostapd's AP-STA-CONNECTED event is not awaited.
    """
    hapd = hostapd.Hostapd(ap['ifname'])
    net_id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                         eap=method, identity=identity,
                         wait_connect=False, scan_freq="2412", ieee80211w="1",
                         **kwargs)
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report)
    if not expect_failure:
        # The station side is done; make sure the AP side agrees
        if hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5) is None:
            raise Exception("No connection event received from hostapd")
    return net_id
82
def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False):
    """Follow one EAP exchange on *dev* through its control interface events.

    With *expect_failure* the exchange must end in CTRL-EVENT-EAP-FAILURE
    followed by a disconnection that carries reason code 23 (IEEE 802.1X
    authentication failed) unless *local_error_report* is set; None is
    returned. Otherwise EAP-SUCCESS, the connection event and a
    COMPLETED/Authorized STATUS are required and the STATUS dict is
    returned. *initial* selects whether a fresh association
    (CTRL-EVENT-CONNECTED) or a key renegotiation is expected afterwards;
    *rsn* and *sha256* pick the key_mgmt string STATUS must report.
    """
    def wait_for(event, error):
        ev = dev.wait_event([event], timeout=10)
        if ev is None:
            raise Exception(error)
        return ev

    wait_for("CTRL-EVENT-EAP-STARTED", "Association and EAP start timed out")
    selected = wait_for("CTRL-EVENT-EAP-METHOD", "EAP method selection timed out")
    if method not in selected:
        raise Exception("Unexpected EAP method")

    if expect_failure:
        # Uses wait_event's own default timeout rather than 10 s
        if dev.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception("EAP failure timed out")
        disc = dev.wait_disconnected(timeout=10)
        if not local_error_report and "reason=23" not in disc:
            raise Exception("Proper reason code for disconnection not reported")
        return None

    wait_for("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out")
    done_event = "CTRL-EVENT-CONNECTED" if initial else "WPA: Key negotiation completed"
    wait_for(done_event, "Association with the AP timed out")

    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")

    if sha256:
        expected_key_mgmt = "WPA2-EAP-SHA256"
    elif rsn:
        expected_key_mgmt = "WPA2/IEEE 802.1X/EAP"
    else:
        expected_key_mgmt = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != expected_key_mgmt:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
    return status
129
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger REAUTHENTICATE on *dev* and verify the resulting EAP exchange.

    Returns whatever eap_check_auth() returns: the STATUS dict, or None when
    *expect_failure* is set.
    """
    dev.request("REAUTHENTICATE")
    # initial=False: a key renegotiation, not a new association, follows
    return eap_check_auth(dev, method, initial=False, rsn=rsn, sha256=sha256,
                          expect_failure=expect_failure)
134
def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # GSM-Milenage key material known to the test hlr_auc_gw
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000", password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "SIM")

    # A second provisioned subscriber succeeds; a third one is rejected
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000001", password=good_key)
    eap_connect(dev[2], apdev[0], "SIM", "1232010000000002", password=good_key,
                expect_failure=True)

    # (log label, password); None means no password is configured at all
    negative_cases = [
        ("Negative test with incorrect key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("Invalid GSM-Milenage key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a"),
        ("Invalid GSM-Milenage key(2)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581"),
        ("Invalid GSM-Milenage key(3)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q"),
        ("Invalid GSM-Milenage key(4)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581"),
        ("Missing key configuration", None),
    ]
    for label, key in negative_cases:
        logger.info(label)
        # Each negative case starts from an empty network list
        dev[0].request("REMOVE_NETWORK all")
        extra = {} if key is None else {"password": key}
        eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                    expect_failure=True, **extra)
185
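def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)"""
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    # The EAP server keeps its EAP-SIM fast-reauth and pseudonym state in
    # this database (tables reauth and pseudonyms); the test edits it
    # directly to force each reauthentication path. closing() releases the
    # handle even when a step fails, instead of leaking it for the run.
    db = os.path.join(params['logdir'], "hostapd.db")
    with contextlib.closing(sqlite3.connect(db)) as con:
        def run_sql(*statements):
            # One transaction per call: `with con` commits on success and
            # rolls back if a statement raises
            with con:
                cur = con.cursor()
                for stmt in statements:
                    cur.execute(stmt)

        imsi = "1232010000000000"
        key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        ap_params['auth_server_port'] = "1814"
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        eap_connect(dev[0], apdev[0], "SIM", imsi, password=key)

        logger.info("SIM fast re-authentication")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM full auth with pseudonym")
        run_sql("DELETE FROM reauth WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM full auth with permanent identity")
        run_sql("DELETE FROM reauth WHERE permanent='1232010000000000'",
                "DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM reauth with mismatching MK")
        run_sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "SIM", imsi, password=key)
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")
        # Rewind the server-side counter after a successful reauth; the next
        # reauth is still expected to complete (presumably by falling back
        # to full authentication)
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
        logger.info("SIM reauth with mismatching counter")
        eap_reauth(dev[0], "SIM")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "SIM", imsi, password=key)
        run_sql("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
        logger.info("SIM reauth with max reauth count reached")
        eap_reauth(dev[0], "SIM")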
243
def test_ap_wpa2_eap_sim_config(dev, apdev):
    """EAP-SIM configuration options"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    init_error = "EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"

    # sim_min_num_chal values 1 and 4 are rejected when the method is
    # initialized; 2 (below) is accepted
    for phase1, suffix in [("sim_min_num_chal=1", ""),
                           ("sim_min_num_chal=4", " (2)")]:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                       identity="1232010000000000", password=key,
                       phase1=phase1, wait_connect=False, scan_freq="2412")
        if dev[0].wait_event([init_error], timeout=10) is None:
            raise Exception("No EAP error message seen" + suffix)
        dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000", password=key,
                phase1="sim_min_num_chal=2")
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000000", password=key,
                anonymous_identity="345678")
274
def test_ap_wpa2_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
    # external_sim is changed with SET, not per network, so REMOVE_NETWORK
    # would not undo it; restore it however the test ends
    try:
        _test_ap_wpa2_eap_sim_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
281
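def _test_ap_wpa2_eap_sim_ext(dev, apdev):
    """Run EAP-SIM with external GSM auth and feed malformed CTRL-RSP-SIM replies.

    Every reply sent here must be rejected by the supplicant and end in an
    EAP failure; none may complete authentication. The caller resets
    external_sim afterwards.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    net_id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                            identity="1232010000000000",
                            wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:
        raise Exception("Network connected timed out")

    def wait_gsm_auth_request():
        # Returns the request id <id> from "CTRL-REQ-SIM-<id>:GSM-AUTH:..."
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':', 2)
        if p[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return p[0].split('-')[3]

    def expect_eap_failure():
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")

    def disconnect():
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        time.sleep(0.1)

    rid = wait_gsm_auth_request()
    # IK:CK:RES
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # A UMTS-AUTH reply to a GSM-AUTH request: this will fail during
    # processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
    expect_eap_failure()

    # Malformed GSM-AUTH replies; each one will fail during GSM auth
    # validation
    bad_gsm_auth = [ "q",
                     "34",
                     "0011223344556677",
                     "0011223344556677:q",
                     "0011223344556677:00112233",
                     "0011223344556677:00112233:q" ]
    for resp in bad_gsm_auth:
        # Tear down the previous failed attempt before retrying
        disconnect()
        dev[0].select_network(net_id, freq="2412")
        rid = wait_gsm_auth_request()
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp):
            raise Exception("CTRL-RSP-SIM failed")
        expect_eap_failure()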
417
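def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    imsi = "0232010000000000"
    # Milenage key material known to the test hlr_auc_gw
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "AKA", imsi, password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA")

    # (log label, password); None means no password is configured at all
    negative_cases = [
        ("Negative test with incorrect key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a"),
        ("Invalid Milenage key(2)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key(3)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123"),
        ("Invalid Milenage key(4)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q"),
        ("Invalid Milenage key(5)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123"),
        ("Invalid Milenage key(6)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123"),
        ("Missing key configuration", None),
    ]
    for label, key in negative_cases:
        logger.info(label)
        # Start every negative case from an empty network list, exactly as
        # the EAP-SIM test does (cases (2)-(4) used to skip this step)
        dev[0].request("REMOVE_NETWORK all")
        extra = {} if key is None else {"password": key}
        eap_connect(dev[0], apdev[0], "AKA", imsi, expect_failure=True, **extra)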
471
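def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)"""
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    # The EAP server keeps its EAP-AKA fast-reauth and pseudonym state in
    # this database (tables reauth and pseudonyms); the test edits it
    # directly to force each reauthentication path. closing() releases the
    # handle even when a step fails, instead of leaking it for the run.
    db = os.path.join(params['logdir'], "hostapd.db")
    with contextlib.closing(sqlite3.connect(db)) as con:
        def run_sql(*statements):
            # One transaction per call: `with con` commits on success and
            # rolls back if a statement raises
            with con:
                cur = con.cursor()
                for stmt in statements:
                    cur.execute(stmt)

        imsi = "0232010000000000"
        key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        ap_params['auth_server_port'] = "1814"
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        eap_connect(dev[0], apdev[0], "AKA", imsi, password=key)

        logger.info("AKA fast re-authentication")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with pseudonym")
        run_sql("DELETE FROM reauth WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with permanent identity")
        run_sql("DELETE FROM reauth WHERE permanent='0232010000000000'",
                "DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA reauth with mismatching MK")
        run_sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA", imsi, password=key)
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")
        # Rewind the server-side counter after a successful reauth; the next
        # reauth is still expected to complete (presumably by falling back
        # to full authentication)
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
        logger.info("AKA reauth with mismatching counter")
        eap_reauth(dev[0], "AKA")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA", imsi, password=key)
        run_sql("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
        logger.info("AKA reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA")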
529
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Only anonymous_identity is exercised here; authentication with the
    # permanent identity still has to succeed
    aka = dict(anonymous_identity="2345678",
               password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000", **aka)
537
def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
    # external_sim is changed with SET, not per network, so REMOVE_NETWORK
    # would not undo it; restore it however the test ends
    try:
        _test_ap_wpa2_eap_aka_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
544
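def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    """Run EAP-AKA with external UMTS auth and feed malformed CTRL-RSP-SIM replies.

    Every reply sent here must be rejected by the supplicant and end in an
    EAP failure; none may complete authentication. The caller resets
    external_sim afterwards.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    net_id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                            identity="0232010000000000",
                            password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                            wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:
        raise Exception("Network connected timed out")

    def wait_umts_auth_request():
        # Returns the request id <id> from "CTRL-REQ-SIM-<id>:UMTS-AUTH:..."
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':', 2)
        if p[1] != "UMTS-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return p[0].split('-')[3]

    def send_response(rid, suffix):
        # suffix is everything after the request id, e.g. ":UMTS-AUTS:12";
        # the ctrl_iface command itself must be accepted
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + suffix):
            raise Exception("CTRL-RSP-SIM failed")

    def expect_eap_failure():
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")

    def disconnect():
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        time.sleep(0.1)

    rid = wait_umts_auth_request()
    # IK:CK:RES
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # A GSM-AUTH reply to a UMTS-AUTH request: this will fail during
    # processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    expect_eap_failure()
    disconnect()

    # UMTS-AUTS replies; both will fail during UMTS auth validation. After
    # the first one the supplicant issues another request rather than an
    # EAP failure, so only the second one is followed by the failure event.
    dev[0].select_network(net_id, freq="2412")
    rid = wait_umts_auth_request()
    send_response(rid, ":UMTS-AUTS:112233445566778899aabbccddee")
    rid = wait_umts_auth_request()
    send_response(rid, ":UMTS-AUTS:12")
    expect_eap_failure()
    disconnect()

    # Malformed UMTS-AUTH replies; each one will fail during UMTS auth
    # validation
    bad_umts_auth = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
                      ":UMTS-AUTH:34",
                      ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
                      ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
                      ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
                      ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
                      ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
    for suffix in bad_umts_auth:
        dev[0].select_network(net_id, freq="2412")
        rid = wait_umts_auth_request()
        send_response(rid, suffix)
        expect_eap_failure()
        disconnect()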
630
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    imsi = "6555444333222111"
    key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    eap_connect(dev[0], apdev[0], "AKA'", imsi, password=key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA'")

    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    # Both methods are offered by the station; the connection must still
    # complete
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity=imsi + "@both", password=key,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    wrong_key = "ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    eap_connect(dev[0], apdev[0], "AKA'", imsi, password=wrong_key,
                expect_failure=True)
653
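def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    # The EAP server keeps its EAP-AKA' fast-reauth and pseudonym state in
    # this database (tables reauth and pseudonyms); the test edits it
    # directly to force each reauthentication path. closing() releases the
    # handle even when a step fails, instead of leaking it for the run.
    db = os.path.join(params['logdir'], "hostapd.db")
    with contextlib.closing(sqlite3.connect(db)) as con:
        def run_sql(*statements):
            # One transaction per call: `with con` commits on success and
            # rolls back if a statement raises
            with con:
                cur = con.cursor()
                for stmt in statements:
                    cur.execute(stmt)

        imsi = "6555444333222111"
        key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        ap_params['auth_server_port'] = "1814"
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        eap_connect(dev[0], apdev[0], "AKA'", imsi, password=key)

        logger.info("AKA' fast re-authentication")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with pseudonym")
        run_sql("DELETE FROM reauth WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with permanent identity")
        run_sql("DELETE FROM reauth WHERE permanent='6555444333222111'",
                "DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        # AKA' derives a separate K_aut, so that is what gets corrupted here
        # (the SIM/AKA variants corrupt the MK instead)
        logger.info("AKA' reauth with mismatching k_aut")
        run_sql("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA'", imsi, password=key)
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")
        # Rewind the server-side counter after a successful reauth; the next
        # reauth is still expected to complete (presumably by falling back
        # to full authentication)
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
        logger.info("AKA' reauth with mismatching counter")
        eap_reauth(dev[0], "AKA'")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA'", imsi, password=key)
        run_sql("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
        logger.info("AKA' reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA'")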
711
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Sanity check the AP configuration before involving the station
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    ttls_pap = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_pap)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the IEEE 802.1X AKM suite selector
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1") ])
726
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Pin the server certificate by subject DN and by SAN entries on top of
    # the CA check
    pinning = dict(subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                   altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP", **pinning)
    eap_reauth(dev[0], "TTLS")
739
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=PAP", expect_failure=True)
    # Right user, wrong password ...
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", password="wrong", **common)
    # ... and a different identity with the valid password; both must fail
    eap_connect(dev[1], apdev[0], "TTLS", "user", password="password", **common)
752
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # DER-encoded CA certificate here, unlike the PEM file used by the PAP test
    ttls_chap = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **ttls_chap)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
762
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and altsubject_match"""
    check_altsubject_match_support(dev[0])
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same SAN entries as the PAP variant, listed in a different order.
    san_list = ";".join(["EMAIL:noone@example.com",
                         "URI:http://example.com/",
                         "DNS:server.w1.fi"])
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=san_list)
    eap_reauth(dev[0], "TTLS")
773
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A wrong password for the CHAP user and the generic "user" account
    # (presumably not enabled for TTLS/CHAP) must both be rejected.
    attempts = [(dev[0], "chap user", "wrong"),
                (dev[1], "user", "password")]
    for sta, identity, passwd in attempts:
        eap_connect(sta, apdev[0], "TTLS", identity,
                    anonymous_identity="ttls", password=passwd,
                    ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                    expect_failure=True)
786
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    # First pass: server name pinned via domain_suffix_match, then a
    # reauthentication on the same network block.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                domain_suffix_match="server.w1.fi", **common)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # Second pass: a small fragment_size forces the EAP-TTLS exchange to be
    # fragmented. Only the CA is checked here (no domain_suffix_match).
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                fragment_size="200", **common)
802
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Three rejections: wrong password, the generic "user" account
    # (presumably not enabled for TTLS/MSCHAP) and an unknown identity.
    attempts = [(dev[0], "mschap user", "wrong"),
                (dev[1], "user", "password"),
                (dev[2], "no such user", "password")]
    for sta, identity, passwd in attempts:
        eap_connect(sta, apdev[0], "TTLS", identity,
                    anonymous_identity="ttls", password=passwd,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                    expect_failure=True)
819
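def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Escape the backslash explicitly: "\m" is not a valid escape sequence
    # (a SyntaxWarning on newer Pythons) and the identity must carry a
    # literal "DOMAIN\" prefix.
    identity = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)

    # Snapshot the AP-side counters, force a reauthentication and verify
    # that the EAPOL/backend counters moved in the expected direction.
    addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(addr)
    eapol1 = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(addr)
    eapol2 = hapd.get_sta(addr, info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # password_hex="hash:..." supplies the NT password hash instead of the
    # plaintext. NOTE(review): MSCHAPv2 only needs the hash, so a leaked
    # hash is as good as the password - treat the stored value accordingly.
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")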
848
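def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and domain_suffix_match"""
    # Only the OpenSSL build does a real suffix match; other TLS libraries
    # require a full match and the helper skips the test there.
    check_domain_match_full(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # "\m" is not a valid escape sequence; spell the literal backslash out so
    # the identity carries the "DOMAIN\" prefix on every Python version.
    # The suffix "w1.fi" must be accepted for a server named server.w1.fi.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")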
861
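def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # "\m" is not a valid escape sequence; spell the literal backslash out so
    # the identity carries the "DOMAIN\" prefix on every Python version.
    # domain_match uses a mixed-case value, i.e. the full-name comparison is
    # expected to be case-insensitive.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")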
873
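def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # "\m" is not a valid escape sequence; spell the literal backslash out so
    # the identity carries the "DOMAIN\" prefix on every Python version.
    # A near-miss password for the real user must be rejected ...
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
    # ... and so must the plain "user" account over TTLS/MSCHAPv2
    # (presumably not enabled for this inner method on the test server).
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)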
886
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # Non-ASCII password given as plaintext (the file declares utf-8 coding).
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **common)
    # The second user gets its credential as an NT hash via password_hex.
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf", **common)
899
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "autheap=" selects an EAP inner method (here GTC) instead of a legacy
    # TTLS attribute-based one.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
909
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A wrong password must end in an EAP failure, not a connection.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)
918
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" is a server-side account without a password; the
    # server must reject it rather than accept any supplied value.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)
927
def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
    hapd = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    gtc_args = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")

    # Failing the inner-method init makes the server reject the method,
    # which the station sees as an EAP failure.
    with alloc_fail(hapd, 1, "eap_gtc_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user", expect_failure=True,
                    **gtc_args)
    dev[0].request("REMOVE_NETWORK all")

    # Failing the request builder leaves the exchange hanging; instead of
    # waiting for the EAP timeout, poll (up to ~2 s) until hostapd reports
    # that the injected allocation failure has been consumed.
    with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       wait_connect=False, scan_freq="2412", **gtc_args)
        for _ in range(20):
            time.sleep(0.1)
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                break
951
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-MD5 provides no key material on its own; it is only usable here
    # because the TTLS tunnel supplies the keys.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
961
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A wrong password must end in an EAP failure, not a connection.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
970
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Account without a server-side password: must be rejected even though
    # the station offers one.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
979
def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
    hapd = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    md5_args = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")

    # Failing the inner-method init is reported to the station as an EAP
    # failure.
    with alloc_fail(hapd, 1, "eap_md5_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user", expect_failure=True,
                    **md5_args)
    dev[0].request("REMOVE_NETWORK all")

    # Failing the request builder leaves the exchange hanging; poll (up to
    # ~2 s) until hostapd reports the injected failure was consumed instead
    # of waiting for the EAP timeout.
    with alloc_fail(hapd, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       wait_connect=False, scan_freq="2412", **md5_args)
        for _ in range(20):
            time.sleep(0.1)
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                break
1003
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password",
                **common)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # A near-miss password must be rejected.
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password1",
                expect_failure=True, **common)
1020
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Account without a server-side password: must be rejected even though
    # the station offers one.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
1029
def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
    hapd = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")

    # Failing the inner-method init is reported to the station as an EAP
    # failure.
    with alloc_fail(hapd, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user", password="password",
                    expect_failure=True, **common)
    dev[0].request("REMOVE_NETWORK all")

    # Inject one allocation failure into each of the server-side message
    # builders. The failure-request builder is only reached with a wrong
    # password. Each of these leaves the exchange hanging, so poll (up to
    # ~2 s) until hostapd reports the injected failure was consumed rather
    # than waiting for the EAP timeout.
    builders = [("eap_mschapv2_build_challenge", "password"),
                ("eap_mschapv2_build_success_req", "password"),
                ("eap_mschapv2_build_failure_req", "wrong")]
    for func, passwd in builders:
        with alloc_fail(hapd, 1, func):
            dev[0].connect("test-wpa2-eap",
                           key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="TTLS", identity="user", password=passwd,
                           wait_connect=False, scan_freq="2412", **common)
            for _ in range(20):
                time.sleep(0.1)
                if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                    break
        dev[0].request("REMOVE_NETWORK all")
1082
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The "password" carries the AKA test credentials (looks like Ki:OPc:SQN
    # for the built-in Milenage implementation - verify against the server
    # configuration); the identity is the IMSI-style permanent identity.
    aka_creds = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000",
                anonymous_identity="0232010000000000@ttls",
                password=aka_creds,
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
1091
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same AKA test credentials as the TTLS variant (presumably Ki:OPc:SQN
    # for the built-in Milenage implementation), tunnelled in PEAP.
    aka_creds = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000",
                anonymous_identity="0232010000000000@peap",
                password=aka_creds,
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
1100
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same AKA test credentials as the TTLS/PEAP variants. The PAC is kept
    # in a config blob; fast_provisioning=2 selects authenticated PAC
    # provisioning (per wpa_supplicant.conf - verify against the build), so
    # the server certificate is still validated against ca.pem.
    aka_creds = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "FAST", "0232010000000000",
                anonymous_identity="0232010000000000@fast",
                password=aka_creds,
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
1112
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="peap",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    # Plain connection plus reauthentication.
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                **common)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    # Same credentials with a small fragment_size to force EAP fragmentation.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                fragment_size="200", **common)

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): the NT hash alone is enough for MSCHAPv2, so a leaked
    # hash is equivalent to the password.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **common)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password1",
                expect_failure=True, **common)
1141
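def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Escape the backslash: a bare "\u" is only a literal backslash in a
    # Python 2 byte string; in Python 3 it is a truncated \uXXXX escape and
    # a SyntaxError. The identity must carry a literal "DOMAIN\" prefix.
    eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")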
1151
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A wrong password must end in an EAP failure, not a connection.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
1160
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    peap_args = dict(password="password", ca_cert="auth_serv/ca.pem",
                     phase2="auth=MSCHAPV2")
    # Cryptobinding ties the inner and outer authentications together;
    # wpa_supplicant.conf documents crypto_binding 0/1/2 as off/optional/
    # required (verify against the build). Start with the strict setting ...
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                phase1="peapver=0 crypto_binding=2", **peap_args)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")
    # ... then the optional and disabled settings on two other stations.
    for sta, level in ((dev[1], 1), (dev[2], 0)):
        eap_connect(sta, apdev[0], "PEAP", "user",
                    phase1="peapver=0 crypto_binding=%d" % level,
                    **peap_args)
1180
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    hapd = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    # With cryptobinding required, failing the server's inner-method key
    # export must abort the authentication; local_error_report=True since
    # the failure originates on the server side.
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
1191
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # PEAPv0 with peaplabel=1 (the PEAPv1 key label) is expected to fail.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    # Both peap_outer_success settings must still connect.
    for sta, outer in ((dev[1], 1), (dev[2], 2)):
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peap_outer_success=%d" % outer,
                    phase2="auth=MSCHAPV2")
    # PEAPv1 with peaplabel=1: the EAP exchange itself succeeds, but no
    # connection may follow within a second (presumably the derived keys
    # do not match the server's, so the 4-way handshake cannot complete).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15) is None:
        raise Exception("No EAP success seen")
    if dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1) is not None:
        raise Exception("Unexpected connection")
1222
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The inner EAP-TLS uses the "*2" variants of the certificate options;
    # the same CA is used for the outer and inner TLS handshakes here.
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(dev[0], "PEAP")
1233
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Certificate-based client authentication from files on disk.
    client_creds = dict(ca_cert="auth_serv/ca.pem",
                        client_cert="auth_serv/user.pem",
                        private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **client_creds)
    eap_reauth(dev[0], "TLS")
1242
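def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    def set_blob(name, data):
        # Hex-encode for the control interface. The error names the blob
        # that actually failed (the old code reported "cacert" for the key).
        if "OK" not in dev[0].request("SET blob " + name + " " + data.encode("hex")):
            raise Exception("Could not set %s blob" % name)

    set_blob("cacert", read_pem("auth_serv/ca.pem"))
    set_blob("usercert", read_pem("auth_serv/user.pem"))
    # The private key is loaded from a blob too (presumably an unencrypted
    # RSA key, given the file name - it is pushed over the control socket
    # in the clear).
    set_blob("userkey", read_pem("auth_serv/user.rsa-key"))
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")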
1259
def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # First with the PKCS#12 password stored in the network block.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    dev[0].request("REMOVE_NETWORK all")
    # Then without it: wpa_supplicant must ask for the passphrase over the
    # control interface instead of failing, and proceed once it is supplied.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    req = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    if req is None:
        raise Exception("Request for private key passphrase timed out")
    # The request reads "CTRL-REQ-PASSPHRASE-<id>:..."; the network id is
    # the last dash-separated field before the first colon.
    net_id = req.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-%s:whatever" % net_id)
    dev[0].wait_connected(timeout=10)
1279
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ca_pem = read_pem("auth_serv/ca.pem")
    if "OK" not in dev[0].request("SET blob cacert " + ca_pem.encode("hex")):
        raise Exception("Could not set cacert blob")
    # The PKCS#12 container is binary, so read it in binary mode before
    # hex-encoding it for the control interface.
    with open("auth_serv/user.pkcs12", "rb") as f:
        p12_hex = f.read().encode("hex")
    if "OK" not in dev[0].request("SET blob pkcs12 " + p12_hex):
        raise Exception("Could not set pkcs12 blob")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
1293
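def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")

    # "\m" is not a valid escape sequence; spell the literal backslash out so
    # the identity carries the "DOMAIN\" prefix on every Python version.
    identity = "DOMAIN\\mschapv2 user"
    # The wrong CA is supplied two ways: as a config blob and as a file.
    # Both connections are started before any event is waited for.
    for sta, trust_root in ((dev[0], "blob://cacert"),
                            (dev[1], "auth_serv/ca-incorrect.pem")):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity=identity, anonymous_identity="ttls",
                    password="password", phase2="auth=MSCHAPV2",
                    ca_cert=trust_root,
                    wait_connect=False, scan_freq="2412")

    def wait_for(sta, events, timeout_msg):
        """Return the first of *events* seen on *sta* or raise *timeout_msg*."""
        ev = sta.wait_event(events, timeout=10)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    # The loop variable used to be named "dev", shadowing the parameter.
    for sta in (dev[0], dev[1]):
        wait_for(sta, ["CTRL-EVENT-EAP-STARTED"],
                 "Association and EAP start timed out")
        ev = wait_for(sta, ["CTRL-EVENT-EAP-METHOD"],
                      "EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        # The certificate error must come before any EAP result or state
        # change; an EAP success or connection here would mean the server
        # was accepted with an untrusted certificate.
        ev = wait_for(sta, ["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"],
                      "EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = wait_for(sta, ["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"],
                      "EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = wait_for(sta, ["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"],
                      "EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        # The failed attempt must also temporarily disable the network block.
        wait_for(sta, ["CTRL-EVENT-SSID-TEMP-DISABLED"],
                 "Network block disabling not reported")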
1352
def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    creds = dict(key_mgmt="WPA-EAP", eap="TTLS",
                 identity="pap user", anonymous_identity="ttls",
                 password="password", phase2="auth=PAP", scan_freq="2412")
    # Connect once with the correct trust root ...
    dev[0].connect("test-wpa2-eap", ca_cert="auth_serv/ca.pem",
                   wait_connect=True, **creds)
    # ... and prepare a second, otherwise identical, network block that
    # trusts the wrong CA.
    net_id = dev[0].connect("test-wpa2-eap",
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, **creds)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    # EAP-TTLS (method 21) must be negotiated afresh for the new block ...
    if dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                         timeout=15) is None:
        raise Exception("EAP-TTLS not re-started")

    # ... and fail on the certificate check: the disconnection must carry
    # reason code 23 (IEEE 802.1X authentication failed), i.e. the cached
    # trust from the first block must not leak into the second one.
    if "reason=23" not in dev[0].wait_disconnected(timeout=15):
        raise Exception("Proper reason code for disconnection not reported")
1380
def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    creds = dict(key_mgmt="WPA-EAP", eap="TTLS",
                 identity="pap user", anonymous_identity="ttls",
                 password="password", phase2="auth=PAP", scan_freq="2412")
    # NOTE(review): the first block has no ca_cert at all, i.e. the station
    # performs no server-certificate validation. That is deliberate for
    # this test (it checks that the second block is evaluated on its own),
    # not a configuration to copy.
    dev[0].connect("test-wpa2-eap", wait_connect=True, **creds)
    net_id = dev[0].connect("test-wpa2-eap",
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, **creds)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    # EAP-TTLS (method 21) must be negotiated afresh for the new block ...
    if dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                         timeout=15) is None:
        raise Exception("EAP-TTLS not re-started")

    # ... and fail with reason code 23 (IEEE 802.1X authentication failed)
    # because the second block trusts the wrong CA.
    if "reason=23" not in dev[0].wait_disconnected(timeout=15):
        raise Exception("Proper reason code for disconnection not reported")
1407
def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca.pem",
                            wait_connect=True, scan_freq="2412")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    # Unlike the sibling tests, the same network block is edited in place to
    # trust the wrong CA; the change must take effect on the next attempt
    # rather than being masked by state cached from the first connection.
    dev[0].set_network_quoted(net_id, "ca_cert", "auth_serv/ca-incorrect.pem")
    dev[0].select_network(net_id, freq="2412")

    if dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                         timeout=15) is None:
        raise Exception("EAP-TTLS not re-started")

    # Reason code 23: IEEE 802.1X authentication failed.
    if "reason=23" not in dev[0].wait_disconnected(timeout=15):
        raise Exception("Proper reason code for disconnection not reported")
1430
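def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "\m" is not a valid escape sequence; spell the literal backslash out so
    # the identity carries the "DOMAIN\" prefix on every Python version.
    # The CA is correct here; only the domain_suffix_match must fail.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    def wait_for(events, timeout_msg):
        """Return the first of *events* seen on dev[0] or raise *timeout_msg*."""
        ev = dev[0].wait_event(events, timeout=10)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    wait_for(["CTRL-EVENT-EAP-STARTED"],
             "Association and EAP start timed out")
    ev = wait_for(["CTRL-EVENT-EAP-METHOD"],
                  "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The certificate error must be reported, and it must be the suffix
    # mismatch specifically, before any EAP result or state change.
    ev = wait_for(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                   "CTRL-EVENT-EAP-SUCCESS",
                   "CTRL-EVENT-EAP-FAILURE",
                   "CTRL-EVENT-CONNECTED",
                   "CTRL-EVENT-DISCONNECTED"],
                  "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = wait_for(["CTRL-EVENT-EAP-SUCCESS",
                   "CTRL-EVENT-EAP-FAILURE",
                   "CTRL-EVENT-CONNECTED",
                   "CTRL-EVENT-DISCONNECTED"],
                  "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = wait_for(["CTRL-EVENT-CONNECTED",
                   "CTRL-EVENT-DISCONNECTED"],
                  "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # The failed attempt must also temporarily disable the network block.
    wait_for(["CTRL-EVENT-SSID-TEMP-DISABLED"],
             "Network block disabling not reported")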
1483
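def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # domain_match requires a full match of the server's domain name; "w1.fi"
    # is presumably only a parent domain of the real name, so the server
    # must be rejected even though its chain validates against ca.pem.
    # "\\" spells the backslash explicitly instead of relying on Python
    # preserving the unrecognized "\m" escape (same runtime value).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    if dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The certificate error must come before any success/failure/connection
    # event, and it must name the domain mismatch as the reason.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    # Expected tail: EAP failure, disconnection, network block disabled.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    if dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10) is None:
        raise Exception("Network block disabling not reported")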
1536
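def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # The chain validates against auth_serv/ca.pem; only subject_match (whose
    # CN presumably differs from the server certificate's) should reject it.
    # "\\" spells the backslash explicitly instead of relying on Python
    # preserving the unrecognized "\m" escape (same runtime value).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    if dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
        raise Exception("Association and EAP start timed out")

    # TLS libraries other than OpenSSL do not implement subject_match. The
    # acceptable behavior there is to fail closed: method initialization
    # refuses the configuration instead of silently ignoring the constraint.
    # With OpenSSL the method must initialize and actually evaluate the match.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The certificate error must come before any success/failure/connection
    # event, and it must name the subject mismatch as the reason.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    # Expected tail: EAP failure, disconnection, network block disabled.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    if dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10) is None:
        raise Exception("Network block disabling not reported")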
1596
def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # Every entry must be rejected by altsubject_match:
    #  - a bare name without the "DNS:" type prefix,
    #  - a DNS name that is simply wrong,
    #  - "DNS:w1.fi", presumably a parent domain of the server's SAN, which
    #    shows the comparison is not a suffix match, and
    #  - "DNS:erver.w1.fi", a trailing substring of the presumed real name,
    #    which must not slip through a substring-style comparison.
    mismatches = ["incorrect.example.com",
                  "DNS:incorrect.example.com",
                  "DNS:w1.fi",
                  "DNS:erver.w1.fi"]
    for candidate in mismatches:
        _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, candidate)
1608
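def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one altsubject_match negative case on an already configured AP.

    match: the altsubject_match value; it must not match the server
    certificate, so the connection is expected to end in a certificate
    error, EAP failure and a temporarily disabled network block.
    """
    # "\\" spells the backslash explicitly instead of relying on Python
    # preserving the unrecognized "\m" escape (same runtime value).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    if dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
        raise Exception("Association and EAP start timed out")

    # Non-OpenSSL builds do not implement altsubject_match and are expected to
    # fail closed at method initialization; OpenSSL builds must evaluate it.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The certificate error must be the first outcome and must name the
    # AltSubject mismatch as its reason.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    # Expected tail: EAP failure, disconnection, network block disabled.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    if dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10) is None:
        raise Exception("Network block disabling not reported")

    # Clear the disabled block so the caller can run the next match value.
    dev[0].request("REMOVE_NETWORK all")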
1667
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Server-only authentication: the peer still validates the server chain
    # against ca.pem, then reauthenticates once to cover the second run.
    eap_connect(dev[0], apdev[0], "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], "UNAUTH-TLS")
1675
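def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
    check_cert_probe_support(dev[0])
    # Hash the server certificate is expected to report in the
    # CTRL-EVENT-EAP-PEER-CERT depth=0 event; the same value is pinned with
    # ca_cert="hash://server/sha256/..." in the final step.
    srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd"
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # Step 1: probe. ca_cert="probe://" never accepts the server, so the
    # attempt must end in a "Server certificate chain probe" error after the
    # leaf certificate (depth=0) and its hash have been reported.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 2: pin a hash that does not belong to this server. The TLS
    # handshake must be aborted with "Server certificate mismatch".
    # "\\" spells the backslash explicitly instead of relying on Python
    # preserving the unrecognized "\m" escape (same runtime value).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 3: pin the hash observed in step 1; the connection must succeed
    # without any CA certificate being configured.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")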
1721
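def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Three malformed hash:// pins. Each must be rejected when the EAP method
    # is initialized rather than silently accepted, which would leave the
    # server effectively unauthenticated:
    #   dev[0]: md5 is not an accepted digest for server pins;
    #   dev[1]: the sha256 value is too short (62 hex digits instead of 64);
    #   dev[2]: the value contains a non-hex character ('Q').
    # "\\" spells the backslash explicitly instead of relying on Python
    # preserving the unrecognized "\m" escape (same runtime value).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
                   wait_connect=False, scan_freq="2412")
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
                   wait_connect=False, scan_freq="2412")
    # Association and EAP start are fine; the failure has to come from TTLS
    # (method 21) refusing to initialize with the bad pin.
    for sta in dev[0:3]:
        if sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
            raise Exception("Association and EAP start timed out")
        if sta.wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"],
                          timeout=5) is None:
            raise Exception("Did not report EAP method initialization failure")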
1748
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd"""
    check_eap_capa(dev[0], "PWD")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Baseline: correct password, then one reauthentication.
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    # A long NAI combined with a small peer-side fragment_size forces the
    # identity/commit exchange to be fragmented and reassembled.
    long_nai = ("pwd.user@test1234567890123456789012345678901234567890"
                "12345678901234567890123456789012345678901234567890.example.com")
    eap_connect(dev[1], apdev[0], "PWD", long_nai,
                password="secret password",
                fragment_size="90")

    logger.info("Negative test with incorrect password")
    # "secret-password" differs from the real one; the failure is reported by
    # the peer locally (local_error_report) rather than via an EAP-Failure.
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

    # Same long NAI with an even smaller fragment size.
    eap_connect(dev[0], apdev[0], "PWD", long_nai,
                password="secret password",
                fragment_size="31")
1771
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash"""
    check_eap_capa(dev[0], "PWD")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    nt_hash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    # The "pwd-hash" user is presumably provisioned with an NT hash on the
    # server side, so both the plaintext password and its hash must work.
    eap_connect(dev[0], apdev[0], "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], apdev[0], "PWD", "pwd-hash", password_hex=nt_hash)
    # The plain "pwd user" account is not hash-based; presenting the hash
    # form for it must fail (reported locally by the peer).
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password_hex=nt_hash,
                expect_failure=True, local_error_report=True)
1783
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups"""
    check_eap_capa(dev[0], "PWD")
    ap_params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
                 "rsn_pairwise": "CCMP", "ieee8021x": "1",
                 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf"}
    # pwd_group takes IANA IKE group numbers: 19/20/21 are the NIST
    # P-256/P-384/P-521 curves, 25/26 the smaller P-192/P-224 ones. The AP is
    # re-added with a new group for every iteration.
    for group in (19, 20, 21, 25, 26):
        ap_params['pwd_group'] = str(group)
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "PWD", "pwd user",
                    password="secret password")
1795
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group"""
    check_eap_capa(dev[0], "PWD")
    # Group 0 is not a valid EAP-pwd group; the server must not be able to
    # complete the exchange and the peer must see an EAP failure.
    ap_params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
                 "rsn_pairwise": "CCMP", "ieee8021x": "1",
                 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
                 "pwd_group": "0"}
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    # Default wait_event timeout is used here, as in the original.
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
1810
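def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
    check_eap_capa(dev[0], "PWD")
    # The original first built wpa2_eap_params() and then immediately
    # overwrote it; only this explicit configuration is actually used.
    # fragment_size=40 makes the server (authenticator) side fragment its
    # EAP-pwd messages so the peer's reassembly path is exercised.
    ap_params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
                 "rsn_pairwise": "CCMP", "ieee8021x": "1",
                 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
                 "pwd_group": "19", "fragment_size": "40"}
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")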
1821
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    net_id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                         password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    logger.info("Test forced algorithm selection")
    # Changing phase1 on the active network block triggers a new EAP run
    # (the test relies on that); each supported ciphersuite must succeed.
    for forced_cipher in ("cipher=1", "cipher=2"):
        dev[0].set_network_quoted(net_id, "phase1", forced_cipher)
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    # cipher=9 is not a ciphersuite the server offers, so negotiation fails.
    dev[0].set_network_quoted(net_id, "phase1", "cipher=9")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # Only the first two characters of the PSK differ from the real one.
    eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
1849
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # EAP-SAKE uses a 32-byte root secret, given here as hex.
    good_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=good_key)
    eap_reauth(dev[0], "SAKE")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # Same key with its first byte changed must be rejected.
    bad_key = "ff" + good_key[2:]
    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=bad_key,
                expect_failure=True)
1863
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    net_id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    logger.info("Test forced algorithm selection")
    # Each phase1 string pins the DH group, encryption, PRF and MAC
    # proposals; changing phase1 on the active block triggers a new EAP run
    # (the test relies on that) which must succeed for every combination.
    proposals = ("dhgroup=5 encr=1 prf=2 mac=2",
                 "dhgroup=4 encr=1 prf=2 mac=2",
                 "dhgroup=3 encr=1 prf=2 mac=2",
                 "dhgroup=3 encr=1 prf=1 mac=1")
    for proposal in proposals:
        dev[0].set_network_quoted(net_id, "phase1", proposal)
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    # Identifiers the server does not support in any slot: must fail.
    dev[0].set_network_quoted(net_id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)
1892
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
    # Server identity in NAI form (user@realm) rather than a bare name.
    ap_params = int_eap_server_params()
    ap_params['server_id'] = 'example.server@w1.fi'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
1899
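def _wait_alloc_fail_consumed(hapd, max_polls):
    """Poll hapd's GET_ALLOC_FAIL up to max_polls times (0.1 s apart).

    Returns as soon as the remaining failure count reported by hostapd
    starts with '0', i.e. the injected allocation failure has been hit.
    """
    for _ in range(max_polls):
        time.sleep(0.1)
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            break

def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with server OOM"""
    ap_params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)

    # Allocation failures in the EKE message builders/parsers must make the
    # authentication fail cleanly: no crash, no success with partial state.
    for count, func in [(1, "eap_eke_build_commit"),
                        (2, "eap_eke_build_commit"),
                        (3, "eap_eke_build_commit"),
                        (1, "eap_eke_build_confirm"),
                        (2, "eap_eke_build_confirm"),
                        (1, "eap_eke_process_commit"),
                        (2, "eap_eke_process_commit"),
                        (1, "eap_eke_process_confirm"),
                        (1, "eap_eke_process_identity"),
                        (2, "eap_eke_process_identity"),
                        (3, "eap_eke_process_identity"),
                        (4, "eap_eke_process_identity")]:
        with alloc_fail(hapd, count, func):
            eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
                        expect_failure=True)
            dev[0].request("REMOVE_NETWORK all")

    # These failure points do not yield a prompt EAP result on the peer, so
    # the connection is not waited on; instead stop once hostapd reports the
    # injected failure as consumed. "wrong" is used where the failure is in
    # the failure-message builder, which only runs after a bad password.
    for count, func, pw in [(1, "eap_eke_init", "hello"),
                            (1, "eap_eke_get_session_id", "hello"),
                            (1, "eap_eke_getKey", "hello"),
                            (1, "eap_eke_build_msg", "hello"),
                            (1, "eap_eke_build_failure", "wrong"),
                            (1, "eap_eke_build_identity", "hello"),
                            (2, "eap_eke_build_identity", "hello")]:
        with alloc_fail(hapd, count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            _wait_alloc_fail_consumed(hapd, 20)
            dev[0].request("REMOVE_NETWORK all")

    # Walk the allocation sites reachable from eap_server_sm_step one count
    # at a time until alloc_fail reports that a failure at that count never
    # triggered, i.e. there are no more allocations left to fail. The
    # password is given explicitly; the original relied on the "pw" loop
    # variable leaking out of the loop above.
    for count in range(1, 1000):
        try:
            with alloc_fail(hapd, count, "eap_server_sm_step"):
                dev[0].connect("test-wpa2-eap",
                               key_mgmt="WPA-EAP WPA-EAP-SHA256",
                               eap="EKE", identity="eke user", password="hello",
                               wait_connect=False, scan_freq="2412")
                _wait_alloc_fail_consumed(hapd, 10)
                dev[0].request("REMOVE_NETWORK all")
        except Exception as e:
            if str(e) == "Allocation failure did not trigger":
                # Fewer than 30 sites would mean the walk stopped early.
                if count < 30:
                    raise Exception("Too few allocation failures")
                logger.info("%d allocation failures tested" % (count - 1))
                break
            # Bare raise keeps the original traceback (raise e would not).
            raise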
1963
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Baseline connection plus one reauthentication.
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")
    dev[0].request("REMOVE_NETWORK all")
    # Peer-side fragmentation of the IKEv2 payloads.
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # "ike-password" differs from the provisioned "ike password".
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike-password", expect_failure=True)
1979
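def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
    # The original first built wpa2_eap_params() and then immediately
    # overwrote it; only this explicit configuration is actually used.
    # fragment_size=50 makes the server fragment its EAP-IKEv2 messages so
    # the peer's reassembly path is exercised.
    ap_params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
                 "rsn_pairwise": "CCMP", "ieee8021x": "1",
                 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
                 "fragment_size": "50"}
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")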
1991
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # 16-byte PAX shared key, given as hex.
    good_key = "0123456789abcdef0123456789abcdef"
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex=good_key)
    eap_reauth(dev[0], "PAX")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # Same key with its first byte changed must be rejected.
    bad_key = "ff" + good_key[2:]
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex=bad_key, expect_failure=True)
2005
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    # Require the SHA-256 based 802.1X AKM and mandatory PMF (ieee80211w=2)
    # so this covers the WPA-EAP-SHA256 path rather than the default one.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    good_key = "0123456789abcdef0123456789abcdef"
    eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
                password_hex=good_key, sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    # 00-0f-ac-5 is the AKM suite selector for 802.1X with SHA-256; both the
    # requested and the selected suite must be that one.
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                       ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5")])

    # The scan result must also advertise the SHA-256 AKM.
    bss = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SHA256-CCMP]" not in bss['flags']:
        raise Exception("Unexpected BSS flags: " + bss['flags'])

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # Same key with its first byte changed must be rejected.
    bad_key = "ff" + good_key[2:]
    eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
                password_hex=bad_key, sha256=True,
                expect_failure=True)
2029
def test_ap_wpa2_eap_psk_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK and OOM"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Peer-side allocation failures in the AES-EAX/OMAC1 primitives EAP-PSK
    # depends on. The "a;b" spec presumably targets an allocation in a when
    # called from b, and "=b" one in b itself (see utils.alloc_fail).
    oom_points = [(1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
                  (1, "omac1_aes_128;aes_128_eax_encrypt"),
                  (2, "omac1_aes_128;aes_128_eax_encrypt"),
                  (3, "omac1_aes_128;aes_128_eax_encrypt"),
                  (1, "=aes_128_eax_encrypt"),
                  (1, "omac1_aes_vector"),
                  (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
                  (1, "omac1_aes_128;aes_128_eax_decrypt"),
                  (2, "omac1_aes_128;aes_128_eax_decrypt"),
                  (3, "omac1_aes_128;aes_128_eax_decrypt"),
                  (1, "=aes_128_eax_decrypt")]
    for count, func in oom_points:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                           identity="psk.user@example.com",
                           password_hex="0123456789abcdef0123456789abcdef",
                           wait_connect=False, scan_freq="2412")
            if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5) is None:
                raise Exception("EAP method not selected")
            # Short poll until the supplicant reports the failure consumed.
            for _ in range(10):
                if "0:" in dev[0].request("GET_ALLOC_FAIL"):
                    break
                time.sleep(0.02)
            dev[0].request("REMOVE_NETWORK all")

    # A failure in the block cipher itself must surface as an EAP failure
    # rather than a hang or a connection with a broken key derivation.
    with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                       identity="psk.user@example.com",
                       password_hex="0123456789abcdef0123456789abcdef",
                       wait_connect=False, scan_freq="2412")
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
            raise Exception("EAP method failure not reported")
        dev[0].request("REMOVE_NETWORK all")
2069
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    # WPA (TKIP-era, OUI 00:50:f2) rather than RSN; rsn=False below.
    ap_params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
                   scan_freq="2412")
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    # 00-50-f2-1 is the WPA vendor AKM selector for 802.1X.
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                       ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1")])

    status = dev[0].get_status(extra="VERBOSE")
    for key in ('portControl', 'eap_session_id'):
        if key not in status:
            raise Exception(key + " missing from STATUS-VERBOSE")
    if status['portControl'] != 'Auto':
        raise Exception("Unexpected portControl value: " + status['portControl'])
    # The EAP Session-Id starts with the method type byte; 0x19 == 25, PEAP.
    if not status['eap_session_id'].startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
2092
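def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Kept from the original; the object is not otherwise used in this test.
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # (description, eap, anonymous_identity, identity, phase2,
    #  identity to supply on CTRL-REQ-IDENTITY (None = none requested),
    #  password/OTP to supply on CTRL-REQ-PASSWORD/CTRL-REQ-OTP)
    # "\\" spells the backslash explicitly instead of relying on Python
    # preserving the unrecognized "\m" escape (same runtime value).
    tests = [("Connection with dynamic TTLS/MSCHAPv2 password entry",
              "TTLS", "ttls", "DOMAIN\\mschapv2 user", "auth=MSCHAPV2",
              None, "password"),
             ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
              "TTLS", "ttls", None, "auth=MSCHAPV2",
              "DOMAIN\\mschapv2 user", "password"),
             ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
              "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
             ("Connection with dynamic TTLS/EAP-MD5 password entry",
              "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
             ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
              "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
             ("Connection with dynamic PEAP/EAP-GTC password entry",
              "PEAP", None, "user", "auth=GTC", None, "password")]
    for desc, eap, anon, identity, phase2, req_id, req_pw in tests:
        logger.info(desc)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        if req_id:
            ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
            if ev is None:
                raise Exception("Request for identity timed out")
            # Event format is "CTRL-REQ-IDENTITY-<num>:<text>"; the reply
            # must carry the same <num> to be bound to this request.
            req_num = ev.split(':')[0].split('-')[-1]
            dev[0].request("CTRL-RSP-IDENTITY-" + req_num + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD", "CTRL-REQ-OTP"])
        if ev is None:
            raise Exception("Request for password timed out")
        req_num = ev.split(':')[0].split('-')[-1]
        # GTC may ask for a one-time password instead of a static one.
        rsp_kind = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + rsp_kind + "-" + req_num + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")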
2133
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Expanded (vendor-specific) EAP type round trip plus reauthentication.
    eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
    eap_reauth(dev[0], "VENDOR-TEST")
    # password="pending" presumably selects the method's delayed/pending
    # processing path on a second station.
    eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
                password="pending")
2142
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # fast_provisioning=1 enables unauthenticated (anonymous) PAC
    # provisioning. That mode relies on an anonymous TLS handshake and is
    # only appropriate for a test setup like this one; the PAC is kept in an
    # in-memory blob rather than a file.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # The reauthentication must resume via the PAC (TLS session ticket).
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2156
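def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
    check_eap_capa(dev[0], "FAST")
    # "params" is the test-runner parameter dict (only 'logdir' is used);
    # the hostapd configuration gets its own name instead of shadowing it.
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    try:
        # fast_provisioning=1 is unauthenticated (anonymous) provisioning,
        # which writes a new PAC to the file. The file contains the PAC-Key,
        # a long-term credential, in the clear; that is why both files are
        # removed in the finally block regardless of the outcome.
        eap_connect(dev[0], apdev[0], "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1", pac_file=pac_file)
        with open(pac_file, "r") as f:
            data = f.read()
        if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
            raise Exception("PAC file header missing")
        if "PAC-Key=" not in data:
            raise Exception("PAC-Key missing from PAC file")
        dev[0].request("REMOVE_NETWORK all")
        # Reconnect without provisioning: the stored PAC must suffice.
        eap_connect(dev[0], apdev[0], "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    pac_file=pac_file)

        # Same sequence with the binary PAC file format on a second station.
        eap_connect(dev[1], apdev[0], "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1 fast_pac_format=binary",
                    pac_file=pac_file2)
        dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[1], apdev[0], "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_pac_format=binary",
                    pac_file=pac_file2)
    finally:
        # Best-effort cleanup of the credential files; they may not exist if
        # provisioning failed early, so only OS-level errors are ignored
        # (the original used a bare except).
        for fname in (pac_file, pac_file2):
            try:
                os.remove(fname)
            except OSError:
                pass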
2202
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format.

    Provisions into a binary-format PAC blob with the PAC list capped at
    one entry (fast_max_pac_list_len=1) and then requires the
    reauthentication to resume the TLS session from that PAC.
    """
    check_eap_capa(dev[0], "FAST")
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    phase1 = "fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary"
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=phase1, pac_file="blob://fast_pac_bin")
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2216
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config.

    Without fast_provisioning in phase1 the station cannot obtain a PAC,
    so EAP must fail both when pac_file names an unused blob and when
    pac_file is omitted altogether.
    """
    check_eap_capa(dev[0], "FAST")
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)

    base = dict(key_mgmt="WPA-EAP", eap="FAST", identity="user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                wait_connect=False, scan_freq="2412")

    def expect_eap_failure(**extra):
        cfg = dict(base)
        cfg.update(extra)
        dev[0].connect("test-wpa2-eap", **cfg)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        if ev is None:
            raise Exception("Timeout on EAP failure report")

    expect_eap_failure(pac_file="blob://fast_pac_not_in_use")
    dev[0].request("REMOVE_NETWORK all")
    expect_eap_failure()
2242
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning.

    phase1 fast_provisioning=2 selects authenticated PAC provisioning
    (server certificate validated against ca_cert). The reauthentication
    must then report tls_session_reused=1.
    """
    check_eap_capa(dev[0], "FAST")
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    sta_conf = dict(anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                    phase1="fast_provisioning=2",
                    pac_file="blob://fast_pac_auth")
    eap_connect(dev[0], apdev[0], "FAST", "user", **sta_conf)
    hwsim_utils.test_connectivity(dev[0], hapd)
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2256
def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing.

    After a successful authenticated-provisioning connection the network's
    identity is changed to "user2". The station must drop the connection,
    start EAP-FAST again and end in EAP failure (the stored PAC belongs to
    the original identity), followed by a second disconnection.
    """
    check_eap_capa(dev[0], "FAST")
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    sta = dev[0]
    netid = eap_connect(sta, apdev[0], "FAST", "user",
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                        phase1="fast_provisioning=2",
                        pac_file="blob://fast_pac_auth")
    sta.set_network_quoted(netid, "identity", "user2")
    sta.wait_disconnected()
    if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("EAP-FAST not started")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5) is None:
        raise Exception("EAP failure not reported")
    sta.wait_disconnected()
2276
def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and OOM in PRF.

    Injects an allocation failure into the second openssl_tls_prf call
    during an EAP-FAST authenticated-provisioning attempt and requires
    the station to report EAP failure cleanly instead of crashing.
    """
    check_eap_capa(dev[0], "FAST")
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    sta = dev[0]
    with alloc_fail(sta, 2, "openssl_tls_prf"):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                    identity="user", anonymous_identity="FAST",
                    password="password", ca_cert="auth_serv/ca.pem",
                    phase2="auth=GTC",
                    phase1="fast_provisioning=2",
                    pac_file="blob://fast_pac_auth",
                    wait_connect=False, scan_freq="2412")
        if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")
        sta.request("DISCONNECT")
2294
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP.

    ocsp=2 makes the station require a valid stapled OCSP response for
    the server certificate; the connection must still succeed against
    the default hostapd EAP server configuration.
    """
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever",
                ocsp=2)
2302
def int_eap_server_params():
    """Return hostapd parameters for a WPA2-Enterprise AP with the integrated EAP server.

    The AP uses CCMP, WPA-EAP key management, the eap_user.conf user
    database and the auth_serv CA/server certificate and key. Callers
    typically override server_cert/private_key or add OCSP/dhparams
    options before passing the dict to hostapd.add_ap().
    """
    return dict(ssid="test-wpa2-eap",
                wpa="2",
                wpa_key_mgmt="WPA-EAP",
                rsn_pairwise="CCMP",
                ieee8021x="1",
                eap_server="1",
                eap_user_file="auth_serv/eap_user.conf",
                ca_cert="auth_serv/ca.pem",
                server_cert="auth_serv/server.pem",
                private_key="auth_serv/server.key")
2311
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response.

    The AP staples a deliberately invalid OCSP response. With ocsp=2
    (valid stapled response required) the station must report the
    response as bad and fail EAP rather than connect.
    """
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                identity="tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever", ocsp=2,
                wait_connect=False, scan_freq="2412")
    # Tolerate a bounded number of unrelated status events before the
    # one that reports the stapled response as bad.
    for _ in range(11):
        ev = sta.wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2336
def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked.

    The AP staples a pre-generated OCSP response with status "revoked".
    With ocsp=2 the station must surface either a bad status response or
    a "certificate revoked" status and then fail EAP. Skipped when the
    response file is not present in params['logdir'].
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="pap user", ca_cert="auth_serv/ca.pem",
                anonymous_identity="ttls", password="password",
                phase2="auth=PAP", ocsp=2,
                wait_connect=False, scan_freq="2412")
    markers = ('bad certificate status response', 'certificate revoked')
    for _ in range(11):
        ev = sta.wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if any(m in ev for m in markers):
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2366
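def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown.

    The AP staples a pre-generated OCSP response with status "unknown".
    With ocsp=2 (valid stapled response required) the station must report
    the response as bad and fail EAP rather than connect. Skipped when the
    response file is not present in params['logdir'].
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="pap user", ca_cert="auth_serv/ca.pem",
                anonymous_identity="ttls", password="password",
                phase2="auth=PAP", ocsp=2,
                wait_connect=False, scan_freq="2412")
    # Tolerate a bounded number of unrelated status events before the
    # one that reports the stapled response as bad.
    for _ in range(11):
        ev = sta.wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")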
2394
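def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown.

    Uses the same stapled "unknown" OCSP response as
    test_ap_wpa2_eap_ttls_ocsp_unknown, but the station sets ocsp=1 and
    the connection is expected to complete. Note the security consequence
    this test pins down: with ocsp=1 an "unknown" certificate status does
    not cause EAP failure; only ocsp=2 enforces it. Skipped when the
    response file is not present in params['logdir'].
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")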
2407
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN).

    The server certificate has no dNSName entry, so domain_suffix_match
    is evaluated against the subject CN. A suffix equal to the full CN
    ("server3.w1.fi") must be accepted with every TLS library.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta_conf = dict(key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user", ca_cert="auth_serv/ca.pem",
                    private_key="auth_serv/user.pkcs12",
                    private_key_passwd="whatever",
                    domain_suffix_match="server3.w1.fi",
                    scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sta_conf)
2420
def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain match (CN).

    The server certificate has no dNSName entry, so domain_match is
    evaluated against the subject CN; an exact match on "server3.w1.fi"
    must let the connection complete.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta_conf = dict(key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user", ca_cert="auth_serv/ca.pem",
                    private_key="auth_serv/user.pkcs12",
                    private_key_passwd="whatever",
                    domain_match="server3.w1.fi",
                    scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sta_conf)
2433
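def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN).

    The server certificate has no dNSName entry, so the partial suffix
    "w1.fi" is matched against the subject CN. Only OpenSSL builds support
    a partial suffix match here (check_domain_match_full skips otherwise).
    The station under test is dev[1], so the capability check is run on
    that same station rather than on dev[0].
    """
    check_domain_match_full(dev[1])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="w1.fi",
                   scan_freq="2412")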
2447
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN).

    With a certificate that has no dNSName, domain_suffix_match is
    applied to the CN "server3.w1.fi". Both an unrelated domain
    ("example.com") and "erver3.w1.fi" - a plain substring of the CN
    that does not start on a label boundary - must be rejected with an
    EAP failure.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    attempts = [(dev[0], "example.com", ""),
                (dev[1], "erver3.w1.fi", " (2)")]
    for sta, suffix, tag in attempts:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user", ca_cert="auth_serv/ca.pem",
                    private_key="auth_serv/user.pkcs12",
                    private_key_passwd="whatever",
                    domain_suffix_match=suffix,
                    wait_connect=False,
                    scan_freq="2412")
    for sta, suffix, tag in attempts:
        if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception("Timeout on EAP failure report" + tag)
2474
def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN).

    domain_match requires an exact match on the CN "server3.w1.fi" when
    the certificate has no dNSName. An unrelated domain ("example.com")
    and a parent domain ("w1.fi", which would satisfy a *suffix* match)
    must both be rejected with an EAP failure.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    attempts = [(dev[0], "example.com", ""),
                (dev[1], "w1.fi", " (2)")]
    for sta, domain, tag in attempts:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user", ca_cert="auth_serv/ca.pem",
                    private_key="auth_serv/user.pkcs12",
                    private_key_passwd="whatever",
                    domain_match=domain,
                    wait_connect=False,
                    scan_freq="2412")
    for sta, domain, tag in attempts:
        if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception("Timeout on EAP failure report" + tag)
2501
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate.

    The AP presents an expired server certificate. The station must emit
    a TLS certificate error carrying reason=4 and the "certificate has
    expired" text, and then report EAP failure.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-expired.pem"
    ap_params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="mschap user", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                wait_connect=False,
                scan_freq="2412")
    cert_err = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    if cert_err is None:
        raise Exception("Timeout on EAP certificate error report")
    expected = ("reason=4", "certificate has expired")
    if not all(marker in cert_err for marker in expected):
        raise Exception("Unexpected failure reason: " + cert_err)
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2521
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration.

    With phase1 tls_disable_time_checks=1 the station accepts the same
    expired server certificate that test_ap_wpa2_eap_ttls_expired_cert
    rejects. This is a test/debug knob: it turns off validity-period
    checking of the server certificate and should not be used in a
    production profile.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-expired.pem"
    ap_params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta_conf = dict(key_mgmt="WPA-EAP", eap="TTLS",
                    identity="mschap user", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                    phase1="tls_disable_time_checks=1",
                    scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sta_conf)
2533
def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and long certificate duration.

    The AP presents a server certificate with an unusually long validity
    period; the station must still complete EAP-TTLS/MSCHAP.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-long-duration.pem"
    ap_params["private_key"] = "auth_serv/server-long-duration.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta_conf = dict(key_mgmt="WPA-EAP", eap="TTLS",
                    identity="mschap user", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                    scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sta_conf)
2544
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU.

    The AP's certificate carries only a client-authentication extended
    key usage. A station validating against ca_cert must refuse it as a
    server certificate and report EAP failure - accepting it would let
    any holder of a client certificate impersonate the authentication
    server.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-eku-client.pem"
    ap_params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="mschap user", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                wait_connect=False,
                scan_freq="2412")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2559
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU.

    A certificate listing both client and server authentication EKUs is
    still a valid server certificate, so the connection must complete.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    ap_params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta_conf = dict(key_mgmt="WPA-EAP", eap="TTLS",
                    identity="mschap user", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                    scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sta_conf)
2570
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file.

    hostapd loads both the server certificate and its private key from a
    single PKCS#12 file (server_cert is dropped and private_key points at
    the .pkcs12). The station must authenticate normally against it.
    """
    ap_params = int_eap_server_params()
    ap_params.pop("server_cert")
    ap_params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta_conf = dict(key_mgmt="WPA-EAP", eap="TTLS",
                    identity="mschap user", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                    scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sta_conf)
2581
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params.

    The station supplies its own DH parameters from auth_serv/dh.conf via
    dh_file and uses the DER-encoded CA certificate.
    """
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    sta_conf = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                    dh_file="auth_serv/dh.conf")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **sta_conf)
2590
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob.

    The DH parameters are read from auth_serv/dh2.conf, stored in the
    supplicant as a hex-encoded blob named "dhparams" and referenced via
    dh_file="blob://dhparams" instead of a file path.
    """
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    dh_pem = read_pem("auth_serv/dh2.conf")
    reply = dev[0].request("SET blob dhparams " + dh_pem.encode("hex"))
    if "OK" not in reply:
        raise Exception("Could not set dhparams blob")
    sta_conf = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                    dh_file="blob://dhparams")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **sta_conf)
2602
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams.

    hostapd's integrated EAP server is configured with the alternative
    DH parameters from auth_serv/dh2.conf; the station must still
    complete EAP-TTLS/CHAP.
    """
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta_conf = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **sta_conf)
2611
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication.

    eap_reauth_period=2 makes the AP re-run EAP shortly after the initial
    EAP-PAX authentication. The station must observe a new EAP start and
    EAP success and settle back into the COMPLETED state.
    """
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_conf['eap_reauth_period'] = '2'
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    sta = dev[0]
    eap_connect(sta, apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    logger.info("Wait for reauthentication")
    for event in ("CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-EAP-SUCCESS"):
        if sta.wait_event([event], timeout=10) is None:
            raise Exception("Timeout on reauthentication")
    # Poll briefly (up to ~2 s) for the state machine to reach COMPLETED
    for _ in range(20):
        if sta.get_status_field("wpa_state") == "COMPLETED":
            break
        time.sleep(0.1)
    else:
        raise Exception("Reauthentication did not complete")
2633
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity.

    The AP's eap_message carries a displayable text followed by a NUL
    ("\\0" in the hostapd config syntax) and option data; the station must
    still complete EAP-PAX normally.
    """
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    message = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    ap_conf['eap_message'] = message
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
2641
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication.

    For each of EAP-SIM, EAP-AKA and EAP-AKA', dev[0] connects with
    phase1 result_ind=1 (requesting the protected result indication) and
    reauthenticates, while dev[1] connects without it. The AP enables
    eap_sim_aka_result_ind and uses the hlr_auc_gw socket as its
    authentication database; the credential strings are presumably the
    test vectors expected by that database - confirm against hlr_auc_gw.
    """
    check_hlr_auc_gw_support()
    ap_params = int_eap_server_params()
    ap_params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    ap_params['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, identity, secret) in enumerate(cases):
        if idx:
            # Drop the previous method's networks before the next one
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], method, identity, password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, identity, password=secret)
2676
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips.

    fragment_size=10 forces the EAP-TTLS exchange into a huge number of
    tiny fragments. The station must hit its EAP roundtrip limit (the
    "EAP: more than" message) rather than keep exchanging fragments
    indefinitely.
    """
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    sta_conf = dict(key_mgmt="WPA-EAP WPA-EAP-SHA256",
                    eap="TTLS", identity="mschap user",
                    wait_connect=False, scan_freq="2412", ieee80211w="1",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                    fragment_size="10")
    dev[0].connect("test-wpa2-eap", **sta_conf)
    if dev[0].wait_event(["EAP: more than"], timeout=20) is None:
        raise Exception("EAP roundtrip limit not reached")
2690
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK.

    The station is configured for EAP-PSK with the "vendor-test" identity,
    for which the AP proposes a different method. The station must refuse
    the proposed method (observed as a "refuse proposed method" status
    within the first few EAP status events) and end in EAP failure.
    """
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                eap="PSK", identity="vendor-test",
                password_hex="ff23456789abcdef0123456789abcdef",
                wait_connect=False)

    for _ in range(5):
        ev = sta.wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in ev:
            break
    else:
        raise Exception("Unexpected EAP status: " + ev)

    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("EAP failure timed out")
2714
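def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB.

    Builds a throwaway eap-user.db under params['logdir'] holding four
    phase2-only TTLS users and a wildcard entry that allows TTLS/TLS as
    the outer method, points hostapd's eap_user_file at it with the
    "sqlite:" prefix and authenticates one station per inner method.
    All SQL here is fixed literals or bound parameters; nothing from the
    environment is spliced into a statement. The DB file is removed on
    exit.
    """
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    # A stale DB from an earlier run may exist; absence is the normal case
    try:
        os.remove(dbfile)
    except OSError:
        pass

    con = sqlite3.connect(dbfile)
    try:
        # The connection context manager only commits/rolls back the
        # transaction; it does not close the handle (done in finally).
        with con:
            cur = con.cursor()
            cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
            cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
            users = [('user-pap', 'TTLS-PAP'),
                     ('user-chap', 'TTLS-CHAP'),
                     ('user-mschap', 'TTLS-MSCHAP'),
                     ('user-mschapv2', 'TTLS-MSCHAPV2')]
            for identity, methods in users:
                cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES (?,?,'password',1)",
                            (identity, methods))
            cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
            cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
    finally:
        con.close()

    try:
        ap_params = int_eap_server_params()
        ap_params["eap_user_file"] = "sqlite:" + dbfile
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        common = dict(anonymous_identity="ttls", password="password",
                      ca_cert="auth_serv/ca.pem")
        eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
                    phase2="auth=MSCHAPV2", **common)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
                    phase2="auth=MSCHAP", **common)
        dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
                    phase2="auth=CHAP", **common)
        eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
                    phase2="auth=PAP", **common)
    finally:
        os.remove(dbfile)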
2758
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity.

    Sends identities containing a raw 0x80 byte (alone and after an
    ASCII character) to hostapd's integrated EAP server. The test only
    requires that EAP starts and a method is selected for both stations,
    i.e. neither side chokes on the non-ASCII identity.
    """
    ap_params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    identities = ("\x80", "a\x80")
    for sta, ident in zip(dev[:2], identities):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity=ident, password="password", wait_connect=False)
    for sta in dev[:2]:
        if sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
            raise Exception("Association and EAP start timed out")
        if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10) is None:
            raise Exception("EAP method selection timed out")
2774
def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity.

    Same as test_ap_wpa2_eap_non_ascii_identity but against the default
    hostapd.wpa2_eap_params() AP (external RADIUS-style setup) instead of
    the integrated EAP server.
    """
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    identities = ("\x80", "a\x80")
    for sta, ident in zip(dev[:2], identities):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity=ident, password="password", wait_connect=False)
    for sta in dev[:2]:
        if sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
            raise Exception("Association and EAP start timed out")
        if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10) is None:
            raise Exception("EAP method selection timed out")
2790
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant.

    dev[0] restricts its TLS cipher list to "AES128" and must connect;
    dev[1] asks for "EXPORT" suites only and must fail - export-grade
    suites are not negotiable with the server, so the handshake cannot
    complete. Skipped when wpa_supplicant is not built against OpenSSL.
    """
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", **common)
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="EXPORT", expect_failure=True, **common)
2807
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd.

    hostapd's integrated EAP server is limited to "AES256" suites.
    dev[0] (default ciphers) and dev[2] ("HIGH:!ADH") must connect;
    dev[1], restricted to "AES128", has no suite in common with the
    server and must fail. Skipped unless both wpa_supplicant and hostapd
    are built against OpenSSL.
    """
    sta_tls = dev[0].request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + sta_tls)
    ap_params = int_eap_server_params()
    ap_params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)
    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **common)
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **common)
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **common)
2831
def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP

    Snapshots the wpa_supplicant process memory at several points of the
    connection lifecycle and checks which secrets (password, MSK/EMSK, PMK,
    KCK/KEK, TK, GTK) are still present at each point. The expected lifetime
    of each key follows from where it is needed: temporal keys must never be
    found in the supplicant, handshake keys must be gone after
    disassociation, the PMK after the PMKSA/fast re-auth state is flushed,
    and everything (including the password) after the profile is removed.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Long, unusual password so that its byte pattern is easy to locate in
    # the memory image and unlikely to collide with unrelated data
    password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    pid = find_wpas_process(dev[0])
    net_id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
                         anonymous_identity="ttls", password=password,
                         ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Short settle time before the first snapshot (presumably to let the key
    # handshake fully complete on both sides)
    time.sleep(1)
    buf = read_process_memory(pid, password)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Recover the derived keys from the debug log; the hex bytes are the
    # fourth ':'-separated field of each hexdump line. A later matching
    # line overrides an earlier one, so the last derivation wins.
    dev[0].relog()
    markers = [("EAP-TTLS: Derived key - hexdump", 'msk'),
               ("EAP-TTLS: Derived EMSK - hexdump", 'emsk'),
               ("WPA: PMK - hexdump", 'pmk'),
               ("WPA: PTK - hexdump", 'ptk'),
               ("WPA: Group Key - hexdump", 'gtk')]
    keys = dict((name, None) for _, name in markers)
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for line in f:
            for marker, name in markers:
                if marker in line:
                    hexval = line.strip().split(':')[3].replace(' ', '')
                    keys[name] = binascii.unhexlify(hexval)
    msk, emsk, pmk, ptk, gtk = (keys[n]
                                for n in ('msk', 'emsk', 'pmk', 'ptk', 'gtk'))
    if not msk or not emsk or not pmk or not ptk or not gtk:
        raise Exception("Could not find keys from debug log")
    if len(gtk) != 16:
        raise Exception("Unexpected GTK length")

    # PTK layout assumed here: KCK | KEK | TK, 16 bytes each
    kck, kek, tk = ptk[0:16], ptk[16:32], ptk[32:48]

    # Prefix for the memory context dumps written on a failed check
    fname = os.path.join(params['logdir'],
                         'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')

    def log_locations(snapshot):
        # Record where the long-lived secrets are located in the snapshot
        get_key_locations(snapshot, password, "Password")
        get_key_locations(snapshot, pmk, "PMK")
        get_key_locations(snapshot, msk, "MSK")
        get_key_locations(snapshot, emsk, "EMSK")

    logger.info("Checking keys in memory while associated")
    log_locations(buf)
    # While associated the credentials, PMK and the handshake keys (KCK,
    # KEK) have to be in the process. The temporal keys (TK, GTK) must not
    # show up at all: once handed to the driver the supplicant presumably
    # has no further use for them. Missing password/PMK is a harness
    # limitation (skip), missing KCK/KEK a real failure.
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    if pmk not in buf:
        raise HwsimSkip("PMK not found while associated")
    if kck not in buf:
        raise Exception("KCK not found while associated")
    if kek not in buf:
        raise Exception("KEK not found while associated")
    if tk in buf:
        raise Exception("TK found from memory")
    if gtk in buf:
        raise Exception("GTK found from memory")

    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, password)

    # Note: Password is still present in network configuration
    # Note: PMK is in PMKSA cache and EAP fast re-auth data
    log_locations(buf)
    # The per-association keys must have been wiped with the association
    for key, label in ((kck, "KCK"), (kek, "KEK"), (tk, "TK"), (gtk, "GTK")):
        verify_not_present(buf, key, fname, label)

    # Flush the PMKSA cache and change the identity (used here to drop the
    # EAP fast re-auth data, per the log message below); afterwards no copy
    # of the PMK may remain.
    dev[0].request("PMKSA_FLUSH")
    dev[0].set_network_quoted(net_id, "identity", "foo")
    logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
    buf = read_process_memory(pid, password)
    log_locations(buf)
    verify_not_present(buf, pmk, fname, "PMK")

    # With the network profile gone, none of the secrets may remain
    dev[0].request("REMOVE_NETWORK all")

    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, password)
    log_locations(buf)
    for key, label in ((password, "password"), (pmk, "PMK"), (kck, "KCK"),
                       (kek, "KEK"), (tk, "TK"), (gtk, "GTK"),
                       (msk, "MSK"), (emsk, "EMSK")):
        verify_not_present(buf, key, fname, label)
2942
def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
    """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    # Inject an EAPOL-Key frame using the legacy RC4 (WEP) key descriptor
    # after the WPA2 association is up. wpa_supplicant is expected to
    # drop it silently; the control interface must still report OK for
    # the injection itself.
    wep_eapol_key = "0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    res = dev[0].request("EAPOL_RX %s %s" % (apdev[0]['bssid'], wep_eapol_key))
    if "OK" not in res:
        raise Exception("EAPOL_RX to wpa_supplicant failed")
2956
def test_ap_wpa2_eap_in_bridge(dev, apdev):
    """WPA2-EAP and wpas interface in a bridge"""
    br_ifname = 'sta-br0'
    ifname = 'wlan5'
    # Teardown steps are best-effort (return codes ignored) and always run,
    # so a failing test does not leave the bridge or 4addr mode behind.
    cleanup = [['ip', 'link', 'set', 'dev', br_ifname, 'down'],
               ['brctl', 'delif', br_ifname, ifname],
               ['brctl', 'delbr', br_ifname],
               ['iw', ifname, 'set', '4addr', 'off']]
    try:
        _test_ap_wpa2_eap_in_bridge(dev, apdev)
    finally:
        for cmd in cleanup:
            subprocess.call(cmd)
2968
def _test_ap_wpa2_eap_in_bridge(dev, apdev):
    """Body of test_ap_wpa2_eap_in_bridge; the caller tears the bridge down.

    Puts wlan5 into a bridge with 4addr mode enabled (presumably so that
    bridged frames can be carried over the WLAN link) and runs an EAP-PAX
    connection, two re-authentications and a disconnect/reconnect cycle
    through the bridged interface.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    br_ifname = 'sta-br0'
    ifname = 'wlan5'
    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    # Bridge setup is best-effort except for adding the interface to the
    # bridge, which the rest of the test depends on (check_call raises).
    for cmd in (['brctl', 'addbr', br_ifname],
                ['brctl', 'setfd', br_ifname, '0'],
                ['ip', 'link', 'set', 'dev', br_ifname, 'up'],
                ['iw', ifname, 'set', '4addr', 'on']):
        subprocess.call(cmd)
    subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
    wpas.interface_add(ifname, br_ifname=br_ifname)

    eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    # Two re-authentications: the second one is a regression test for the
    # packet socket workaround
    eap_reauth(wpas, "PAX")
    eap_reauth(wpas, "PAX")
    # Full disconnect/reconnect cycle through the bridged interface
    wpas.request("DISCONNECT")
    wpas.wait_disconnected()
    wpas.request("RECONNECT")
    wpas.wait_connected()
2992
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Sanity check: the AP must report WPA-EAP as its first key_mgmt entry
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.partition(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # phase1 explicitly keeps TLS session tickets enabled for the EAP-TTLS
    # tunnel; the re-authentication afterwards presumably exercises the
    # ticket-based resumption path.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
3005
def test_ap_wpa2_eap_no_workaround(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Sanity check: the AP must report WPA-EAP as its first key_mgmt entry
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.partition(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # eap_workaround='0' disables the supplicant's EAP interoperability
    # workarounds for this profile; connection and re-authentication must
    # still succeed against this server without them.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")