1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
13 logger
= logging
.getLogger()
18 from utils
import HwsimSkip
, alloc_fail
19 from wpasupplicant
import WpaSupplicant
20 from test_ap_psk
import check_mib
, find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
def check_hlr_auc_gw_support():
    """Skip the current test when no hlr_auc_gw control socket is present.

    Raises:
        HwsimSkip: if /tmp/hlr_auc_gw.sock does not exist on this host.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
26 def check_eap_capa(dev
, method
):
27 res
= dev
.get_capability("eap")
29 raise HwsimSkip("EAP method %s not supported in the build" % method
)
def check_subject_match_support(dev):
    """Skip the current test unless *dev* reports an OpenSSL TLS library.

    Args:
        dev: wpa_supplicant control-interface wrapper; its reply to
            ``GET tls_library`` is inspected.

    Raises:
        HwsimSkip: when the reported library name does not start with
            "OpenSSL" (subject_match is only exercised with OpenSSL here).
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + tls_lib)
def check_altsubject_match_support(dev):
    """Skip the current test unless *dev* reports an OpenSSL TLS library.

    Args:
        dev: wpa_supplicant control-interface wrapper; queried with
            ``GET tls_library``.

    Raises:
        HwsimSkip: when the library name does not start with "OpenSSL",
            because altsubject_match is only exercised with OpenSSL here.
    """
    lib = dev.request("GET tls_library")
    is_openssl = lib.startswith("OpenSSL")
    if not is_openssl:
        raise HwsimSkip("altsubject_match not supported with this TLS library: " + lib)
def check_domain_match_full(dev):
    """Skip the current test unless *dev* uses OpenSSL for TLS.

    The domain_suffix_match tests that call this expect full-match
    semantics, which the surrounding code only checks against OpenSSL.

    Args:
        dev: wpa_supplicant control-interface wrapper; queried with
            ``GET tls_library``.

    Raises:
        HwsimSkip: when the library name does not start with "OpenSSL".
    """
    library = dev.request("GET tls_library")
    if not library.startswith("OpenSSL"):
        msg = "domain_suffix_match requires full match with this TLS library: %s" % library
        raise HwsimSkip(msg)
def check_cert_probe_support(dev):
    """Skip the current test unless *dev* reports an OpenSSL TLS library.

    Args:
        dev: wpa_supplicant control-interface wrapper; queried with
            ``GET tls_library``.

    Raises:
        HwsimSkip: when the library name does not start with "OpenSSL"
            (certificate probing is only exercised with OpenSSL here).
    """
    reported = dev.request("GET tls_library")
    supported = reported.startswith("OpenSSL")
    if supported:
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + reported)
52 with
open(fname
, "r") as f
:
63 return base64
.b64decode(cert
)
65 def eap_connect(dev
, ap
, method
, identity
,
66 sha256
=False, expect_failure
=False, local_error_report
=False,
68 hapd
= hostapd
.Hostapd(ap
['ifname'])
69 id = dev
.connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
70 eap
=method
, identity
=identity
,
71 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
73 eap_check_auth(dev
, method
, True, sha256
=sha256
,
74 expect_failure
=expect_failure
,
75 local_error_report
=local_error_report
)
78 ev
= hapd
.wait_event([ "AP-STA-CONNECTED" ], timeout
=5)
80 raise Exception("No connection event received from hostapd")
83 def eap_check_auth(dev
, method
, initial
, rsn
=True, sha256
=False,
84 expect_failure
=False, local_error_report
=False):
85 ev
= dev
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
87 raise Exception("Association and EAP start timed out")
88 ev
= dev
.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
90 raise Exception("EAP method selection timed out")
92 raise Exception("Unexpected EAP method")
94 ev
= dev
.wait_event(["CTRL-EVENT-EAP-FAILURE"])
96 raise Exception("EAP failure timed out")
97 ev
= dev
.wait_disconnected(timeout
=10)
98 if not local_error_report
:
99 if "reason=23" not in ev
:
100 raise Exception("Proper reason code for disconnection not reported")
102 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
104 raise Exception("EAP success timed out")
107 ev
= dev
.wait_event(["CTRL-EVENT-CONNECTED"], timeout
=10)
109 ev
= dev
.wait_event(["WPA: Key negotiation completed"], timeout
=10)
111 raise Exception("Association with the AP timed out")
112 status
= dev
.get_status()
113 if status
["wpa_state"] != "COMPLETED":
114 raise Exception("Connection not completed")
116 if status
["suppPortStatus"] != "Authorized":
117 raise Exception("Port not authorized")
118 if method
not in status
["selectedMethod"]:
119 raise Exception("Incorrect EAP method status")
121 e
= "WPA2-EAP-SHA256"
123 e
= "WPA2/IEEE 802.1X/EAP"
125 e
= "WPA/IEEE 802.1X/EAP"
126 if status
["key_mgmt"] != e
:
127 raise Exception("Unexpected key_mgmt status: " + status
["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger an EAP re-authentication on *dev* and verify its outcome.

    Args:
        dev: wpa_supplicant control-interface wrapper.
        method: EAP method name the re-authentication is expected to use.
        rsn: forwarded to eap_check_auth.
        sha256: forwarded to eap_check_auth.
        expect_failure: forwarded to eap_check_auth.

    Returns:
        The result of eap_check_auth for the re-authentication
        (initial=False).
    """
    dev.request("REAUTHENTICATE")
    check_opts = {
        "rsn": rsn,
        "sha256": sha256,
        "expect_failure": expect_failure,
    }
    return eap_check_auth(dev, method, False, **check_opts)
135 def test_ap_wpa2_eap_sim(dev
, apdev
):
136 """WPA2-Enterprise connection using EAP-SIM"""
137 check_hlr_auc_gw_support()
138 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
139 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
140 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
141 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
142 hwsim_utils
.test_connectivity(dev
[0], hapd
)
143 eap_reauth(dev
[0], "SIM")
145 eap_connect(dev
[1], apdev
[0], "SIM", "1232010000000001",
146 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
147 eap_connect(dev
[2], apdev
[0], "SIM", "1232010000000002",
148 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
151 logger
.info("Negative test with incorrect key")
152 dev
[0].request("REMOVE_NETWORK all")
153 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
154 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
157 logger
.info("Invalid GSM-Milenage key")
158 dev
[0].request("REMOVE_NETWORK all")
159 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
160 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
163 logger
.info("Invalid GSM-Milenage key(2)")
164 dev
[0].request("REMOVE_NETWORK all")
165 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
166 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
169 logger
.info("Invalid GSM-Milenage key(3)")
170 dev
[0].request("REMOVE_NETWORK all")
171 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
172 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
175 logger
.info("Invalid GSM-Milenage key(4)")
176 dev
[0].request("REMOVE_NETWORK all")
177 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
178 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
181 logger
.info("Missing key configuration")
182 dev
[0].request("REMOVE_NETWORK all")
183 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
186 def test_ap_wpa2_eap_sim_sql(dev
, apdev
, params
):
187 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
188 check_hlr_auc_gw_support()
192 raise HwsimSkip("No sqlite3 module available")
193 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
194 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
195 params
['auth_server_port'] = "1814"
196 hostapd
.add_ap(apdev
[0]['ifname'], params
)
197 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
198 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
200 logger
.info("SIM fast re-authentication")
201 eap_reauth(dev
[0], "SIM")
203 logger
.info("SIM full auth with pseudonym")
206 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
207 eap_reauth(dev
[0], "SIM")
209 logger
.info("SIM full auth with permanent identity")
212 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
213 cur
.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
214 eap_reauth(dev
[0], "SIM")
216 logger
.info("SIM reauth with mismatching MK")
219 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
220 eap_reauth(dev
[0], "SIM", expect_failure
=True)
221 dev
[0].request("REMOVE_NETWORK all")
223 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
224 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
227 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
228 eap_reauth(dev
[0], "SIM")
231 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
232 logger
.info("SIM reauth with mismatching counter")
233 eap_reauth(dev
[0], "SIM")
234 dev
[0].request("REMOVE_NETWORK all")
236 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
237 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
240 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
241 logger
.info("SIM reauth with max reauth count reached")
242 eap_reauth(dev
[0], "SIM")
244 def test_ap_wpa2_eap_sim_config(dev
, apdev
):
245 """EAP-SIM configuration options"""
246 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
247 hostapd
.add_ap(apdev
[0]['ifname'], params
)
248 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
249 identity
="1232010000000000",
250 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
251 phase1
="sim_min_num_chal=1",
252 wait_connect
=False, scan_freq
="2412")
253 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
255 raise Exception("No EAP error message seen")
256 dev
[0].request("REMOVE_NETWORK all")
258 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
259 identity
="1232010000000000",
260 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
261 phase1
="sim_min_num_chal=4",
262 wait_connect
=False, scan_freq
="2412")
263 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
265 raise Exception("No EAP error message seen (2)")
266 dev
[0].request("REMOVE_NETWORK all")
268 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
269 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
270 phase1
="sim_min_num_chal=2")
271 eap_connect(dev
[1], apdev
[0], "SIM", "1232010000000000",
272 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
273 anonymous_identity
="345678")
275 def test_ap_wpa2_eap_sim_ext(dev
, apdev
):
276 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
278 _test_ap_wpa2_eap_sim_ext(dev
, apdev
)
280 dev
[0].request("SET external_sim 0")
282 def _test_ap_wpa2_eap_sim_ext(dev
, apdev
):
283 check_hlr_auc_gw_support()
284 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
285 hostapd
.add_ap(apdev
[0]['ifname'], params
)
286 dev
[0].request("SET external_sim 1")
287 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
288 identity
="1232010000000000",
289 wait_connect
=False, scan_freq
="2412")
290 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
292 raise Exception("Network connected timed out")
294 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
296 raise Exception("Wait for external SIM processing request timed out")
298 if p
[1] != "GSM-AUTH":
299 raise Exception("Unexpected CTRL-REQ-SIM type")
300 rid
= p
[0].split('-')[3]
303 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
304 # This will fail during processing, but the ctrl_iface command succeeds
305 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTH:" + resp
)
306 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
308 raise Exception("EAP failure not reported")
309 dev
[0].request("DISCONNECT")
310 dev
[0].wait_disconnected()
313 dev
[0].select_network(id, freq
="2412")
314 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
316 raise Exception("Wait for external SIM processing request timed out")
318 if p
[1] != "GSM-AUTH":
319 raise Exception("Unexpected CTRL-REQ-SIM type")
320 rid
= p
[0].split('-')[3]
321 # This will fail during GSM auth validation
322 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:q"):
323 raise Exception("CTRL-RSP-SIM failed")
324 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
326 raise Exception("EAP failure not reported")
327 dev
[0].request("DISCONNECT")
328 dev
[0].wait_disconnected()
331 dev
[0].select_network(id, freq
="2412")
332 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
334 raise Exception("Wait for external SIM processing request timed out")
336 if p
[1] != "GSM-AUTH":
337 raise Exception("Unexpected CTRL-REQ-SIM type")
338 rid
= p
[0].split('-')[3]
339 # This will fail during GSM auth validation
340 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:34"):
341 raise Exception("CTRL-RSP-SIM failed")
342 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
344 raise Exception("EAP failure not reported")
345 dev
[0].request("DISCONNECT")
346 dev
[0].wait_disconnected()
349 dev
[0].select_network(id, freq
="2412")
350 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
352 raise Exception("Wait for external SIM processing request timed out")
354 if p
[1] != "GSM-AUTH":
355 raise Exception("Unexpected CTRL-REQ-SIM type")
356 rid
= p
[0].split('-')[3]
357 # This will fail during GSM auth validation
358 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677"):
359 raise Exception("CTRL-RSP-SIM failed")
360 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
362 raise Exception("EAP failure not reported")
363 dev
[0].request("DISCONNECT")
364 dev
[0].wait_disconnected()
367 dev
[0].select_network(id, freq
="2412")
368 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
370 raise Exception("Wait for external SIM processing request timed out")
372 if p
[1] != "GSM-AUTH":
373 raise Exception("Unexpected CTRL-REQ-SIM type")
374 rid
= p
[0].split('-')[3]
375 # This will fail during GSM auth validation
376 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:q"):
377 raise Exception("CTRL-RSP-SIM failed")
378 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
380 raise Exception("EAP failure not reported")
381 dev
[0].request("DISCONNECT")
382 dev
[0].wait_disconnected()
385 dev
[0].select_network(id, freq
="2412")
386 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
388 raise Exception("Wait for external SIM processing request timed out")
390 if p
[1] != "GSM-AUTH":
391 raise Exception("Unexpected CTRL-REQ-SIM type")
392 rid
= p
[0].split('-')[3]
393 # This will fail during GSM auth validation
394 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233"):
395 raise Exception("CTRL-RSP-SIM failed")
396 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
398 raise Exception("EAP failure not reported")
399 dev
[0].request("DISCONNECT")
400 dev
[0].wait_disconnected()
403 dev
[0].select_network(id, freq
="2412")
404 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
406 raise Exception("Wait for external SIM processing request timed out")
408 if p
[1] != "GSM-AUTH":
409 raise Exception("Unexpected CTRL-REQ-SIM type")
410 rid
= p
[0].split('-')[3]
411 # This will fail during GSM auth validation
412 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233:q"):
413 raise Exception("CTRL-RSP-SIM failed")
414 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
416 raise Exception("EAP failure not reported")
418 def test_ap_wpa2_eap_aka(dev
, apdev
):
419 """WPA2-Enterprise connection using EAP-AKA"""
420 check_hlr_auc_gw_support()
421 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
422 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
423 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
424 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
425 hwsim_utils
.test_connectivity(dev
[0], hapd
)
426 eap_reauth(dev
[0], "AKA")
428 logger
.info("Negative test with incorrect key")
429 dev
[0].request("REMOVE_NETWORK all")
430 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
431 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
434 logger
.info("Invalid Milenage key")
435 dev
[0].request("REMOVE_NETWORK all")
436 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
437 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
440 logger
.info("Invalid Milenage key(2)")
441 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
442 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
445 logger
.info("Invalid Milenage key(3)")
446 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
447 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
450 logger
.info("Invalid Milenage key(4)")
451 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
452 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
455 logger
.info("Invalid Milenage key(5)")
456 dev
[0].request("REMOVE_NETWORK all")
457 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
458 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
461 logger
.info("Invalid Milenage key(6)")
462 dev
[0].request("REMOVE_NETWORK all")
463 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
464 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
467 logger
.info("Missing key configuration")
468 dev
[0].request("REMOVE_NETWORK all")
469 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
472 def test_ap_wpa2_eap_aka_sql(dev
, apdev
, params
):
473 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
474 check_hlr_auc_gw_support()
478 raise HwsimSkip("No sqlite3 module available")
479 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
480 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
481 params
['auth_server_port'] = "1814"
482 hostapd
.add_ap(apdev
[0]['ifname'], params
)
483 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
484 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
486 logger
.info("AKA fast re-authentication")
487 eap_reauth(dev
[0], "AKA")
489 logger
.info("AKA full auth with pseudonym")
492 cur
.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
493 eap_reauth(dev
[0], "AKA")
495 logger
.info("AKA full auth with permanent identity")
498 cur
.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
499 cur
.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
500 eap_reauth(dev
[0], "AKA")
502 logger
.info("AKA reauth with mismatching MK")
505 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
506 eap_reauth(dev
[0], "AKA", expect_failure
=True)
507 dev
[0].request("REMOVE_NETWORK all")
509 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
510 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
513 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
514 eap_reauth(dev
[0], "AKA")
517 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
518 logger
.info("AKA reauth with mismatching counter")
519 eap_reauth(dev
[0], "AKA")
520 dev
[0].request("REMOVE_NETWORK all")
522 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
523 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
526 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
527 logger
.info("AKA reauth with max reauth count reached")
528 eap_reauth(dev
[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Same Milenage credential as the other EAP-AKA tests, plus an
    # anonymous_identity so that option is exercised during the connection.
    creds = {
        "password": "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
        "anonymous_identity": "2345678",
    }
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000", **creds)
538 def test_ap_wpa2_eap_aka_ext(dev
, apdev
):
539 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
541 _test_ap_wpa2_eap_aka_ext(dev
, apdev
)
543 dev
[0].request("SET external_sim 0")
545 def _test_ap_wpa2_eap_aka_ext(dev
, apdev
):
546 check_hlr_auc_gw_support()
547 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
548 hostapd
.add_ap(apdev
[0]['ifname'], params
)
549 dev
[0].request("SET external_sim 1")
550 id = dev
[0].connect("test-wpa2-eap", eap
="AKA", key_mgmt
="WPA-EAP",
551 identity
="0232010000000000",
552 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
553 wait_connect
=False, scan_freq
="2412")
554 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
556 raise Exception("Network connected timed out")
558 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
560 raise Exception("Wait for external SIM processing request timed out")
562 if p
[1] != "UMTS-AUTH":
563 raise Exception("Unexpected CTRL-REQ-SIM type")
564 rid
= p
[0].split('-')[3]
567 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
568 # This will fail during processing, but the ctrl_iface command succeeds
569 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
570 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
572 raise Exception("EAP failure not reported")
573 dev
[0].request("DISCONNECT")
574 dev
[0].wait_disconnected()
577 dev
[0].select_network(id, freq
="2412")
578 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
580 raise Exception("Wait for external SIM processing request timed out")
582 if p
[1] != "UMTS-AUTH":
583 raise Exception("Unexpected CTRL-REQ-SIM type")
584 rid
= p
[0].split('-')[3]
585 # This will fail during UMTS auth validation
586 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:112233445566778899aabbccddee"):
587 raise Exception("CTRL-RSP-SIM failed")
588 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
590 raise Exception("Wait for external SIM processing request timed out")
592 if p
[1] != "UMTS-AUTH":
593 raise Exception("Unexpected CTRL-REQ-SIM type")
594 rid
= p
[0].split('-')[3]
595 # This will fail during UMTS auth validation
596 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:12"):
597 raise Exception("CTRL-RSP-SIM failed")
598 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
600 raise Exception("EAP failure not reported")
601 dev
[0].request("DISCONNECT")
602 dev
[0].wait_disconnected()
605 tests
= [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
607 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
608 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
609 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
610 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
611 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
613 dev
[0].select_network(id, freq
="2412")
614 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
616 raise Exception("Wait for external SIM processing request timed out")
618 if p
[1] != "UMTS-AUTH":
619 raise Exception("Unexpected CTRL-REQ-SIM type")
620 rid
= p
[0].split('-')[3]
621 # This will fail during UMTS auth validation
622 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ t
):
623 raise Exception("CTRL-RSP-SIM failed")
624 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
626 raise Exception("EAP failure not reported")
627 dev
[0].request("DISCONNECT")
628 dev
[0].wait_disconnected()
631 def test_ap_wpa2_eap_aka_prime(dev
, apdev
):
632 """WPA2-Enterprise connection using EAP-AKA'"""
633 check_hlr_auc_gw_support()
634 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
635 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
636 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
637 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
638 hwsim_utils
.test_connectivity(dev
[0], hapd
)
639 eap_reauth(dev
[0], "AKA'")
641 logger
.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
642 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="AKA' AKA",
643 identity
="6555444333222111@both",
644 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
645 wait_connect
=False, scan_freq
="2412")
646 dev
[1].wait_connected(timeout
=15)
648 logger
.info("Negative test with incorrect key")
649 dev
[0].request("REMOVE_NETWORK all")
650 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
651 password
="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
654 def test_ap_wpa2_eap_aka_prime_sql(dev
, apdev
, params
):
655 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
656 check_hlr_auc_gw_support()
660 raise HwsimSkip("No sqlite3 module available")
661 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
662 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
663 params
['auth_server_port'] = "1814"
664 hostapd
.add_ap(apdev
[0]['ifname'], params
)
665 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
666 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
668 logger
.info("AKA' fast re-authentication")
669 eap_reauth(dev
[0], "AKA'")
671 logger
.info("AKA' full auth with pseudonym")
674 cur
.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
675 eap_reauth(dev
[0], "AKA'")
677 logger
.info("AKA' full auth with permanent identity")
680 cur
.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
681 cur
.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
682 eap_reauth(dev
[0], "AKA'")
684 logger
.info("AKA' reauth with mismatching k_aut")
687 cur
.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
688 eap_reauth(dev
[0], "AKA'", expect_failure
=True)
689 dev
[0].request("REMOVE_NETWORK all")
691 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
692 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
695 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
696 eap_reauth(dev
[0], "AKA'")
699 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
700 logger
.info("AKA' reauth with mismatching counter")
701 eap_reauth(dev
[0], "AKA'")
702 dev
[0].request("REMOVE_NETWORK all")
704 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
705 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
708 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
709 logger
.info("AKA' reauth with max reauth count reached")
710 eap_reauth(dev
[0], "AKA'")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # The AP's first configured key management suite must be WPA-EAP.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.partition(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    ttls_pap = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.pem",
        "phase2": "auth=PAP",
    }
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_pap)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # Requested and selected AKM suite must both be 00-0f-ac-1
    # (the IEEE 802.1X AKM selector).
    expected_mib = [
        ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
        ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1"),
    ]
    check_mib(dev[0], expected_mib)
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    # Both matching options are only checked with OpenSSL; skip otherwise.
    for support_check in (check_subject_match_support,
                          check_altsubject_match_support):
        support_check(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Constraints the server certificate must satisfy in addition to
    # chaining to ca_cert: exact subject DN and a matching SAN entry.
    cert_constraints = {
        "subject_match": "/C=FI/O=w1.fi/CN=server.w1.fi",
        "altsubject_match": "EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
    }
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                **cert_constraints)
    eap_reauth(dev[0], "TTLS")
740 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev
, apdev
):
741 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
742 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
743 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
744 eap_connect(dev
[0], apdev
[0], "TTLS", "pap user",
745 anonymous_identity
="ttls", password
="wrong",
746 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
748 eap_connect(dev
[1], apdev
[0], "TTLS", "user",
749 anonymous_identity
="ttls", password
="password",
750 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # The CA certificate is given as auth_serv/ca.der here rather than the
    # .pem file used by the neighbouring TTLS tests.
    ttls_chap = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.der",
        "phase2": "auth=CHAP",
    }
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **ttls_chap)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # altsubject_match is only checked with OpenSSL; skip otherwise.
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Same CHAP credentials as test_ap_wpa2_eap_ttls_chap, with the server
    # certificate additionally required to carry one of the listed SANs.
    san_constraint = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=san_constraint)
    eap_reauth(dev[0], "TTLS")
774 def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev
, apdev
):
775 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
776 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
777 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
778 eap_connect(dev
[0], apdev
[0], "TTLS", "chap user",
779 anonymous_identity
="ttls", password
="wrong",
780 ca_cert
="auth_serv/ca.pem", phase2
="auth=CHAP",
782 eap_connect(dev
[1], apdev
[0], "TTLS", "user",
783 anonymous_identity
="ttls", password
="password",
784 ca_cert
="auth_serv/ca.pem", phase2
="auth=CHAP",
787 def test_ap_wpa2_eap_ttls_mschap(dev
, apdev
):
788 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
789 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
790 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
791 eap_connect(dev
[0], apdev
[0], "TTLS", "mschap user",
792 anonymous_identity
="ttls", password
="password",
793 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
794 domain_suffix_match
="server.w1.fi")
795 hwsim_utils
.test_connectivity(dev
[0], hapd
)
796 eap_reauth(dev
[0], "TTLS")
797 dev
[0].request("REMOVE_NETWORK all")
798 eap_connect(dev
[0], apdev
[0], "TTLS", "mschap user",
799 anonymous_identity
="ttls", password
="password",
800 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
803 def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev
, apdev
):
804 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
805 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
806 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
807 eap_connect(dev
[0], apdev
[0], "TTLS", "mschap user",
808 anonymous_identity
="ttls", password
="wrong",
809 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
811 eap_connect(dev
[1], apdev
[0], "TTLS", "user",
812 anonymous_identity
="ttls", password
="password",
813 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
815 eap_connect(dev
[2], apdev
[0], "TTLS", "no such user",
816 anonymous_identity
="ttls", password
="password",
817 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
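def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # The identity contains a literal backslash (DOMAIN\mschapv2 user).
    # Escape it explicitly: the original "\m" relied on Python leaving an
    # unknown escape untouched, which newer interpreters warn about.
    identity = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)

    # Snapshot the AP-side STA and EAPOL counters before and after the
    # re-authentication so that the reauth is shown to have reached the
    # authentication backend rather than being served from cached state.
    sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    # Same user again, this time with the credential supplied in hashed
    # form via password_hex instead of the cleartext password.
    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")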
def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    # Variant of the MSCHAPv2 test that pins the server certificate with a
    # parent-domain suffix only ("w1.fi" rather than the full "server.w1.fi").
    # check_domain_match_full() skips the test on TLS libraries where
    # wpa_supplicant can only do a full-name match.
    check_domain_match_full(dev[0])
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ap = hostapd.Hostapd(ifname)
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    # Uses the exact-match form (domain_match) instead of domain_suffix_match.
    # NOTE(review): the value is spelled "Server.w1.fi" with a capital S,
    # presumably to exercise case-insensitive comparison against the server
    # certificate's name - confirm that is the intent.
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ap = hostapd.Hostapd(ifname)
    creds = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                 domain_match="Server.w1.fi")
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user", **creds)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
874 def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev
, apdev
):
875 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
876 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
877 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
878 eap_connect(dev
[0], apdev
[0], "TTLS", "DOMAIN\mschapv2 user",
879 anonymous_identity
="ttls", password
="password1",
880 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
882 eap_connect(dev
[1], apdev
[0], "TTLS", "user",
883 anonymous_identity
="ttls", password
="password",
884 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    # Non-ASCII password handling from both ends: dev[0] sends the plaintext
    # UTF-8 password, dev[1] sends the corresponding NT hash via password_hex.
    # NOTE(review): the plaintext goes with identity "utf8-user-hash" and the
    # hash with "utf8-user", which presumably mirrors how the server-side user
    # database stores each credential - confirm against the EAP user file.
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(ifname)  # unused here; kept as in the original
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **common)
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                **common)
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    # EAP-GTC carried inside the TTLS tunnel (phase2 "autheap=" selects an
    # EAP inner method rather than a plain PAP/CHAP/MSCHAP exchange).  GTC
    # sends the password in clear, so the outer TLS tunnel, anchored by
    # ca_cert, is the only thing protecting it.
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
910 def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev
, apdev
):
911 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
912 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
913 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
914 eap_connect(dev
[0], apdev
[0], "TTLS", "user",
915 anonymous_identity
="ttls", password
="wrong",
916 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
919 def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev
, apdev
):
920 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
921 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
922 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
923 eap_connect(dev
[0], apdev
[0], "TTLS", "user-no-passwd",
924 anonymous_identity
="ttls", password
="password",
925 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
928 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev
, apdev
):
929 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
930 params
= int_eap_server_params()
931 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
932 with
alloc_fail(hapd
, 1, "eap_gtc_init"):
933 eap_connect(dev
[0], apdev
[0], "TTLS", "user",
934 anonymous_identity
="ttls", password
="password",
935 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
937 dev
[0].request("REMOVE_NETWORK all")
939 with
alloc_fail(hapd
, 1, "eap_gtc_buildReq"):
940 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
941 eap
="TTLS", identity
="user",
942 anonymous_identity
="ttls", password
="password",
943 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
944 wait_connect
=False, scan_freq
="2412")
945 # This would eventually time out, but we can stop after having reached
946 # the allocation failure.
949 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    # EAP-MD5 as the tunneled inner method; like the GTC case it derives no
    # keys of its own and relies entirely on the server-authenticated TTLS
    # tunnel (ca_cert) for confidentiality.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], apdev[0], "TTLS", "user", **inner)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
962 def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev
, apdev
):
963 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
964 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
965 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
966 eap_connect(dev
[0], apdev
[0], "TTLS", "user",
967 anonymous_identity
="ttls", password
="wrong",
968 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
971 def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev
, apdev
):
972 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
973 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
974 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
975 eap_connect(dev
[0], apdev
[0], "TTLS", "user-no-passwd",
976 anonymous_identity
="ttls", password
="password",
977 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
980 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev
, apdev
):
981 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
982 params
= int_eap_server_params()
983 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
984 with
alloc_fail(hapd
, 1, "eap_md5_init"):
985 eap_connect(dev
[0], apdev
[0], "TTLS", "user",
986 anonymous_identity
="ttls", password
="password",
987 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
989 dev
[0].request("REMOVE_NETWORK all")
991 with
alloc_fail(hapd
, 1, "eap_md5_buildReq"):
992 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
993 eap
="TTLS", identity
="user",
994 anonymous_identity
="ttls", password
="password",
995 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
996 wait_connect
=False, scan_freq
="2412")
997 # This would eventually time out, but we can stop after having reached
998 # the allocation failure.
1001 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    # EAP-MSCHAPv2 (the EAP-encapsulated form, "autheap=") inside TTLS:
    # positive connection with data check and re-authentication, followed by
    # a negative attempt with a wrong password on the same station.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    inner = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                 phase2="autheap=MSCHAPV2")

    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password",
                **inner)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password1",
                expect_failure=True, **inner)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    # Negative case: the client offers a password for "user-no-passwd", an
    # identity that (by its name) has no password on the server side, and
    # the authentication is required to fail rather than fall through.
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
1030 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev
, apdev
):
1031 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
1032 params
= int_eap_server_params()
1033 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1034 with
alloc_fail(hapd
, 1, "eap_mschapv2_init"):
1035 eap_connect(dev
[0], apdev
[0], "TTLS", "user",
1036 anonymous_identity
="ttls", password
="password",
1037 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1038 expect_failure
=True)
1039 dev
[0].request("REMOVE_NETWORK all")
1041 with
alloc_fail(hapd
, 1, "eap_mschapv2_build_challenge"):
1042 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1043 eap
="TTLS", identity
="user",
1044 anonymous_identity
="ttls", password
="password",
1045 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1046 wait_connect
=False, scan_freq
="2412")
1047 # This would eventually time out, but we can stop after having reached
1048 # the allocation failure.
1051 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1053 dev
[0].request("REMOVE_NETWORK all")
1055 with
alloc_fail(hapd
, 1, "eap_mschapv2_build_success_req"):
1056 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1057 eap
="TTLS", identity
="user",
1058 anonymous_identity
="ttls", password
="password",
1059 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1060 wait_connect
=False, scan_freq
="2412")
1061 # This would eventually time out, but we can stop after having reached
1062 # the allocation failure.
1065 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1067 dev
[0].request("REMOVE_NETWORK all")
1069 with
alloc_fail(hapd
, 1, "eap_mschapv2_build_failure_req"):
1070 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1071 eap
="TTLS", identity
="user",
1072 anonymous_identity
="ttls", password
="wrong",
1073 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1074 wait_connect
=False, scan_freq
="2412")
1075 # This would eventually time out, but we can stop after having reached
1076 # the allocation failure.
1079 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1081 dev
[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    # EAP-AKA tunneled in TTLS.  The "password" is the client-side simulated
    # USIM material (three colon-separated hex fields; presumably Ki, OPc and
    # SQN - confirm against the hostapd EAP user database).  Only the realm
    # part of the anonymous identity differs between the TTLS/PEAP/FAST
    # variants of this test.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    usim = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000",
                anonymous_identity="0232010000000000@ttls",
                password=usim,
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    # Same simulated-USIM credential as test_ap_wpa2_eap_ttls_eap_aka, but
    # carried inside a PEAP tunnel (phase2 "auth=AKA").
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    usim = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000",
                anonymous_identity="0232010000000000@peap",
                password=usim,
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    # EAP-AKA inside EAP-FAST.  Skipped (HwsimSkip) when the wpa_supplicant
    # build lacks FAST.  The PAC is kept in a named blob rather than a file.
    # NOTE(review): fast_provisioning=2 presumably selects authenticated
    # (server-certificate based) PAC provisioning, which is why ca_cert is
    # still configured here - confirm against wpa_supplicant.conf.
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    usim = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    fast_cfg = dict(phase1="fast_provisioning=2",
                    pac_file="blob://fast_pac_auth_aka",
                    ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_connect(dev[0], apdev[0], "FAST", "0232010000000000",
                anonymous_identity="0232010000000000@fast",
                password=usim, **fast_cfg)
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    # Four passes over the same PEAP/MSCHAPv2 network on dev[0]:
    #   1. plain connect, data check and re-authentication;
    #   2. the same with fragment_size=200 to force EAP fragmentation;
    #   3. the credential given as the NT hash (password_hex) instead of
    #      the plaintext - the hash alone is enough to authenticate, so it
    #      is as sensitive as the password;
    #   4. a wrong password, which must be rejected.
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                 phase2="auth=MSCHAPV2")

    def fresh_connect(**extra):
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "PEAP", "user", **dict(inner, **extra))

    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                **inner)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    fresh_connect(password="password", fragment_size="200")

    logger.info("Password as hash value")
    fresh_connect(password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c")

    logger.info("Negative test with incorrect password")
    fresh_connect(password="password1", expect_failure=True)
def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    # Identity carries a Windows-style DOMAIN\user prefix.  The literal is
    # written with an escaped backslash so it means the same bytes as the
    # original "DOMAIN\user3" on Python 2 without relying on an unknown
    # escape sequence.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    # Negative case only: a wrong inner password must lead to EAP failure,
    # which eap_connect() checks for when expect_failure is set.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    attempt = dict(anonymous_identity="peap", password="wrong",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   expect_failure=True)
    eap_connect(dev[0], apdev[0], "PEAP", "user", **attempt)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    # PEAPv0 with each of the three crypto_binding settings on a separate
    # station.  NOTE(review): presumably 2 = required, 1 = optional,
    # 0 = disabled (the wpa_supplicant.conf meaning) - confirm.  Cryptographic
    # binding ties the inner MSCHAPv2 result to the outer TLS tunnel; only the
    # "required" station is additionally checked for data connectivity and
    # re-authentication, the other two only need to complete the connection.
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(password="password", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")

    eap_connect(dev[0], apdev[0], "PEAP", "user",
                phase1="peapver=0 crypto_binding=2", **common)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    for sta, binding in ((dev[1], 1), (dev[2], 0)):
        eap_connect(sta, apdev[0], "PEAP", "user",
                    phase1="peapver=0 crypto_binding=%d" % binding, **common)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    # Uses the internal EAP server (int_eap_server_params) so alloc_fail()
    # can make the first allocation in eap_mschapv2_getKey fail on the AP.
    # With crypto_binding=2 the server cannot produce the inner-method key
    # the binding needs, so the connection must fail; local_error_report
    # tells eap_connect() the failure is detected locally rather than via an
    # EAP-Failure from the server.
    ap = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    attempt = dict(password="password", ca_cert="auth_serv/ca.pem",
                   phase1="peapver=0 crypto_binding=2",
                   phase2="auth=MSCHAPV2",
                   expect_failure=True, local_error_report=True)
    with alloc_fail(ap, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user", **attempt)
1192 def test_ap_wpa2_eap_peap_params(dev
, apdev
):
1193 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
1194 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1195 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1196 eap_connect(dev
[0], apdev
[0], "PEAP", "user",
1197 anonymous_identity
="peap", password
="password",
1198 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1199 phase1
="peapver=0 peaplabel=1",
1200 expect_failure
=True)
1201 dev
[0].request("REMOVE_NETWORK all")
1202 eap_connect(dev
[1], apdev
[0], "PEAP", "user", password
="password",
1203 ca_cert
="auth_serv/ca.pem",
1204 phase1
="peap_outer_success=1",
1205 phase2
="auth=MSCHAPV2")
1206 eap_connect(dev
[2], apdev
[0], "PEAP", "user", password
="password",
1207 ca_cert
="auth_serv/ca.pem",
1208 phase1
="peap_outer_success=2",
1209 phase2
="auth=MSCHAPV2")
1210 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
1212 anonymous_identity
="peap", password
="password",
1213 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1214 phase1
="peapver=1 peaplabel=1",
1215 wait_connect
=False, scan_freq
="2412")
1216 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
1218 raise Exception("No EAP success seen")
1219 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=1)
1221 raise Exception("Unexpected connection")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    # EAP-TLS as the PEAP inner method: the "2"-suffixed parameters are the
    # phase-2 (inner) credentials, while the plain ca_cert validates the
    # outer PEAP server certificate.  Both use the same test CA here.
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner_creds = dict(ca_cert2="auth_serv/ca.pem",
                       client_cert2="auth_serv/user.pem",
                       private_key2="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                **inner_creds)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    # Certificate-based client authentication: the station presents
    # auth_serv/user.pem with its key auth_serv/user.key and validates the
    # server against auth_serv/ca.pem.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    client_creds = dict(ca_cert="auth_serv/ca.pem",
                        client_cert="auth_serv/user.pem",
                        private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **client_creds)
    eap_reauth(dev[0], "TLS")
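def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    # Same EAP-TLS handshake as test_ap_wpa2_eap_tls, but the CA cert, client
    # cert and private key are pushed into wpa_supplicant as named
    # configuration blobs over the control interface and referenced as
    # blob://<name> instead of as files on disk.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    def set_blob(name, fname):
        # read_pem() returns the base64-decoded (DER) body; blob payloads are
        # sent hex-encoded (str.encode("hex") is the Python 2 spelling).
        # The error message names the blob that actually failed - the
        # original reported "cacert" for the userkey blob as well, which
        # would misdirect whoever debugs a failure here.
        data = read_pem(fname)
        if "OK" not in dev[0].request("SET blob %s %s" % (name, data.encode("hex"))):
            raise Exception("Could not set %s blob" % name)

    set_blob("cacert", "auth_serv/ca.pem")
    set_blob("usercert", "auth_serv/user.pem")
    set_blob("userkey", "auth_serv/user.rsa-key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")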
1260 def test_ap_wpa2_eap_tls_pkcs12(dev
, apdev
):
1261 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
1262 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1263 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1264 eap_connect(dev
[0], apdev
[0], "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
1265 private_key
="auth_serv/user.pkcs12",
1266 private_key_passwd
="whatever")
1267 dev
[0].request("REMOVE_NETWORK all")
1268 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
1269 identity
="tls user",
1270 ca_cert
="auth_serv/ca.pem",
1271 private_key
="auth_serv/user.pkcs12",
1272 wait_connect
=False, scan_freq
="2412")
1273 ev
= dev
[0].wait_event(["CTRL-REQ-PASSPHRASE"])
1275 raise Exception("Request for private key passphrase timed out")
1276 id = ev
.split(':')[0].split('-')[-1]
1277 dev
[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
1278 dev
[0].wait_connected(timeout
=10)
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    # Like test_ap_wpa2_eap_tls_blob, but the client credential is one
    # PKCS#12 bundle (presumably cert plus key, since no client_cert is
    # configured) pushed in as the "pkcs12" blob, unlocked with
    # private_key_passwd, and referenced through private_key="blob://pkcs12".
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def push_blob(name, raw):
        # Blob payloads are hex-encoded on the control interface
        # (str.encode("hex") is the Python 2 spelling of hexlify).
        reply = dev[0].request("SET blob %s %s" % (name, raw.encode("hex")))
        return "OK" in reply

    if not push_blob("cacert", read_pem("auth_serv/ca.pem")):
        raise Exception("Could not set cacert blob")
    with open("auth_serv/user.pkcs12", "rb") as f:
        if not push_blob("pkcs12", f.read()):
            raise Exception("Could not set pkcs12 blob")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
1294 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev
, apdev
):
1295 """WPA2-Enterprise negative test - incorrect trust root"""
1296 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1297 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1298 cert
= read_pem("auth_serv/ca-incorrect.pem")
1299 if "OK" not in dev
[0].request("SET blob cacert " + cert
.encode("hex")):
1300 raise Exception("Could not set cacert blob")
1301 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1302 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
1303 password
="password", phase2
="auth=MSCHAPV2",
1304 ca_cert
="blob://cacert",
1305 wait_connect
=False, scan_freq
="2412")
1306 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1307 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
1308 password
="password", phase2
="auth=MSCHAPV2",
1309 ca_cert
="auth_serv/ca-incorrect.pem",
1310 wait_connect
=False, scan_freq
="2412")
1312 for dev
in (dev
[0], dev
[1]):
1313 ev
= dev
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
1315 raise Exception("Association and EAP start timed out")
1317 ev
= dev
.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
1319 raise Exception("EAP method selection timed out")
1320 if "TTLS" not in ev
:
1321 raise Exception("Unexpected EAP method")
1323 ev
= dev
.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1324 "CTRL-EVENT-EAP-SUCCESS",
1325 "CTRL-EVENT-EAP-FAILURE",
1326 "CTRL-EVENT-CONNECTED",
1327 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1329 raise Exception("EAP result timed out")
1330 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
1331 raise Exception("TLS certificate error not reported")
1333 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS",
1334 "CTRL-EVENT-EAP-FAILURE",
1335 "CTRL-EVENT-CONNECTED",
1336 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1338 raise Exception("EAP result(2) timed out")
1339 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
1340 raise Exception("EAP failure not reported")
1342 ev
= dev
.wait_event(["CTRL-EVENT-CONNECTED",
1343 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1345 raise Exception("EAP result(3) timed out")
1346 if "CTRL-EVENT-DISCONNECTED" not in ev
:
1347 raise Exception("Disconnection not reported")
1349 ev
= dev
.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
1351 raise Exception("Network block disabling not reported")
1353 def test_ap_wpa2_eap_tls_diff_ca_trust(dev
, apdev
):
1354 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1355 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1356 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1357 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1358 identity
="pap user", anonymous_identity
="ttls",
1359 password
="password", phase2
="auth=PAP",
1360 ca_cert
="auth_serv/ca.pem",
1361 wait_connect
=True, scan_freq
="2412")
1362 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1363 identity
="pap user", anonymous_identity
="ttls",
1364 password
="password", phase2
="auth=PAP",
1365 ca_cert
="auth_serv/ca-incorrect.pem",
1366 only_add_network
=True, scan_freq
="2412")
1368 dev
[0].request("DISCONNECT")
1369 dev
[0].wait_disconnected()
1370 dev
[0].dump_monitor()
1371 dev
[0].select_network(id, freq
="2412")
1373 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout
=15)
1375 raise Exception("EAP-TTLS not re-started")
1377 ev
= dev
[0].wait_disconnected(timeout
=15)
1378 if "reason=23" not in ev
:
1379 raise Exception("Proper reason code for disconnection not reported")
1381 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev
, apdev
):
1382 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1383 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1384 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1385 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1386 identity
="pap user", anonymous_identity
="ttls",
1387 password
="password", phase2
="auth=PAP",
1388 wait_connect
=True, scan_freq
="2412")
1389 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1390 identity
="pap user", anonymous_identity
="ttls",
1391 password
="password", phase2
="auth=PAP",
1392 ca_cert
="auth_serv/ca-incorrect.pem",
1393 only_add_network
=True, scan_freq
="2412")
1395 dev
[0].request("DISCONNECT")
1396 dev
[0].wait_disconnected()
1397 dev
[0].dump_monitor()
1398 dev
[0].select_network(id, freq
="2412")
1400 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout
=15)
1402 raise Exception("EAP-TTLS not re-started")
1404 ev
= dev
[0].wait_disconnected(timeout
=15)
1405 if "reason=23" not in ev
:
1406 raise Exception("Proper reason code for disconnection not reported")
1408 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev
, apdev
):
1409 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1410 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1411 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1412 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1413 identity
="pap user", anonymous_identity
="ttls",
1414 password
="password", phase2
="auth=PAP",
1415 ca_cert
="auth_serv/ca.pem",
1416 wait_connect
=True, scan_freq
="2412")
1417 dev
[0].request("DISCONNECT")
1418 dev
[0].wait_disconnected()
1419 dev
[0].dump_monitor()
1420 dev
[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
1421 dev
[0].select_network(id, freq
="2412")
1423 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout
=15)
1425 raise Exception("EAP-TTLS not re-started")
1427 ev
= dev
[0].wait_disconnected(timeout
=15)
1428 if "reason=23" not in ev
:
1429 raise Exception("Proper reason code for disconnection not reported")
1431 def test_ap_wpa2_eap_tls_neg_suffix_match(dev
, apdev
):
1432 """WPA2-Enterprise negative test - domain suffix mismatch"""
1433 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1434 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1435 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1436 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
1437 password
="password", phase2
="auth=MSCHAPV2",
1438 ca_cert
="auth_serv/ca.pem",
1439 domain_suffix_match
="incorrect.example.com",
1440 wait_connect
=False, scan_freq
="2412")
1442 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
1444 raise Exception("Association and EAP start timed out")
1446 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
1448 raise Exception("EAP method selection timed out")
1449 if "TTLS" not in ev
:
1450 raise Exception("Unexpected EAP method")
1452 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1453 "CTRL-EVENT-EAP-SUCCESS",
1454 "CTRL-EVENT-EAP-FAILURE",
1455 "CTRL-EVENT-CONNECTED",
1456 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1458 raise Exception("EAP result timed out")
1459 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
1460 raise Exception("TLS certificate error not reported")
1461 if "Domain suffix mismatch" not in ev
:
1462 raise Exception("Domain suffix mismatch not reported")
1464 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1465 "CTRL-EVENT-EAP-FAILURE",
1466 "CTRL-EVENT-CONNECTED",
1467 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1469 raise Exception("EAP result(2) timed out")
1470 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
1471 raise Exception("EAP failure not reported")
1473 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
1474 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1476 raise Exception("EAP result(3) timed out")
1477 if "CTRL-EVENT-DISCONNECTED" not in ev
:
1478 raise Exception("Disconnection not reported")
1480 ev
= dev
[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
1482 raise Exception("Network block disabling not reported")
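def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch

    The server certificate chains to auth_serv/ca.pem, so chain validation
    itself succeeds; only domain_match ("w1.fi") is expected to fail. The
    property under test is that the supplicant reports the certificate
    error, ends the EAP exchange with a failure (the intent being that the
    Phase 2 MSCHAPv2 credentials are never released to an unverified
    server), disconnects, and temporarily disables the network block.

    As shown on the page the "if ev is None:" guards after each wait_event
    were lost, which made every raise unconditional; they are restored
    here. The identity string is written with an explicit "\\" so the
    literal backslash no longer depends on "\m" being an unknown escape.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # Success/connected events are listened for as well so that a
    # supplicant which wrongly accepts the certificate fails the test
    # immediately instead of by timeout.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # The network block must be backed off so the supplicant does not keep
    # retrying against a server that failed certificate validation.
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")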
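def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch

    ca_cert validates the chain; subject_match asks for a subject
    (/C=FI/O=w1.fi/CN=example.com) the server certificate does not carry,
    so the handshake must be rejected with "Subject mismatch" and the
    connection must end in EAP failure, disconnection and a temporarily
    disabled network block.

    As shown on the page the "if ev is None:" guards and the early
    "return" in the unsupported-TLS-library branch were lost; they are
    restored here. The identity uses an explicit "\\" so the literal
    backslash no longer depends on "\m" being an unknown escape.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # Only OpenSSL builds implement subject_match (compare
        # check_subject_match_support). Other TLS libraries refuse the
        # configuration outright, which is also a safe outcome: no
        # connection is made with an unchecked constraint.
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")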
def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # altsubject_match values that must NOT match the server certificate's
    # subjectAltName; each one is handed to the helper below and must end
    # in a TLS certificate error.
    # NOTE(review): the tail of this list and the loop header that binds
    # "match" are missing from this copy of the page; only the surviving
    # tokens are shown.
    tests = [ "incorrect.example.com",
              "DNS:incorrect.example.com",
        _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
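def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one altsubject_match negative case against the already-running AP.

    match: the altsubject_match value; it must not match the server
    certificate, so the handshake must fail with "AltSubject mismatch"
    and the connection must end in EAP failure, disconnection and a
    temporarily disabled network block. The network block is removed at
    the end so the caller can run the next case.

    As shown on the page the "if ev is None:" guards and the early
    "return" in the unsupported-TLS-library branch were lost; they are
    restored here. The identity uses an explicit "\\" so the literal
    backslash no longer depends on "\m" being an unknown escape.
    """
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # Only OpenSSL builds implement altsubject_match (compare
        # check_altsubject_match_support); other libraries refuse the
        # configuration, which is also safe. Note that this path returns
        # without removing the network block.
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")

    dev[0].request("REMOVE_NETWORK all")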
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS

    The server is validated against auth_serv/ca.pem, but no client
    certificate or password is configured on the station side; the
    connection and a subsequent reauthentication must both succeed.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    server_ca = "auth_serv/ca.pem"
    eap_connect(dev[0], apdev[0], "UNAUTH-TLS", "unauth-tls", ca_cert=server_ca)
    eap_reauth(dev[0], "UNAUTH-TLS")
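def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash

    Three steps: (1) ca_cert="probe://" makes the supplicant report the
    server certificate (including its hash) and then abort, (2) a
    hash://server/sha256/ pin with the wrong digest must be rejected with
    "Server certificate mismatch", and (3) the correct pin authenticates.

    As shown on the page the "if ev is None:" guards after each wait_event
    were lost, which made every raise unconditional; they are restored
    here. The identity uses an explicit "\\" so the literal backslash no
    longer depends on "\m" being an unknown escape.
    """
    check_cert_probe_support(dev[0])
    # SHA-256 of the certificate presented by the auth_serv test server.
    srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Step 1: probe mode. No credentials are configured; the connection is
    # expected to end in a certificate error after the chain is reported.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 2: well-formed pin with the wrong digest. The mismatch must be
    # reported as a certificate error, i.e. before Phase 2 runs.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 3: the pin matching the probed certificate.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")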
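def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)

    Malformed hash:// pins must be rejected when the EAP method is
    initialised, i.e. before any TLS handshake is attempted: an md5 pin
    (digest not accepted), a sha256 pin that is too short, and a sha256
    pin containing a non-hex character ('Q').

    As shown on the page the "if ev is None:" guards after each wait_event
    were lost, which made every raise unconditional; they are restored
    here. The identity uses an explicit "\\" so the literal backslash no
    longer depends on "\m" being an unknown escape.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    bad_pins = [
        # digest algorithm not accepted for pinning
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        # 62 hex digits instead of 64
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        # non-hex character in the digest
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    # One station per bad pin, started in order as in the original.
    for i, pin in enumerate(bad_pins):
        dev[i].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                       password="password", phase2="auth=MSCHAPV2",
                       ca_cert=pin,
                       wait_connect=False, scan_freq="2412")
    for i in range(0, 3):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        # Method 21 is TTLS; the failure must be at initialisation.
        ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")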
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd"""
    check_eap_capa(dev[0], "PWD")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    # Very long identity; presumably exercises identity handling near the
    # EAP fragmentation boundary.
    # NOTE(review): the closing keyword argument(s) of this call and of the
    # dev[0] call at the end are missing from this copy of the page.
    eap_connect(dev[1], apdev[0], "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
    logger.info("Negative test with incorrect password")
    # local_error_report=True: presumably the failure is detected on the
    # station side rather than reported by the server - confirm against
    # eap_connect.
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)
    eap_connect(dev[0], apdev[0], "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash

    The "pwd-hash" user can authenticate with either the cleartext password
    or its NT hash given as password_hex="hash:<hex>". Presenting the same
    hash for "pwd user" must fail (the server evidently only accepts the
    hash form for "pwd-hash").

    Caveat: an NT hash is password-equivalent - whoever holds it can
    authenticate as that user - so it has to be protected like the password.
    """
    check_eap_capa(dev[0], "PWD")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    nt_hash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    eap_connect(dev[0], apdev[0], "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], apdev[0], "PWD", "pwd-hash", password_hex=nt_hash)
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password_hex=nt_hash,
                expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups

    The AP is re-created once per pwd_group value and a fresh EAP-pwd
    connection must succeed each time. The numbers are presumably IANA
    Diffie-Hellman group identifiers (19-21 being the NIST P-256/384/521
    curves) - confirm against hostapd.conf.
    """
    check_eap_capa(dev[0], "PWD")
    base_params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
                    "rsn_pairwise": "CCMP", "ieee8021x": "1",
                    "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    for group in [ 19, 20, 21, 25, 26 ]:
        base_params['pwd_group'] = str(group)
        hostapd.add_ap(apdev[0]['ifname'], base_params)
        # Drop the previous iteration's network block before reconnecting.
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
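def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group

    pwd_group=0 is not a usable group; the exchange must end in an EAP
    failure on the station rather than a connection on a degraded group.

    As shown on the page the "if ev is None:" guard before the raise was
    lost, which made the raise unconditional; it is restored here.
    """
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    params['pwd_group'] = "0"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    # No explicit timeout in the original; wait_event's default applies.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")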
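def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    fragment_size=40 forces the hostapd EAP-pwd server to split its
    messages; the station must reassemble them and still authenticate.

    The original first built hostapd.wpa2_eap_params() and then replaced
    the result with the literal below; that dead assignment is dropped.
    """
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")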
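def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK

    Covers a normal connection plus reauthentication, forced cipher suite
    selection through phase1 "cipher=1"/"cipher=2", a cipher the server
    must reject ("cipher=9"), and an incorrect PSK.

    As shown on the page the "if ev is None:" guards after the wait_event
    calls were lost, which made the raises unconditional; they are restored
    here.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                     password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    logger.info("Test forced algorithm selection")
    for phase1 in [ "cipher=1", "cipher=2" ]:
        # Updating phase1 on the live network block evidently triggers a
        # new EAP exchange; it must succeed with the forced cipher.
        dev[0].set_network_quoted(id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(id, "phase1", "cipher=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)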
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    A 32-byte root secret given as password_hex must authenticate and
    reauthenticate; a secret differing in the first byte must be rejected.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    good_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=good_key)
    eap_reauth(dev[0], "SAKE")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=bad_key,
                expect_failure=True)
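def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE

    Covers a normal connection plus reauthentication, forced algorithm
    selection through phase1 (dhgroup/encr/prf/mac), a proposal the server
    must reject (all values 9), and an incorrect password.

    As shown on the page the "if ev is None:" guards after the wait_event
    calls were lost, which made the raises unconditional; they are restored
    here.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    logger.info("Test forced algorithm selection")
    for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
                    "dhgroup=4 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=1 mac=1" ]:
        # Updating phase1 on the live network block evidently triggers a
        # new EAP exchange; it must succeed with the forced parameters.
        dev[0].set_network_quoted(id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)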
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI

    The integrated EAP server is given an NAI-form server_id and the EKE
    exchange must still complete.
    """
    ap_params = int_eap_server_params()
    ap_params['server_id'] = 'example.server@w1.fi'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with server OOM

    Injects allocation failures into the hostapd EAP-EKE server (alloc_fail
    on hapd) at specific points and checks that each one is handled as an
    EAP failure rather than a crash or a hang.
    NOTE(review): several structural lines of this function (the
    "if ev is None:"-style polling loop bodies with break/sleep, and the
    try: that pairs with the except at the end) are missing from this copy
    of the page; only the surviving tokens are shown, in order.
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)

    # The count-th allocation inside the named server function fails; the
    # connection attempt must end with an EAP failure.
    for count,func in [ (1, "eap_eke_build_commit"),
                        (2, "eap_eke_build_commit"),
                        (3, "eap_eke_build_commit"),
                        (1, "eap_eke_build_confirm"),
                        (2, "eap_eke_build_confirm"),
                        (1, "eap_eke_process_commit"),
                        (2, "eap_eke_process_commit"),
                        (1, "eap_eke_process_confirm"),
                        (1, "eap_eke_process_identity"),
                        (2, "eap_eke_process_identity"),
                        (3, "eap_eke_process_identity"),
                        (4, "eap_eke_process_identity") ]:
        with alloc_fail(hapd, count, func):
            eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
                        expect_failure=True)
            dev[0].request("REMOVE_NETWORK all")

    # Failure points that do not necessarily yield a clean EAP failure
    # event on the station; only wait until the injected failure has been
    # consumed (GET_ALLOC_FAIL reports a remaining count of 0).
    for count,func,pw in [ (1, "eap_eke_init", "hello"),
                           (1, "eap_eke_get_session_id", "hello"),
                           (1, "eap_eke_getKey", "hello"),
                           (1, "eap_eke_build_msg", "hello"),
                           (1, "eap_eke_build_failure", "wrong"),
                           (1, "eap_eke_build_identity", "hello"),
                           (2, "eap_eke_build_identity", "hello") ]:
        with alloc_fail(hapd, count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            # NOTE(review): the polling loop and the body of this "if"
            # (break) are missing from this copy.
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            dev[0].request("REMOVE_NETWORK all")

    # Sweep the allocation-failure index through the generic EAP server
    # state machine until alloc_fail reports that the failure no longer
    # triggers. NOTE(review): the enclosing "try:" is missing from this
    # copy; "pw" here is the leftover value from the previous loop.
    for count in range(1, 1000):
        with alloc_fail(hapd, count, "eap_server_sm_step"):
            dev[0].connect("test-wpa2-eap",
                           key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            dev[0].request("REMOVE_NETWORK all")
    except Exception, e:
        # Reaching an index that never fails means every allocation path of
        # eap_server_sm_step has been exercised.
        if str(e) == "Allocation failure did not trigger":
            raise Exception("Too few allocation failures")
        logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Connects with the shared password, reauthenticates, reconnects with a
    small station-side fragment_size, and finally checks that a wrong
    password is rejected.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    user = "ikev2 user"
    good_pw = "ike password"

    eap_connect(dev[0], apdev[0], "IKEV2", user, password=good_pw)
    eap_reauth(dev[0], "IKEV2")
    dev[0].request("REMOVE_NETWORK all")
    # Station-side fragmentation of the EAP-IKEv2 messages.
    eap_connect(dev[0], apdev[0], "IKEV2", user, password=good_pw,
                fragment_size="50")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", user, password="ike-password",
                expect_failure=True)
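def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    fragment_size=50 on the AP forces the hostapd EAP-IKEv2 server to split
    its messages; the station must reassemble them, authenticate and
    reauthenticate.

    The original first built hostapd.wpa2_eap_params() and then replaced
    the result with the literal below; that dead assignment is dropped.
    """
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")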
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    A 16-byte key given as password_hex must authenticate and
    reauthenticate; a key differing in the first byte must be rejected.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    user = "pax.user@example.com"
    eap_connect(dev[0], apdev[0], "PAX", user,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "PAX")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PAX", user,
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    The AP is configured for the SHA-256 AKM (WPA-EAP-SHA256) with
    ieee80211w=2 (PMF required, per hostapd.conf). After connecting and
    reauthenticating, the negotiated AKM suite selector 00-0f-ac-5 is
    checked through the MIB and the BSS flags, and an incorrect PSK must be
    rejected.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    user = "psk.user@example.com"
    eap_connect(dev[0], apdev[0], "PSK", user,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)

    # 00-0f-ac-5: the IEEE 802.1X-with-SHA-256 AKM suite selector.
    suite = "00-0f-ac-5"
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", suite),
                        ("dot11RSNAAuthenticationSuiteSelected", suite) ])

    bss_entry = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss_entry:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss_entry['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PSK", user,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
def test_ap_wpa2_eap_psk_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK and OOM

    Injects allocation failures into the station's AES-EAX/OMAC1 crypto
    helpers used by EAP-PSK and checks the method fails cleanly.
    NOTE(review): the "if ev is None:" guards and the polling loop around
    GET_ALLOC_FAIL are missing from this copy of the page; only the
    surviving tokens are shown.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # (count, function) pairs for alloc_fail. The string form presumably
    # names a call chain with ";" and the function itself with "=" -
    # confirm against alloc_fail in utils.
    tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
              (1, "omac1_aes_128;aes_128_eax_encrypt"),
              (2, "omac1_aes_128;aes_128_eax_encrypt"),
              (3, "omac1_aes_128;aes_128_eax_encrypt"),
              (1, "=aes_128_eax_encrypt"),
              (1, "omac1_aes_vector"),
              (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
              (1, "omac1_aes_128;aes_128_eax_decrypt"),
              (2, "omac1_aes_128;aes_128_eax_decrypt"),
              (3, "omac1_aes_128;aes_128_eax_decrypt"),
              (1, "=aes_128_eax_decrypt") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                           identity="psk.user@example.com",
                           password_hex="0123456789abcdef0123456789abcdef",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            raise Exception("EAP method not selected")
            # Wait until the injected allocation failure has been consumed.
            if "0:" in dev[0].request("GET_ALLOC_FAIL"):
            dev[0].request("REMOVE_NETWORK all")

    # A failure in the block cipher itself must surface as an EAP failure.
    with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                       identity="psk.user@example.com",
                       password_hex="0123456789abcdef0123456789abcdef",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        raise Exception("EAP method failure not reported")
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    WPA (version 1, rsn=False) rather than WPA2: the MIB must report the
    WPA AKM selector 00-50-f2-1, STATUS-VERBOSE must expose
    portControl=Auto, and the eap_session_id must begin with "19"
    (presumably the PEAP EAP type, 25 = 0x19 - confirm).
    NOTE(review): the last argument line of the connect call is missing
    from this copy of the page.
    """
    params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
    status = dev[0].get_status(extra="VERBOSE")
    if 'portControl' not in status:
        raise Exception("portControl missing from STATUS-VERBOSE")
    if status['portControl'] != 'Auto':
        raise Exception("Unexpected portControl value: " + status['portControl'])
    if 'eap_session_id' not in status:
        raise Exception("eap_session_id missing from STATUS-VERBOSE")
    if not status['eap_session_id'].startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry

    Drives the control-interface credential prompts: the supplicant emits
    CTRL-REQ-IDENTITY / CTRL-REQ-PASSWORD (or CTRL-REQ-OTP) and the test
    answers with CTRL-RSP-<type>-<id>:<value>. Credentials therefore never
    sit in the network block configuration.
    NOTE(review): the trailing fields of the first test tuple, the per-case
    logger line, the conditional around the identity prompt (presumably
    "if req_id:") and the "if ev is None:" guards are missing from this
    copy of the page; only the surviving tokens are shown.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # (description, eap, anonymous_identity, identity, phase2,
    #  identity to supply interactively or None, password to supply)
    tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
               "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
              ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
               "TTLS", "ttls", None, "auth=MSCHAPV2",
               "DOMAIN\mschapv2 user", "password"),
              ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
               "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
              ("Connection with dynamic TTLS/EAP-MD5 password entry",
               "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
              ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
               "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
              ("Connection with dynamic PEAP/EAP-GTC password entry",
               "PEAP", None, "user", "auth=GTC", None, "password") ]
    for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
        raise Exception("Request for identity timed out")
        # The request id is the last "-"-separated field before the ":".
        id = ev.split(':')[0].split('-')[-1]
        dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
        raise Exception("Request for password timed out")
        id = ev.split(':')[0].split('-')[-1]
        # GTC may ask for a one-time password instead; answer with the
        # matching response type. ("type" shadows the builtin here.)
        type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
    eap_reauth(dev[0], "VENDOR-TEST")
    # NOTE(review): the keyword arguments closing this second call are
    # missing from this copy of the page.
    eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    phase1 "fast_provisioning=1" selects unauthenticated PAC provisioning
    (compare "fast_provisioning=2", authenticated, in
    test_ap_wpa2_eap_fast_gtc_auth_prov). Caveat: by the EAP-FAST design
    the server is not authenticated during anonymous provisioning, so an
    attacker in the path at that moment could hand out its own PAC; the
    mode is acceptable here only because this is a closed test setup.
    After provisioning, the reauthentication must resume the TLS session
    through the PAC stored in blob://fast_pac.
    """
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    creds = dict(anonymous_identity="FAST", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                 phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    eap_connect(dev[0], apdev[0], "FAST", "user", **creds)
    hwsim_utils.test_connectivity(dev[0], hapd)

    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file

    Provisions a PAC into a file under the test log directory (text
    format on dev[0], binary format on dev[1]) and reconnects using it.
    NOTE(review): a number of lines of this function (the pac_file
    argument closing several calls, the read of the PAC file into "data",
    the binary-PAC checks and part of the cleanup) are missing from this
    copy of the page; only the surviving tokens are shown.
    """
    check_eap_capa(dev[0], "FAST")
    # The test-framework "params" (logdir) is consumed first and the name
    # is then reused for the hostapd parameters.
    # The PAC file holds the PAC-Key in cleartext (the test asserts on
    # "PAC-Key=" below); it is a credential-equivalent secret, so the
    # logdir must not be readable by other users - not checked here.
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file=pac_file)
    with open(pac_file, "r") as f:
        # NOTE(review): the assignment of "data" from f is missing here.
        if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
            raise Exception("PAC file header missing")
        if "PAC-Key=" not in data:
            raise Exception("PAC-Key missing from PAC file")
    dev[0].request("REMOVE_NETWORK all")
    # Reconnect without provisioning, using the PAC already in the file.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    # Same sequence with the binary PAC format on dev[1].
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_pac_format=binary",
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_pac_format=binary",
    os.remove(pac_file2)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    Provisions a PAC (unauthenticated provisioning, binary PAC format,
    at most one PAC kept) into blob://fast_pac_bin and checks that the
    reauthentication resumes the TLS session through it.
    """
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    fast_phase1 = "fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary"
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=fast_phase1,
                pac_file="blob://fast_pac_bin")
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
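def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config

    Without fast_provisioning in phase1 the station has no way to obtain
    a PAC, so EAP-FAST must fail both when pac_file points at an unused
    blob and when no pac_file is configured at all.

    As shown on the page the "if ev is None:" guards before the raises
    were lost, which made them unconditional; they are restored here.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # pac_file configured but no provisioning allowed and no PAC present.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   pac_file="blob://fast_pac_not_in_use",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")

    # No pac_file at all.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")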
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning

    phase1 "fast_provisioning=2" selects authenticated provisioning (the
    server certificate is checked against auth_serv/ca.pem before the PAC
    is accepted), which is the mode to prefer over the unauthenticated one
    exercised in test_ap_wpa2_eap_fast_mschapv2_unauth_prov. The
    reauthentication must resume the TLS session through the PAC.
    """
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    creds = dict(anonymous_identity="FAST", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                 phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    eap_connect(dev[0], apdev[0], "FAST", "user", **creds)
    hwsim_utils.test_connectivity(dev[0], hapd)

    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
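def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing

    After a PAC has been provisioned for "user", the identity on the live
    network block is changed to "user2". The PAC must not let "user2" in:
    the exchange must restart and end in an EAP failure and disconnection.

    As shown on the page the "if ev is None:" guards before the raises
    were lost, which made them unconditional; they are restored here.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    id = eap_connect(dev[0], apdev[0], "FAST", "user",
                     anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                     phase1="fast_provisioning=2",
                     pac_file="blob://fast_pac_auth")
    dev[0].set_network_quoted(id, "identity", "user2")
    dev[0].wait_disconnected()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:
        raise Exception("EAP-FAST not started")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].wait_disconnected()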
def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and OOM in PRF

    An allocation failure is injected into openssl_tls_prf (see
    utils.alloc_fail for the meaning of the count argument); the EAP
    exchange must then fail cleanly instead of crashing or hanging.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(dev[0], 2, "openssl_tls_prf"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password", ca_cert="auth_serv/ca.pem",
                       # [gutter line 2286 dropped by the page rendering;
                       #  one connect() argument is missing here]
                       phase1="fast_provisioning=2",
                       pac_file="blob://fast_pac_auth",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        # [gutter line 2291 dropped by the page rendering; presumably the
        #  `if ev is None:` guard that makes the next raise conditional]
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # ocsp=2 makes a valid stapled OCSP response for the server
    # certificate mandatory; the connection only succeeds if the AP
    # staples one that verifies.
    eap_connect(dev[0], ap, "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever",
                ocsp=2)
def int_eap_server_params():
    """Return hostapd parameters for a WPA2-EAP AP using the integrated EAP server.

    Callers adjust the returned dict (server_cert/private_key, OCSP
    stapling response, dh_file, eap_user_file, ...) before handing it to
    hostapd.add_ap. A fresh dict is built on every call.
    """
    params = {
        "ssid": "test-wpa2-eap",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP",
        "rsn_pairwise": "CCMP",
        "ieee8021x": "1",
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
        "ca_cert": "auth_serv/ca.pem",
        "server_cert": "auth_serv/server.pem",
        "private_key": "auth_serv/server.key",
    }
    # NOTE(review): gutter line 2310 was dropped by the page rendering; the
    # callers on this page (`params = int_eap_server_params()` followed by
    # item assignment) establish that the dict is returned.
    return params
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response

    The AP staples a malformed OCSP response; with ocsp=2 the supplicant
    must report the bad status response and fail the EAP exchange.
    """
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # [gutter lines 2322-2323 dropped by the page rendering; judging by
    #  the "Unexpected number" raise below they set up a bounded loop
    #  around the status polling]
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    # [gutter line 2325 dropped; presumably `if ev is None:` for this raise]
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        # [gutter lines 2328-2330 dropped: the exit taken on this match and
        #  the counting that precedes the raise below, which therefore
        #  belongs to a different branch than the one it sits in here]
        raise Exception("Unexpected number of EAP status messages")
    # [gutter line 2332 dropped]
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # [gutter line 2334 dropped; presumably `if ev is None:`]
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked

    The stapled response (expected in the run's log directory, otherwise
    the test is skipped) marks the server certificate as revoked; with
    ocsp=2 the supplicant must fail the EAP exchange.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is rebound from the test fixture to the hostapd config.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # [gutter lines 2350-2351 dropped by the page rendering; judging by
    #  the "Unexpected number" raise below they set up a bounded loop
    #  around the status polling]
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    # [gutter line 2353 dropped; presumably `if ev is None:` for this raise]
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        # [gutter line 2356 dropped: the action taken on this match]
        if 'certificate revoked' in ev:
            # [gutter lines 2358-2360 dropped: the action on this match and
            #  the counting that precedes the raise below, which belongs to
            #  a different branch than the one it sits in here]
            raise Exception("Unexpected number of EAP status messages")
    # [gutter line 2362 dropped]
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # [gutter line 2364 dropped; presumably `if ev is None:`]
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown

    The stapled response (expected in the run's log directory, otherwise
    the test is skipped) reports the server certificate status as
    unknown; with ocsp=2 that is not good enough and the EAP exchange
    must fail.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is rebound from the test fixture to the hostapd config.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # [gutter lines 2380-2381 dropped by the page rendering; judging by
    #  the "Unexpected number" raise below they set up a bounded loop
    #  around the status polling]
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    # [gutter line 2383 dropped; presumably `if ev is None:` for this raise]
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        # [gutter lines 2386-2388 dropped: the exit taken on this match and
        #  the counting that precedes the raise below, which therefore
        #  belongs to a different branch than the one it sits in here]
        raise Exception("Unexpected number of EAP status messages")
    # [gutter line 2390 dropped]
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # [gutter line 2392 dropped; presumably `if ev is None:`]
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown

    Same stapled "unknown" response as the ocsp=2 variant, but with ocsp=1
    the response is only advisory, so the connection is expected to
    complete.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is rebound from the test fixture to the hostapd config.
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    params = ap_params
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap",
                   key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1,
                   scan_freq="2412")
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    The server certificate has no dNSName SAN, so the suffix match is
    evaluated against the subject CN; the full CN is given here, which
    every TLS backend is expected to accept.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap",
                   key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="server3.w1.fi",
                   # NOTE(review): gutter line 2419 was dropped by the page;
                   # closing argument reconstructed from the page's other
                   # connect() calls -- verify against upstream.
                   scan_freq="2412")
def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain match (CN)

    domain_match requires an exact match; with no dNSName SAN in the
    server certificate the comparison is made against the subject CN.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap",
                   key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="server3.w1.fi",
                   # NOTE(review): gutter line 2432 was dropped by the page;
                   # closing argument reconstructed from the page's other
                   # connect() calls -- verify against upstream.
                   scan_freq="2412")
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    A proper suffix ("w1.fi" against CN server3.w1.fi) is used, which only
    works with TLS backends that implement real suffix matching; others
    are skipped by check_domain_match_full.
    """
    check_domain_match_full(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[1].connect("test-wpa2-eap",
                   key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="w1.fi",
                   # NOTE(review): gutter line 2446 was dropped by the page;
                   # closing argument reconstructed from the page's other
                   # connect() calls -- verify against upstream.
                   scan_freq="2412")
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)

    Two stations, both expected to fail server validation: one with an
    unrelated domain, one with "erver3.w1.fi", a string suffix of the CN
    that is not aligned on a label boundary and so must not match.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)

    common = dict(key_mgmt="WPA-EAP", eap="TLS",
                  identity="tls user", ca_cert="auth_serv/ca.pem",
                  private_key="auth_serv/user.pkcs12",
                  private_key_passwd="whatever",
                  # NOTE(review): gutter lines 2459 and 2466 were dropped by
                  # the page; the closing arguments are reconstructed from
                  # the page's other failing connect() calls -- verify
                  # against upstream.
                  wait_connect=False, scan_freq="2412")
    dev[0].connect("test-wpa2-eap", domain_suffix_match="example.com",
                   **common)
    dev[1].connect("test-wpa2-eap", domain_suffix_match="erver3.w1.fi",
                   **common)

    # NOTE(review): guard lines (gutter 2469, 2472) were dropped by the
    # page; `if ev is None:` reconstructed -- verify against upstream.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)

    Two stations, both expected to fail: domain_match needs the full name,
    so neither an unrelated domain nor the parent domain "w1.fi" of the
    CN is acceptable.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)

    common = dict(key_mgmt="WPA-EAP", eap="TLS",
                  identity="tls user", ca_cert="auth_serv/ca.pem",
                  private_key="auth_serv/user.pkcs12",
                  private_key_passwd="whatever",
                  # NOTE(review): gutter lines 2486 and 2493 were dropped by
                  # the page; the closing arguments are reconstructed from
                  # the page's other failing connect() calls -- verify
                  # against upstream.
                  wait_connect=False, scan_freq="2412")
    dev[0].connect("test-wpa2-eap", domain_match="example.com", **common)
    dev[1].connect("test-wpa2-eap", domain_match="w1.fi", **common)

    # NOTE(review): guard lines (gutter 2496, 2499) were dropped by the
    # page; `if ev is None:` reconstructed -- verify against upstream.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate

    The supplicant must reject the expired server certificate, report the
    reason through CTRL-EVENT-EAP-TLS-CERT-ERROR and fail the EAP exchange.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    sta = dev[0]
    sta.connect("test-wpa2-eap",
                key_mgmt="WPA-EAP", eap="TTLS",
                identity="mschap user", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                # NOTE(review): gutter line 2511 was dropped by the page;
                # closing arguments reconstructed from the page's other
                # failing connect() calls -- verify against upstream.
                wait_connect=False, scan_freq="2412")

    # NOTE(review): guard lines (gutter 2514, 2519) were dropped by the
    # page; `if ev is None:` reconstructed -- verify against upstream.
    ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    if ev is None:
        raise Exception("Timeout on EAP certificate error report")
    if "reason=4" not in ev or "certificate has expired" not in ev:
        raise Exception("Unexpected failure reason: " + ev)
    ev = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration

    Same expired server certificate as test_ap_wpa2_eap_ttls_expired_cert,
    but phase1 tls_disable_time_checks=1 turns off the validity-period
    check, so the connection is expected to complete. That option
    weakens certificate validation and is exercised here only to cover
    the code path.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap",
                   key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   phase1="tls_disable_time_checks=1",
                   # NOTE(review): gutter line 2532 was dropped by the page;
                   # closing argument reconstructed from the page's other
                   # connect() calls -- verify against upstream.
                   scan_freq="2412")
def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and long certificate duration

    The server certificate has an unusually long validity period; the
    connection is expected to complete.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-long-duration.pem"
    params["private_key"] = "auth_serv/server-long-duration.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap",
                   key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): gutter line 2543 was dropped by the page;
                   # closing argument reconstructed from the page's other
                   # connect() calls -- verify against upstream.
                   scan_freq="2412")
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU

    A server certificate whose extended key usage only allows client
    authentication must be rejected when presented by the server.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-eku-client.pem"
    params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    sta = dev[0]
    sta.connect("test-wpa2-eap",
                key_mgmt="WPA-EAP", eap="TTLS",
                identity="mschap user", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                # NOTE(review): gutter line 2554 was dropped by the page;
                # closing arguments reconstructed from the page's other
                # failing connect() calls -- verify against upstream.
                wait_connect=False, scan_freq="2412")
    ev = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): guard line (gutter 2557) dropped by the page;
    # `if ev is None:` reconstructed -- verify against upstream.
    if ev is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU

    Counterpart of the client-EKU-only test: with serverAuth also present
    in the extended key usage the certificate is acceptable and the
    connection is expected to complete.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap",
                   key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): gutter line 2569 was dropped by the page;
                   # closing argument reconstructed from the page's other
                   # connect() calls -- verify against upstream.
                   scan_freq="2412")
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file

    hostapd loads both certificate and key from one PKCS#12 container,
    so server_cert is removed from the config and private_key points at
    the .pkcs12 file.
    """
    params = int_eap_server_params()
    del params["server_cert"]
    params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap",
                   key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): gutter line 2580 was dropped by the page;
                   # closing argument reconstructed from the page's other
                   # connect() calls -- verify against upstream.
                   scan_freq="2412")
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Client-side dh_file; ca_cert in DER form this time.
    eap_connect(dev[0], ap, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                dh_file="auth_serv/dh.conf")
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob

    The DH parameters are read with read_pem, stored in wpa_supplicant as
    a named blob over the control interface and then referenced through
    the blob:// URI instead of a file path.
    """
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dh = read_pem("auth_serv/dh2.conf")
    # .encode("hex") is the Python 2 hex codec the file relies on.
    reply = sta.request("SET blob dhparams " + dh.encode("hex"))
    if "OK" not in reply:
        raise Exception("Could not set dhparams blob")
    eap_connect(sta, ap, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                dh_file="blob://dhparams")
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
    # Here the DH parameters are configured on the hostapd side.
    params = int_eap_server_params()
    params["dh_file"] = "auth_serv/dh2.conf"
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], params)
    eap_connect(dev[0], ap, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication

    eap_reauth_period=2 makes hostapd re-run EAP shortly after the initial
    authentication; the station must see EAP start and succeed again and
    settle back into wpa_state COMPLETED.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['eap_reauth_period'] = '2'
    hostapd.add_ap(apdev[0]['ifname'], params)
    sta = dev[0]
    eap_connect(sta, apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    logger.info("Wait for reauthentication")
    # NOTE(review): guard lines (gutter 2621, 2624) were dropped by the
    # page; `if ev is None:` reconstructed -- verify against upstream.
    ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Timeout on reauthentication")
    ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("Timeout on reauthentication")
    # Poll until the key handshake after the renewed EAP is finished.
    state = None
    for _ in range(0, 20):
        state = sta.get_status_field("wpa_state")
        if state == "COMPLETED":
            # NOTE(review): gutter lines 2629-2630 were dropped by the
            # page; the post-loop check establishes the loop exits here,
            # and presumably a short delay separated the polls -- restore
            # from upstream, without it this loop spins.
            break
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity

    eap_message carries a displayable prefix and, after the literal "\\0"
    separator that hostapd interprets, network-information attributes;
    the station must still authenticate normally.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], params)
    eap_connect(dev[0], ap, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication

    For each of EAP-SIM, EAP-AKA and EAP-AKA' one station authenticates
    with result_ind=1 (protected success indication) and reauthenticates,
    and a second station connects without it; the hostapd side has
    eap_sim_aka_result_ind enabled throughout. The password strings are
    the test subscriber secrets served by hlr_auc_gw.
    """
    check_hlr_auc_gw_support()
    params = int_eap_server_params()
    params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    params['eap_sim_aka_result_ind'] = "1"
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], params)

    creds = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, imsi, secret) in enumerate(creds):
        if idx:
            # Profiles from the previous method are cleared before the
            # next one; nothing is cleared after the last.
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], ap, method, imsi,
                    password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], ap, method, imsi,
                    password=secret)
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips

    The supplicant must give up once its roundtrip limit is hit and log
    the "EAP: more than ..." message instead of looping forever.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="TTLS", identity="mschap user",
                   wait_connect=False, scan_freq="2412", ieee80211w="1",
                   anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # [gutter line 2686 dropped by the page rendering: the
                   #  final connect() argument, which is what provokes the
                   #  excessive roundtrips, is not visible; the call is
                   #  closed here only to keep the block well-formed]
                   )
    ev = dev[0].wait_event(["EAP: more than"], timeout=20)
    # [gutter line 2688 dropped by the page rendering; presumably the
    #  `if ev is None:` guard that makes the next raise conditional]
    raise Exception("EAP roundtrip limit not reached")
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK

    The station proposes a vendor-specific (expanded) method the server
    does not offer, so the server's refusal must show up as an EAP status
    event before the exchange fails.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="PSK", identity="vendor-test",
                   password_hex="ff23456789abcdef0123456789abcdef",
                   # [gutter lines 2698-2700 dropped by the page rendering:
                   #  the remaining connect() arguments are not visible; the
                   #  call is closed here only to keep the block well-formed]
                   )
    # Up to five status events are inspected while waiting for the NAK.
    for i in range(0, 5):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
        # [gutter line 2703 dropped; presumably `if ev is None:`]
        raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in ev:
            # [gutter lines 2706-2708 dropped: the handling of the expected
            #  refusal and of other tolerated status lines; the raise below
            #  presumably sits outside this branch]
            raise Exception("Unexpected EAP status: " + ev)
    # [gutter line 2710 dropped]
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # [gutter line 2712 dropped; presumably `if ev is None:`]
    raise Exception("EAP failure timed out")
def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB

    A throw-away SQLite user database is created in the run's log
    directory and hostapd's integrated EAP server is pointed at it via
    eap_user_file=sqlite:<path>. The SQL below is built from constant
    literals only (no external input); the cleartext passwords are test
    fixtures.
    """
    # [gutter lines 2717-2719 dropped by the page rendering; presumably a
    #  guarded `import sqlite3` whose failure leads to this skip -- as
    #  rendered, the raise is unconditional and `sqlite3` is not bound]
    raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    # [gutter lines 2722-2725 dropped]
    con = sqlite3.connect(dbfile)
    # [gutter lines 2727-2728 dropped: `cur` is used below but its creation
    #  (a cursor on `con`) is not visible]
    cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
    cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
    # Empty wildcard identity: phase 1 (outer) methods allowed for anyone.
    cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
    cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
    # [gutter lines 2737-2738 dropped]
    # `params` is rebound from the test fixture to the hostapd config.
    params = int_eap_server_params()
    params["eap_user_file"] = "sqlite:" + dbfile
    hostapd.add_ap(apdev[0]['ifname'], params)
    # One connection per phase-2 method listed in the users table.
    eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
    eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # [gutter lines 2756-2758 dropped; presumably the cleanup of dbfile]
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Identities containing a raw 0x80 byte are sent against the integrated
    EAP server; the test only requires that EAP starts and a method gets
    selected for both stations, i.e. that the malformed identity is
    handled without the exchange stalling.
    """
    hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    identities = ("\x80", "a\x80")
    for sta, ident in zip(dev, identities):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity=ident, password="password", wait_connect=False)
    # NOTE(review): guard lines (gutter 2769, 2772) were dropped by the
    # page; `if ev is None:` reconstructed -- verify against upstream.
    for sta in dev[:2]:
        ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if ev is None:
            raise Exception("EAP method selection timed out")
def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Same as test_ap_wpa2_eap_non_ascii_identity but against the default
    wpa2_eap_params AP (external RADIUS path) instead of the integrated
    EAP server.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    identities = ("\x80", "a\x80")
    for sta, ident in zip(dev, identities):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity=ident, password="password", wait_connect=False)
    # NOTE(review): guard lines (gutter 2785, 2788) were dropped by the
    # page; `if ev is None:` reconstructed -- verify against upstream.
    for sta in dev[:2]:
        ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if ev is None:
            raise Exception("EAP method selection timed out")
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant

    dev[0] restricts its TLS cipher list to AES128 and must connect;
    dev[1] restricts it to EXPORT-grade ciphers, which the server side
    must not negotiate, so that attempt is expected to fail.
    """
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ttls_pap = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], ap, "TTLS", "pap user",
                openssl_ciphers="AES128", **ttls_pap)
    eap_connect(dev[1], ap, "TTLS", "pap user",
                openssl_ciphers="EXPORT", expect_failure=True, **ttls_pap)
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    hostapd's integrated EAP server is limited to AES256 suites. dev[0]
    with the default client list and dev[2] with HIGH:!ADH must connect;
    dev[1], limited to AES128, shares no suite with the server and is
    expected to fail.
    """
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls)
    params = int_eap_server_params()
    params['openssl_ciphers'] = "AES256"
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'], params)
    tls = hapd.request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)
    ttls_pap = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], ap, "TTLS", "pap user", **ttls_pap)
    eap_connect(dev[1], ap, "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **ttls_pap)
    eap_connect(dev[2], ap, "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **ttls_pap)
def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP

    Connects with a known password, recovers the derived keys (MSK, EMSK,
    PMK, PTK, GTK) from the wpa_supplicant debug log, and then inspects
    the process memory at successive stages -- associated, disconnected,
    PMKSA cache and fast-reauth state flushed, profile removed -- to
    check which secrets are still resident and that the short-lived ones
    have been wiped.
    """
    p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], p)
    password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    pid = find_wpas_process(dev[0])
    id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
                     anonymous_identity="ttls", password=password,
                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # [gutter line 2841 dropped by the page rendering]
    buf = read_process_memory(pid, password)
    # [gutter line 2843 dropped]
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # [gutter lines 2846-2852 dropped; the key variables tested below are
    #  presumably initialised here so the "not found" check can work]
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for l in f.readlines():
            # Each hexdump line is split on ':' and field 3 taken as the
            # hex payload; that presupposes a timestamp prefix ahead of the
            # module tag in the log -- TODO confirm log format.
            if "EAP-TTLS: Derived key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                msk = binascii.unhexlify(val)
            if "EAP-TTLS: Derived EMSK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                emsk = binascii.unhexlify(val)
            if "WPA: PMK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                pmk = binascii.unhexlify(val)
            if "WPA: PTK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                ptk = binascii.unhexlify(val)
            if "WPA: Group Key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                gtk = binascii.unhexlify(val)
    if not msk or not emsk or not pmk or not ptk or not gtk:
        raise Exception("Could not find keys from debug log")
    # [gutter line 2872 dropped; presumably the GTK length guard for this
    #  raise]
    raise Exception("Unexpected GTK length")
    # [gutter lines 2874-2878 dropped: kck, kek and tk, used further down,
    #  are presumably split out of the PTK here]
    fname = os.path.join(params['logdir'],
                         'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
    # [gutter line 2881 dropped]
    logger.info("Checking keys in memory while associated")
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    # [gutter lines 2889, 2891, 2893, 2895 and 2897 dropped: each raise
    #  below is presumably guarded by a membership test of the named key
    #  against buf -- password, PMK, KCK and KEK expected present while
    #  associated, TK and GTK expected absent]
    raise HwsimSkip("PMK not found while associated")
    raise Exception("KCK not found while associated")
    raise Exception("KEK not found while associated")
    raise Exception("TK found from memory")
    raise Exception("GTK found from memory")
    # [gutter line 2899 dropped]
    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, password)
    # [gutter line 2902 dropped]
    # Note: Password is still present in network configuration
    # Note: PMK is in PMKSA cache and EAP fast re-auth data
    # [gutter line 2905 dropped]
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # Session keys must be gone once the association is torn down.
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    # [gutter line 2914 dropped]
    dev[0].request("PMKSA_FLUSH")
    # Changing the identity invalidates the EAP fast re-auth data too.
    dev[0].set_network_quoted(id, "identity", "foo")
    logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, pmk, fname, "PMK")
    # [gutter line 2924 dropped]
    dev[0].request("REMOVE_NETWORK all")
    # [gutter line 2926 dropped]
    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, password)
    # [gutter line 2929 dropped]
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # With the profile gone nothing secret should remain, including the
    # password and the EAP-derived MSK/EMSK.
    verify_not_present(buf, password, fname, "password")
    verify_not_present(buf, pmk, fname, "PMK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    verify_not_present(buf, msk, fname, "MSK")
    verify_not_present(buf, emsk, fname, "EMSK")
def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
    """WPA2-Enterprise connection and unexpected WEP EAPOL-Key

    After a normal EAP-TTLS/PAP association an EAPOL-Key frame with the
    legacy (descriptor type 1) key descriptor is injected through
    EAPOL_RX; it has no place in a WPA2 association and the supplicant is
    expected to drop it -- the test only checks the injection request
    itself is accepted.
    """
    ap = apdev[0]
    sta = dev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    bssid = ap['bssid']
    eap_connect(sta, ap, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    # Send unexpected WEP EAPOL-Key; this gets dropped
    frame = "0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    res = sta.request("EAPOL_RX " + bssid + " " + frame)
    # NOTE(review): the guard line (gutter 2954) was dropped by the page;
    # reconstructed as the "OK" check used for other control-interface
    # requests in this file -- verify against upstream.
    if "OK" not in res:
        raise Exception("EAPOL_RX to wpa_supplicant failed")
def test_ap_wpa2_eap_in_bridge(dev, apdev):
    """WPA2-EAP and wpas interface in a bridge

    Wrapper around _test_ap_wpa2_eap_in_bridge that tears the bridge and
    4addr setting down again afterwards. All external commands are run
    with argument lists (no shell), so the interface names are never
    shell-interpreted.
    """
    # [gutter lines 2959-2961 dropped by the page rendering: `br_ifname`
    #  and `ifname`, used below, are bound there, and presumably a `try:`
    #  pairs with the cleanup]
    _test_ap_wpa2_eap_in_bridge(dev, apdev)
    # [gutter line 2963 dropped; presumably `finally:` -- the commands
    #  below undo the bridge setup regardless of the outcome]
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
    subprocess.call(['brctl', 'delif', br_ifname, ifname])
    subprocess.call(['brctl', 'delbr', br_ifname])
    subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
def _test_ap_wpa2_eap_in_bridge(dev, apdev):
    """Body of test_ap_wpa2_eap_in_bridge; the caller handles teardown.

    Creates a bridge, puts a 4addr-enabled station interface into it,
    attaches a second wpa_supplicant to that interface with br_ifname set,
    and checks that EAP-PAX authentication, reauthentication and a
    disconnect/reconnect cycle all work through the bridge.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # [gutter lines 2972-2974 dropped by the page rendering: `br_ifname`
    #  and `ifname`, used below, are bound there]
    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    subprocess.call(['brctl', 'addbr', br_ifname])
    # Forwarding delay 0 so the port passes traffic immediately.
    subprocess.call(['brctl', 'setfd', br_ifname, '0'])
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
    # 4addr (WDS) mode is what allows a station to be bridged.
    subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
    # check_call: failing to add the port is fatal for the test.
    subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
    wpas.interface_add(ifname, br_ifname=br_ifname)
    # [gutter line 2982 dropped]
    id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
                     password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(wpas, "PAX")
    # Try again as a regression test for packet socket workaround
    eap_reauth(wpas, "PAX")
    wpas.request("DISCONNECT")
    wpas.wait_disconnected()
    wpas.request("RECONNECT")
    wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled

    phase1 tls_disable_session_ticket=0 explicitly allows TLS session
    tickets; the reauthentication afterwards exercises the resumption
    path. The GET_CONFIG check confirms the AP advertises WPA-EAP first.
    """
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], ap, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_no_workaround(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0

    eap_workaround='0' disables the supplicant's interoperability
    workarounds for known-broken peers; the connection and a following
    reauthentication must still succeed against hostapd.
    """
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], ap, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                # NOTE(review): gutter line 3016 was dropped by the page;
                # the closing argument is reconstructed from the page's
                # other "pap user" eap_connect() calls -- verify upstream.
                phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")