1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2019, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Module-wide logger. getLogger() with no name returns the root logger, so
# these messages go wherever the hwsim test runner configured root handlers.
logger = logging.getLogger()
20 import socketserver
as SocketServer
25 from hwsim
import HWSimRadio
27 from utils
import HwsimSkip
, alloc_fail
, fail_test
, skip_with_fips
, wait_fail_trigger
, require_under_vm
28 from wpasupplicant
import WpaSupplicant
29 from test_ap_psk
import check_mib
, find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
, set_test_assoc_ie
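# pyOpenSSL is optional; tests that need it consult this flag and skip when
# the module is not installed instead of failing at import time.
try:
    import OpenSSL
    openssl_imported = True
except ImportError:
    openssl_imported = False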
def check_hlr_auc_gw_support():
    """Skip the test unless the hlr_auc_gw control socket is present.

    Raises:
        HwsimSkip: when /tmp/hlr_auc_gw.sock does not exist.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
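def check_eap_capa(dev, method):
    """Skip the test unless *method* is listed in the build's EAP capabilities.

    Args:
        dev: wpa_supplicant instance whose "GET_CAPABILITY eap" result is checked.
        method: EAP method name as it appears in that capability list.

    Raises:
        HwsimSkip: when the method is not compiled into wpa_supplicant.
    """
    res = dev.get_capability("eap")
    if method not in res:
        raise HwsimSkip("EAP method %s not supported in the build" % method)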
def check_subject_match_support(dev):
    """Skip unless the TLS library behind *dev* implements subject_match.

    Raises:
        HwsimSkip: for any TLS library other than OpenSSL or wolfSSL.
    """
    lib = dev.request("GET tls_library")
    if not lib.startswith(("OpenSSL", "wolfSSL")):
        raise HwsimSkip("subject_match not supported with this TLS library: " + lib)
def check_check_cert_subject_support(dev):
    """Skip unless the TLS library behind *dev* implements check_cert_subject.

    Raises:
        HwsimSkip: for any TLS library other than OpenSSL.
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("check_cert_subject not supported with this TLS library: " + lib)
def check_altsubject_match_support(dev):
    """Skip unless the TLS library behind *dev* implements altsubject_match.

    Raises:
        HwsimSkip: for any TLS library other than OpenSSL or wolfSSL.
    """
    lib = dev.request("GET tls_library")
    if not lib.startswith(("OpenSSL", "wolfSSL")):
        raise HwsimSkip("altsubject_match not supported with this TLS library: " + lib)
def check_domain_match(dev):
    """Skip when the internal TLS implementation is in use (no domain_match).

    Raises:
        HwsimSkip: when the TLS library name starts with "internal".
    """
    lib = dev.request("GET tls_library")
    internal = lib.startswith("internal")
    if internal:
        raise HwsimSkip("domain_match not supported with this TLS library: " + lib)
def check_domain_suffix_match(dev):
    """Skip when the internal TLS implementation is in use (no domain_suffix_match).

    Raises:
        HwsimSkip: when the TLS library name starts with "internal".
    """
    lib = dev.request("GET tls_library")
    if not lib.startswith("internal"):
        return
    raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + lib)
def check_domain_match_full(dev):
    """Skip unless the TLS library supports suffix (not only full) domain matching.

    Raises:
        HwsimSkip: for any TLS library other than OpenSSL or wolfSSL, which
            can only do a full match for domain_suffix_match.
    """
    lib = dev.request("GET tls_library")
    if not lib.startswith(("OpenSSL", "wolfSSL")):
        raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + lib)
def check_cert_probe_support(dev):
    """Skip unless the TLS library supports certificate probing.

    Raises:
        HwsimSkip: for any TLS library other than OpenSSL or the internal one.
    """
    lib = dev.request("GET tls_library")
    if lib.startswith(("OpenSSL", "internal")):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + lib)
def check_ext_cert_check_support(dev):
    """Skip unless the TLS library supports external certificate checking.

    Raises:
        HwsimSkip: for any TLS library other than OpenSSL.
    """
    lib = dev.request("GET tls_library")
    supported = lib.startswith("OpenSSL")
    if not supported:
        raise HwsimSkip("ext_cert_check not supported with this TLS library: " + lib)
def check_ocsp_support(dev):
    """Skip unless the TLS library supports OCSP.

    Only wolfSSL is excluded now; the internal TLS implementation and
    BoringSSL used to be skipped here as well (those checks are retained
    below, commented out, as a record).

    Raises:
        HwsimSkip: when the TLS library is wolfSSL.
    """
    lib = dev.request("GET tls_library")
    #if lib.startswith("internal"):
    #    raise HwsimSkip("OCSP not supported with this TLS library: " + lib)
    #if "BoringSSL" in lib:
    #    raise HwsimSkip("OCSP not supported with this TLS library: " + lib)
    if not lib.startswith("wolfSSL"):
        return
    raise HwsimSkip("OCSP not supported with this TLS library: " + lib)
def check_pkcs5_v15_support(dev):
    """Skip when the TLS library cannot handle PKCS#5 v1.5 encrypted keys.

    Raises:
        HwsimSkip: when the TLS library reports BoringSSL or GnuTLS.
    """
    lib = dev.request("GET tls_library")
    if any(name in lib for name in ("BoringSSL", "GnuTLS")):
        raise HwsimSkip("PKCS#5 v1.5 not supported with this TLS library: " + lib)
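def check_ocsp_multi_support(dev):
    """Skip unless both peers use the internal TLS implementation (ocsp_multi).

    The supplicant side is checked through *dev*; the authentication server
    side is checked by querying the hostapd instance named "as".

    Raises:
        HwsimSkip: when either side's TLS library is not the internal one.
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("internal"):
        raise HwsimSkip("OCSP-multi not supported with this TLS library: " + tls)
    as_hapd = hostapd.Hostapd("as")
    res = as_hapd.request("GET tls_library")
    # Drop the control connection to the AS as soon as the answer is in.
    del as_hapd
    if not res.startswith("internal"):
        raise HwsimSkip("Authentication server does not support ocsp_multi")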
def check_pkcs12_support(dev):
    """Skip unless the TLS library supports PKCS#12 containers.

    The internal TLS implementation used to be excluded too (kept below as a
    commented-out record); only wolfSSL is skipped now.

    Raises:
        HwsimSkip: when the TLS library is wolfSSL.
    """
    lib = dev.request("GET tls_library")
    #if lib.startswith("internal"):
    #    raise HwsimSkip("PKCS#12 not supported with this TLS library: " + lib)
    if not lib.startswith("wolfSSL"):
        return
    raise HwsimSkip("PKCS#12 not supported with this TLS library: " + lib)
def check_dh_dsa_support(dev):
    """Skip when the internal TLS implementation is in use (no DH/DSA).

    Raises:
        HwsimSkip: when the TLS library name starts with "internal".
    """
    lib = dev.request("GET tls_library")
    if not lib.startswith("internal"):
        return
    raise HwsimSkip("DH DSA not supported with this TLS library: " + lib)
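def read_pem(fname):
    """Return the DER bytes of the PEM block(s) in *fname*.

    Lines strictly between a "-----BEGIN" and the following "-----END" marker
    are collected (the markers themselves are not) and base64-decoded as one
    string; text outside the markers is ignored. If the file holds several
    blocks their contents are concatenated before decoding, as before.

    Args:
        fname: path of the PEM file.

    Returns:
        bytes: the decoded payload.

    Raises:
        OSError: if the file cannot be opened.
        binascii.Error: if the collected text is not valid base64.
    """
    body = []
    copying = False
    with open(fname, "r") as f:
        for line in f:
            if "-----END" in line:
                copying = False
            if copying:
                body.append(line)
            # The BEGIN line itself is never copied: the flag flips after it.
            if "-----BEGIN" in line:
                copying = True
    return base64.b64decode("".join(body))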
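def eap_connect(dev, hapd, method, identity,
                sha256=False, expect_failure=False, local_error_report=False,
                maybe_local_error=False, report_failure=False,
                expect_cert_error=None, **kwargs):
    """Add a WPA2-Enterprise profile on *dev*, run the EAP exchange, return its id.

    The profile targets SSID "test-wpa2-eap" with key_mgmt
    "WPA-EAP WPA-EAP-SHA256" and PMF enabled as optional (ieee80211w=1);
    any extra keyword arguments (password, ca_cert, phase1, ...) are passed
    straight to dev.connect() as network parameters. The outcome is verified
    by eap_check_auth() with the same flags; unless a failure is expected,
    hostapd must additionally report AP-STA-CONNECTED.

    Args:
        dev: wpa_supplicant instance under test.
        hapd: hostapd instance that must see the station connect.
        method: EAP method name (eap= network parameter).
        identity: EAP identity (identity= network parameter).
        sha256, expect_failure, local_error_report, maybe_local_error,
        report_failure, expect_cert_error: forwarded to eap_check_auth().

    Returns:
        The network id allocated by dev.connect().

    Raises:
        Exception: from eap_check_auth(), or when hostapd reports no
            AP-STA-CONNECTED within 5 seconds.
    """
    net_id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                         eap=method, identity=identity,
                         wait_connect=False, scan_freq="2412", ieee80211w="1",
                         **kwargs)
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report,
                   maybe_local_error=maybe_local_error,
                   report_failure=report_failure,
                   expect_cert_error=expect_cert_error)
    if expect_failure:
        # A failed exchange never produces a station on the AP side.
        return net_id
    ev = hapd.wait_event(["AP-STA-CONNECTED"], timeout=5)
    if ev is None:
        raise Exception("No connection event received from hostapd")
    return net_id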
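def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False,
                   maybe_local_error=False, report_failure=False,
                   expect_cert_error=None):
    """Follow one EAP exchange on *dev* through its control-interface events.

    Sequence: EAP start, method selection, optional TLS certificate error,
    then either the expected failure (EAP-Failure followed by a disconnection
    whose reason code must be 23, IEEE 802.1X authentication failed, unless
    local_error_report relaxes that) or success (EAP-Success, association or
    completed key negotiation, and a STATUS report that is consistent with
    *method*, *rsn* and *sha256*).

    Args:
        dev: wpa_supplicant instance under test.
        method: EAP method name expected in the method event and STATUS.
        initial: True for a fresh association (wait for CTRL-EVENT-CONNECTED),
            False for a reauthentication (wait for the 4-way handshake).
        rsn: with sha256=False, expect "WPA2/IEEE 802.1X/EAP" (True) or
            "WPA/IEEE 802.1X/EAP" (False) as key_mgmt.
        sha256: expect "WPA2-EAP-SHA256" as key_mgmt.
        expect_failure: the exchange must end in EAP-Failure.
        local_error_report: do not insist on reason=23 after the failure.
        maybe_local_error: tolerate a locally generated failure/disconnect.
        report_failure: while waiting for success also accept an EAP-Failure
            event (which is then reported as "EAP failed").
        expect_cert_error: TLS certificate error reason code that must be
            reported before the final outcome, or None.

    Raises:
        Exception: on any timeout or mismatch with the expected outcome.
    """
    ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD",
                         "CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "CTRL-EVENT-EAP-FAILURE" in ev:
        if maybe_local_error:
            return
        raise Exception("Could not select EAP method")
    if method not in ev:
        raise Exception("Unexpected EAP method")

    if expect_cert_error is not None:
        ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-EAP-SUCCESS"], timeout=5)
        # The trailing space keeps e.g. reason=1 from matching reason=10.
        if ev is None or "reason=%d " % expect_cert_error not in ev:
            raise Exception("Expected certificate error not reported")

    if expect_failure:
        ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-EAP-SUCCESS"], timeout=5)
        if ev is None:
            raise Exception("EAP failure timed out")
        if "CTRL-EVENT-EAP-SUCCESS" in ev:
            raise Exception("Unexpected EAP success")
        ev = dev.wait_disconnected(timeout=10)
        if maybe_local_error and "locally_generated=1" in ev:
            return
        if not local_error_report:
            # Reason code 23 = IEEE 802.1X authentication failed; the AP must
            # report the real cause rather than a generic deauthentication.
            if "reason=23" not in ev:
                raise Exception("Proper reason code for disconnection not reported")
        return

    if report_failure:
        ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        if "CTRL-EVENT-EAP-SUCCESS" not in ev:
            raise Exception("EAP failed")
    else:
        ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")

    if initial:
        ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
    else:
        ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Association with the AP timed out")

    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if "selectedMethod" not in status:
        logger.info("Status: " + str(status))
        raise Exception("No selectedMethod in status")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")

    if sha256:
        expected_key_mgmt = "WPA2-EAP-SHA256"
    elif rsn:
        expected_key_mgmt = "WPA2/IEEE 802.1X/EAP"
    else:
        expected_key_mgmt = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != expected_key_mgmt:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])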
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger an EAP reauthentication on *dev* and verify its outcome.

    Issues REAUTHENTICATE and then checks the exchange with
    eap_check_auth(initial=False), i.e. waiting for the key negotiation to
    complete rather than for a new association.

    Returns:
        Whatever eap_check_auth() returns (None).
    """
    dev.request("REAUTHENTICATE")
    outcome = eap_check_auth(dev, method, False, rsn=rsn, sha256=sha256,
                             expect_failure=expect_failure)
    return outcome
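def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Ki:OPc for the test subscriber in the hlr_auc_gw Milenage database.
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    eap_connect(dev[0], hapd, "SIM", "1232010000000000", password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "SIM")

    eap_connect(dev[1], hapd, "SIM", "1232010000000001", password=good_key)
    # Third subscriber is expected to be rejected by the authentication server.
    eap_connect(dev[2], hapd, "SIM", "1232010000000002", password=good_key,
                expect_failure=True)

    # Negative cases for dev[0]: wrong key, malformed Ki:OPc strings, and no
    # key at all. Each one must end in EAP-Failure.
    negative = [
        ("Negative test with incorrect key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("Invalid GSM-Milenage key", "ffdca4eda45b53cf0f12d7c9c3bc6a"),
        ("Invalid GSM-Milenage key(2)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581"),
        ("Invalid GSM-Milenage key(3)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q"),
        ("Invalid GSM-Milenage key(4)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581"),
        ("Missing key configuration", None),
    ]
    for label, password in negative:
        logger.info(label)
        dev[0].request("REMOVE_NETWORK all")
        extra = {} if password is None else {"password": password}
        eap_connect(dev[0], hapd, "SIM", "1232010000000000",
                    expect_failure=True, **extra)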
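def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)"""
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    # hostapd.db in the log directory holds the EAP-SIM reauth and pseudonym
    # state; the test edits it directly to force each authentication path.
    # NOTE(review): presumably the auth server on port 1814 is the SQL-backed
    # one — confirm against the hwsim auth_serv configuration.
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def edit_db(*statements):
        # Run fixed SQL statements (literals only, no external input) as one
        # transaction so the server sees a consistent state.
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt)

    try:
        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['auth_server_port'] = "1814"
        hapd = hostapd.add_ap(apdev[0], params)
        eap_connect(dev[0], hapd, "SIM", "1232010000000000",
                    password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")

        logger.info("SIM fast re-authentication")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM full auth with pseudonym")
        edit_db("DELETE FROM reauth WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM full auth with permanent identity")
        edit_db("DELETE FROM reauth WHERE permanent='1232010000000000'",
                "DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM reauth with mismatching MK")
        edit_db("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "SIM", "1232010000000000",
                    password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
        edit_db("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")
        edit_db("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
        logger.info("SIM reauth with mismatching counter")
        eap_reauth(dev[0], "SIM")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "SIM", "1232010000000000",
                    password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
        edit_db("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
        logger.info("SIM reauth with max reauth count reached")
        eap_reauth(dev[0], "SIM")
    finally:
        # The connection was never closed before; release it even on failure.
        con.close()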
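def test_ap_wpa2_eap_sim_config(dev, apdev):
    """EAP-SIM configuration options"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"

    # sim_min_num_chal=1 is below the allowed range: the method must refuse
    # to initialize instead of weakening the number of challenges.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                   identity="1232010000000000",
                   password=key,
                   phase1="sim_min_num_chal=1",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
    if ev is None:
        raise Exception("No EAP error message seen")
    dev[0].request("REMOVE_NETWORK all")

    # sim_min_num_chal=4 is above the allowed range and must be refused too.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                   identity="1232010000000000",
                   password=key,
                   phase1="sim_min_num_chal=4",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
    if ev is None:
        raise Exception("No EAP error message seen (2)")
    dev[0].request("REMOVE_NETWORK all")

    # Valid option values: minimum of two challenges, and a pseudonym given
    # as anonymous_identity.
    eap_connect(dev[0], hapd, "SIM", "1232010000000000",
                password=key,
                phase1="sim_min_num_chal=2")
    eap_connect(dev[1], hapd, "SIM", "1232010000000000",
                password=key,
                anonymous_identity="345678")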
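def test_ap_wpa2_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
    try:
        _test_ap_wpa2_eap_sim_ext(dev, apdev)
    finally:
        # Never leave external_sim enabled for the tests that follow.
        dev[0].request("SET external_sim 0")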
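def _test_ap_wpa2_eap_sim_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext; the caller resets external_sim.

    Exercises the CTRL-REQ-SIM / CTRL-RSP-SIM external SIM interface with a
    series of wrong or malformed GSM-AUTH answers, each of which must make
    the EAP exchange fail without crashing the supplicant.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    net_id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                            identity="1232010000000000",
                            wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:
        raise Exception("Network connected timed out")

    def wait_gsm_auth_req():
        # Wait for wpa_supplicant to ask the external SIM for GSM-AUTH and
        # return the request id that the CTRL-RSP-SIM reply must carry.
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':', 2)
        if p[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return p[0].split('-')[3]

    def expect_eap_failure():
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        if ev is None:
            raise Exception("EAP failure not reported")

    rid = wait_gsm_auth_req()
    # A UMTS-AUTH reply (IK:CK:RES format) to a GSM-AUTH request.
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # This will fail during processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
    expect_eap_failure()

    # Malformed or truncated GSM-AUTH answers. The CTRL-RSP-SIM command itself
    # is accepted; each answer is then rejected during GSM auth validation.
    bad_answers = ["q",
                   "34",
                   "0011223344556677",
                   "0011223344556677:q",
                   "0011223344556677:00112233",
                   "0011223344556677:00112233:q"]
    for answer in bad_answers:
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        dev[0].select_network(net_id, freq="2412")
        rid = wait_gsm_auth_req()
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + answer):
            raise Exception("CTRL-RSP-SIM failed")
        expect_eap_failure()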
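def test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
    """EAP-SIM with external GSM auth and replacing SIM without clearing pseudonym id"""
    try:
        _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev)
    finally:
        # Never leave external_sim enabled for the tests that follow.
        dev[0].request("SET external_sim 0")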
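def _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext_replace_sim; the caller resets external_sim.

    A stale pseudonym left over from the first SIM must not let the second
    SIM authenticate: the server's pseudonym maps to the old permanent
    identity, so the exchange has to end in EAP-Failure.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    net_id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                            identity="1232010000000000",
                            wait_connect=False, scan_freq="2412")

    def answer_gsm_auth(imsi):
        # Serve one CTRL-REQ-SIM GSM-AUTH request for *imsi* by running the
        # standalone hlr_auc_gw tool against the test Milenage database
        # (paths are relative to the hwsim test directory).
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':', 2)
        if p[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        rid = p[0].split('-')[3]
        rand = p[2].split(' ')[0]
        res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                       "-m",
                                       "auth_serv/hlr_auc_gw.milenage_db",
                                       "GSM-AUTH-REQ " + imsi + " " + rand]).decode()
        if "GSM-AUTH-RESP" not in res:
            raise Exception("Unexpected hlr_auc_gw response")
        resp = res.split(' ')[2].rstrip()
        dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)

    answer_gsm_auth("232010000000000")
    dev[0].wait_connected(timeout=15)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Replace SIM, but forget to drop the previous pseudonym identity
    dev[0].set_network_quoted(net_id, "identity", "1232010000000009")
    dev[0].select_network(net_id, freq="2412")
    answer_gsm_auth("232010000000009")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()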
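def test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
    """EAP-SIM with external GSM auth and replacing SIM and clearing pseudonym identity"""
    try:
        _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev)
    finally:
        # Never leave external_sim enabled for the tests that follow.
        dev[0].request("SET external_sim 0")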
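def _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext_replace_sim2; the caller resets external_sim.

    Same as the replace_sim case, but the pseudonym (anonymous_identity) is
    cleared together with the SIM swap, so the second SIM must connect.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    net_id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                            identity="1232010000000000",
                            wait_connect=False, scan_freq="2412")

    def answer_gsm_auth(imsi):
        # Serve one CTRL-REQ-SIM GSM-AUTH request for *imsi* by running the
        # standalone hlr_auc_gw tool against the test Milenage database
        # (paths are relative to the hwsim test directory).
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':', 2)
        if p[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        rid = p[0].split('-')[3]
        rand = p[2].split(' ')[0]
        res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                       "-m",
                                       "auth_serv/hlr_auc_gw.milenage_db",
                                       "GSM-AUTH-REQ " + imsi + " " + rand]).decode()
        if "GSM-AUTH-RESP" not in res:
            raise Exception("Unexpected hlr_auc_gw response")
        resp = res.split(' ')[2].rstrip()
        dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)

    answer_gsm_auth("232010000000000")
    dev[0].wait_connected(timeout=15)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Replace SIM and drop the previous pseudonym identity
    dev[0].set_network_quoted(net_id, "identity", "1232010000000009")
    dev[0].set_network(net_id, "anonymous_identity", "NULL")
    dev[0].select_network(net_id, freq="2412")
    answer_gsm_auth("232010000000009")
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()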
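def test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
    """EAP-SIM with external GSM auth, replacing SIM, and no identity in config"""
    try:
        _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev)
    finally:
        # Never leave external_sim enabled for the tests that follow.
        dev[0].request("SET external_sim 0")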
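def _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext_replace_sim3; the caller resets external_sim.

    The profile carries no identity, so wpa_supplicant asks for it through
    CTRL-REQ-IDENTITY; after the SIM swap both the permanent and the
    pseudonym identity are cleared and the new IMSI is supplied on request.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    net_id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                            wait_connect=False, scan_freq="2412")

    def answer_identity(identity):
        # Reply to the supplicant's identity request with *identity*.
        ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
        if ev is None:
            raise Exception("Request for identity timed out")
        rid = ev.split(':')[0].split('-')[-1]
        dev[0].request("CTRL-RSP-IDENTITY-" + rid + ":" + identity)

    def answer_gsm_auth(imsi):
        # Serve one CTRL-REQ-SIM GSM-AUTH request for *imsi* by running the
        # standalone hlr_auc_gw tool against the test Milenage database
        # (paths are relative to the hwsim test directory).
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':', 2)
        if p[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        rid = p[0].split('-')[3]
        rand = p[2].split(' ')[0]
        res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                       "-m",
                                       "auth_serv/hlr_auc_gw.milenage_db",
                                       "GSM-AUTH-REQ " + imsi + " " + rand]).decode()
        if "GSM-AUTH-RESP" not in res:
            raise Exception("Unexpected hlr_auc_gw response")
        resp = res.split(' ')[2].rstrip()
        dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)

    answer_identity("1232010000000000")
    answer_gsm_auth("232010000000000")
    dev[0].wait_connected(timeout=15)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Replace SIM and drop the previous permanent and pseudonym identities
    dev[0].set_network(net_id, "identity", "NULL")
    dev[0].set_network(net_id, "anonymous_identity", "NULL")
    dev[0].select_network(net_id, freq="2412")
    answer_identity("1232010000000009")
    answer_gsm_auth("232010000000009")
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()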
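def test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
    """EAP-SIM with external GSM auth and auth failing"""
    try:
        _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev)
    finally:
        # Never leave external_sim enabled for the tests that follow.
        dev[0].request("SET external_sim 0")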
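def _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext_auth_fail; the caller resets external_sim.

    The external SIM answers the GSM-AUTH request with GSM-FAIL, which must be
    surfaced as EAP-Failure on the supplicant.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                   identity="1232010000000000",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    p = ev.split(':', 2)
    rid = p[0].split('-')[3]
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-FAIL")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()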
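def test_ap_wpa2_eap_sim_change_bssid(dev, apdev):
    """EAP-SIM and external GSM auth to check fast reauth with bssid change"""
    try:
        _test_ap_wpa2_eap_sim_change_bssid(dev, apdev)
    finally:
        # Never leave external_sim enabled for the tests that follow.
        dev[0].request("SET external_sim 0")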
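def _test_ap_wpa2_eap_sim_change_bssid(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_change_bssid; the caller resets external_sim."""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    net_id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                            identity="1232010000000000",
                            wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    p = ev.split(':', 2)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]

    # Compute the GSM-AUTH answer with the standalone hlr_auc_gw tool and the
    # test Milenage database (paths relative to the hwsim test directory).
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "-m",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand]).decode()
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()

    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev[0].wait_connected(timeout=15)

    # Verify that EAP-SIM Reauthentication can be used after a profile change
    # that does not affect EAP parameters.
    dev[0].set_network(net_id, "bssid", "any")
    eap_reauth(dev[0], "SIM")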
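def test_ap_wpa2_eap_sim_no_change_set(dev, apdev):
    """EAP-SIM and external GSM auth to check fast reauth with no-change SET_NETWORK"""
    try:
        _test_ap_wpa2_eap_sim_no_change_set(dev, apdev)
    finally:
        # Never leave external_sim enabled for the tests that follow.
        dev[0].request("SET external_sim 0")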
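def _test_ap_wpa2_eap_sim_no_change_set(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_no_change_set; the caller resets external_sim."""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    net_id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                            identity="1232010000000000",
                            wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    p = ev.split(':', 2)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]

    # Compute the GSM-AUTH answer with the standalone hlr_auc_gw tool and the
    # test Milenage database (paths relative to the hwsim test directory).
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "-m",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand]).decode()
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()

    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev[0].wait_connected(timeout=15)

    # Verify that EAP-SIM Reauthentication can be used after network profile
    # SET_NETWORK commands that do not actually change previously set
    # parameter values.
    dev[0].set_network(net_id, "key_mgmt", "WPA-EAP")
    dev[0].set_network(net_id, "eap", "SIM")
    dev[0].set_network_quoted(net_id, "identity", "1232010000000000")
    dev[0].set_network_quoted(net_id, "ssid", "test-wpa2-eap")
    eap_reauth(dev[0], "SIM")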
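def test_ap_wpa2_eap_sim_oom(dev, apdev):
    """EAP-SIM and OOM"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # Make the 1st .. 12th call into milenage_f2345 fail in turn; each
    # attempt must still get as far as method selection and then disconnect
    # cleanly rather than crash or hang.
    tests = [(count, "milenage_f2345") for count in range(1, 13)]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                           identity="1232010000000000",
                           password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            if ev is None:
                raise Exception("EAP method not selected")
            dev[0].wait_disconnected()
            dev[0].request("REMOVE_NETWORK all")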
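def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Ki:OPc:SQN for the test subscriber in the hlr_auc_gw Milenage database.
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA")

    # Negative cases: wrong key, malformed Ki:OPc:SQN strings, and no key at
    # all. Each must end in EAP-Failure. clear_first mirrors the original
    # sequence, which deliberately leaves the previously rejected profile in
    # place for some of the malformed-key cases.
    negative = [
        ("Negative test with incorrect key", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a"),
        ("Invalid Milenage key(2)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key(3)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123"),
        ("Invalid Milenage key(4)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q"),
        ("Invalid Milenage key(5)", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123"),
        ("Invalid Milenage key(6)", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123"),
        ("Missing key configuration", True, None),
    ]
    for label, clear_first, password in negative:
        logger.info(label)
        if clear_first:
            dev[0].request("REMOVE_NETWORK all")
        extra = {} if password is None else {"password": password}
        eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                    expect_failure=True, **extra)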
924 def test_ap_wpa2_eap_aka_sql(dev
, apdev
, params
):
925 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
926 check_hlr_auc_gw_support()
930 raise HwsimSkip("No sqlite3 module available")
931 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
932 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
933 params
['auth_server_port'] = "1814"
934 hapd
= hostapd
.add_ap(apdev
[0], params
)
935 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
936 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
938 logger
.info("AKA fast re-authentication")
939 eap_reauth(dev
[0], "AKA")
941 logger
.info("AKA full auth with pseudonym")
944 cur
.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
945 eap_reauth(dev
[0], "AKA")
947 logger
.info("AKA full auth with permanent identity")
950 cur
.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
951 cur
.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
952 eap_reauth(dev
[0], "AKA")
954 logger
.info("AKA reauth with mismatching MK")
957 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
958 eap_reauth(dev
[0], "AKA", expect_failure
=True)
959 dev
[0].request("REMOVE_NETWORK all")
961 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
962 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
965 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
966 eap_reauth(dev
[0], "AKA")
969 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
970 logger
.info("AKA reauth with mismatching counter")
971 eap_reauth(dev
[0], "AKA")
972 dev
[0].request("REMOVE_NETWORK all")
974 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
975 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
978 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
979 logger
.info("AKA reauth with max reauth count reached")
980 eap_reauth(dev
[0], "AKA")
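def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    # The sibling EAP-AKA tests in this file skip cleanly when the hlr_auc_gw
    # helper socket is absent; do the same here so a missing helper shows up
    # as a skip rather than an authentication failure.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Same Milenage credential as the other AKA tests; the point of this test
    # is the extra anonymous_identity option on the station side.
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                anonymous_identity="2345678")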
990 def test_ap_wpa2_eap_aka_ext(dev
, apdev
):
991 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
993 _test_ap_wpa2_eap_aka_ext(dev
, apdev
)
995 dev
[0].request("SET external_sim 0")
997 def _test_ap_wpa2_eap_aka_ext(dev
, apdev
):
998 check_hlr_auc_gw_support()
999 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1000 hostapd
.add_ap(apdev
[0], params
)
1001 dev
[0].request("SET external_sim 1")
1002 id = dev
[0].connect("test-wpa2-eap", eap
="AKA", key_mgmt
="WPA-EAP",
1003 identity
="0232010000000000",
1004 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1005 wait_connect
=False, scan_freq
="2412")
1006 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
1008 raise Exception("Network connected timed out")
1010 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1012 raise Exception("Wait for external SIM processing request timed out")
1013 p
= ev
.split(':', 2)
1014 if p
[1] != "UMTS-AUTH":
1015 raise Exception("Unexpected CTRL-REQ-SIM type")
1016 rid
= p
[0].split('-')[3]
1019 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
1020 # This will fail during processing, but the ctrl_iface command succeeds
1021 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
1022 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
1024 raise Exception("EAP failure not reported")
1025 dev
[0].request("DISCONNECT")
1026 dev
[0].wait_disconnected()
1028 dev
[0].dump_monitor()
1030 dev
[0].select_network(id, freq
="2412")
1031 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1033 raise Exception("Wait for external SIM processing request timed out")
1034 p
= ev
.split(':', 2)
1035 if p
[1] != "UMTS-AUTH":
1036 raise Exception("Unexpected CTRL-REQ-SIM type")
1037 rid
= p
[0].split('-')[3]
1038 # This will fail during UMTS auth validation
1039 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:112233445566778899aabbccddee"):
1040 raise Exception("CTRL-RSP-SIM failed")
1041 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1043 raise Exception("Wait for external SIM processing request timed out")
1044 p
= ev
.split(':', 2)
1045 if p
[1] != "UMTS-AUTH":
1046 raise Exception("Unexpected CTRL-REQ-SIM type")
1047 rid
= p
[0].split('-')[3]
1048 # This will fail during UMTS auth validation
1049 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:12"):
1050 raise Exception("CTRL-RSP-SIM failed")
1051 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
1053 raise Exception("EAP failure not reported")
1054 dev
[0].request("DISCONNECT")
1055 dev
[0].wait_disconnected()
1057 dev
[0].dump_monitor()
1059 tests
= [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
1061 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
1062 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
1063 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
1064 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
1065 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
1067 dev
[0].select_network(id, freq
="2412")
1068 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1070 raise Exception("Wait for external SIM processing request timed out")
1071 p
= ev
.split(':', 2)
1072 if p
[1] != "UMTS-AUTH":
1073 raise Exception("Unexpected CTRL-REQ-SIM type")
1074 rid
= p
[0].split('-')[3]
1075 # This will fail during UMTS auth validation
1076 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ t
):
1077 raise Exception("CTRL-RSP-SIM failed")
1078 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
1080 raise Exception("EAP failure not reported")
1081 dev
[0].request("DISCONNECT")
1082 dev
[0].wait_disconnected()
1084 dev
[0].dump_monitor()
1086 def test_ap_wpa2_eap_aka_ext_auth_fail(dev
, apdev
):
1087 """EAP-AKA with external UMTS auth and auth failing"""
1089 _test_ap_wpa2_eap_aka_ext_auth_fail(dev
, apdev
)
1091 dev
[0].request("SET external_sim 0")
1093 def _test_ap_wpa2_eap_aka_ext_auth_fail(dev
, apdev
):
1094 check_hlr_auc_gw_support()
1095 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1096 hostapd
.add_ap(apdev
[0], params
)
1097 dev
[0].request("SET external_sim 1")
1098 id = dev
[0].connect("test-wpa2-eap", eap
="AKA", key_mgmt
="WPA-EAP",
1099 identity
="0232010000000000",
1100 wait_connect
=False, scan_freq
="2412")
1102 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1104 raise Exception("Wait for external SIM processing request timed out")
1105 p
= ev
.split(':', 2)
1106 rid
= p
[0].split('-')[3]
1107 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-FAIL")
1108 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
1110 raise Exception("EAP failure not reported")
1111 dev
[0].request("REMOVE_NETWORK all")
1112 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # Milenage credential (Ki:OPc:SQN) shared by the positive cases below.
    imsi = "6555444333222111"
    milenage = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    # First octet of the key flipped to ff: the server must reject this one.
    bad_milenage = "ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"

    eap_connect(dev[0], hapd, "AKA'", imsi, password=milenage)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA'")

    # Second station enables both AKA' and AKA; it is still expected to reach
    # CONNECTED (bidding-down protection must not break the connection).
    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity=imsi + "@both",
                   password=milenage,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "AKA'", imsi,
                password=bad_milenage,
                expect_failure=True)
1137 def test_ap_wpa2_eap_aka_prime_sql(dev
, apdev
, params
):
1138 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
1139 check_hlr_auc_gw_support()
1143 raise HwsimSkip("No sqlite3 module available")
1144 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
1145 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1146 params
['auth_server_port'] = "1814"
1147 hapd
= hostapd
.add_ap(apdev
[0], params
)
1148 eap_connect(dev
[0], hapd
, "AKA'", "6555444333222111",
1149 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1151 logger
.info("AKA' fast re-authentication")
1152 eap_reauth(dev
[0], "AKA'")
1154 logger
.info("AKA' full auth with pseudonym")
1157 cur
.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
1158 eap_reauth(dev
[0], "AKA'")
1160 logger
.info("AKA' full auth with permanent identity")
1163 cur
.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
1164 cur
.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
1165 eap_reauth(dev
[0], "AKA'")
1167 logger
.info("AKA' reauth with mismatching k_aut")
1170 cur
.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
1171 eap_reauth(dev
[0], "AKA'", expect_failure
=True)
1172 dev
[0].request("REMOVE_NETWORK all")
1174 eap_connect(dev
[0], hapd
, "AKA'", "6555444333222111",
1175 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1178 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
1179 eap_reauth(dev
[0], "AKA'")
1182 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
1183 logger
.info("AKA' reauth with mismatching counter")
1184 eap_reauth(dev
[0], "AKA'")
1185 dev
[0].request("REMOVE_NETWORK all")
1187 eap_connect(dev
[0], hapd
, "AKA'", "6555444333222111",
1188 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1191 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
1192 logger
.info("AKA' reauth with max reauth count reached")
1193 eap_reauth(dev
[0], "AKA'")
1195 def test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev
, apdev
):
1196 """EAP-AKA' with external UMTS auth and auth failing"""
1198 _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev
, apdev
)
1200 dev
[0].request("SET external_sim 0")
1202 def _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev
, apdev
):
1203 check_hlr_auc_gw_support()
1204 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1205 hostapd
.add_ap(apdev
[0], params
)
1206 dev
[0].request("SET external_sim 1")
1207 id = dev
[0].connect("test-wpa2-eap", eap
="AKA'", key_mgmt
="WPA-EAP",
1208 identity
="6555444333222111",
1209 wait_connect
=False, scan_freq
="2412")
1211 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1213 raise Exception("Wait for external SIM processing request timed out")
1214 p
= ev
.split(':', 2)
1215 rid
= p
[0].split('-')[3]
1216 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-FAIL")
1217 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
1219 raise Exception("EAP failure not reported")
1220 dev
[0].request("REMOVE_NETWORK all")
1221 dev
[0].wait_disconnected()
1223 def test_ap_wpa2_eap_aka_prime_ext(dev
, apdev
):
1224 """EAP-AKA' with external UMTS auth to hit Synchronization-Failure"""
1226 _test_ap_wpa2_eap_aka_prime_ext(dev
, apdev
)
1228 dev
[0].request("SET external_sim 0")
1230 def _test_ap_wpa2_eap_aka_prime_ext(dev
, apdev
):
1231 check_hlr_auc_gw_support()
1232 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1233 hostapd
.add_ap(apdev
[0], params
)
1234 dev
[0].request("SET external_sim 1")
1235 id = dev
[0].connect("test-wpa2-eap", eap
="AKA'", key_mgmt
="WPA-EAP",
1236 identity
="6555444333222111",
1237 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1238 wait_connect
=False, scan_freq
="2412")
1239 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
1241 raise Exception("Network connected timed out")
1243 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1245 raise Exception("Wait for external SIM processing request timed out")
1246 p
= ev
.split(':', 2)
1247 if p
[1] != "UMTS-AUTH":
1248 raise Exception("Unexpected CTRL-REQ-SIM type")
1249 rid
= p
[0].split('-')[3]
1250 # This will fail during UMTS auth validation
1251 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:112233445566778899aabbccddee"):
1252 raise Exception("CTRL-RSP-SIM failed")
1253 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1255 raise Exception("Wait for external SIM processing request timed out")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # Sanity check of GET_CONFIG: the first listed AKM has to be WPA-EAP.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.partition(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    # PAP carries the cleartext password inside the TLS tunnel, so the CA
    # certificate is what protects it here.
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")

    # 00-0f-ac-1 is the IEEE 802.1X AKM suite selector; both the requested
    # and the selected suite are expected to report it.
    expected_mib = [
        ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
        ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1"),
    ]
    check_mib(dev[0], expected_mib)
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    # Both matching options depend on the TLS library in use; skip otherwise.
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # Server certificate must satisfy both the subject DN and the SAN list
    # for the connection to succeed.
    cert_checks = {
        "subject_match": "/C=FI/O=w1.fi/CN=server.w1.fi",
        "altsubject_match": "EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
    }
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                **cert_checks)
    eap_reauth(dev[0], "TTLS")
1285 def test_ap_wpa2_eap_ttls_pap_check_cert_subject(dev
, apdev
):
1286 """EAP-TTLS/PAP and check_cert_subject"""
1287 check_check_cert_subject_support(dev
[0])
1288 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1289 hapd
= hostapd
.add_ap(apdev
[0], params
)
1290 tests
= [ "C=FI/O=w1.fi/CN=server.w1.fi",
1292 "C=FI/CN=server.w1.fi",
1293 "O=w1.fi/CN=server.w1.fi",
1300 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
1301 anonymous_identity
="ttls", password
="password",
1302 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
1303 check_cert_subject
=test
)
1304 dev
[0].request("REMOVE_NETWORK all")
1305 dev
[0].wait_disconnected()
1306 dev
[0].dump_monitor()
1308 def test_ap_wpa2_eap_ttls_pap_check_cert_subject_neg(dev
, apdev
):
1309 """EAP-TTLS/PAP and check_cert_subject (negative)"""
1310 check_check_cert_subject_support(dev
[0])
1311 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1312 hapd
= hostapd
.add_ap(apdev
[0], params
)
1322 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
1323 anonymous_identity
="ttls", password
="password",
1324 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
1325 expect_failure
=True, expect_cert_error
=12,
1326 check_cert_subject
=test
)
1327 dev
[0].request("REMOVE_NETWORK all")
1328 dev
[0].dump_monitor()
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # Both attempts must be rejected by the server.
    ttls_pap = dict(anonymous_identity="ttls",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                    expect_failure=True)
    # Right identity, wrong password.
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                password="wrong", **ttls_pap)
    # Identity "user" with the correct password is expected to fail as well
    # (presumably not provisioned for PAP on the server side).
    eap_connect(dev[1], hapd, "TTLS", "user",
                password="password", **ttls_pap)
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # CHAP is not run in FIPS mode.
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Uses the DER-encoded CA certificate (ca.der), unlike most TTLS tests
    # here which use ca.pem.
    eap_connect(dev[0], hapd, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and altsubject_match"""
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Same SAN entries as the PAP variant, listed in a different order.
    san_list = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], hapd, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=san_list)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    ttls_chap = dict(anonymous_identity="ttls",
                     ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                     expect_failure=True)
    # Wrong password for the CHAP user.
    eap_connect(dev[0], hapd, "TTLS", "chap user",
                password="wrong", **ttls_chap)
    # Correct password but identity "user"; still expected to fail.
    eap_connect(dev[1], hapd, "TTLS", "user",
                password="password", **ttls_chap)
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    skip_with_fips(dev[0])
    check_domain_suffix_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    ttls_mschap = dict(anonymous_identity="ttls",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")

    # 1) plain password plus server name check via domain_suffix_match
    eap_connect(dev[0], hapd, "TTLS", "mschap user",
                password="password", domain_suffix_match="server.w1.fi",
                **ttls_mschap)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # NOTE(review): unlike the second REMOVE_NETWORK below, this one is not
    # followed by wait_disconnected() -- kept as in the original.
    dev[0].request("REMOVE_NETWORK all")

    # 2) small fragment_size, presumably to exercise EAP fragmentation
    eap_connect(dev[0], hapd, "TTLS", "mschap user",
                password="password", fragment_size="200",
                **ttls_mschap)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # 3) credential given as the "hash:" (NT hash) form instead of cleartext
    eap_connect(dev[0], hapd, "TTLS", "mschap user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **ttls_mschap)
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    ttls_mschap = dict(anonymous_identity="ttls",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                       expect_failure=True)
    # Three stations, three ways to be rejected: wrong password, identity
    # not valid for this inner method, and an unknown identity.
    negative_cases = [
        (dev[0], "mschap user", "wrong"),
        (dev[1], "user", "password"),
        (dev[2], "no such user", "password"),
    ]
    for sta, identity, password in negative_cases:
        eap_connect(sta, hapd, "TTLS", identity,
                    password=password, **ttls_mschap)
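def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # Identity in DOMAIN\user form. The backslash is doubled: "\m" is not a
    # valid escape, so the single-backslash literal produced the same string
    # but raised an invalid-escape-sequence warning (SyntaxWarning on newer
    # Python versions).
    identity = "DOMAIN\\mschapv2 user"

    eap_connect(dev[0], hapd, "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)

    # Snapshot the AP-side station/EAPOL counters, reauthenticate and check
    # that the counters moved in the expected direction.
    addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(addr)
    eapol1 = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(addr)
    eapol2 = hapd.get_sta(addr, info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    # Same user, credential supplied as the "hash:" (NT hash) form.
    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")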
1452 def test_ap_wpa2_eap_ttls_invalid_phase2(dev
, apdev
):
1453 """EAP-TTLS with invalid phase2 parameter values"""
1454 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1455 hostapd
.add_ap(apdev
[0], params
)
1456 tests
= [ "auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
1457 "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
1458 "autheap=MD5 autheap=FOO autheap=MSCHAPV2" ]
1460 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1461 identity
="DOMAIN\mschapv2 user",
1462 anonymous_identity
="ttls", password
="password",
1463 ca_cert
="auth_serv/ca.pem", phase2
=t
,
1464 wait_connect
=False, scan_freq
="2412")
1465 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout
=10)
1466 if ev
is None or "method=21" not in ev
:
1467 raise Exception("EAP-TTLS not started")
1468 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method",
1469 "CTRL-EVENT-CONNECTED"], timeout
=5)
1470 if ev
is None or "CTRL-EVENT-CONNECTED" in ev
:
1471 raise Exception("No EAP-TTLS failure reported for phase2=" + t
)
1472 dev
[0].request("REMOVE_NETWORK all")
1473 dev
[0].wait_disconnected()
1474 dev
[0].dump_monitor()
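def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_suffix_match)"""
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Backslash doubled: "\m" is not a valid escape, so the value is unchanged
    # but the invalid-escape-sequence warning is gone.
    # domain_suffix_match is given only the parent domain; the server
    # certificate name (server.w1.fi) is expected to match by suffix.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")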
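def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Backslash doubled: "\m" is not a valid escape, so the value is unchanged
    # but the invalid-escape-sequence warning is gone.
    # domain_match requires a full name match; the mixed-case value
    # presumably exercises case-insensitive comparison against server.w1.fi.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")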
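def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Backslash doubled: "\m" is not a valid escape, so the value is unchanged
    # but the invalid-escape-sequence warning is gone.
    # Wrong password ("password1") for the MSCHAPv2 user.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
    # Correct password but identity "user"; still expected to be rejected.
    eap_connect(dev[1], hapd, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)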
1516 def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev
, apdev
):
1517 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
1518 skip_with_fips(dev
[0])
1519 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1520 hapd
= hostapd
.add_ap(apdev
[0], params
)
1521 eap_connect(dev
[0], hapd
, "TTLS", "utf8-user-hash",
1522 anonymous_identity
="ttls", password
="secret-åäö-€-password",
1523 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
1524 eap_connect(dev
[1], hapd
, "TTLS", "utf8-user",
1525 anonymous_identity
="ttls",
1526 password_hex
="hash:bd5844fad2489992da7fe8c5a01559cf",
1527 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
1528 for p
in [ "80", "41c041e04141e041", 257*"41" ]:
1529 dev
[2].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
1530 eap
="TTLS", identity
="utf8-user-hash",
1531 anonymous_identity
="ttls", password_hex
=p
,
1532 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1533 wait_connect
=False, scan_freq
="2412")
1534 ev
= dev
[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=1)
1536 raise Exception("No failure reported")
1537 dev
[2].request("REMOVE_NETWORK all")
1538 dev
[2].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Inner EAP method (autheap=) rather than a plain PAP/CHAP-style phase 2.
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], hapd, "TTLS", "user", **inner)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Wrong password for the GTC user; the connection must fail.
    eap_connect(dev[0], hapd, "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # The station offers a password, but the identity is one the server
    # presumably has no password configured for; it must be rejected.
    gtc_user = "user-no-passwd"
    eap_connect(dev[0], hapd, "TTLS", gtc_user,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)
1568 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev
, apdev
):
1569 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
1570 params
= int_eap_server_params()
1571 hapd
= hostapd
.add_ap(apdev
[0], params
)
1572 with
alloc_fail(hapd
, 1, "eap_gtc_init"):
1573 eap_connect(dev
[0], hapd
, "TTLS", "user",
1574 anonymous_identity
="ttls", password
="password",
1575 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1576 expect_failure
=True)
1577 dev
[0].request("REMOVE_NETWORK all")
1579 with
alloc_fail(hapd
, 1, "eap_gtc_buildReq"):
1580 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1581 eap
="TTLS", identity
="user",
1582 anonymous_identity
="ttls", password
="password",
1583 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1584 wait_connect
=False, scan_freq
="2412")
1585 # This would eventually time out, but we can stop after having reached
1586 # the allocation failure.
1589 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1592 def test_ap_wpa2_eap_ttls_eap_gtc_oom(dev
, apdev
):
1593 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC (OOM)"""
1594 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1595 hapd
= hostapd
.add_ap(apdev
[0], params
)
1597 tests
= [ "eap_gtc_init",
1598 "eap_msg_alloc;eap_gtc_process" ]
1600 with
alloc_fail(dev
[0], 1, func
):
1601 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
1603 eap
="TTLS", identity
="user",
1604 anonymous_identity
="ttls", password
="password",
1605 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1607 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
1608 dev
[0].request("REMOVE_NETWORK all")
1609 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    # EAP-MD5 may be compiled out; skip rather than fail in that case.
    check_eap_capa(dev[0], "MD5")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], hapd, "TTLS", "user", **inner)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Wrong password for the MD5 user; the connection must fail.
    eap_connect(dev[0], hapd, "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Identity the server presumably has no password for; the station's
    # password must not let it in.
    md5_user = "user-no-passwd"
    eap_connect(dev[0], hapd, "TTLS", md5_user,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
1642 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev
, apdev
):
1643 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1644 check_eap_capa(dev
[0], "MD5")
1645 params
= int_eap_server_params()
1646 hapd
= hostapd
.add_ap(apdev
[0], params
)
1647 with
alloc_fail(hapd
, 1, "eap_md5_init"):
1648 eap_connect(dev
[0], hapd
, "TTLS", "user",
1649 anonymous_identity
="ttls", password
="password",
1650 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
1651 expect_failure
=True)
1652 dev
[0].request("REMOVE_NETWORK all")
1654 with
alloc_fail(hapd
, 1, "eap_md5_buildReq"):
1655 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1656 eap
="TTLS", identity
="user",
1657 anonymous_identity
="ttls", password
="password",
1658 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
1659 wait_connect
=False, scan_freq
="2412")
1660 # This would eventually time out, but we can stop after having reached
1661 # the allocation failure.
1664 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1667 def test_ap_wpa2_eap_ttls_eap_mschapv2(dev
, apdev
):
1668 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
1669 check_eap_capa(dev
[0], "MSCHAPV2")
1670 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1671 hapd
= hostapd
.add_ap(apdev
[0], params
)
1672 eap_connect(dev
[0], hapd
, "TTLS", "user",
1673 anonymous_identity
="ttls", password
="password",
1674 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2")
1675 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1676 eap_reauth(dev
[0], "TTLS")
1678 logger
.info("Negative test with incorrect password")
1679 dev
[0].request("REMOVE_NETWORK all")
1680 eap_connect(dev
[0], hapd
, "TTLS", "user",
1681 anonymous_identity
="ttls", password
="password1",
1682 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1683 expect_failure
=True)
1685 def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev
, apdev
):
1686 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
1687 check_eap_capa(dev
[0], "MSCHAPV2")
1688 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1689 hapd
= hostapd
.add_ap(apdev
[0], params
)
1690 eap_connect(dev
[0], hapd
, "TTLS", "user-no-passwd",
1691 anonymous_identity
="ttls", password
="password",
1692 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1693 expect_failure
=True)
1695 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev
, apdev
):
1696 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
1697 check_eap_capa(dev
[0], "MSCHAPV2")
1698 params
= int_eap_server_params()
1699 hapd
= hostapd
.add_ap(apdev
[0], params
)
1700 with
alloc_fail(hapd
, 1, "eap_mschapv2_init"):
1701 eap_connect(dev
[0], hapd
, "TTLS", "user",
1702 anonymous_identity
="ttls", password
="password",
1703 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1704 expect_failure
=True)
1705 dev
[0].request("REMOVE_NETWORK all")
1707 with
alloc_fail(hapd
, 1, "eap_mschapv2_build_challenge"):
1708 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1709 eap
="TTLS", identity
="user",
1710 anonymous_identity
="ttls", password
="password",
1711 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1712 wait_connect
=False, scan_freq
="2412")
1713 # This would eventually time out, but we can stop after having reached
1714 # the allocation failure.
1717 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1719 dev
[0].request("REMOVE_NETWORK all")
1721 with
alloc_fail(hapd
, 1, "eap_mschapv2_build_success_req"):
1722 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1723 eap
="TTLS", identity
="user",
1724 anonymous_identity
="ttls", password
="password",
1725 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1726 wait_connect
=False, scan_freq
="2412")
1727 # This would eventually time out, but we can stop after having reached
1728 # the allocation failure.
1731 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1733 dev
[0].request("REMOVE_NETWORK all")
1735 with
alloc_fail(hapd
, 1, "eap_mschapv2_build_failure_req"):
1736 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1737 eap
="TTLS", identity
="user",
1738 anonymous_identity
="ttls", password
="wrong",
1739 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1740 wait_connect
=False, scan_freq
="2412")
1741 # This would eventually time out, but we can stop after having reached
1742 # the allocation failure.
1745 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1747 dev
[0].request("REMOVE_NETWORK all")
1749 def test_ap_wpa2_eap_ttls_eap_sim(dev
, apdev
):
1750 """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM"""
1751 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1752 hapd
= hostapd
.add_ap(apdev
[0], params
)
1753 eap_connect(dev
[0], hapd
, "TTLS", "1232010000000000",
1754 anonymous_identity
="1232010000000000@ttls",
1755 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
1756 ca_cert
="auth_serv/ca.pem", phase2
="autheap=SIM")
1757 eap_reauth(dev
[0], "TTLS")
1759 def run_ext_sim_auth(dev
):
1760 ev
= dev
.wait_event(["CTRL-REQ-SIM"], timeout
=15)
1762 raise Exception("Wait for external SIM processing request timed out")
1763 p
= ev
.split(':', 2)
1764 if p
[1] != "GSM-AUTH":
1765 raise Exception("Unexpected CTRL-REQ-SIM type")
1766 rid
= p
[0].split('-')[3]
1767 rand
= p
[2].split(' ')[0]
1769 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
1771 "auth_serv/hlr_auc_gw.milenage_db",
1772 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
1773 if "GSM-AUTH-RESP" not in res
:
1774 raise Exception("Unexpected hlr_auc_gw response")
1775 resp
= res
.split(' ')[2].rstrip()
1777 dev
.request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
1778 dev
.wait_connected(timeout
=15)
1781 dev
.request("REAUTHENTICATE")
1782 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=5)
1784 raise Exception("EAP reauthentication did not succeed")
1785 ev
= dev
.wait_event(["WPA: Key negotiation completed"], timeout
=5)
1787 raise Exception("Key negotiation did not complete")
1790 def test_ap_wpa2_eap_ttls_eap_sim_ext(dev
, apdev
):
1791 """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM and external GSM auth"""
1792 check_hlr_auc_gw_support()
1794 run_ap_wpa2_eap_ttls_eap_sim_ext(dev
, apdev
)
1796 dev
[0].request("SET external_sim 0")
1798 def run_ap_wpa2_eap_ttls_eap_sim_ext(dev
, apdev
):
1799 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1800 hapd
= hostapd
.add_ap(apdev
[0], params
)
1801 dev
[0].request("SET external_sim 1")
1802 dev
[0].connect("test-wpa2-eap", eap
="TTLS", key_mgmt
="WPA-EAP",
1803 identity
="1232010000000000",
1804 anonymous_identity
="1232010000000000@ttls",
1805 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
1806 ca_cert
="auth_serv/ca.pem", phase2
="autheap=SIM",
1807 wait_connect
=False, scan_freq
="2412")
1808 run_ext_sim_auth(dev
[0])
1810 def test_ap_wpa2_eap_peap_eap_sim(dev
, apdev
):
1811 """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM"""
1812 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1813 hapd
= hostapd
.add_ap(apdev
[0], params
)
1814 eap_connect(dev
[0], hapd
, "PEAP", "1232010000000000",
1815 anonymous_identity
="1232010000000000@peap",
1816 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
1817 ca_cert
="auth_serv/ca.pem", phase2
="auth=SIM")
1818 eap_reauth(dev
[0], "PEAP")
1820 def test_ap_wpa2_eap_peap_eap_sim_ext(dev
, apdev
):
1821 """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM and external GSM auth"""
1822 check_hlr_auc_gw_support()
1824 run_ap_wpa2_eap_peap_eap_sim_ext(dev
, apdev
)
1826 dev
[0].request("SET external_sim 0")
1828 def run_ap_wpa2_eap_peap_eap_sim_ext(dev
, apdev
):
1829 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1830 hapd
= hostapd
.add_ap(apdev
[0], params
)
1831 dev
[0].request("SET external_sim 1")
1832 dev
[0].connect("test-wpa2-eap", eap
="PEAP", key_mgmt
="WPA-EAP",
1833 identity
="1232010000000000",
1834 anonymous_identity
="1232010000000000@peap",
1835 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
1836 ca_cert
="auth_serv/ca.pem", phase2
="auth=SIM",
1837 wait_connect
=False, scan_freq
="2412")
1838 run_ext_sim_auth(dev
[0])
1840 def test_ap_wpa2_eap_fast_eap_sim(dev
, apdev
):
1841 """WPA2-Enterprise connection using EAP-FAST/EAP-SIM"""
1842 check_eap_capa(dev
[0], "FAST")
1843 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1844 hapd
= hostapd
.add_ap(apdev
[0], params
)
1845 eap_connect(dev
[0], hapd
, "FAST", "1232010000000000",
1846 anonymous_identity
="1232010000000000@fast",
1847 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
1848 phase1
="fast_provisioning=2",
1849 pac_file
="blob://fast_pac_auth_sim",
1850 ca_cert
="auth_serv/ca.pem", phase2
="auth=SIM")
1851 eap_reauth(dev
[0], "FAST")
1853 def test_ap_wpa2_eap_fast_eap_sim_ext(dev
, apdev
):
1854 """WPA2-Enterprise connection using EAP-FAST/EAP-SIM and external GSM auth"""
1855 check_hlr_auc_gw_support()
1857 run_ap_wpa2_eap_fast_eap_sim_ext(dev
, apdev
)
1859 dev
[0].request("SET external_sim 0")
1861 def run_ap_wpa2_eap_fast_eap_sim_ext(dev
, apdev
):
1862 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1863 hapd
= hostapd
.add_ap(apdev
[0], params
)
1864 dev
[0].request("SET external_sim 1")
1865 dev
[0].connect("test-wpa2-eap", eap
="PEAP", key_mgmt
="WPA-EAP",
1866 identity
="1232010000000000",
1867 anonymous_identity
="1232010000000000@peap",
1868 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
1869 phase1
="fast_provisioning=2",
1870 pac_file
="blob://fast_pac_auth_sim",
1871 ca_cert
="auth_serv/ca.pem", phase2
="auth=SIM",
1872 wait_connect
=False, scan_freq
="2412")
1873 run_ext_sim_auth(dev
[0])
1875 def test_ap_wpa2_eap_ttls_eap_aka(dev
, apdev
):
1876 """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
1877 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1878 hapd
= hostapd
.add_ap(apdev
[0], params
)
1879 eap_connect(dev
[0], hapd
, "TTLS", "0232010000000000",
1880 anonymous_identity
="0232010000000000@ttls",
1881 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1882 ca_cert
="auth_serv/ca.pem", phase2
="autheap=AKA")
1883 eap_reauth(dev
[0], "TTLS")
1885 def test_ap_wpa2_eap_peap_eap_aka(dev
, apdev
):
1886 """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
1887 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1888 hapd
= hostapd
.add_ap(apdev
[0], params
)
1889 eap_connect(dev
[0], hapd
, "PEAP", "0232010000000000",
1890 anonymous_identity
="0232010000000000@peap",
1891 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1892 ca_cert
="auth_serv/ca.pem", phase2
="auth=AKA")
1893 eap_reauth(dev
[0], "PEAP")
1895 def test_ap_wpa2_eap_fast_eap_aka(dev
, apdev
):
1896 """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
1897 check_eap_capa(dev
[0], "FAST")
1898 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1899 hapd
= hostapd
.add_ap(apdev
[0], params
)
1900 eap_connect(dev
[0], hapd
, "FAST", "0232010000000000",
1901 anonymous_identity
="0232010000000000@fast",
1902 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1903 phase1
="fast_provisioning=2",
1904 pac_file
="blob://fast_pac_auth_aka",
1905 ca_cert
="auth_serv/ca.pem", phase2
="auth=AKA")
1906 eap_reauth(dev
[0], "FAST")
1908 def test_ap_wpa2_eap_peap_eap_mschapv2(dev
, apdev
):
1909 """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
1910 check_eap_capa(dev
[0], "MSCHAPV2")
1911 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1912 hapd
= hostapd
.add_ap(apdev
[0], params
)
1913 eap_connect(dev
[0], hapd
, "PEAP", "user",
1914 anonymous_identity
="peap", password
="password",
1915 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
1916 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1917 eap_reauth(dev
[0], "PEAP")
1918 dev
[0].request("REMOVE_NETWORK all")
1919 eap_connect(dev
[0], hapd
, "PEAP", "user",
1920 anonymous_identity
="peap", password
="password",
1921 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1922 fragment_size
="200")
1924 logger
.info("Password as hash value")
1925 dev
[0].request("REMOVE_NETWORK all")
1926 eap_connect(dev
[0], hapd
, "PEAP", "user",
1927 anonymous_identity
="peap",
1928 password_hex
="hash:8846f7eaee8fb117ad06bdd830b7586c",
1929 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
1931 logger
.info("Negative test with incorrect password")
1932 dev
[0].request("REMOVE_NETWORK all")
1933 eap_connect(dev
[0], hapd
, "PEAP", "user",
1934 anonymous_identity
="peap", password
="password1",
1935 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1936 expect_failure
=True)
1938 def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev
, apdev
):
1939 """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
1940 check_eap_capa(dev
[0], "MSCHAPV2")
1941 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1942 hapd
= hostapd
.add_ap(apdev
[0], params
)
1943 eap_connect(dev
[0], hapd
, "PEAP", r
"DOMAIN\user3",
1944 anonymous_identity
="peap", password
="password",
1945 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
1946 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1947 eap_reauth(dev
[0], "PEAP")
1949 def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev
, apdev
):
1950 """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
1951 check_eap_capa(dev
[0], "MSCHAPV2")
1952 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1953 hapd
= hostapd
.add_ap(apdev
[0], params
)
1954 eap_connect(dev
[0], hapd
, "PEAP", "user",
1955 anonymous_identity
="peap", password
="wrong",
1956 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1957 expect_failure
=True)
1959 def test_ap_wpa2_eap_peap_crypto_binding(dev
, apdev
):
1960 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
1961 check_eap_capa(dev
[0], "MSCHAPV2")
1962 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1963 hapd
= hostapd
.add_ap(apdev
[0], params
)
1964 eap_connect(dev
[0], hapd
, "PEAP", "user", password
="password",
1965 ca_cert
="auth_serv/ca.pem",
1966 phase1
="peapver=0 crypto_binding=2",
1967 phase2
="auth=MSCHAPV2")
1968 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1969 eap_reauth(dev
[0], "PEAP")
1971 eap_connect(dev
[1], hapd
, "PEAP", "user", password
="password",
1972 ca_cert
="auth_serv/ca.pem",
1973 phase1
="peapver=0 crypto_binding=1",
1974 phase2
="auth=MSCHAPV2")
1975 eap_connect(dev
[2], hapd
, "PEAP", "user", password
="password",
1976 ca_cert
="auth_serv/ca.pem",
1977 phase1
="peapver=0 crypto_binding=0",
1978 phase2
="auth=MSCHAPV2")
1980 def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev
, apdev
):
1981 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
1982 check_eap_capa(dev
[0], "MSCHAPV2")
1983 params
= int_eap_server_params()
1984 hapd
= hostapd
.add_ap(apdev
[0], params
)
1985 with
alloc_fail(hapd
, 1, "eap_mschapv2_getKey"):
1986 eap_connect(dev
[0], hapd
, "PEAP", "user", password
="password",
1987 ca_cert
="auth_serv/ca.pem",
1988 phase1
="peapver=0 crypto_binding=2",
1989 phase2
="auth=MSCHAPV2",
1990 expect_failure
=True, local_error_report
=True)
1992 def test_ap_wpa2_eap_peap_params(dev
, apdev
):
1993 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
1994 check_eap_capa(dev
[0], "MSCHAPV2")
1995 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1996 hapd
= hostapd
.add_ap(apdev
[0], params
)
1997 eap_connect(dev
[0], hapd
, "PEAP", "user",
1998 anonymous_identity
="peap", password
="password",
1999 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2000 phase1
="peapver=0 peaplabel=1",
2001 expect_failure
=True)
2002 dev
[0].request("REMOVE_NETWORK all")
2003 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
2005 anonymous_identity
="peap", password
="password",
2006 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2007 phase1
="peap_outer_success=0",
2008 wait_connect
=False, scan_freq
="2412")
2009 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
2011 raise Exception("No EAP success seen")
2012 # This won't succeed to connect with peap_outer_success=0, so stop here.
2013 dev
[0].request("REMOVE_NETWORK all")
2014 dev
[0].wait_disconnected()
2015 eap_connect(dev
[1], hapd
, "PEAP", "user", password
="password",
2016 ca_cert
="auth_serv/ca.pem",
2017 phase1
="peap_outer_success=1",
2018 phase2
="auth=MSCHAPV2")
2019 eap_connect(dev
[2], hapd
, "PEAP", "user", password
="password",
2020 ca_cert
="auth_serv/ca.pem",
2021 phase1
="peap_outer_success=2",
2022 phase2
="auth=MSCHAPV2")
2023 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
2025 anonymous_identity
="peap", password
="password",
2026 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2027 phase1
="peapver=1 peaplabel=1",
2028 wait_connect
=False, scan_freq
="2412")
2029 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
2031 raise Exception("No EAP success seen")
2032 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
2033 "CTRL-EVENT-DISCONNECTED"], timeout
=1)
2034 if ev
and "CTRL-EVENT-CONNECTED" in ev
:
2035 raise Exception("Unexpected connection")
2036 dev
[0].request("REMOVE_NETWORK all")
2037 dev
[0].request("ABORT_SCAN")
2039 tests
= [ ("peap-ver0", ""),
2041 ("peap-ver0", "peapver=0"),
2042 ("peap-ver1", "peapver=1") ]
2043 for anon
,phase1
in tests
:
2044 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
2045 identity
="user", anonymous_identity
=anon
,
2046 password
="password", phase1
=phase1
,
2047 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2049 dev
[0].request("REMOVE_NETWORK all")
2050 dev
[0].wait_disconnected()
2052 tests
= [ ("peap-ver0", "peapver=1"),
2053 ("peap-ver1", "peapver=0") ]
2054 for anon
,phase1
in tests
:
2055 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
2056 identity
="user", anonymous_identity
=anon
,
2057 password
="password", phase1
=phase1
,
2058 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2059 wait_connect
=False, scan_freq
="2412")
2060 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
2062 raise Exception("No EAP-Failure seen")
2063 dev
[0].request("REMOVE_NETWORK all")
2064 dev
[0].wait_disconnected()
2066 eap_connect(dev
[0], hapd
, "PEAP", "user", password
="password",
2067 ca_cert
="auth_serv/ca.pem",
2068 phase1
="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
2069 phase2
="auth=MSCHAPV2")
2071 def test_ap_wpa2_eap_peap_eap_gtc(dev
, apdev
, params
):
2072 """WPA2-Enterprise connection using EAP-PEAP/EAP-GTC"""
2073 p
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2074 hapd
= hostapd
.add_ap(apdev
[0], p
)
2075 eap_connect(dev
[0], hapd
, "PEAP", "user", phase1
="peapver=1",
2076 anonymous_identity
="peap", password
="password",
2077 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC")
2079 def test_ap_wpa2_eap_peap_eap_tls(dev
, apdev
):
2080 """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
2081 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2082 hapd
= hostapd
.add_ap(apdev
[0], params
)
2083 eap_connect(dev
[0], hapd
, "PEAP", "cert user",
2084 ca_cert
="auth_serv/ca.pem", phase2
="auth=TLS",
2085 ca_cert2
="auth_serv/ca.pem",
2086 client_cert2
="auth_serv/user.pem",
2087 private_key2
="auth_serv/user.key")
2088 eap_reauth(dev
[0], "PEAP")
2090 def test_ap_wpa2_eap_tls(dev
, apdev
):
2091 """WPA2-Enterprise connection using EAP-TLS"""
2092 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2093 hapd
= hostapd
.add_ap(apdev
[0], params
)
2094 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
2095 client_cert
="auth_serv/user.pem",
2096 private_key
="auth_serv/user.key")
2097 eap_reauth(dev
[0], "TLS")
2099 def test_eap_tls_pkcs8_pkcs5_v2_des3(dev
, apdev
):
2100 """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
2101 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2102 hapd
= hostapd
.add_ap(apdev
[0], params
)
2103 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
2104 client_cert
="auth_serv/user.pem",
2105 private_key
="auth_serv/user.key.pkcs8",
2106 private_key_passwd
="whatever")
2108 def test_eap_tls_pkcs8_pkcs5_v15(dev
, apdev
):
2109 """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
2110 check_pkcs5_v15_support(dev
[0])
2111 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2112 hapd
= hostapd
.add_ap(apdev
[0], params
)
2113 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
2114 client_cert
="auth_serv/user.pem",
2115 private_key
="auth_serv/user.key.pkcs8.pkcs5v15",
2116 private_key_passwd
="whatever")
2118 def test_ap_wpa2_eap_tls_blob(dev
, apdev
):
2119 """WPA2-Enterprise connection using EAP-TLS and config blobs"""
2120 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2121 hapd
= hostapd
.add_ap(apdev
[0], params
)
2122 cert
= read_pem("auth_serv/ca.pem")
2123 if "OK" not in dev
[0].request("SET blob cacert " + binascii
.hexlify(cert
).decode()):
2124 raise Exception("Could not set cacert blob")
2125 cert
= read_pem("auth_serv/user.pem")
2126 if "OK" not in dev
[0].request("SET blob usercert " + binascii
.hexlify(cert
).decode()):
2127 raise Exception("Could not set usercert blob")
2128 key
= read_pem("auth_serv/user.rsa-key")
2129 if "OK" not in dev
[0].request("SET blob userkey " + binascii
.hexlify(key
).decode()):
2130 raise Exception("Could not set cacert blob")
2131 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="blob://cacert",
2132 client_cert
="blob://usercert",
2133 private_key
="blob://userkey")
2135 def test_ap_wpa2_eap_tls_blob_missing(dev
, apdev
):
2136 """EAP-TLS and config blob missing"""
2137 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2138 hostapd
.add_ap(apdev
[0], params
)
2139 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2140 identity
="tls user",
2141 ca_cert
="blob://testing-blob-does-not-exist",
2142 client_cert
="blob://testing-blob-does-not-exist",
2143 private_key
="blob://testing-blob-does-not-exist",
2144 wait_connect
=False, scan_freq
="2412")
2145 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"], timeout
=10)
2147 raise Exception("EAP failure not reported")
2148 dev
[0].request("REMOVE_NETWORK all")
2149 dev
[0].wait_disconnected()
2151 def test_ap_wpa2_eap_tls_with_tls_len(dev
, apdev
):
2152 """EAP-TLS and TLS Message Length in unfragmented packets"""
2153 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2154 hapd
= hostapd
.add_ap(apdev
[0], params
)
2155 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
2156 phase1
="include_tls_length=1",
2157 client_cert
="auth_serv/user.pem",
2158 private_key
="auth_serv/user.key")
2160 def test_ap_wpa2_eap_tls_pkcs12(dev
, apdev
):
2161 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
2162 check_pkcs12_support(dev
[0])
2163 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2164 hapd
= hostapd
.add_ap(apdev
[0], params
)
2165 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
2166 private_key
="auth_serv/user.pkcs12",
2167 private_key_passwd
="whatever")
2168 dev
[0].request("REMOVE_NETWORK all")
2169 dev
[0].wait_disconnected()
2171 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2172 identity
="tls user",
2173 ca_cert
="auth_serv/ca.pem",
2174 private_key
="auth_serv/user.pkcs12",
2175 wait_connect
=False, scan_freq
="2412")
2176 ev
= dev
[0].wait_event(["CTRL-REQ-PASSPHRASE"])
2178 raise Exception("Request for private key passphrase timed out")
2179 id = ev
.split(':')[0].split('-')[-1]
2180 dev
[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
2181 dev
[0].wait_connected(timeout
=10)
2182 dev
[0].request("REMOVE_NETWORK all")
2183 dev
[0].wait_disconnected()
2185 # Run this twice to verify certificate chain handling with OpenSSL. Use two
2186 # different files to cover both cases of the extra certificate being the
2187 # one that signed the client certificate and it being unrelated to the
2188 # client certificate.
2189 for pkcs12
in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
2191 eap_connect(dev
[0], hapd
, "TLS", "tls user",
2192 ca_cert
="auth_serv/ca.pem",
2194 private_key_passwd
="whatever")
2195 dev
[0].request("REMOVE_NETWORK all")
2196 dev
[0].wait_disconnected()
2198 def test_ap_wpa2_eap_tls_pkcs12_blob(dev
, apdev
):
2199 """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
2200 check_pkcs12_support(dev
[0])
2201 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2202 hapd
= hostapd
.add_ap(apdev
[0], params
)
2203 cert
= read_pem("auth_serv/ca.pem")
2204 if "OK" not in dev
[0].request("SET blob cacert " + binascii
.hexlify(cert
).decode()):
2205 raise Exception("Could not set cacert blob")
2206 with
open("auth_serv/user.pkcs12", "rb") as f
:
2207 if "OK" not in dev
[0].request("SET blob pkcs12 " + binascii
.hexlify(f
.read()).decode()):
2208 raise Exception("Could not set pkcs12 blob")
2209 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="blob://cacert",
2210 private_key
="blob://pkcs12",
2211 private_key_passwd
="whatever")
2213 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev
, apdev
):
2214 """WPA2-Enterprise negative test - incorrect trust root"""
2215 check_eap_capa(dev
[0], "MSCHAPV2")
2216 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2217 hostapd
.add_ap(apdev
[0], params
)
2218 cert
= read_pem("auth_serv/ca-incorrect.pem")
2219 if "OK" not in dev
[0].request("SET blob cacert " + binascii
.hexlify(cert
).decode()):
2220 raise Exception("Could not set cacert blob")
2221 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2222 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2223 password
="password", phase2
="auth=MSCHAPV2",
2224 ca_cert
="blob://cacert",
2225 wait_connect
=False, scan_freq
="2412")
2226 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2227 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2228 password
="password", phase2
="auth=MSCHAPV2",
2229 ca_cert
="auth_serv/ca-incorrect.pem",
2230 wait_connect
=False, scan_freq
="2412")
2232 for dev
in (dev
[0], dev
[1]):
2233 ev
= dev
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2235 raise Exception("Association and EAP start timed out")
2237 ev
= dev
.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
2239 raise Exception("EAP method selection timed out")
2240 if "TTLS" not in ev
:
2241 raise Exception("Unexpected EAP method")
2243 ev
= dev
.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2244 "CTRL-EVENT-EAP-SUCCESS",
2245 "CTRL-EVENT-EAP-FAILURE",
2246 "CTRL-EVENT-CONNECTED",
2247 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2249 raise Exception("EAP result timed out")
2250 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
2251 raise Exception("TLS certificate error not reported")
2253 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS",
2254 "CTRL-EVENT-EAP-FAILURE",
2255 "CTRL-EVENT-CONNECTED",
2256 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2258 raise Exception("EAP result(2) timed out")
2259 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
2260 raise Exception("EAP failure not reported")
2262 ev
= dev
.wait_event(["CTRL-EVENT-CONNECTED",
2263 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2265 raise Exception("EAP result(3) timed out")
2266 if "CTRL-EVENT-DISCONNECTED" not in ev
:
2267 raise Exception("Disconnection not reported")
2269 ev
= dev
.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
2271 raise Exception("Network block disabling not reported")
2273 def test_ap_wpa2_eap_tls_diff_ca_trust(dev
, apdev
):
2274 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
2275 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2276 hapd
= hostapd
.add_ap(apdev
[0], params
)
2277 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2278 identity
="pap user", anonymous_identity
="ttls",
2279 password
="password", phase2
="auth=PAP",
2280 ca_cert
="auth_serv/ca.pem",
2281 wait_connect
=True, scan_freq
="2412")
2282 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2283 identity
="pap user", anonymous_identity
="ttls",
2284 password
="password", phase2
="auth=PAP",
2285 ca_cert
="auth_serv/ca-incorrect.pem",
2286 only_add_network
=True, scan_freq
="2412")
2288 dev
[0].request("DISCONNECT")
2289 dev
[0].wait_disconnected()
2290 dev
[0].dump_monitor()
2291 dev
[0].select_network(id, freq
="2412")
2293 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout
=15)
2295 raise Exception("EAP-TTLS not re-started")
2297 ev
= dev
[0].wait_disconnected(timeout
=15)
2298 if "reason=23" not in ev
:
2299 raise Exception("Proper reason code for disconnection not reported")
2301 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev
, apdev
):
2302 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
2303 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2304 hapd
= hostapd
.add_ap(apdev
[0], params
)
2305 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2306 identity
="pap user", anonymous_identity
="ttls",
2307 password
="password", phase2
="auth=PAP",
2308 wait_connect
=True, scan_freq
="2412")
2309 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2310 identity
="pap user", anonymous_identity
="ttls",
2311 password
="password", phase2
="auth=PAP",
2312 ca_cert
="auth_serv/ca-incorrect.pem",
2313 only_add_network
=True, scan_freq
="2412")
2315 dev
[0].request("DISCONNECT")
2316 dev
[0].wait_disconnected()
2317 dev
[0].dump_monitor()
2318 dev
[0].select_network(id, freq
="2412")
2320 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout
=15)
2322 raise Exception("EAP-TTLS not re-started")
2324 ev
= dev
[0].wait_disconnected(timeout
=15)
2325 if "reason=23" not in ev
:
2326 raise Exception("Proper reason code for disconnection not reported")
2328 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev
, apdev
):
2329 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
2330 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2331 hapd
= hostapd
.add_ap(apdev
[0], params
)
2332 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2333 identity
="pap user", anonymous_identity
="ttls",
2334 password
="password", phase2
="auth=PAP",
2335 ca_cert
="auth_serv/ca.pem",
2336 wait_connect
=True, scan_freq
="2412")
2337 dev
[0].request("DISCONNECT")
2338 dev
[0].wait_disconnected()
2339 dev
[0].dump_monitor()
2340 dev
[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
2341 dev
[0].select_network(id, freq
="2412")
2343 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout
=15)
2345 raise Exception("EAP-TTLS not re-started")
2347 ev
= dev
[0].wait_disconnected(timeout
=15)
2348 if "reason=23" not in ev
:
2349 raise Exception("Proper reason code for disconnection not reported")
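def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    # The server certificate chains to the trusted CA, but domain_suffix_match
    # names a suffix the certificate does not satisfy. The station has to
    # treat this as a server-identity failure: TLS certificate error, EAP
    # failure, disconnection and a temporarily disabled network block. The
    # MSCHAPv2 inner exchange should never be reached against an unverified
    # server.
    check_domain_suffix_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # "\\m" spells the backslash explicitly; the previous "\m" was an invalid
    # escape sequence (DeprecationWarning/SyntaxWarning depending on the
    # Python version) that only happened to evaluate to the same characters.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The certificate error must be the first outcome event; any success,
    # failure or (dis)connection before it means the check was skipped.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # The failing profile must be backed off, not retried immediately.
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")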
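def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch"""
    # Same shape as the suffix-mismatch test, but with domain_match, which
    # requires a full-domain match. A trusted-CA certificate whose domain
    # does not match must yield a TLS certificate error, EAP failure,
    # disconnection and a temporarily disabled network block.
    check_domain_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # "\\m" spells the backslash explicitly; "\m" was an invalid escape
    # sequence that only happened to keep the backslash.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The certificate error has to come before any success/failure/
    # connection event.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")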
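def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch"""
    # subject_match is configured with a subject the server certificate does
    # not have. Unlike the domain tests, no HwsimSkip is raised for TLS
    # libraries without subject_match support: on a non-OpenSSL build the
    # method may fail to initialize, which still fails closed and counts as
    # a pass. On OpenSSL the full cert-error/EAP-failure/disconnect/
    # temp-disable sequence is required.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # "\\m" spells the backslash explicitly; "\m" was an invalid escape
    # sequence that only happened to keep the backslash.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return

    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")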
2519 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev
, apdev
):
2520 """WPA2-Enterprise negative test - altsubject mismatch"""
2521 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2522 hostapd
.add_ap(apdev
[0], params
)
2524 tests
= [ "incorrect.example.com",
2525 "DNS:incorrect.example.com",
2529 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev
, apdev
, match
)
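def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    # One altsubject_match value that the server certificate's
    # subjectAltName does not satisfy. Expected: TLS certificate error with
    # "AltSubject mismatch", EAP failure, disconnection, temporarily disabled
    # network block. On a TLS library without altsubject_match support the
    # method failing to initialize is accepted, because the connection still
    # fails closed. The network block is removed on every exit path so the
    # caller can run the next value on a clean state.
    # "\\m" spells the backslash explicitly; "\m" was an invalid escape
    # sequence that only happened to keep the backslash.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        # Do not leave the failed profile behind for the next iteration.
        dev[0].request("REMOVE_NETWORK all")
        return

    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")

    dev[0].request("REMOVE_NETWORK all")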
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    # Only the CA certificate is configured on the station side; no client
    # credential is supplied. Initial connection and reauthentication must
    # both succeed.
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], "UNAUTH-TLS")
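def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
    # Three steps:
    #  1. A probe-only profile (ca_cert="probe://") makes the station report
    #     the server certificate's SHA-256 hash and then abort the handshake.
    #  2. A profile pinned to a different hash must be rejected with
    #     "Server certificate mismatch".
    #  3. A profile pinned to the probed hash must authenticate. In steps 2
    #     and 3 the hash pin is the only trust anchor; no CA is configured.
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    srv_cert_hash = "4704e62784f36cc5fd964c6410402f4938773bb471dce9d42939bf22fdbdb2dd"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # Step 1: probe the server certificate.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 2: wrong pin. "\\m" spells the backslash explicitly; "\m" was an
    # invalid escape sequence that only happened to keep the backslash.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 3: correct pin.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")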
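def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
    # Malformed hash:// pins must be rejected when the EAP method is
    # initialized, i.e. before any TLS exchange with the server, rather than
    # being ignored or partially matched. Three stations each try one
    # malformed pin; all three must report the method initialization failure.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    digest = "5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
    bad_pins = [
        # unsupported digest algorithm
        "hash://server/md5/" + digest,
        # truncated digest (62 hex digits instead of 64)
        "hash://server/sha256/" + digest[:-2],
        # non-hex character in the digest
        "hash://server/sha256/" + digest[:-1] + "Q",
    ]
    # "\\m" spells the backslash explicitly; "\m" was an invalid escape
    # sequence that only happened to keep the backslash.
    for i, pin in enumerate(bad_pins):
        dev[i].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                       password="password", phase2="auth=MSCHAPV2",
                       ca_cert=pin,
                       wait_connect=False, scan_freq="2412")
    for i in range(len(bad_pins)):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")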
2672 def test_ap_wpa2_eap_pwd(dev
, apdev
):
2673 """WPA2-Enterprise connection using EAP-pwd"""
2674 check_eap_capa(dev
[0], "PWD")
2675 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2676 hapd
= hostapd
.add_ap(apdev
[0], params
)
2677 eap_connect(dev
[0], hapd
, "PWD", "pwd user", password
="secret password")
2678 eap_reauth(dev
[0], "PWD")
2679 dev
[0].request("REMOVE_NETWORK all")
2681 eap_connect(dev
[1], hapd
, "PWD",
2682 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2683 password
="secret password",
2686 logger
.info("Negative test with incorrect password")
2687 eap_connect(dev
[2], hapd
, "PWD", "pwd user", password
="secret-password",
2688 expect_failure
=True, local_error_report
=True)
2690 eap_connect(dev
[0], hapd
, "PWD",
2691 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2692 password
="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash"""
    # Skipped under FIPS (the NT hash credential form is unavailable there).
    # Two stations authenticate as "pwd-hash": one with the plaintext
    # password, one with the precomputed NT hash given as
    # password_hex="hash:...". A third station presenting that same hash for
    # a different user ("pwd user") must fail.
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    nt_hash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    eap_connect(dev[0], ap, "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], ap, "PWD", "pwd-hash", password_hex=nt_hash)
    eap_connect(dev[2], ap, "PWD", "pwd user", password_hex=nt_hash,
                expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_pwd_salt_sha1(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and salted password SHA-1"""
    # The "pwd-hash-sha1" server-side user entry holds a salted SHA-1
    # password form; the station still supplies the plaintext password.
    check_eap_capa(dev[0], "PWD")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "PWD", "pwd-hash-sha1",
                password="secret password")
def test_ap_wpa2_eap_pwd_salt_sha256(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and salted password SHA256"""
    # Server-side user "pwd-hash-sha256" stores a salted SHA-256 password
    # form; the station supplies the plaintext password.
    check_eap_capa(dev[0], "PWD")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "PWD", "pwd-hash-sha256",
                password="secret password")
def test_ap_wpa2_eap_pwd_salt_sha512(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and salted password SHA512"""
    # Server-side user "pwd-hash-sha512" stores a salted SHA-512 password
    # form; the station supplies the plaintext password.
    check_eap_capa(dev[0], "PWD")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "PWD", "pwd-hash-sha512",
                password="secret password")
2732 def test_ap_wpa2_eap_pwd_groups(dev
, apdev
):
2733 """WPA2-Enterprise connection using various EAP-pwd groups"""
2734 check_eap_capa(dev
[0], "PWD")
2735 tls
= dev
[0].request("GET tls_library")
2736 params
= { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2737 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2738 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
2739 groups
= [ 19, 20, 21, 25, 26 ]
2740 if tls
.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls
and "run=OpenSSL 1.0.2" in tls
:
2741 logger
.info("Add Brainpool EC groups since OpenSSL is new enough")
2742 groups
+= [ 27, 28, 29, 30 ]
2743 if tls
.startswith("OpenSSL") and "build=OpenSSL 1.1" in tls
and "run=OpenSSL 1.1" in tls
:
2744 logger
.info("Add Brainpool EC groups since OpenSSL is new enough")
2745 groups
+= [ 27, 28, 29, 30 ]
2747 logger
.info("Group %d" % i
)
2748 params
['pwd_group'] = str(i
)
2749 hapd
= hostapd
.add_ap(apdev
[0], params
)
2751 eap_connect(dev
[0], hapd
, "PWD", "pwd user",
2752 password
="secret password")
2753 dev
[0].request("REMOVE_NETWORK all")
2754 dev
[0].wait_disconnected()
2755 dev
[0].dump_monitor()
2757 if "BoringSSL" in tls
and i
in [ 25 ]:
2758 logger
.info("Ignore connection failure with group %d with BoringSSL" % i
)
2759 dev
[0].request("DISCONNECT")
2761 dev
[0].request("REMOVE_NETWORK all")
2762 dev
[0].dump_monitor()
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group"""
    # The AP advertises pwd_group=0, which is not a valid finite cyclic
    # group; the station must fail EAP instead of proceeding with it.
    # NOTE(review): no explicit timeout is passed to wait_event() here, so
    # the helper's default applies.
    check_eap_capa(dev[0], "PWD")
    ap_params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
                 "rsn_pairwise": "CCMP", "ieee8021x": "1",
                 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
                 "pwd_group": "0"}
    hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
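def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
    # fragment_size=40 on the AP forces the EAP-pwd server to fragment its
    # messages; the station must still complete the exchange. The explicit
    # dict below is the whole AP configuration (an earlier
    # wpa2_eap_params() result that was immediately overwritten has been
    # removed).
    check_eap_capa(dev[0], "PWD")
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "pwd_group": "19", "fragment_size": "40"}
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PWD", "pwd user", password="secret password")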
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK"""
    # Normal connection and reauthentication, then forced cipher selection
    # via phase1: cipher=1 and cipher=2 must both complete, while an unknown
    # cipher=9 must end in EAP failure rather than a silent fallback.
    # Finally a wrong PSK must be rejected.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    net_id = eap_connect(dev[0], ap, "GPSK", "gpsk user",
                         password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    logger.info("Test forced algorithm selection")
    for cipher in ["cipher=1", "cipher=2"]:
        dev[0].set_network_quoted(net_id, "phase1", cipher)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(net_id, "phase1", "cipher=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    # 32-byte root secret given as hex; connection plus reauthentication
    # must succeed and a secret differing in the first byte must fail.
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "SAKE", "sake user",
                password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "SAKE")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "SAKE", "sake user",
                password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE"""
    # Connection and reauthentication, then explicit DH group / encryption /
    # PRF / MAC selections through phase1 that must each succeed; a phase1
    # naming unsupported values (9 everywhere) must end in EAP failure, and
    # a wrong password must be rejected.
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net_id = eap_connect(dev[0], ap, "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    logger.info("Test forced algorithm selection")
    selections = ["dhgroup=5 encr=1 prf=2 mac=2",
                  "dhgroup=4 encr=1 prf=2 mac=2",
                  "dhgroup=3 encr=1 prf=2 mac=2",
                  "dhgroup=3 encr=1 prf=1 mac=1"]
    for selection in selections:
        dev[0].set_network_quoted(net_id, "phase1", selection)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(net_id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "EKE", "eke user", password="hello1",
                expect_failure=True)
2863 def test_ap_wpa2_eap_eke_many(dev
, apdev
, params
):
2864 """WPA2-Enterprise connection using EAP-EKE (many connections) [long]"""
2865 if not params
['long']:
2866 raise HwsimSkip("Skip test case with long duration due to --long not specified")
2867 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2868 hostapd
.add_ap(apdev
[0], params
)
2871 for i
in range(100):
2873 dev
[j
].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="EKE",
2874 identity
="eke user", password
="hello",
2875 phase1
="dhgroup=3 encr=1 prf=1 mac=1",
2876 scan_freq
="2412", wait_connect
=False)
2878 ev
= dev
[j
].wait_event(["CTRL-EVENT-CONNECTED",
2879 "CTRL-EVENT-DISCONNECTED"], timeout
=15)
2881 raise Exception("No connected/disconnected event")
2882 if "CTRL-EVENT-DISCONNECTED" in ev
:
2884 # The RADIUS server limits on active sessions can be hit when
2885 # going through this test case, so try to give some more time
2886 # for the server to remove sessions.
2887 logger
.info("Failed to connect i=%d j=%d" % (i
, j
))
2888 dev
[j
].request("REMOVE_NETWORK all")
2892 dev
[j
].request("REMOVE_NETWORK all")
2893 dev
[j
].wait_disconnected()
2894 dev
[j
].dump_monitor()
2895 logger
.info("Total success=%d failure=%d" % (success
, fail
))
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
    # The integrated EAP server identifies itself with an NAI-form
    # server_id; EAP-EKE must still complete.
    ap_params = int_eap_server_params()
    ap_params['server_id'] = 'example.server@w1.fi'
    ap = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[0], ap, "EKE", "eke user", password="hello")
2904 def test_ap_wpa2_eap_eke_server_oom(dev
, apdev
):
2905 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
2906 params
= int_eap_server_params()
2907 hapd
= hostapd
.add_ap(apdev
[0], params
)
2908 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
2910 for count
,func
in [ (1, "eap_eke_build_commit"),
2911 (2, "eap_eke_build_commit"),
2912 (3, "eap_eke_build_commit"),
2913 (1, "eap_eke_build_confirm"),
2914 (2, "eap_eke_build_confirm"),
2915 (1, "eap_eke_process_commit"),
2916 (2, "eap_eke_process_commit"),
2917 (1, "eap_eke_process_confirm"),
2918 (1, "eap_eke_process_identity"),
2919 (2, "eap_eke_process_identity"),
2920 (3, "eap_eke_process_identity"),
2921 (4, "eap_eke_process_identity") ]:
2922 with
alloc_fail(hapd
, count
, func
):
2923 eap_connect(dev
[0], hapd
, "EKE", "eke user", password
="hello",
2924 expect_failure
=True)
2925 dev
[0].request("REMOVE_NETWORK all")
2927 for count
,func
,pw
in [ (1, "eap_eke_init", "hello"),
2928 (1, "eap_eke_get_session_id", "hello"),
2929 (1, "eap_eke_getKey", "hello"),
2930 (1, "eap_eke_build_msg", "hello"),
2931 (1, "eap_eke_build_failure", "wrong"),
2932 (1, "eap_eke_build_identity", "hello"),
2933 (2, "eap_eke_build_identity", "hello") ]:
2934 with
alloc_fail(hapd
, count
, func
):
2935 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
2936 eap
="EKE", identity
="eke user", password
=pw
,
2937 wait_connect
=False, scan_freq
="2412")
2938 # This would eventually time out, but we can stop after having
2939 # reached the allocation failure.
2942 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
2944 dev
[0].request("REMOVE_NETWORK all")
2946 for count
in range(1, 1000):
2948 with
alloc_fail(hapd
, count
, "eap_server_sm_step"):
2949 dev
[0].connect("test-wpa2-eap",
2950 key_mgmt
="WPA-EAP WPA-EAP-SHA256",
2951 eap
="EKE", identity
="eke user", password
=pw
,
2952 wait_connect
=False, scan_freq
="2412")
2953 # This would eventually time out, but we can stop after having
2954 # reached the allocation failure.
2957 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
2959 dev
[0].request("REMOVE_NETWORK all")
2960 except Exception as e
:
2961 if str(e
) == "Allocation failure did not trigger":
2963 raise Exception("Too few allocation failures")
2964 logger
.info("%d allocation failures tested" % (count
- 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    # Password-based EAP-IKEv2: normal connection and reauthentication, a
    # connection with station-side fragmentation (fragment_size=50), a
    # wrong-password attempt that must fail, and a final connection with
    # fragment_size=0.
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    user = "ikev2 user"
    secret = "ike password"

    eap_connect(dev[0], ap, "IKEV2", user, password=secret)
    eap_reauth(dev[0], "IKEV2")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "IKEV2", user, password=secret,
                fragment_size="50")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "IKEV2", user, password="ike-password",
                expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], ap, "IKEV2", user, password=secret,
                fragment_size="0")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
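def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
    # fragment_size=50 on the AP forces the EAP-IKEv2 server to fragment;
    # connection and reauthentication must still succeed. The explicit dict
    # below is the whole AP configuration (an earlier wpa2_eap_params()
    # result that was immediately overwritten has been removed).
    check_eap_capa(dev[0], "IKEV2")
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "fragment_size": "50"}
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")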
3004 def test_ap_wpa2_eap_ikev2_oom(dev
, apdev
):
3005 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
3006 check_eap_capa(dev
[0], "IKEV2")
3007 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3008 hostapd
.add_ap(apdev
[0], params
)
3010 tests
= [ (1, "dh_init"),
3012 (1, "dh_derive_shared") ]
3013 for count
, func
in tests
:
3014 with
alloc_fail(dev
[0], count
, func
):
3015 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="IKEV2",
3016 identity
="ikev2 user", password
="ike password",
3017 wait_connect
=False, scan_freq
="2412")
3018 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
3020 raise Exception("EAP method not selected")
3022 if "0:" in dev
[0].request("GET_ALLOC_FAIL"):
3025 dev
[0].request("REMOVE_NETWORK all")
3027 tls
= dev
[0].request("GET tls_library")
3028 if not tls
.startswith("wolfSSL"):
3029 tests
= [ (1, "os_get_random;dh_init") ]
3031 tests
= [ (1, "crypto_dh_init;dh_init") ]
3032 for count
, func
in tests
:
3033 with
fail_test(dev
[0], count
, func
):
3034 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="IKEV2",
3035 identity
="ikev2 user", password
="ike password",
3036 wait_connect
=False, scan_freq
="2412")
3037 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
3039 raise Exception("EAP method not selected")
3041 if "0:" in dev
[0].request("GET_FAIL"):
3044 dev
[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    # 16-byte key given as hex; connection plus reauthentication must
    # succeed and a key differing in the first byte must fail.
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "PAX")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "PAX", "pax.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    # The AP requires the SHA-256 AKM (wpa_key_mgmt=WPA-EAP-SHA256) and
    # management frame protection (ieee80211w=2). After connecting, the
    # station's MIB must show AKM suite 00-0f-ac-5 both requested and
    # selected, and the BSS table entry must advertise
    # WPA2-EAP-SHA256-CCMP. A wrong key must fail authentication.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_params["ieee80211w"] = "2"
    ap = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[0], ap, "PSK", "psk.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    akm = "00-0f-ac-5"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", akm),
                       ("dot11RSNAAuthenticationSuiteSelected", akm)])

    bss = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "PSK", "psk.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
def test_ap_wpa2_eap_psk_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK and OOM"""
    # Injects allocation failures and forced crypto failures into the
    # station's AES-128-EAX / OMAC1 code paths used by EAP-PSK and checks
    # that each injected failure is actually reached while the method runs.
    # A forced aes_128_encrypt_block failure must surface as an EAP failure
    # rather than a hang. Skipped under FIPS.
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def start_attempt():
        # Start one EAP-PSK attempt and block until the method is selected.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                       identity="psk.user@example.com",
                       password_hex="0123456789abcdef0123456789abcdef",
                       wait_connect=False, scan_freq="2412")

    def finish_attempt():
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Leading "=" in the function spec presumably asks alloc_fail for an
    # exact name match - confirm against utils.alloc_fail.
    alloc_cases = [(1, "=aes_128_eax_encrypt"),
                   (1, "=aes_128_eax_decrypt")]
    for count, func in alloc_cases:
        with alloc_fail(dev[0], count, func):
            start_attempt()
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            if ev is None:
                raise Exception("EAP method not selected")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL",
                              note="Failure not triggered: %d:%s" % (count, func))
            finish_attempt()

    fail_cases = [(1, "aes_ctr_encrypt;aes_128_eax_encrypt"),
                  (1, "omac1_aes_128;aes_128_eax_encrypt"),
                  (2, "omac1_aes_128;aes_128_eax_encrypt"),
                  (3, "omac1_aes_128;aes_128_eax_encrypt"),
                  (1, "omac1_aes_vector"),
                  (1, "omac1_aes_128;aes_128_eax_decrypt"),
                  (2, "omac1_aes_128;aes_128_eax_decrypt"),
                  (3, "omac1_aes_128;aes_128_eax_decrypt"),
                  (1, "aes_ctr_encrypt;aes_128_eax_decrypt")]
    for count, func in fail_cases:
        with fail_test(dev[0], count, func):
            start_attempt()
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            if ev is None:
                raise Exception("EAP method not selected")
            wait_fail_trigger(dev[0], "GET_FAIL",
                              note="Failure not triggered: %d:%s" % (count, func))
            finish_attempt()

    with fail_test(dev[0], 1, "aes_128_encrypt_block"):
        start_attempt()
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        if ev is None:
            raise Exception("EAP method failure not reported")
        finish_attempt()
3139 def test_ap_wpa_eap_peap_eap_mschapv2(dev
, apdev
):
3140 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
3141 check_eap_capa(dev
[0], "MSCHAPV2")
3142 params
= hostapd
.wpa_eap_params(ssid
="test-wpa-eap")
3143 hapd
= hostapd
.add_ap(apdev
[0], params
)
3144 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
3145 identity
="user", password
="password", phase2
="auth=MSCHAPV2",
3146 ca_cert
="auth_serv/ca.pem", wait_connect
=False,
3148 eap_check_auth(dev
[0], "PEAP", True, rsn
=False)
3149 hwsim_utils
.test_connectivity(dev
[0], hapd
)
3150 eap_reauth(dev
[0], "PEAP", rsn
=False)
3151 check_mib(dev
[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
3152 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
3153 status
= dev
[0].get_status(extra
="VERBOSE")
3154 if 'portControl' not in status
:
3155 raise Exception("portControl missing from STATUS-VERBOSE")
3156 if status
['portControl'] != 'Auto':
3157 raise Exception("Unexpected portControl value: " + status
['portControl'])
3158 if 'eap_session_id' not in status
:
3159 raise Exception("eap_session_id missing from STATUS-VERBOSE")
3160 if not status
['eap_session_id'].startswith("19"):
3161 raise Exception("Unexpected eap_session_id value: " + status
['eap_session_id'])
3163 def test_ap_wpa2_eap_interactive(dev
, apdev
):
3164 """WPA2-Enterprise connection using interactive identity/password entry"""
3165 check_eap_capa(dev
[0], "MSCHAPV2")
3166 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3167 hapd
= hostapd
.add_ap(apdev
[0], params
)
3169 tests
= [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
3170 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
3172 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
3173 "TTLS", "ttls", None, "auth=MSCHAPV2",
3174 "DOMAIN\mschapv2 user", "password"),
3175 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
3176 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
3177 ("Connection with dynamic TTLS/EAP-MD5 password entry",
3178 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
3179 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
3180 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
3181 ("Connection with dynamic PEAP/EAP-GTC password entry",
3182 "PEAP", None, "user", "auth=GTC", None, "password") ]
3183 for [desc
,eap
,anon
,identity
,phase2
,req_id
,req_pw
] in tests
:
3185 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
=eap
,
3186 anonymous_identity
=anon
, identity
=identity
,
3187 ca_cert
="auth_serv/ca.pem", phase2
=phase2
,
3188 wait_connect
=False, scan_freq
="2412")
3190 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
3192 raise Exception("Request for identity timed out")
3193 id = ev
.split(':')[0].split('-')[-1]
3194 dev
[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id
)
3195 ev
= dev
[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
3197 raise Exception("Request for password timed out")
3198 id = ev
.split(':')[0].split('-')[-1]
3199 type = "OTP" if "CTRL-REQ-OTP" in ev
else "PASSWORD"
3200 dev
[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw
)
3201 dev
[0].wait_connected(timeout
=10)
3202 dev
[0].request("REMOVE_NETWORK all")
3204 def test_ap_wpa2_eap_ext_enable_network_while_connected(dev
, apdev
):
3205 """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
3206 check_eap_capa(dev
[0], "MSCHAPV2")
3207 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3208 hapd
= hostapd
.add_ap(apdev
[0], params
)
3210 id_other
= dev
[0].connect("other", key_mgmt
="NONE", scan_freq
="2412",
3211 only_add_network
=True)
3213 req_id
= "DOMAIN\mschapv2 user"
3214 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
3215 anonymous_identity
="ttls", identity
=None,
3216 password
="password",
3217 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3218 wait_connect
=False, scan_freq
="2412")
3219 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
3221 raise Exception("Request for identity timed out")
3222 id = ev
.split(':')[0].split('-')[-1]
3223 dev
[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id
)
3224 dev
[0].wait_connected(timeout
=10)
3226 if "OK" not in dev
[0].request("ENABLE_NETWORK " + str(id_other
)):
3227 raise Exception("Failed to enable network")
3228 ev
= dev
[0].wait_event(["SME: Trying to authenticate"], timeout
=1)
3230 raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
3231 dev
[0].request("REMOVE_NETWORK all")
3233 def test_ap_wpa2_eap_vendor_test(dev
, apdev
):
3234 """WPA2-Enterprise connection using EAP vendor test"""
3235 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3236 hapd
= hostapd
.add_ap(apdev
[0], params
)
3237 eap_connect(dev
[0], hapd
, "VENDOR-TEST", "vendor-test")
3238 eap_reauth(dev
[0], "VENDOR-TEST")
3239 eap_connect(dev
[1], hapd
, "VENDOR-TEST", "vendor-test",
3242 def test_ap_wpa2_eap_vendor_test_oom(dev
, apdev
):
3243 """WPA2-Enterprise connection using EAP vendor test (OOM)"""
3244 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3245 hostapd
.add_ap(apdev
[0], params
)
3247 tests
= [ "eap_vendor_test_init",
3248 "eap_msg_alloc;eap_vendor_test_process",
3249 "eap_vendor_test_getKey" ]
3251 with
alloc_fail(dev
[0], 1, func
):
3252 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
3254 eap
="VENDOR-TEST", identity
="vendor-test",
3256 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
3257 dev
[0].request("REMOVE_NETWORK all")
3258 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    The station is provisioned with a PAC over an anonymous EAP-FAST tunnel
    (fast_provisioning=1), the data path is exercised, and a reauthentication
    is then required to resume the TLS session from that PAC.
    """
    check_eap_capa(dev[0], "FAST")
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    fast_cfg = dict(anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    eap_connect(dev[0], ap, "FAST", "user", **fast_cfg)
    hwsim_utils.test_connectivity(dev[0], ap)
    reauth = eap_reauth(dev[0], "FAST")
    # A PAC-based reconnect must resume the TLS session; a full handshake here
    # means the provisioned PAC was not used.
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
3274 def test_ap_wpa2_eap_fast_pac_file(dev
, apdev
, params
):
3275 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
3276 check_eap_capa(dev
[0], "FAST")
3277 pac_file
= os
.path
.join(params
['logdir'], "fast.pac")
3278 pac_file2
= os
.path
.join(params
['logdir'], "fast-bin.pac")
3279 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3280 hapd
= hostapd
.add_ap(apdev
[0], params
)
3283 eap_connect(dev
[0], hapd
, "FAST", "user",
3284 anonymous_identity
="FAST", password
="password",
3285 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3286 phase1
="fast_provisioning=1", pac_file
=pac_file
)
3287 with
open(pac_file
, "r") as f
:
3289 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data
:
3290 raise Exception("PAC file header missing")
3291 if "PAC-Key=" not in data
:
3292 raise Exception("PAC-Key missing from PAC file")
3293 dev
[0].request("REMOVE_NETWORK all")
3294 eap_connect(dev
[0], hapd
, "FAST", "user",
3295 anonymous_identity
="FAST", password
="password",
3296 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3299 eap_connect(dev
[1], hapd
, "FAST", "user",
3300 anonymous_identity
="FAST", password
="password",
3301 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3302 phase1
="fast_provisioning=1 fast_pac_format=binary",
3304 dev
[1].request("REMOVE_NETWORK all")
3305 eap_connect(dev
[1], hapd
, "FAST", "user",
3306 anonymous_identity
="FAST", password
="password",
3307 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3308 phase1
="fast_pac_format=binary",
3316 os
.remove(pac_file2
)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    First provisions a PAC into a blob using the binary PAC file format with a
    PAC list limited to one entry and checks that reauthentication resumes the
    TLS session from it. The network is then removed and a second connection
    exercises the fast_max_pac_list_len=0 special case.
    """
    check_eap_capa(dev[0], "FAST")
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="FAST", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                  pac_file="blob://fast_pac_bin")

    eap_connect(dev[0], ap, "FAST", "user",
                phase1="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
                **common)
    reauth = eap_reauth(dev[0], "FAST")
    # Session resumption is the observable proof that the binary PAC was
    # stored and loaded correctly.
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")

    # Verify fast_max_pac_list_len=0 special case
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    eap_connect(dev[0], ap, "FAST", "user",
                phase1="fast_provisioning=1 fast_max_pac_list_len=0 fast_pac_format=binary",
                **common)
3343 def test_ap_wpa2_eap_fast_missing_pac_config(dev
, apdev
):
3344 """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
3345 check_eap_capa(dev
[0], "FAST")
3346 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3347 hostapd
.add_ap(apdev
[0], params
)
3349 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3350 identity
="user", anonymous_identity
="FAST",
3351 password
="password",
3352 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3353 pac_file
="blob://fast_pac_not_in_use",
3354 wait_connect
=False, scan_freq
="2412")
3355 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3357 raise Exception("Timeout on EAP failure report")
3358 dev
[0].request("REMOVE_NETWORK all")
3360 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3361 identity
="user", anonymous_identity
="FAST",
3362 password
="password",
3363 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3364 wait_connect
=False, scan_freq
="2412")
3365 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3367 raise Exception("Timeout on EAP failure report")
3369 def test_ap_wpa2_eap_fast_binary_pac_errors(dev
, apdev
):
3370 """EAP-FAST and binary PAC errors"""
3371 check_eap_capa(dev
[0], "FAST")
3372 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3373 hapd
= hostapd
.add_ap(apdev
[0], params
)
3375 tests
= [ (1, "=eap_fast_save_pac_bin"),
3376 (1, "eap_fast_write_pac"),
3377 (2, "eap_fast_write_pac"), ]
3378 for count
, func
in tests
:
3379 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors "):
3380 raise Exception("Could not set blob")
3382 with
alloc_fail(dev
[0], count
, func
):
3383 eap_connect(dev
[0], hapd
, "FAST", "user",
3384 anonymous_identity
="FAST", password
="password",
3385 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3386 phase1
="fast_provisioning=1 fast_pac_format=binary",
3387 pac_file
="blob://fast_pac_bin_errors")
3388 dev
[0].request("REMOVE_NETWORK all")
3389 dev
[0].wait_disconnected()
3391 tests
= [ "00", "000000000000", "6ae4920c0001",
3393 "6ae4920c0000" + "0000" + 32*"00" + "ffff" + "0000",
3394 "6ae4920c0000" + "0000" + 32*"00" + "0001" + "0000",
3395 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0001",
3396 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0008" + "00040000" + "0007000100"]
3398 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + t
):
3399 raise Exception("Could not set blob")
3401 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3402 identity
="user", anonymous_identity
="FAST",
3403 password
="password",
3404 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3405 phase1
="fast_provisioning=1 fast_pac_format=binary",
3406 pac_file
="blob://fast_pac_bin_errors",
3407 scan_freq
="2412", wait_connect
=False)
3408 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"],
3411 raise Exception("Failure not reported")
3412 dev
[0].request("REMOVE_NETWORK all")
3413 dev
[0].wait_disconnected()
3415 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0000"
3416 tests
= [ (1, "eap_fast_load_pac_bin"),
3417 (2, "eap_fast_load_pac_bin"),
3418 (3, "eap_fast_load_pac_bin") ]
3419 for count
, func
in tests
:
3420 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3421 raise Exception("Could not set blob")
3423 with
alloc_fail(dev
[0], count
, func
):
3424 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3425 identity
="user", anonymous_identity
="FAST",
3426 password
="password",
3427 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3428 phase1
="fast_provisioning=1 fast_pac_format=binary",
3429 pac_file
="blob://fast_pac_bin_errors",
3430 scan_freq
="2412", wait_connect
=False)
3431 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"],
3434 raise Exception("Failure not reported")
3435 dev
[0].request("REMOVE_NETWORK all")
3436 dev
[0].wait_disconnected()
3438 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0005" + "0011223344"
3439 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3440 raise Exception("Could not set blob")
3442 eap_connect(dev
[0], hapd
, "FAST", "user",
3443 anonymous_identity
="FAST", password
="password",
3444 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3445 phase1
="fast_provisioning=1 fast_pac_format=binary",
3446 pac_file
="blob://fast_pac_bin_errors")
3447 dev
[0].request("REMOVE_NETWORK all")
3448 dev
[0].wait_disconnected()
3450 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0009" + "00040000" + "0007000100"
3451 tests
= [ (1, "eap_fast_pac_get_a_id"),
3452 (2, "eap_fast_pac_get_a_id") ]
3453 for count
, func
in tests
:
3454 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3455 raise Exception("Could not set blob")
3456 with
alloc_fail(dev
[0], count
, func
):
3457 eap_connect(dev
[0], hapd
, "FAST", "user",
3458 anonymous_identity
="FAST", password
="password",
3459 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3460 phase1
="fast_provisioning=1 fast_pac_format=binary",
3461 pac_file
="blob://fast_pac_bin_errors")
3462 dev
[0].request("REMOVE_NETWORK all")
3463 dev
[0].wait_disconnected()
3465 def test_ap_wpa2_eap_fast_text_pac_errors(dev
, apdev
):
3466 """EAP-FAST and text PAC errors"""
3467 check_eap_capa(dev
[0], "FAST")
3468 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3469 hostapd
.add_ap(apdev
[0], params
)
3471 tests
= [ (1, "eap_fast_parse_hex;eap_fast_parse_pac_key"),
3472 (1, "eap_fast_parse_hex;eap_fast_parse_pac_opaque"),
3473 (1, "eap_fast_parse_hex;eap_fast_parse_a_id"),
3474 (1, "eap_fast_parse_start"),
3475 (1, "eap_fast_save_pac") ]
3476 for count
, func
in tests
:
3477 dev
[0].request("FLUSH")
3478 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors "):
3479 raise Exception("Could not set blob")
3481 with
alloc_fail(dev
[0], count
, func
):
3482 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3483 identity
="user", anonymous_identity
="FAST",
3484 password
="password",
3485 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3486 phase1
="fast_provisioning=1",
3487 pac_file
="blob://fast_pac_text_errors",
3488 scan_freq
="2412", wait_connect
=False)
3489 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
3490 dev
[0].request("REMOVE_NETWORK all")
3491 dev
[0].wait_disconnected()
3493 pac
= "wpa_supplicant EAP-FAST PAC file - version 1\n"
3497 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors " + binascii
.hexlify(pac
.encode()).decode()):
3498 raise Exception("Could not set blob")
3500 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3501 identity
="user", anonymous_identity
="FAST",
3502 password
="password",
3503 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3504 phase1
="fast_provisioning=1",
3505 pac_file
="blob://fast_pac_text_errors",
3506 scan_freq
="2412", wait_connect
=False)
3507 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"], timeout
=5)
3509 raise Exception("Failure not reported")
3510 dev
[0].request("REMOVE_NETWORK all")
3511 dev
[0].wait_disconnected()
3513 dev
[0].request("FLUSH")
3514 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors "):
3515 raise Exception("Could not set blob")
3517 with
alloc_fail(dev
[0], 1, "eap_fast_add_pac_data"):
3519 params
= int_eap_server_params()
3520 params
['ssid'] = "test-wpa2-eap-2"
3521 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3522 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3523 params
['eap_fast_a_id_info'] = "test server %d" % i
3525 hapd2
= hostapd
.add_ap(apdev
[1], params
)
3527 dev
[0].connect("test-wpa2-eap-2", key_mgmt
="WPA-EAP", eap
="FAST",
3528 identity
="user", anonymous_identity
="FAST",
3529 password
="password",
3530 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3531 phase1
="fast_provisioning=1",
3532 pac_file
="blob://fast_pac_text_errors",
3533 scan_freq
="2412", wait_connect
=False)
3534 dev
[0].wait_connected()
3535 dev
[0].request("REMOVE_NETWORK all")
3536 dev
[0].wait_disconnected()
3540 def test_ap_wpa2_eap_fast_pac_truncate(dev
, apdev
):
3541 """EAP-FAST and PAC list truncation"""
3542 check_eap_capa(dev
[0], "FAST")
3543 if "OK" not in dev
[0].request("SET blob fast_pac_truncate "):
3544 raise Exception("Could not set blob")
3546 params
= int_eap_server_params()
3547 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3548 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3549 params
['eap_fast_a_id_info'] = "test server %d" % i
3550 hapd
= hostapd
.add_ap(apdev
[0], params
)
3552 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3553 identity
="user", anonymous_identity
="FAST",
3554 password
="password",
3555 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3556 phase1
="fast_provisioning=1 fast_max_pac_list_len=2",
3557 pac_file
="blob://fast_pac_truncate",
3558 scan_freq
="2412", wait_connect
=False)
3559 dev
[0].wait_connected()
3560 dev
[0].request("REMOVE_NETWORK all")
3561 dev
[0].wait_disconnected()
3565 def test_ap_wpa2_eap_fast_pac_refresh(dev
, apdev
):
3566 """EAP-FAST and PAC refresh"""
3567 check_eap_capa(dev
[0], "FAST")
3568 if "OK" not in dev
[0].request("SET blob fast_pac_refresh "):
3569 raise Exception("Could not set blob")
3571 params
= int_eap_server_params()
3572 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3573 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3574 params
['eap_fast_a_id_info'] = "test server %d" % i
3575 params
['pac_key_refresh_time'] = "1"
3576 params
['pac_key_lifetime'] = "10"
3577 hapd
= hostapd
.add_ap(apdev
[0], params
)
3579 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3580 identity
="user", anonymous_identity
="FAST",
3581 password
="password",
3582 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3583 phase1
="fast_provisioning=1",
3584 pac_file
="blob://fast_pac_refresh",
3585 scan_freq
="2412", wait_connect
=False)
3586 dev
[0].wait_connected()
3587 dev
[0].request("REMOVE_NETWORK all")
3588 dev
[0].wait_disconnected()
3593 params
= int_eap_server_params()
3594 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3595 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3596 params
['eap_fast_a_id_info'] = "test server %d" % i
3597 params
['pac_key_refresh_time'] = "10"
3598 params
['pac_key_lifetime'] = "10"
3599 hapd
= hostapd
.add_ap(apdev
[0], params
)
3601 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3602 identity
="user", anonymous_identity
="FAST",
3603 password
="password",
3604 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3605 phase1
="fast_provisioning=1",
3606 pac_file
="blob://fast_pac_refresh",
3607 scan_freq
="2412", wait_connect
=False)
3608 dev
[0].wait_connected()
3609 dev
[0].request("REMOVE_NETWORK all")
3610 dev
[0].wait_disconnected()
3614 def test_ap_wpa2_eap_fast_pac_lifetime(dev
, apdev
):
3615 """EAP-FAST and PAC lifetime"""
3616 check_eap_capa(dev
[0], "FAST")
3617 if "OK" not in dev
[0].request("SET blob fast_pac_refresh "):
3618 raise Exception("Could not set blob")
3621 params
= int_eap_server_params()
3622 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3623 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3624 params
['eap_fast_a_id_info'] = "test server %d" % i
3625 params
['pac_key_refresh_time'] = "0"
3626 params
['pac_key_lifetime'] = "2"
3627 hapd
= hostapd
.add_ap(apdev
[0], params
)
3629 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3630 identity
="user", anonymous_identity
="FAST",
3631 password
="password",
3632 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3633 phase1
="fast_provisioning=2",
3634 pac_file
="blob://fast_pac_refresh",
3635 scan_freq
="2412", wait_connect
=False)
3636 dev
[0].wait_connected()
3637 dev
[0].request("DISCONNECT")
3638 dev
[0].wait_disconnected()
3641 dev
[0].request("PMKSA_FLUSH")
3642 dev
[0].request("RECONNECT")
3643 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
3645 raise Exception("No EAP-Failure seen after expired PAC")
3646 dev
[0].request("DISCONNECT")
3647 dev
[0].wait_disconnected()
3649 dev
[0].select_network(id)
3650 dev
[0].wait_connected()
3651 dev
[0].request("REMOVE_NETWORK all")
3652 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning

    Provisions a PAC over a server-authenticated EAP-FAST tunnel
    (fast_provisioning=2, ca_cert set) with GTC as the inner method, checks
    the data path, and requires the subsequent reauthentication to resume the
    TLS session from the PAC.
    """
    check_eap_capa(dev[0], "FAST")
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    fast_cfg = dict(anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                    phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    eap_connect(dev[0], ap, "FAST", "user", **fast_cfg)
    hwsim_utils.test_connectivity(dev[0], ap)
    reauth = eap_reauth(dev[0], "FAST")
    # Without session reuse the provisioned PAC was not picked up on reconnect.
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
3668 def test_ap_wpa2_eap_fast_gtc_identity_change(dev
, apdev
):
3669 """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
3670 check_eap_capa(dev
[0], "FAST")
3671 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3672 hapd
= hostapd
.add_ap(apdev
[0], params
)
3673 id = eap_connect(dev
[0], hapd
, "FAST", "user",
3674 anonymous_identity
="FAST", password
="password",
3675 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3676 phase1
="fast_provisioning=2",
3677 pac_file
="blob://fast_pac_auth")
3678 dev
[0].set_network_quoted(id, "identity", "user2")
3679 dev
[0].wait_disconnected()
3680 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
3682 raise Exception("EAP-FAST not started")
3683 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
3685 raise Exception("EAP failure not reported")
3686 dev
[0].wait_disconnected()
3688 def test_ap_wpa2_eap_fast_prf_oom(dev
, apdev
):
3689 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
3690 check_eap_capa(dev
[0], "FAST")
3691 tls
= dev
[0].request("GET tls_library")
3692 if tls
.startswith("OpenSSL"):
3693 func
= "tls_connection_get_eap_fast_key"
3695 elif tls
.startswith("internal"):
3696 func
= "tls_connection_prf"
3699 raise HwsimSkip("Unsupported TLS library")
3700 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3701 hapd
= hostapd
.add_ap(apdev
[0], params
)
3702 with
alloc_fail(dev
[0], count
, func
):
3703 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3704 identity
="user", anonymous_identity
="FAST",
3705 password
="password", ca_cert
="auth_serv/ca.pem",
3707 phase1
="fast_provisioning=2",
3708 pac_file
="blob://fast_pac_auth",
3709 wait_connect
=False, scan_freq
="2412")
3710 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
3712 raise Exception("EAP failure not reported")
3713 dev
[0].request("DISCONNECT")
3715 def test_ap_wpa2_eap_fast_server_oom(dev
, apdev
):
3716 """EAP-FAST/MSCHAPv2 and server OOM"""
3717 check_eap_capa(dev
[0], "FAST")
3719 params
= int_eap_server_params()
3720 params
['dh_file'] = 'auth_serv/dh.conf'
3721 params
['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
3722 params
['eap_fast_a_id'] = '1011'
3723 params
['eap_fast_a_id_info'] = 'another test server'
3724 hapd
= hostapd
.add_ap(apdev
[0], params
)
3726 with
alloc_fail(hapd
, 1, "tls_session_ticket_ext_cb"):
3727 id = eap_connect(dev
[0], hapd
, "FAST", "user",
3728 anonymous_identity
="FAST", password
="password",
3729 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3730 phase1
="fast_provisioning=1",
3731 pac_file
="blob://fast_pac",
3732 expect_failure
=True)
3733 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
3735 raise Exception("No EAP failure reported")
3736 dev
[0].wait_disconnected()
3737 dev
[0].request("DISCONNECT")
3739 dev
[0].select_network(id, freq
="2412")
3741 def test_ap_wpa2_eap_fast_cipher_suites(dev
, apdev
):
3742 """EAP-FAST and different TLS cipher suites"""
3743 check_eap_capa(dev
[0], "FAST")
3744 tls
= dev
[0].request("GET tls_library")
3745 if not tls
.startswith("OpenSSL") and not tls
.startswith("wolfSSL"):
3746 raise HwsimSkip("TLS library is not OpenSSL or wolfSSL: " + tls
)
3748 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3749 hapd
= hostapd
.add_ap(apdev
[0], params
)
3751 dev
[0].request("SET blob fast_pac_ciphers ")
3752 eap_connect(dev
[0], hapd
, "FAST", "user",
3753 anonymous_identity
="FAST", password
="password",
3754 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3755 phase1
="fast_provisioning=2",
3756 pac_file
="blob://fast_pac_ciphers")
3757 res
= dev
[0].get_status_field('EAP TLS cipher')
3758 dev
[0].request("REMOVE_NETWORK all")
3759 dev
[0].wait_disconnected()
3760 if res
!= "DHE-RSA-AES256-SHA":
3761 raise Exception("Unexpected cipher suite for provisioning: " + res
)
3763 tests
= [ "DHE-RSA-AES128-SHA",
3767 "DHE-RSA-AES256-SHA" ]
3768 for cipher
in tests
:
3769 dev
[0].dump_monitor()
3770 logger
.info("Testing " + cipher
)
3772 eap_connect(dev
[0], hapd
, "FAST", "user",
3773 openssl_ciphers
=cipher
,
3774 anonymous_identity
="FAST", password
="password",
3775 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3776 pac_file
="blob://fast_pac_ciphers",
3777 report_failure
=True)
3778 except Exception as e
:
3779 if cipher
== "RC4-SHA" and \
3780 ("Could not select EAP method" in str(e
) or \
3781 "EAP failed" in str(e
)):
3782 if "run=OpenSSL 1.1" in tls
:
3783 logger
.info("Allow failure due to missing TLS library support")
3784 dev
[0].request("REMOVE_NETWORK all")
3785 dev
[0].wait_disconnected()
3788 res
= dev
[0].get_status_field('EAP TLS cipher')
3789 dev
[0].request("REMOVE_NETWORK all")
3790 dev
[0].wait_disconnected()
3792 raise Exception("Unexpected TLS cipher info (configured %s): %s" % (cipher
, res
))
3794 def test_ap_wpa2_eap_fast_prov(dev
, apdev
):
3795 """EAP-FAST and provisioning options"""
3796 check_eap_capa(dev
[0], "FAST")
3797 if "OK" not in dev
[0].request("SET blob fast_pac_prov "):
3798 raise Exception("Could not set blob")
3801 params
= int_eap_server_params()
3802 params
['disable_pmksa_caching'] = '1'
3803 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3804 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3805 params
['eap_fast_a_id_info'] = "test server %d" % i
3806 params
['eap_fast_prov'] = "0"
3807 hapd
= hostapd
.add_ap(apdev
[0], params
)
3809 logger
.info("Provisioning attempt while server has provisioning disabled")
3810 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3811 identity
="user", anonymous_identity
="FAST",
3812 password
="password",
3813 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3814 phase1
="fast_provisioning=2",
3815 pac_file
="blob://fast_pac_prov",
3816 scan_freq
="2412", wait_connect
=False)
3817 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3820 raise Exception("EAP result not reported")
3821 if "parameter='failure'" not in ev
:
3822 raise Exception("Unexpected EAP result: " + ev
)
3823 dev
[0].wait_disconnected()
3824 dev
[0].request("DISCONNECT")
3825 dev
[0].dump_monitor()
3828 logger
.info("Authenticated provisioning")
3829 hapd
.set("eap_fast_prov", "2")
3832 dev
[0].select_network(id, freq
="2412")
3833 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3836 raise Exception("EAP result not reported")
3837 if "parameter='success'" not in ev
:
3838 raise Exception("Unexpected EAP result: " + ev
)
3839 dev
[0].wait_connected()
3840 dev
[0].request("DISCONNECT")
3841 dev
[0].wait_disconnected()
3842 dev
[0].dump_monitor()
3845 logger
.info("Provisioning disabled - using previously provisioned PAC")
3846 hapd
.set("eap_fast_prov", "0")
3849 dev
[0].select_network(id, freq
="2412")
3850 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3853 raise Exception("EAP result not reported")
3854 if "parameter='success'" not in ev
:
3855 raise Exception("Unexpected EAP result: " + ev
)
3856 dev
[0].wait_connected()
3857 dev
[0].request("DISCONNECT")
3858 dev
[0].wait_disconnected()
3859 dev
[0].dump_monitor()
3861 logger
.info("Drop PAC and verify connection failure")
3862 if "OK" not in dev
[0].request("SET blob fast_pac_prov "):
3863 raise Exception("Could not set blob")
3865 dev
[0].select_network(id, freq
="2412")
3866 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3869 raise Exception("EAP result not reported")
3870 if "parameter='failure'" not in ev
:
3871 raise Exception("Unexpected EAP result: " + ev
)
3872 dev
[0].wait_disconnected()
3873 dev
[0].request("DISCONNECT")
3874 dev
[0].dump_monitor()
3877 logger
.info("Anonymous provisioning")
3878 hapd
.set("eap_fast_prov", "1")
3880 dev
[0].set_network_quoted(id, "phase1", "fast_provisioning=1")
3881 dev
[0].select_network(id, freq
="2412")
3882 # Anonymous provisioning results in EAP-Failure first
3883 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3886 raise Exception("EAP result not reported")
3887 if "parameter='failure'" not in ev
:
3888 raise Exception("Unexpected EAP result: " + ev
)
3889 dev
[0].wait_disconnected()
3890 # And then the actual data connection
3891 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3894 raise Exception("EAP result not reported")
3895 if "parameter='success'" not in ev
:
3896 raise Exception("Unexpected EAP result: " + ev
)
3897 dev
[0].wait_connected()
3898 dev
[0].request("DISCONNECT")
3899 dev
[0].wait_disconnected()
3900 dev
[0].dump_monitor()
3903 logger
.info("Provisioning disabled - using previously provisioned PAC")
3904 hapd
.set("eap_fast_prov", "0")
3907 dev
[0].select_network(id, freq
="2412")
3908 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3911 raise Exception("EAP result not reported")
3912 if "parameter='success'" not in ev
:
3913 raise Exception("Unexpected EAP result: " + ev
)
3914 dev
[0].wait_connected()
3915 dev
[0].request("DISCONNECT")
3916 dev
[0].wait_disconnected()
3917 dev
[0].dump_monitor()
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP

    Connects with a PKCS#12 client credential and ocsp=2, i.e. the station
    must obtain a valid stapled OCSP response for the server certificate for
    the connection to succeed.
    """
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tls_cfg = dict(ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   ocsp=2)
    eap_connect(dev[0], ap, "TLS", "tls user", **tls_cfg)
def test_ap_wpa2_eap_tls_ocsp_multi(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP-multi"""
    sta = dev[0]
    # Skip (HwsimSkip, presumably, as with the other check_* helpers) when
    # the station build has no OCSP multi-response or PKCS#12 support.
    check_ocsp_multi_support(sta)
    check_pkcs12_support(sta)

    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # ocsp=2: a valid stapled OCSP response for the server certificate is
    # required by the station; the connection is expected to complete.
    client_args = dict(ca_cert="auth_serv/ca.pem",
                       private_key="auth_serv/user.pkcs12",
                       private_key_passwd="whatever",
                       ocsp=2)
    eap_connect(sta, hapd, "TLS", "tls user", **client_args)
def int_eap_server_params():
    """Return hostapd parameters for a WPA2-EAP AP using the integrated EAP server.

    A fresh dict is built on every call, so callers may mutate the result
    (tests in this file delete "server_cert", replace "private_key" and add
    "ocsp_stapling_response") without affecting other tests. The credential
    paths under auth_serv/ are expected to be the fixtures shipped with the
    hwsim test suite.
    """
    ap = {"ssid": "test-wpa2-eap"}
    # WPA2 (RSN) with 802.1X/EAP key management and CCMP as the only cipher.
    ap["wpa"] = "2"
    ap["wpa_key_mgmt"] = "WPA-EAP"
    ap["rsn_pairwise"] = "CCMP"
    ap["ieee8021x"] = "1"
    # hostapd's built-in EAP server with its user database, instead of an
    # external RADIUS server.
    ap["eap_server"] = "1"
    ap["eap_user_file"] = "auth_serv/eap_user.conf"
    # TLS server credentials and DH parameters used by the EAP server.
    ap["ca_cert"] = "auth_serv/ca.pem"
    ap["server_cert"] = "auth_serv/server.pem"
    ap["private_key"] = "auth_serv/server.key"
    ap["dh_file"] = "auth_serv/dh.conf"
    return ap
3950 def test_ap_wpa2_eap_tls_ocsp_key_id(dev
, apdev
, params
):
3951 """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
3952 check_ocsp_support(dev
[0])
3953 check_pkcs12_support(dev
[0])
3954 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-key-id.der")
3955 if not os
.path
.exists(ocsp
):
3956 raise HwsimSkip("No OCSP response available")
3957 params
= int_eap_server_params()
3958 params
["ocsp_stapling_response"] = ocsp
3959 hostapd
.add_ap(apdev
[0], params
)
3960 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3961 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3962 private_key
="auth_serv/user.pkcs12",
3963 private_key_passwd
="whatever", ocsp
=2,
3966 def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev
, apdev
, params
):
3967 """EAP-TLS and CA signed OCSP response (good)"""
3968 check_ocsp_support(dev
[0])
3969 check_pkcs12_support(dev
[0])
3970 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed.der")
3971 if not os
.path
.exists(ocsp
):
3972 raise HwsimSkip("No OCSP response available")
3973 params
= int_eap_server_params()
3974 params
["ocsp_stapling_response"] = ocsp
3975 hostapd
.add_ap(apdev
[0], params
)
3976 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3977 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3978 private_key
="auth_serv/user.pkcs12",
3979 private_key_passwd
="whatever", ocsp
=2,
3982 def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev
, apdev
, params
):
3983 """EAP-TLS and CA signed OCSP response (revoked)"""
3984 check_ocsp_support(dev
[0])
3985 check_pkcs12_support(dev
[0])
3986 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-revoked.der")
3987 if not os
.path
.exists(ocsp
):
3988 raise HwsimSkip("No OCSP response available")
3989 params
= int_eap_server_params()
3990 params
["ocsp_stapling_response"] = ocsp
3991 hostapd
.add_ap(apdev
[0], params
)
3992 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3993 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3994 private_key
="auth_serv/user.pkcs12",
3995 private_key_passwd
="whatever", ocsp
=2,
3996 wait_connect
=False, scan_freq
="2412")
3999 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4001 raise Exception("Timeout on EAP status")
4002 if 'bad certificate status response' in ev
:
4004 if 'certificate revoked' in ev
:
4008 raise Exception("Unexpected number of EAP status messages")
4010 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4012 raise Exception("Timeout on EAP failure report")
4014 def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev
, apdev
, params
):
4015 """EAP-TLS and CA signed OCSP response (unknown)"""
4016 check_ocsp_support(dev
[0])
4017 check_pkcs12_support(dev
[0])
4018 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-unknown.der")
4019 if not os
.path
.exists(ocsp
):
4020 raise HwsimSkip("No OCSP response available")
4021 params
= int_eap_server_params()
4022 params
["ocsp_stapling_response"] = ocsp
4023 hostapd
.add_ap(apdev
[0], params
)
4024 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4025 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4026 private_key
="auth_serv/user.pkcs12",
4027 private_key_passwd
="whatever", ocsp
=2,
4028 wait_connect
=False, scan_freq
="2412")
4031 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4033 raise Exception("Timeout on EAP status")
4034 if 'bad certificate status response' in ev
:
4038 raise Exception("Unexpected number of EAP status messages")
4040 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4042 raise Exception("Timeout on EAP failure report")
4044 def test_ap_wpa2_eap_tls_ocsp_server_signed(dev
, apdev
, params
):
4045 """EAP-TLS and server signed OCSP response"""
4046 check_ocsp_support(dev
[0])
4047 check_pkcs12_support(dev
[0])
4048 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-server-signed.der")
4049 if not os
.path
.exists(ocsp
):
4050 raise HwsimSkip("No OCSP response available")
4051 params
= int_eap_server_params()
4052 params
["ocsp_stapling_response"] = ocsp
4053 hostapd
.add_ap(apdev
[0], params
)
4054 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4055 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4056 private_key
="auth_serv/user.pkcs12",
4057 private_key_passwd
="whatever", ocsp
=2,
4058 wait_connect
=False, scan_freq
="2412")
4061 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4063 raise Exception("Timeout on EAP status")
4064 if 'bad certificate status response' in ev
:
4068 raise Exception("Unexpected number of EAP status messages")
4070 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4072 raise Exception("Timeout on EAP failure report")
4074 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev
, apdev
):
4075 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
4076 check_ocsp_support(dev
[0])
4077 check_pkcs12_support(dev
[0])
4078 params
= int_eap_server_params()
4079 params
["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
4080 hostapd
.add_ap(apdev
[0], params
)
4081 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4082 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4083 private_key
="auth_serv/user.pkcs12",
4084 private_key_passwd
="whatever", ocsp
=2,
4085 wait_connect
=False, scan_freq
="2412")
4088 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4090 raise Exception("Timeout on EAP status")
4091 if 'bad certificate status response' in ev
:
4095 raise Exception("Unexpected number of EAP status messages")
4097 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4099 raise Exception("Timeout on EAP failure report")
4101 def test_ap_wpa2_eap_tls_ocsp_invalid(dev
, apdev
):
4102 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
4103 check_ocsp_support(dev
[0])
4104 check_pkcs12_support(dev
[0])
4105 params
= int_eap_server_params()
4106 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
4107 hostapd
.add_ap(apdev
[0], params
)
4108 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4109 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4110 private_key
="auth_serv/user.pkcs12",
4111 private_key_passwd
="whatever", ocsp
=2,
4112 wait_connect
=False, scan_freq
="2412")
4115 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4117 raise Exception("Timeout on EAP status")
4118 if 'bad certificate status response' in ev
:
4122 raise Exception("Unexpected number of EAP status messages")
4124 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4126 raise Exception("Timeout on EAP failure report")
4128 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev
, apdev
):
4129 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
4130 check_ocsp_support(dev
[0])
4131 check_pkcs12_support(dev
[0])
4132 params
= int_eap_server_params()
4133 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
4134 hostapd
.add_ap(apdev
[0], params
)
4135 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4136 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4137 private_key
="auth_serv/user.pkcs12",
4138 private_key_passwd
="whatever", ocsp
=2,
4139 wait_connect
=False, scan_freq
="2412")
4142 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4144 raise Exception("Timeout on EAP status")
4145 if 'bad certificate status response' in ev
:
4149 raise Exception("Unexpected number of EAP status messages")
4151 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4153 raise Exception("Timeout on EAP failure report")
4155 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev
, apdev
, params
):
4156 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
4157 check_ocsp_support(dev
[0])
4158 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-revoked.der")
4159 if not os
.path
.exists(ocsp
):
4160 raise HwsimSkip("No OCSP response available")
4161 params
= int_eap_server_params()
4162 params
["ocsp_stapling_response"] = ocsp
4163 hostapd
.add_ap(apdev
[0], params
)
4164 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4165 identity
="pap user", ca_cert
="auth_serv/ca.pem",
4166 anonymous_identity
="ttls", password
="password",
4167 phase2
="auth=PAP", ocsp
=2,
4168 wait_connect
=False, scan_freq
="2412")
4171 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4173 raise Exception("Timeout on EAP status")
4174 if 'bad certificate status response' in ev
:
4176 if 'certificate revoked' in ev
:
4180 raise Exception("Unexpected number of EAP status messages")
4182 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4184 raise Exception("Timeout on EAP failure report")
4186 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev
, apdev
, params
):
4187 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
4188 check_ocsp_support(dev
[0])
4189 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-unknown.der")
4190 if not os
.path
.exists(ocsp
):
4191 raise HwsimSkip("No OCSP response available")
4192 params
= int_eap_server_params()
4193 params
["ocsp_stapling_response"] = ocsp
4194 hostapd
.add_ap(apdev
[0], params
)
4195 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4196 identity
="pap user", ca_cert
="auth_serv/ca.pem",
4197 anonymous_identity
="ttls", password
="password",
4198 phase2
="auth=PAP", ocsp
=2,
4199 wait_connect
=False, scan_freq
="2412")
4202 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4204 raise Exception("Timeout on EAP status")
4205 if 'bad certificate status response' in ev
:
4209 raise Exception("Unexpected number of EAP status messages")
4211 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4213 raise Exception("Timeout on EAP failure report")
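def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown"""
    check_ocsp_support(dev[0])
    # Pre-generated OCSP response carrying an "unknown" certificate status;
    # the test is skipped when the test setup did not produce it.
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    # ocsp=1 makes OCSP stapling optional on the station: a stapled status
    # other than "good" is not fatal, so connect() is expected to complete.
    # Contrast with the ocsp=2 variant of this test, which uses
    # wait_connect=False and waits for CTRL-EVENT-EAP-FAILURE.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")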
4229 def test_ap_wpa2_eap_tls_intermediate_ca(dev
, apdev
, params
):
4230 """EAP-TLS with intermediate server/user CA"""
4231 params
= int_eap_server_params()
4232 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4233 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4234 params
["private_key"] = "auth_serv/iCA-server/server.key"
4235 hostapd
.add_ap(apdev
[0], params
)
4236 tls
= dev
[0].request("GET tls_library")
4237 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4238 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4239 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4241 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4242 client_cert
= "auth_serv/iCA-user/user.pem"
4243 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4244 identity
="tls user",
4246 client_cert
=client_cert
,
4247 private_key
="auth_serv/iCA-user/user.key",
4250 def root_ocsp(cert
):
4251 ca
= "auth_serv/ca.pem"
4253 fd2
, fn2
= tempfile
.mkstemp()
4256 arg
= [ "openssl", "ocsp", "-reqout", fn2
, "-issuer", ca
, "-sha256",
4257 "-cert", cert
, "-no_nonce", "-text" ]
4258 logger
.info(' '.join(arg
))
4259 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4260 stderr
=subprocess
.PIPE
)
4261 res
= cmd
.stdout
.read().decode() + "\n" + cmd
.stderr
.read().decode()
4265 if cmd
.returncode
!= 0:
4266 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4267 logger
.info("OCSP request:\n" + res
)
4269 fd
, fn
= tempfile
.mkstemp()
4271 arg
= [ "openssl", "ocsp", "-index", "auth_serv/rootCA/index.txt",
4272 "-rsigner", ca
, "-rkey", "auth_serv/ca-key.pem",
4273 "-CA", ca
, "-issuer", ca
, "-verify_other", ca
, "-trust_other",
4274 "-ndays", "7", "-reqin", fn2
, "-resp_no_certs", "-respout", fn
,
4276 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4277 stderr
=subprocess
.PIPE
)
4278 res
= cmd
.stdout
.read().decode() + "\n" + cmd
.stderr
.read().decode()
4282 if cmd
.returncode
!= 0:
4283 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4284 logger
.info("OCSP response:\n" + res
)
4288 def ica_ocsp(cert
, md
="-sha256"):
4289 prefix
= "auth_serv/iCA-server/"
4290 ca
= prefix
+ "cacert.pem"
4291 cert
= prefix
+ cert
4293 fd2
, fn2
= tempfile
.mkstemp()
4296 arg
= [ "openssl", "ocsp", "-reqout", fn2
, "-issuer", ca
, md
,
4297 "-cert", cert
, "-no_nonce", "-text" ]
4298 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4299 stderr
=subprocess
.PIPE
)
4300 res
= cmd
.stdout
.read().decode() + "\n" + cmd
.stderr
.read().decode()
4304 if cmd
.returncode
!= 0:
4305 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4306 logger
.info("OCSP request:\n" + res
)
4308 fd
, fn
= tempfile
.mkstemp()
4310 arg
= [ "openssl", "ocsp", "-index", prefix
+ "index.txt",
4311 "-rsigner", ca
, "-rkey", prefix
+ "private/cakey.pem",
4312 "-CA", ca
, "-issuer", ca
, "-verify_other", ca
, "-trust_other",
4313 "-ndays", "7", "-reqin", fn2
, "-resp_no_certs", "-respout", fn
,
4315 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4316 stderr
=subprocess
.PIPE
)
4317 res
= cmd
.stdout
.read().decode() + "\n" + cmd
.stderr
.read().decode()
4321 if cmd
.returncode
!= 0:
4322 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4323 logger
.info("OCSP response:\n" + res
)
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on server certificate"""
    # Digest option handed to "openssl ocsp" when the stapled response for
    # the intermediate-CA server certificate is generated.
    md = "-sha256"
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, md)
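def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_sha1(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on server certificate (SHA1)"""
    # Same scenario as the SHA-256 variant, but the OCSP request/response
    # for the server certificate is built with "-sha1" passed to openssl
    # ocsp, exercising the legacy digest path.
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, "-sha1")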
4335 def run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev
, apdev
, params
, md
):
4336 params
= int_eap_server_params()
4337 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4338 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4339 params
["private_key"] = "auth_serv/iCA-server/server.key"
4340 fn
= ica_ocsp("server.pem", md
)
4341 params
["ocsp_stapling_response"] = fn
4343 hostapd
.add_ap(apdev
[0], params
)
4344 tls
= dev
[0].request("GET tls_library")
4345 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4346 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4347 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4349 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4350 client_cert
= "auth_serv/iCA-user/user.pem"
4351 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4352 identity
="tls user",
4354 client_cert
=client_cert
,
4355 private_key
="auth_serv/iCA-user/user.key",
4356 scan_freq
="2412", ocsp
=2)
4360 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
):
4361 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate"""
4362 run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
,
4365 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked_sha1(dev
, apdev
, params
):
4366 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate (SHA1)"""
4367 run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
,
4370 def run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
, md
):
4371 check_ocsp_support(dev
[0])
4372 params
= int_eap_server_params()
4373 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4374 params
["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
4375 params
["private_key"] = "auth_serv/iCA-server/server-revoked.key"
4376 fn
= ica_ocsp("server-revoked.pem", md
)
4377 params
["ocsp_stapling_response"] = fn
4379 hostapd
.add_ap(apdev
[0], params
)
4380 tls
= dev
[0].request("GET tls_library")
4381 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4382 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4383 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4385 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4386 client_cert
= "auth_serv/iCA-user/user.pem"
4387 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4388 identity
="tls user",
4390 client_cert
=client_cert
,
4391 private_key
="auth_serv/iCA-user/user.key",
4392 scan_freq
="2412", ocsp
=1, wait_connect
=False)
4395 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4396 "CTRL-EVENT-EAP-SUCCESS"])
4398 raise Exception("Timeout on EAP status")
4399 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4400 raise Exception("Unexpected EAP-Success")
4401 if 'bad certificate status response' in ev
:
4403 if 'certificate revoked' in ev
:
4407 raise Exception("Unexpected number of EAP status messages")
4409 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4411 raise Exception("Timeout on EAP failure report")
4412 dev
[0].request("REMOVE_NETWORK all")
4413 dev
[0].wait_disconnected()
4417 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev
, apdev
, params
):
4418 """EAP-TLS with intermediate server/user CA and OCSP multi missing response"""
4419 check_ocsp_support(dev
[0])
4420 check_ocsp_multi_support(dev
[0])
4422 params
= int_eap_server_params()
4423 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4424 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4425 params
["private_key"] = "auth_serv/iCA-server/server.key"
4426 fn
= ica_ocsp("server.pem")
4427 params
["ocsp_stapling_response"] = fn
4429 hostapd
.add_ap(apdev
[0], params
)
4430 tls
= dev
[0].request("GET tls_library")
4431 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4432 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4433 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4435 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4436 client_cert
= "auth_serv/iCA-user/user.pem"
4437 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4438 identity
="tls user",
4440 client_cert
=client_cert
,
4441 private_key
="auth_serv/iCA-user/user.key",
4442 scan_freq
="2412", ocsp
=3, wait_connect
=False)
4445 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4446 "CTRL-EVENT-EAP-SUCCESS"])
4448 raise Exception("Timeout on EAP status")
4449 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4450 raise Exception("Unexpected EAP-Success")
4451 if 'bad certificate status response' in ev
:
4453 if 'certificate revoked' in ev
:
4457 raise Exception("Unexpected number of EAP status messages")
4459 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4461 raise Exception("Timeout on EAP failure report")
4462 dev
[0].request("REMOVE_NETWORK all")
4463 dev
[0].wait_disconnected()
4467 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev
, apdev
, params
):
4468 """EAP-TLS with intermediate server/user CA and OCSP multi OK"""
4469 check_ocsp_support(dev
[0])
4470 check_ocsp_multi_support(dev
[0])
4472 params
= int_eap_server_params()
4473 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4474 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4475 params
["private_key"] = "auth_serv/iCA-server/server.key"
4476 fn
= ica_ocsp("server.pem")
4477 fn2
= root_ocsp("auth_serv/iCA-server/cacert.pem")
4478 params
["ocsp_stapling_response"] = fn
4480 with
open(fn
, "rb") as f
:
4481 resp_server
= f
.read()
4482 with
open(fn2
, "rb") as f
:
4485 fd3
, fn3
= tempfile
.mkstemp()
4487 f
= os
.fdopen(fd3
, 'wb')
4488 f
.write(struct
.pack(">L", len(resp_server
))[1:4])
4489 f
.write(resp_server
)
4490 f
.write(struct
.pack(">L", len(resp_ica
))[1:4])
4494 params
["ocsp_stapling_response_multi"] = fn3
4496 hostapd
.add_ap(apdev
[0], params
)
4497 tls
= dev
[0].request("GET tls_library")
4498 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4499 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4500 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4502 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4503 client_cert
= "auth_serv/iCA-user/user.pem"
4504 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4505 identity
="tls user",
4507 client_cert
=client_cert
,
4508 private_key
="auth_serv/iCA-user/user.key",
4509 scan_freq
="2412", ocsp
=3)
4510 dev
[0].request("REMOVE_NETWORK all")
4511 dev
[0].wait_disconnected()
4517 def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev
, apdev
, params
):
4518 """EAP-TLS and CA signed OCSP multi response (revoked)"""
4519 check_ocsp_support(dev
[0])
4520 check_ocsp_multi_support(dev
[0])
4521 check_pkcs12_support(dev
[0])
4523 ocsp_revoked
= os
.path
.join(params
['logdir'],
4524 "ocsp-resp-ca-signed-revoked.der")
4525 if not os
.path
.exists(ocsp_revoked
):
4526 raise HwsimSkip("No OCSP response (revoked) available")
4527 ocsp_unknown
= os
.path
.join(params
['logdir'],
4528 "ocsp-resp-ca-signed-unknown.der")
4529 if not os
.path
.exists(ocsp_unknown
):
4530 raise HwsimSkip("No OCSP response(unknown) available")
4532 with
open(ocsp_revoked
, "rb") as f
:
4533 resp_revoked
= f
.read()
4534 with
open(ocsp_unknown
, "rb") as f
:
4535 resp_unknown
= f
.read()
4537 fd
, fn
= tempfile
.mkstemp()
4539 # This is not really a valid order of the OCSPResponse items in the
4540 # list, but this works for now to verify parsing and processing of
4541 # multiple responses.
4542 f
= os
.fdopen(fd
, 'wb')
4543 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
4544 f
.write(resp_unknown
)
4545 f
.write(struct
.pack(">L", len(resp_revoked
))[1:4])
4546 f
.write(resp_revoked
)
4547 f
.write(struct
.pack(">L", 0)[1:4])
4548 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
4549 f
.write(resp_unknown
)
4552 params
= int_eap_server_params()
4553 params
["ocsp_stapling_response_multi"] = fn
4554 hostapd
.add_ap(apdev
[0], params
)
4555 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4556 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4557 private_key
="auth_serv/user.pkcs12",
4558 private_key_passwd
="whatever", ocsp
=1,
4559 wait_connect
=False, scan_freq
="2412")
4562 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4563 "CTRL-EVENT-EAP-SUCCESS"])
4565 raise Exception("Timeout on EAP status")
4566 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4567 raise Exception("Unexpected EAP-Success")
4568 if 'bad certificate status response' in ev
:
4570 if 'certificate revoked' in ev
:
4574 raise Exception("Unexpected number of EAP status messages")
4578 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev
, apdev
):
4579 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
4580 check_domain_match_full(dev
[0])
4581 check_pkcs12_support(dev
[0])
4582 params
= int_eap_server_params()
4583 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4584 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4585 hostapd
.add_ap(apdev
[0], params
)
4586 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4587 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4588 private_key
="auth_serv/user.pkcs12",
4589 private_key_passwd
="whatever",
4590 domain_suffix_match
="server3.w1.fi",
4593 def test_ap_wpa2_eap_tls_domain_match_cn(dev
, apdev
):
4594 """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
4595 check_domain_match(dev
[0])
4596 check_pkcs12_support(dev
[0])
4597 params
= int_eap_server_params()
4598 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4599 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4600 hostapd
.add_ap(apdev
[0], params
)
4601 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4602 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4603 private_key
="auth_serv/user.pkcs12",
4604 private_key_passwd
="whatever",
4605 domain_match
="server3.w1.fi",
4608 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev
, apdev
):
4609 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
4610 check_domain_match_full(dev
[0])
4611 check_pkcs12_support(dev
[0])
4612 params
= int_eap_server_params()
4613 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4614 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4615 hostapd
.add_ap(apdev
[0], params
)
4616 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4617 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4618 private_key
="auth_serv/user.pkcs12",
4619 private_key_passwd
="whatever",
4620 domain_suffix_match
="w1.fi",
4623 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev
, apdev
):
4624 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
4625 check_domain_suffix_match(dev
[0])
4626 check_pkcs12_support(dev
[0])
4627 params
= int_eap_server_params()
4628 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4629 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4630 hostapd
.add_ap(apdev
[0], params
)
4631 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4632 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4633 private_key
="auth_serv/user.pkcs12",
4634 private_key_passwd
="whatever",
4635 domain_suffix_match
="example.com",
4638 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4639 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4640 private_key
="auth_serv/user.pkcs12",
4641 private_key_passwd
="whatever",
4642 domain_suffix_match
="erver3.w1.fi",
4645 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4647 raise Exception("Timeout on EAP failure report")
4648 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4650 raise Exception("Timeout on EAP failure report (2)")
4652 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev
, apdev
):
4653 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
4654 check_domain_match(dev
[0])
4655 check_pkcs12_support(dev
[0])
4656 params
= int_eap_server_params()
4657 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4658 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4659 hostapd
.add_ap(apdev
[0], params
)
4660 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4661 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4662 private_key
="auth_serv/user.pkcs12",
4663 private_key_passwd
="whatever",
4664 domain_match
="example.com",
4667 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4668 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4669 private_key
="auth_serv/user.pkcs12",
4670 private_key_passwd
="whatever",
4671 domain_match
="w1.fi",
4674 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4676 raise Exception("Timeout on EAP failure report")
4677 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4679 raise Exception("Timeout on EAP failure report (2)")
4681 def test_ap_wpa2_eap_ttls_expired_cert(dev
, apdev
):
4682 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
4683 skip_with_fips(dev
[0])
4684 params
= int_eap_server_params()
4685 params
["server_cert"] = "auth_serv/server-expired.pem"
4686 params
["private_key"] = "auth_serv/server-expired.key"
4687 hostapd
.add_ap(apdev
[0], params
)
4688 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4689 identity
="mschap user", password
="password",
4690 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4693 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
4695 raise Exception("Timeout on EAP certificate error report")
4696 if "reason=4" not in ev
or "certificate has expired" not in ev
:
4697 raise Exception("Unexpected failure reason: " + ev
)
4698 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4700 raise Exception("Timeout on EAP failure report")
4702 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev
, apdev
):
4703 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
4704 skip_with_fips(dev
[0])
4705 params
= int_eap_server_params()
4706 params
["server_cert"] = "auth_serv/server-expired.pem"
4707 params
["private_key"] = "auth_serv/server-expired.key"
4708 hostapd
.add_ap(apdev
[0], params
)
4709 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4710 identity
="mschap user", password
="password",
4711 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4712 phase1
="tls_disable_time_checks=1",
4715 def test_ap_wpa2_eap_ttls_long_duration(dev
, apdev
):
4716 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
4717 skip_with_fips(dev
[0])
4718 params
= int_eap_server_params()
4719 params
["server_cert"] = "auth_serv/server-long-duration.pem"
4720 params
["private_key"] = "auth_serv/server-long-duration.key"
4721 hostapd
.add_ap(apdev
[0], params
)
4722 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4723 identity
="mschap user", password
="password",
4724 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4727 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev
, apdev
):
4728 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
4729 skip_with_fips(dev
[0])
4730 params
= int_eap_server_params()
4731 params
["server_cert"] = "auth_serv/server-eku-client.pem"
4732 params
["private_key"] = "auth_serv/server-eku-client.key"
4733 hostapd
.add_ap(apdev
[0], params
)
4734 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4735 identity
="mschap user", password
="password",
4736 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4739 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4741 raise Exception("Timeout on EAP failure report")
4743 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev
, apdev
):
4744 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
4745 skip_with_fips(dev
[0])
4746 params
= int_eap_server_params()
4747 params
["server_cert"] = "auth_serv/server-eku-client-server.pem"
4748 params
["private_key"] = "auth_serv/server-eku-client-server.key"
4749 hostapd
.add_ap(apdev
[0], params
)
4750 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4751 identity
="mschap user", password
="password",
4752 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4755 def test_ap_wpa2_eap_ttls_server_pkcs12(dev
, apdev
):
4756 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
4757 skip_with_fips(dev
[0])
4758 params
= int_eap_server_params()
4759 del params
["server_cert"]
4760 params
["private_key"] = "auth_serv/server.pkcs12"
4761 hostapd
.add_ap(apdev
[0], params
)
4762 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4763 identity
="mschap user", password
="password",
4764 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_server_pkcs12_extra(dev, apdev):
    """EAP-TTLS and server PKCS#12 file with extra certs

    Like the plain PKCS#12 case, but the bundle is password protected and
    contains additional certificates; private_key_passwd supplies the
    (test-fixture) passphrase needed to open it.
    """
    skip_with_fips(dev[0])
    cfg = int_eap_server_params()
    cfg.pop("server_cert")
    cfg["private_key"] = "auth_serv/server-extra.pkcs12"
    cfg["private_key_passwd"] = "whatever"
    hostapd.add_ap(apdev[0], cfg)

    # NOTE(review): the closing argument line of connect() was dropped in the
    # page rendering; scan_freq="2412" follows the sibling tests.
    sta = dict(key_mgmt="WPA-EAP", eap="TTLS",
               identity="mschap user", password="password",
               ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
               scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sta)
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params

    (The inner method actually configured is PAP.) The station supplies its
    own DH parameter file via dh_file; the connection must still succeed.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="auth_serv/dh.conf")
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)

    Same as the plain dh_params case but the parameter file is in DSA
    parameter format; skipped when the TLS library cannot consume that.
    """
    check_dh_dsa_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="auth_serv/dsaparam.pem")
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TTLS and DH params file not found

    The station's dh_file points at a non-existent path; TLS setup must fail
    locally and surface as an EAP failure instead of a connection.

    NOTE(review): a second function with this exact name is defined later in
    this file (the server-side dh_file variant). Python rebinds the module
    attribute on the second `def`, so this client-side test is shadowed and
    is never collected by the runner; one of the two should be renamed.
    """
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # NOTE(review): the `if ev is None:` guard was dropped in the page
    # rendering and is restored from the sibling tests' pattern.
    sta = dict(key_mgmt="WPA-EAP", eap="TTLS",
               identity="mschap user", password="password",
               ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
               dh_file="auth_serv/dh-no-such-file.conf",
               scan_freq="2412", wait_connect=False)
    dev[0].connect("test-wpa2-eap", **sta)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TTLS and invalid DH params file

    dh_file points at a CA certificate rather than DH parameters; the
    station must reject it and report an EAP failure.

    NOTE(review): a second function with this exact name is defined later in
    this file (the server-side variant), so this definition is shadowed and
    never collected by the runner; one of the two should be renamed.
    """
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # NOTE(review): the `if ev is None:` guard was dropped in the page
    # rendering and is restored from the sibling tests' pattern.
    sta = dict(key_mgmt="WPA-EAP", eap="TTLS",
               identity="mschap user", password="password",
               ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
               dh_file="auth_serv/ca.pem",
               scan_freq="2412", wait_connect=False)
    dev[0].connect("test-wpa2-eap", **sta)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob

    (The inner method actually configured is PAP.) The DH parameters are
    pushed into wpa_supplicant as a named blob over the control interface and
    referenced with the blob:// scheme instead of a file path.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dh_hex = binascii.hexlify(read_pem("auth_serv/dh2.conf")).decode()
    res = dev[0].request("SET blob dhparams " + dh_hex)
    if "OK" not in res:
        raise Exception("Could not set dhparams blob")
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="blob://dhparams")
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams

    Here the DH parameter file is configured on the hostapd side (dh_file in
    the integrated EAP server configuration), not on the station.
    """
    cfg = int_eap_server_params()
    cfg["dh_file"] = "auth_serv/dh2.conf"
    hapd = hostapd.add_ap(apdev[0], cfg)
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP")
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)

    Server-side dh_file in DSA parameter format.
    """
    cfg = int_eap_server_params()
    cfg["dh_file"] = "auth_serv/dsaparam.pem"
    hapd = hostapd.add_ap(apdev[0], cfg)
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP")
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found

    A server dh_file that does not exist must make ENABLE fail; the AP is
    added with no_enable=True so the rejection can be observed directly.

    NOTE(review): this name is also used by an earlier (client-side) test in
    this file; this later definition shadows it. Renaming this one (for
    example with a "_server" suffix, as the sibling success tests do) would
    make both cases run.
    """
    cfg = int_eap_server_params()
    cfg["dh_file"] = "auth_serv/dh-no-such-file.conf"
    hapd = hostapd.add_ap(apdev[0], cfg, no_enable=True)
    res = hapd.request("ENABLE")
    if "FAIL" not in res:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file

    A CA certificate is passed as dh_file; the configuration must be rejected
    at ENABLE rather than accepted with unusable parameters.

    NOTE(review): this name is also used by an earlier (client-side) test in
    this file; this later definition shadows it. Renaming one of them would
    make both cases run.
    """
    cfg = int_eap_server_params()
    cfg["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0], cfg, no_enable=True)
    res = hapd.request("ENABLE")
    if "FAIL" not in res:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication

    The AP is configured with a two second eap_reauth_period; after the
    initial EAP-PAX connection the station must see a new EAP exchange start
    and succeed, and the supplicant state must return to COMPLETED.
    """
    cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    cfg['eap_reauth_period'] = '2'
    hapd = hostapd.add_ap(apdev[0], cfg)
    eap_connect(dev[0], hapd, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")

    logger.info("Wait for reauthentication")
    # NOTE(review): the two `if ev is None:` guards, the loop's `break` and
    # its inter-poll sleep were dropped in the page rendering and are
    # restored here; confirm the sleep interval against the repository.
    for event in ("CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-EAP-SUCCESS"):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception("Timeout on reauthentication")
    # EAP success is followed by a new 4-way handshake; poll for it to finish.
    state = None
    for _ in range(20):
        state = dev[0].get_status_field("wpa_state")
        if state == "COMPLETED":
            break
        time.sleep(0.1)
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity

    eap_message carries a displayable text followed by a `\\0`-separated
    attribute list (hostapd's escape for the NUL separator, see
    hostapd.conf); the station must connect normally with it present.
    """
    cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    cfg['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hapd = hostapd.add_ap(apdev[0], cfg)
    eap_connect(dev[0], hapd, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication

    For each of EAP-SIM, EAP-AKA and EAP-AKA', dev[0] connects with
    result_ind=1 (requesting the protected result indication the server is
    configured to offer) and reauthenticates, then dev[1] connects without
    requesting it; both must succeed.
    """
    check_hlr_auc_gw_support()
    cfg = int_eap_server_params()
    cfg['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    cfg['eap_sim_aka_result_ind'] = "1"
    hapd = hostapd.add_ap(apdev[0], cfg)

    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, identity, secret) in enumerate(cases):
        if idx:
            # Drop the previous method's networks before the next round.
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], hapd, method, identity, password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], hapd, method, identity, password=secret)
def test_ap_wpa2_eap_sim_zero_db_timeout(dev, apdev):
    """WPA2-Enterprise using EAP-SIM with zero database timeout

    eap_sim_db_timeout=0 makes the server give up on the HLR/AuC gateway
    request immediately, so an attempt may fail or succeed depending on
    timing. Either outcome is acceptable; only a missing result is an error.
    PMKSA caching is disabled so every attempt runs a full EAP exchange.
    """
    check_hlr_auc_gw_support()
    cfg = int_eap_server_params()
    cfg['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    cfg['eap_sim_db_timeout'] = "0"
    cfg['disable_pmksa_caching'] = '1'
    hapd = hostapd.add_ap(apdev[0], cfg)

    sta = dict(key_mgmt="WPA-EAP", eap="SIM", identity="1232010000000000",
               password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
               wait_connect=False, scan_freq="2412")
    # Run multiple iterations to make it more likely to hit the case where the
    # DB request times out and response is lost.
    # NOTE(review): the loop header, the wait_event timeout, the
    # `if ev is None:` guard, the `break` and the trailing per-iteration
    # line were dropped in the page rendering and are restored from the
    # sibling tests' pattern; confirm the iteration count, timeout and the
    # trailing hapd.ping() against the repository.
    for _ in range(20):
        dev[0].connect("test-wpa2-eap", **sta)
        ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                                "CTRL-EVENT-DISCONNECTED"], timeout=15)
        if ev is None:
            raise Exception("No connection result")
        dev[0].request("REMOVE_NETWORK all")
        if "CTRL-EVENT-DISCONNECTED" in ev:
            break
        dev[0].wait_disconnected()
        hapd.ping()
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips

    The EAP-TTLS exchange is forced into far more request/response rounds
    than the supplicant's roundtrip limit allows, so the expected outcome is
    the "EAP: more than" limit message rather than EAP success.
    """
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # NOTE(review): the closing argument line of connect() was dropped in the
    # page rendering; upstream uses a very small fragment_size here, which is
    # what drives the roundtrip count up — confirm the exact value.
    sta = dict(key_mgmt="WPA-EAP WPA-EAP-SHA256",
               eap="TTLS", identity="mschap user",
               wait_connect=False, scan_freq="2412", ieee80211w="1",
               anonymous_identity="ttls", password="password",
               ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
               fragment_size="4")
    dev[0].connect("test-wpa2-eap", **sta)
    ev = dev[0].wait_event(["EAP: more than", "CTRL-EVENT-EAP-SUCCESS"],
                           timeout=20)
    if ev is None or "EAP: more than" not in ev:
        raise Exception("EAP roundtrip limit not reached")
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK

    The station proposes EAP-PSK with an identity the server does not map to
    that method; the server must refuse the proposed method (an expanded
    NAK exchange) and the attempt must end in EAP failure.
    """
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # NOTE(review): the closing argument line of connect(), the `found`
    # bookkeeping around the status loop and the `if ev is None:` guards
    # were dropped in the page rendering and are restored from context;
    # confirm against the repository.
    sta = dict(key_mgmt="WPA-EAP WPA-EAP-SHA256",
               eap="PSK", identity="vendor-test",
               password_hex="ff23456789abcdef0123456789abcdef",
               wait_connect=False, scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sta)

    refused = False
    for _ in range(5):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=16)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in ev:
            refused = True
            break
    if not refused:
        raise Exception("Unexpected EAP status: " + ev)

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("EAP failure timed out")
def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB

    A throw-away SQLite user database is created under the log directory and
    handed to the integrated EAP server as eap_user_file="sqlite:<path>";
    four TTLS inner methods are then authenticated against it. All SQL here
    is built from constant literals, so there is no injection surface.

    NOTE(review): several lines were dropped in the page rendering and are
    flagged inline: the try/except around `import sqlite3`, the removal of a
    stale db file, the `with con:`/cursor setup, and the final lines of the
    function.
    """
    skip_with_fips(dev[0])
    # NOTE(review): `try: import sqlite3 / except ImportError:` (original
    # lines 5012-5014) are missing; this raise is the except branch.
        raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    # NOTE(review): original lines 5017-5020 (best-effort removal of a
    # pre-existing dbfile) are missing.
    con = sqlite3.connect(dbfile)
    # NOTE(review): original lines 5022-5023 (`with con:` and
    # `cur = con.cursor()`) are missing; the statements below run on that
    # cursor inside the transaction.
    cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
    cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
    # One user per inner method; phase2=1 marks them as tunnelled identities.
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
    # Empty-identity wildcard: any outer identity may start TTLS or TLS.
    cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
    cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")

    params = int_eap_server_params()
    params["eap_user_file"] = "sqlite:" + dbfile
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TTLS", "user-mschapv2",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[1], hapd, "TTLS", "user-mschap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "TTLS", "user-chap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
    eap_connect(dev[1], hapd, "TTLS", "user-pap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # NOTE(review): original lines 5051-5053 (end of the function) are
    # missing from this rendering.
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Two stations send identities containing a non-ASCII code point (U+0080,
    alone and after an ASCII character) to the integrated EAP server. The
    test only requires that EAP starts and a method is selected, i.e. the
    identity encoding does not break either side.
    """
    hostapd.add_ap(apdev[0], int_eap_server_params())

    stations = ((dev[0], "\x80"), (dev[1], "a\x80"))
    for sta, identity in stations:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity=identity, password="password",
                    wait_connect=False)
    # NOTE(review): the `if ev is None:` guards were dropped in the page
    # rendering and are restored from the sibling tests' pattern.
    for sta, _ in stations:
        if sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16) is None:
            raise Exception("Association and EAP start timed out")
        if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10) is None:
            raise Exception("EAP method selection timed out")
def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Same as test_ap_wpa2_eap_non_ascii_identity but against the default
    wpa2_eap_params() server configuration instead of the integrated server
    parameters.
    """
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    stations = ((dev[0], "\x80"), (dev[1], "a\x80"))
    for sta, identity in stations:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity=identity, password="password",
                    wait_connect=False)
    # NOTE(review): the `if ev is None:` guards were dropped in the page
    # rendering and are restored from the sibling tests' pattern.
    for sta, _ in stations:
        if sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16) is None:
            raise Exception("Association and EAP start timed out")
        if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10) is None:
            raise Exception("EAP method selection timed out")
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant

    dev[0] restricts itself to AES128 suites and must connect; dev[1] asks
    for EXPORT-grade suites, which must not be negotiable (the failure may
    be raised by the local TLS library rather than the server, hence
    maybe_local_error); dev[2] uses a syntactically invalid cipher string and
    must fail with an EAP failure event.
    """
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                openssl_ciphers="AES128", **common)
    eap_connect(dev[1], hapd, "TTLS", "pap user",
                openssl_ciphers="EXPORT",
                expect_failure=True, maybe_local_error=True, **common)

    # NOTE(review): the closing argument line of this connect() and the
    # `if ev is None:` guard were dropped in the page rendering;
    # wait_connect=False is required by the explicit wait_event below —
    # confirm any further arguments against the repository.
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", openssl_ciphers="FOO",
                   wait_connect=False, **common)
    if dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure after invalid openssl_ciphers not reported")
    dev[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    The server allows only AES256 suites: a station with default ciphers and
    one restricted to HIGH:!ADH connect, while a station restricted to AES128
    has no common suite and must fail. A second AP with an invalid
    openssl_ciphers value must be rejected at ENABLE time (tolerated on
    OpenSSL 1.1.1, which accepts the string).
    """
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls)
    cfg = int_eap_server_params()
    cfg['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0], cfg)
    tls = hapd.request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)

    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **common)
    eap_connect(dev[1], hapd, "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **common)
    eap_connect(dev[2], hapd, "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **common)

    cfg['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1], cfg, no_enable=True)
    if "FAIL" not in hapd2.request("ENABLE"):
        # NOTE(review): the `else:` line was dropped in the page rendering;
        # the raise is the alternative to the tolerated OpenSSL 1.1.1 case.
        if "run=OpenSSL 1.1.1" in tls:
            logger.info("Ignore acceptance of an invalid openssl_ciphers value with OpenSSL 1.1.1")
        else:
            raise Exception("Invalid openssl_ciphers value accepted")
def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP

    Connects with a long, distinctive password and hands the network id and
    password to run_eap_key_lifetime_in_memory(), which inspects the
    supplicant's process memory for key material.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Presumably chosen long and random-looking so its bytes are unlikely
    # to appear in process memory by coincidence.
    secret = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    nid = eap_connect(dev[0], hapd, "TTLS", "pap-secret",
                      anonymous_identity="ttls", password=secret,
                      ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    run_eap_key_lifetime_in_memory(dev, params, nid, secret)
def test_wpa2_eap_peap_gtc_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using PEAP/GTC

    PEAP/GTC variant of the TTLS/PAP key lifetime test; the shared checker
    run_eap_key_lifetime_in_memory() does the memory inspection.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Presumably chosen long and random-looking so its bytes are unlikely
    # to appear in process memory by coincidence.
    secret = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    nid = eap_connect(dev[0], hapd, "PEAP", "user-secret",
                      anonymous_identity="peap", password=secret,
                      ca_cert="auth_serv/ca.pem", phase2="auth=GTC")
    run_eap_key_lifetime_in_memory(dev, params, nid, secret)
def run_eap_key_lifetime_in_memory(dev, params, id, password):
    """Verify that EAP/WPA key material is scrubbed from wpa_supplicant memory.

    Process memory is snapshotted while associated, after disassociation,
    after the PMKSA cache / EAP fast re-auth state is flushed, and after the
    network profile is removed. The keys to look for are recovered from the
    supplicant debug log (log0 under params['logdir']). Stage by stage the
    asserted-absent set grows: KCK/KEK/TK/GTK after disassociation, PMK after
    the flush, and everything including the password, MSK and EMSK once the
    profile is gone.

    NOTE(review): several lines of this function were dropped in the page
    rendering and are flagged inline. In particular the visible code never
    binds kck, kek and tk (in the sibling lifetime tests these are slices of
    the PTK — confirm) and never initialises msk/emsk/pmk/ptk/gtk before the
    log scan.
    """
    pid = find_wpas_process(dev[0])

    # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
    # event has been delivered, so verify that wpa_supplicant has returned to
    # eloop before reading process memory.
    # NOTE(review): the wait/ping lines that implement the above (original
    # 5171-5172) are missing from this rendering.
    password = password.encode()
    buf = read_process_memory(pid, password)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # NOTE(review): original 5178-5184 (re-opening the log and the None
    # initialisation of msk/emsk/pmk/ptk/gtk) are missing from this rendering.
    # The hex payload of each "... - hexdump(len=N): ..." debug line is the
    # fourth ':'-separated field; spaces between bytes are stripped.
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for l in f.readlines():
            if "EAP-TTLS: Derived key - hexdump" in l or \
               "EAP-PEAP: Derived key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                msk = binascii.unhexlify(val)
            if "EAP-TTLS: Derived EMSK - hexdump" in l or \
               "EAP-PEAP: Derived EMSK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                emsk = binascii.unhexlify(val)
            if "WPA: PMK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                pmk = binascii.unhexlify(val)
            if "WPA: PTK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                ptk = binascii.unhexlify(val)
            if "WPA: Group Key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                gtk = binascii.unhexlify(val)
    if not msk or not emsk or not pmk or not ptk or not gtk:
        raise Exception("Could not find keys from debug log")
    # NOTE(review): the GTK length condition (original 5206) is missing.
        raise Exception("Unexpected GTK length")
    # NOTE(review): original 5208-5212 (derivation of kck, kek and tk) are
    # missing from this rendering.

    # Prefix for memory-context dump files written by verify_not_present().
    # Note: the name says ttls_pap even when called from the PEAP/GTC test.
    fname = os.path.join(params['logdir'],
                         'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')

    logger.info("Checking keys in memory while associated")
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # Password/PMK not being visible is treated as an environment limitation
    # (HwsimSkip), not a failure; missing KCK/KEK is a real error.
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    # NOTE(review): the `if pmk not in buf:` condition (original 5223) is
    # missing.
        raise HwsimSkip("PMK not found while associated")
    # NOTE(review): the `if kck not in buf:` condition (original 5225) is
    # missing.
        raise Exception("KCK not found while associated")
    # NOTE(review): the `if kek not in buf:` condition (original 5227) is
    # missing.
        raise Exception("KEK not found while associated")
    # The TK presence check is deliberately commented out in the original.
    #    raise Exception("TK found from memory")

    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, password)

    # Note: Password is still present in network configuration
    # Note: PMK is in PMKSA cache and EAP fast re-auth data

    # MSK/EMSK are only located here, not asserted absent: they may still be
    # held by the EAP fast re-auth state until the flush below.
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")

    get_key_locations(buf, gtk, "GTK")
    verify_not_present(buf, gtk, fname, "GTK")

    # Changing the identity invalidates the EAP fast re-auth data as well.
    dev[0].request("PMKSA_FLUSH")
    dev[0].set_network_quoted(id, "identity", "foo")
    logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, pmk, fname, "PMK")

    dev[0].request("REMOVE_NETWORK all")

    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, password)

    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, password, fname, "password")
    verify_not_present(buf, pmk, fname, "PMK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    verify_not_present(buf, msk, fname, "MSK")
    verify_not_present(buf, emsk, fname, "EMSK")
def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
    """WPA2-Enterprise connection and unexpected WEP EAPOL-Key

    After a normal EAP-TTLS connection a legacy EAPOL-Key frame (EAPOL
    version 2, type 3 = Key, body length 0x2c, descriptor type 1 = RC4/WEP)
    is injected into the supplicant. A WPA2 association must ignore it; the
    test only checks that the injection itself was accepted by the control
    interface.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    bssid = apdev[0]['bssid']
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    # Send unexpected WEP EAPOL-Key; this gets dropped
    # NOTE(review): the `if "OK" not in res:` condition was dropped in the
    # page rendering and is restored from the raise that follows it.
    frame = "0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    res = dev[0].request("EAPOL_RX " + bssid + " " + frame)
    if "OK" not in res:
        raise Exception("EAPOL_RX to wpa_supplicant failed")
def test_ap_wpa2_eap_in_bridge(dev, apdev):
    """WPA2-EAP and wpas interface in a bridge

    Wrapper around _test_ap_wpa2_eap_in_bridge() that tears the bridge
    setup down again afterwards; the teardown appears to be a finally:
    branch so a failing test cannot leave the interface in 4addr mode or
    enslaved to a stale bridge.

    NOTE(review): the br_ifname/ifname assignments and the try:/finally:
    lines (original 5293-5295 and 5297) were dropped in the page rendering;
    the names used below are not bound in the visible code.
    """
        _test_ap_wpa2_eap_in_bridge(dev, apdev)
    # Cleanup. Return codes are ignored on purpose (subprocess.call): each
    # step may legitimately fail if setup did not get that far.
        subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
        subprocess.call(['brctl', 'delif', br_ifname, ifname])
        subprocess.call(['brctl', 'delbr', br_ifname])
        subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
def _test_ap_wpa2_eap_in_bridge(dev, apdev):
    """Bring up a bridged, 4addr-mode wpa_supplicant interface and run EAP-PAX.

    A fresh wpa_supplicant is attached to a bridge port; the EAP exchange,
    two reauthentications and a disconnect/reconnect cycle must all succeed
    through the bridge.

    NOTE(review): the br_ifname/ifname assignments (original 5306-5307) and
    a few further lines (5316, 5331-5332) were dropped in the page
    rendering; the names are used below but not bound in the visible code.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    # Bridge setup. Only addif uses check_call, so only that step aborts the
    # test on failure; the others are best-effort.
    subprocess.call(['brctl', 'addbr', br_ifname])
    subprocess.call(['brctl', 'setfd', br_ifname, '0'])  # no forwarding delay
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
    subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
    subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
    wpas.interface_add(ifname, br_ifname=br_ifname)

    id = eap_connect(wpas, hapd, "PAX", "pax.user@example.com",
                     password_hex="0123456789abcdef0123456789abcdef")

    eap_reauth(wpas, "PAX")

    # Try again as a regression test for packet socket workaround
    eap_reauth(wpas, "PAX")

    wpas.request("DISCONNECT")
    wpas.wait_disconnected()

    wpas.request("RECONNECT")
    wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled

    phase1 explicitly allows TLS session tickets for this network
    (tls_disable_session_ticket=0); the reauthentication that follows then
    exercises the TLS handshake with ticket support in play.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_no_workaround(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0

    Disables the supplicant's interoperability workarounds for this network;
    against hostapd's own EAP server the connection and a reauthentication
    must still succeed.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    # NOTE(review): the closing argument line of eap_connect() was dropped in
    # the page rendering; "pap user" implies phase2="auth=PAP" as in the
    # sibling tests.
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
    """EAP-TLS and server checking CRL

    check_crl=1 with a CA bundle that carries no CRL must reject the client
    certificate; once ca_cert points at a bundle that includes a valid CRL
    the client is accepted, both with check_crl=1 and with check_crl=2.

    NOTE(review): the lines surrounding the two hapd.set() calls (original
    5371, 5373, 5381, 5383) were dropped in the page rendering. Changing
    ca_cert / check_crl on a running AP presumably requires disabling and
    re-enabling it for the new value to take effect — confirm.
    """
    params = int_eap_server_params()
    params['check_crl'] = '1'
    hapd = hostapd.add_ap(apdev[0], params)

    # check_crl=1 and no CRL available --> reject connection
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # NOTE(review): lines around this set() are missing (see docstring).
    hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")

    # check_crl=1 and valid CRL --> accept
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")

    # NOTE(review): lines around this set() are missing (see docstring).
    hapd.set("check_crl", "2")

    # check_crl=2 and valid CRL --> accept
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_tls_crl_reload(dev, apdev, params):
    """EAP-TLS and server reloading CRL from ca_cert

    The server's ca_cert is a file under logdir, first written with the CA
    certificate only (client rejected under check_crl=1) and then overwritten
    with CA certificate plus CRL. With crl_reload_interval=1 the server must
    pick the CRL up without a restart and then accept the client.

    NOTE(review): the body of the first `with open(ca_cert, 'w')` block
    (original 5400, presumably `f.write(only_cert)` since only_cert is read
    and otherwise unused) and the lines between the rewrite and the second
    connection (original 5416-5417) were dropped in the page rendering; a
    delay of at least the reload interval is presumably needed there —
    confirm against the repository.
    """
    ca_cert = os.path.join(params['logdir'],
                           "ap_wpa2_eap_tls_crl_reload.ca_cert")
    with open('auth_serv/ca.pem', 'r') as f:
        only_cert = f.read()
    with open('auth_serv/ca-and-crl.pem', 'r') as f:
        cert_and_crl = f.read()
    with open(ca_cert, 'w') as f:
        # NOTE(review): block body (original 5400) missing from this
        # rendering.
    params = int_eap_server_params()
    params['ca_cert'] = ca_cert
    params['check_crl'] = '1'
    params['crl_reload_interval'] = '1'  # seconds
    hapd = hostapd.add_ap(apdev[0], params)

    # check_crl=1 and no CRL available --> reject connection
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].dump_monitor()

    with open(ca_cert, 'w') as f:
        f.write(cert_and_crl)
    # NOTE(review): original 5416-5417 missing (see docstring).

    # check_crl=1 and valid CRL --> accept
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_check_cert_subject(dev, apdev):
    """EAP-TLS and server checking client subject name

    check_cert_subject is set to the full subject of the client certificate
    in auth_serv/user.pem, so the connection must be accepted.
    """
    cfg = int_eap_server_params()
    cfg['check_cert_subject'] = 'C=FI/O=w1.fi/CN=Test User'
    hapd = hostapd.add_ap(apdev[0], cfg)
    check_check_cert_subject_support(hapd)

    client = dict(ca_cert="auth_serv/ca.pem",
                  client_cert="auth_serv/user.pem",
                  private_key="auth_serv/user.key")
    eap_connect(dev[0], hapd, "TLS", "tls user", **client)
def test_ap_wpa2_eap_tls_check_cert_subject_neg(dev, apdev):
    """EAP-TLS and server checking client subject name (negative)

    check_cert_subject names an organisation that does not match the client
    certificate, so the otherwise valid client must be rejected.
    """
    cfg = int_eap_server_params()
    cfg['check_cert_subject'] = 'C=FI/O=example'
    hapd = hostapd.add_ap(apdev[0], cfg)
    check_check_cert_subject_support(hapd)

    client = dict(ca_cert="auth_serv/ca.pem",
                  client_cert="auth_serv/user.pem",
                  private_key="auth_serv/user.key")
    eap_connect(dev[0], hapd, "TLS", "tls user", expect_failure=True,
                **client)
def test_ap_wpa2_eap_tls_oom(dev, apdev):
    """EAP-TLS and OOM

    Fails the 1st..4th allocation inside tls_connection_set_subject_match
    while a network with every certificate-matching option set is
    configured. The expected reaction to the TLS parameter error is a
    CTRL-REQ-PASSPHRASE request rather than a crash or a silent connection
    without the checks.
    """
    for check in (check_subject_match_support, check_altsubject_match_support,
                  check_domain_match, check_domain_match_full):
        check(dev[0])

    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    sta = dict(key_mgmt="WPA-EAP", eap="TLS", identity="tls user",
               ca_cert="auth_serv/ca.pem", client_cert="auth_serv/user.pem",
               private_key="auth_serv/user.key",
               subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
               altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
               domain_suffix_match="server.w1.fi",
               domain_match="server.w1.fi",
               wait_connect=False, scan_freq="2412")
    # NOTE(review): the `if ev is None:` guard was dropped in the page
    # rendering and is restored from the sibling tests' pattern.
    for count in range(1, 5):
        with alloc_fail(dev[0], count, "tls_connection_set_subject_match"):
            dev[0].connect("test-wpa2-eap", **sta)
            # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
            if dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5) is None:
                raise Exception("No passphrase request")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL

    macaddr_acl=2 selects the external (RADIUS-based) MAC ACL mode in
    hostapd.conf; an EAP-TLS client must still be able to connect with it.
    """
    cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    cfg["macaddr_acl"] = "2"
    hapd = hostapd.add_ap(apdev[0], cfg)
    client = dict(ca_cert="auth_serv/ca.pem",
                  client_cert="auth_serv/user.pem",
                  private_key="auth_serv/user.key")
    eap_connect(dev[1], hapd, "TLS", "tls user", **client)
def test_ap_wpa2_eap_oom(dev, apdev):
    """EAP server and OOM

    The first eapol_auth_alloc() on the AP is made to fail; the station's
    EAPOL-Start retry must then lead to a successful connection.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)

    sta = dict(key_mgmt="WPA-EAP", eap="TLS", identity="tls user",
               ca_cert="auth_serv/ca.pem", client_cert="auth_serv/user.pem",
               private_key="auth_serv/user.key", scan_freq="2412")
    with alloc_fail(hapd, 1, "eapol_auth_alloc"):
        # The first attempt fails, but STA will send EAPOL-Start to retry and
        # NOTE(review): the rest of this comment and the closing argument
        # line of connect() were dropped in the page rendering; the retry is
        # expected to succeed, so connect() waits for the connection with the
        # default wait_connect — confirm the trailing arguments.
        dev[0].connect("test-wpa2-eap", **sta)
def check_tls_ver(dev, hapd, phase1, expected):
    """Connect with EAP-TLS using *phase1* and require *expected* TLS version.

    dev is a single station (not the list); the negotiated version is read
    back from the eap_tls_version status field after the connection.

    NOTE(review): the phase1 argument line of eap_connect() and the
    comparison line (original 5507 and 5509) were dropped in the page
    rendering and are restored from context.
    """
    eap_connect(dev, hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key", phase1=phase1)
    actual = dev.get_status_field("eap_tls_version")
    if actual != expected:
        raise Exception("Unexpected TLS version (expected %s): %s" % (expected, actual))
def test_ap_wpa2_eap_tls_versions(dev, apdev):
    """EAP-TLS and TLS version configuration

    Pins the TLS version through the tls_disable_tlsv1_* phase1 flags and
    checks that the negotiated version matches. Which cases run depends on
    the supplicant's TLS library: OpenSSL (except 1.0.1 builds), specific
    wolfSSL versions, the internal implementation (which can be pinned to
    each of 1.0/1.1/1.2), and TLS 1.3 on OpenSSL 1.1.1.

    NOTE(review): the expected-version argument of the first two
    check_tls_ver() calls (original 5522, 5528) was dropped in the page
    rendering; with 1.0 and 1.1 disabled it is "TLSv1.2", exactly as in the
    internal-TLS branch.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    only_12 = "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1"
    tls = dev[0].request("GET tls_library")
    if tls.startswith("OpenSSL"):
        if "build=OpenSSL 1.0.1" not in tls and "run=OpenSSL 1.0.1" not in tls:
            check_tls_ver(dev[0], hapd, only_12, "TLSv1.2")
    # Plain `if` rather than elif, as in the original; harmless because the
    # library prefixes are mutually exclusive.
    if tls.startswith("wolfSSL"):
        if ("build=3.10.0" in tls and "run=3.10.0" in tls) or \
           ("build=3.13.0" in tls and "run=3.13.0" in tls):
            check_tls_ver(dev[0], hapd, only_12, "TLSv1.2")
    elif tls.startswith("internal"):
        check_tls_ver(dev[0], hapd, only_12, "TLSv1.2")
        check_tls_ver(dev[1], hapd,
                      "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
        check_tls_ver(dev[2], hapd,
                      "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
    if "run=OpenSSL 1.1.1" in tls:
        check_tls_ver(dev[0], hapd,
                      "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0", "TLSv1.3")
def test_ap_wpa2_eap_tls_13(dev, apdev):
    """EAP-TLS and TLS 1.3"""
    # AP first, then the capability check: the skip is raised only after the
    # AP exists, exactly as in the original ordering.
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_conf)

    wpas = dev[0]
    lib = wpas.request("GET tls_library")
    if "run=OpenSSL 1.1.1" not in lib:
        raise HwsimSkip("TLS v1.3 not supported")

    # Disable every version below 1.3 and explicitly enable 1.3 so the
    # handshake can only succeed with TLS 1.3.
    only_tls13 = "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0"
    eap_connect(wpas, hapd, "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
                phase1=only_tls13)
    negotiated = wpas.get_status_field("eap_tls_version")
    if negotiated != "TLSv1.3":
        raise Exception("Unexpected TLS version")

    # Re-authentication, then a full reconnect with the PMKSA cache cleared
    # so a second complete EAP exchange is forced.
    eap_reauth(wpas, "TLS")
    for cmd in ("DISCONNECT",):
        wpas.request(cmd)
    wpas.wait_disconnected()
    wpas.request("PMKSA_FLUSH")
    wpas.request("RECONNECT")
    wpas.wait_connected()
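def test_rsn_ie_proto_eap_sta(dev, apdev):
    """RSN element protocol testing for EAP cases on STA side"""
    bssid = apdev[0]['bssid']
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # This is the RSN element used normally by hostapd
    params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
    hapd = hostapd.add_ap(apdev[0], params)
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                        identity="gpsk user",
                        password="abcdefghijklmnop0123456789abcdef",
                        # NOTE(review): the trailing keyword argument(s) of
                        # this call are not rendered in this view — confirm.
                        )

    # Progressively truncated RSN elements (each drops one more trailing
    # field). The STA must still parse them and associate.
    tests = [('No RSN Capabilities field',
              '30120100000fac040100000fac040100000fac01'),
             ('No AKM Suite fields',
              '300c0100000fac040100000fac04'),
             ('No Pairwise Cipher Suite fields',
              '30060100000fac04'),
             ('No Group Data Cipher Suite field',
              # NOTE(review): this value is not rendered in this view; it is
              # derived from the truncation pattern above (version field only)
              # — confirm against the repository.
              '30020100')]
    for txt, ie in tests:
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        # NOTE(review): two statements here, and one after hapd.set() below,
        # are not rendered in this view — confirm against the repository.
        hapd.set('own_ie_override', ie)
        # Drop the cached BSS so the new element is what the STA parses.
        dev[0].request("BSS_FLUSH 0")
        dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
        dev[0].select_network(id, freq=2412)
        dev[0].wait_connected()

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].flush_scan_cache()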
def check_tls_session_resumption_capa(dev, hapd):
    # Skip the calling test unless both sides report an OpenSSL-based TLS
    # library; hostapd is checked first, then the supplicant, each with its
    # own skip reason.
    #
    # NOTE(review): the hostapd-side message mentions wolfSSL, but only an
    # "OpenSSL" prefix is accepted on either side.
    checks = ((hapd, "hostapd TLS library is not OpenSSL or wolfSSL: "),
              (dev, "Session resumption not supported with this TLS library: "))
    for node, reason in checks:
        lib = node.request("GET tls_library")
        if not lib.startswith("OpenSSL"):
            raise HwsimSkip(reason + lib)
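def test_eap_ttls_pap_session_resumption(dev, apdev):
    """EAP-TTLS/PAP session resumption"""
    # Internal EAP server with TLS session caching enabled (60 s lifetime).
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                # NOTE(review): the final keyword argument of this call is not
                # rendered in this view (presumably the phase2 setting) —
                # confirm against the repository.
                )
    # The first connection must be a full handshake, not a resumed session.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Re-run EAP; the server should resume the cached TLS session this time.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
    hwsim_utils.test_connectivity(dev[0], hapd)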
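def test_eap_ttls_chap_session_resumption(dev, apdev):
    """EAP-TTLS/CHAP session resumption"""
    # Internal EAP server with TLS session caching enabled (60 s lifetime).
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    # The CA is given in DER form here (ca.der), unlike the PEM used by the
    # sibling tests.
    eap_connect(dev[0], hapd, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    # The first connection must be a full handshake, not a resumed session.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Re-run EAP; the server should resume the cached TLS session this time.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")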
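def test_eap_ttls_mschap_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAP session resumption"""
    # domain_suffix_match is used below, so skip on TLS libraries without it.
    check_domain_suffix_match(dev[0])
    # Internal EAP server with TLS session caching enabled (60 s lifetime).
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    # The first connection must be a full handshake, not a resumed session.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Re-run EAP; the server should resume the cached TLS session this time.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")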
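def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAPv2 session resumption"""
    # domain_suffix_match is used below, so skip on TLS libraries without it.
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    # Internal EAP server with TLS session caching enabled (60 s lifetime).
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    # The identity carries a literal backslash (DOMAIN\mschapv2 user); it is
    # written as "\\" because "\m" is an invalid escape sequence that newer
    # Python versions warn about. The runtime string is unchanged.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    # The first connection must be a full handshake, not a resumed session.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Re-run EAP; the server should resume the cached TLS session this time.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")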
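def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
    """EAP-TTLS/EAP-GTC session resumption"""
    # Internal EAP server with TLS session caching enabled (60 s lifetime).
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    # Inner method is EAP-GTC tunnelled in TTLS ("autheap=" rather than "auth=").
    eap_connect(dev[0], hapd, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    # The first connection must be a full handshake, not a resumed session.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Re-run EAP; the server should resume the cached TLS session this time.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")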
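def test_eap_ttls_no_session_resumption(dev, apdev):
    """EAP-TTLS session resumption disabled on server"""
    # A lifetime of 0 disables the server-side TLS session cache, so every
    # authentication must be a full handshake.
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '0'
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                # NOTE(review): the final keyword argument of this call is not
                # rendered in this view (presumably the phase2 setting) —
                # confirm against the repository.
                )
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Re-run EAP and verify the second connection is again a full handshake.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")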
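def test_eap_peap_session_resumption(dev, apdev):
    """EAP-PEAP session resumption"""
    check_eap_capa(dev[0], "MSCHAPV2")
    # Internal EAP server with TLS session caching enabled (60 s lifetime).
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # The first connection must be a full handshake, not a resumed session.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Re-run EAP; the server should resume the cached TLS session this time.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")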
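def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
    """EAP-PEAP session resumption with crypto binding"""
    # Internal EAP server with TLS session caching enabled (60 s lifetime).
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    # PEAPv0 with crypto binding required (crypto_binding=2), so the resumed
    # session must still complete the inner-method binding.
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                phase1="peapver=0 crypto_binding=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # The first connection must be a full handshake, not a resumed session.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Re-run EAP; the server should resume the cached TLS session this time.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")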
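def test_eap_peap_no_session_resumption(dev, apdev):
    """EAP-PEAP session resumption disabled on server"""
    # No tls_session_lifetime is set, so the server does not cache sessions
    # and every authentication must be a full handshake.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Re-run EAP and verify the second connection is again a full handshake.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")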
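def test_eap_tls_session_resumption(dev, apdev):
    """EAP-TLS session resumption"""
    # Internal EAP server with TLS session caching enabled (60 s lifetime).
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    # The first connection must be a full handshake, not a resumed session.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Second connection: the cached session should be resumed.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")

    # Third connection: resumption must keep working for a resumed session.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the third connection")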
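def test_eap_tls_session_resumption_expiration(dev, apdev):
    """EAP-TLS session resumption"""
    # Internal EAP server with a 1 s TLS session lifetime so the cached
    # session expires between the first connection and the re-authentication.
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '1'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Allow multiple attempts since OpenSSL may not expire the cached entry
    # NOTE(review): the retry loop header and the statements between this
    # comment and the REAUTHENTICATE below are not rendered in this view; the
    # loop body is shown unrolled once — confirm against the repository.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") == '0':
        # NOTE(review): the statement in this branch (presumably leaving the
        # retry loop once a full handshake is observed) is not rendered in
        # this view.
        pass
    # After the lifetime has passed the server must not resume the session.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Session resumption used after lifetime expiration")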
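def test_eap_tls_no_session_resumption(dev, apdev):
    """EAP-TLS session resumption disabled on server"""
    # No tls_session_lifetime is set, so the server does not cache sessions
    # and every authentication must be a full handshake.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Re-run EAP and verify the second connection is again a full handshake.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")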
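def test_eap_tls_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption (RADIUS)"""
    # apdev[1] acts as a standalone RADIUS authentication server (with its
    # own TLS session cache); apdev[0] is the AP that proxies EAP to it.
    params = {"ssid": "as", "beacon_int": "2000",
              "radius_server_clients": "auth_serv/radius_clients.conf",
              "radius_server_auth_port": '18128',
              # NOTE(review): one dictionary entry here is not rendered in
              # this view — confirm against the repository.
              "eap_user_file": "auth_serv/eap_user.conf",
              "ca_cert": "auth_serv/ca.pem",
              "server_cert": "auth_serv/server.pem",
              "private_key": "auth_serv/server.key",
              "tls_session_lifetime": "60"}
    authsrv = hostapd.add_ap(apdev[1], params)
    # The TLS library check is done against the RADIUS server, since that is
    # where the TLS session cache lives in this setup.
    check_tls_session_resumption_capa(dev[0], authsrv)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    # The first connection must be a full handshake, not a resumed session.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Re-run EAP; the RADIUS server should resume the cached TLS session.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")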
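def test_eap_tls_no_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption disabled (RADIUS)"""
    # apdev[1] acts as a standalone RADIUS authentication server with its TLS
    # session cache disabled (lifetime 0); apdev[0] proxies EAP to it.
    params = {"ssid": "as", "beacon_int": "2000",
              "radius_server_clients": "auth_serv/radius_clients.conf",
              "radius_server_auth_port": '18128',
              # NOTE(review): one dictionary entry here is not rendered in
              # this view — confirm against the repository.
              "eap_user_file": "auth_serv/eap_user.conf",
              "ca_cert": "auth_serv/ca.pem",
              "server_cert": "auth_serv/server.pem",
              "private_key": "auth_serv/server.key",
              "tls_session_lifetime": "0"}
    hostapd.add_ap(apdev[1], params)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Re-run EAP and verify the second connection is again a full handshake.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")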
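def test_eap_mschapv2_errors(dev, apdev):
    """EAP-MSCHAPv2 error cases"""
    check_eap_capa(dev[0], "MSCHAPV2")
    check_eap_capa(dev[0], "FAST")

    # Baseline: a normal EAP-MSCHAPv2 authentication succeeds before any
    # failures are injected.
    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                   identity="phase1-user", password="password",
                   # NOTE(review): the trailing keyword argument(s) of this
                   # call are not rendered in this view — confirm.
                   )
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Failure injection into the crypto steps of the MSCHAPv2 response
    # derivation (password-based variant). Each entry is
    # (call count, "function;caller" trigger).
    # NOTE(review): "nt_password_hash;=mschapv2_derive_response" is listed
    # twice; the repeat is harmless but looks unintentional.
    tests = [(1, "hash_nt_password_hash;mschapv2_derive_response"),
             (1, "nt_password_hash;mschapv2_derive_response"),
             (1, "nt_password_hash;=mschapv2_derive_response"),
             (1, "generate_nt_response;mschapv2_derive_response"),
             (1, "generate_authenticator_response;mschapv2_derive_response"),
             (1, "nt_password_hash;=mschapv2_derive_response"),
             (1, "get_master_key;mschapv2_derive_response"),
             (1, "os_get_random;eap_mschapv2_challenge_reply")]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user", password="password",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Same, but with the NT password hash supplied directly (password_hex)
    # so the *_pwhash code paths are exercised.
    tests = [(1, "hash_nt_password_hash;mschapv2_derive_response"),
             (1, "hash_nt_password_hash;=mschapv2_derive_response"),
             (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
             (1, "generate_authenticator_response_pwhash;mschapv2_derive_response")]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user",
                           password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Memory allocation failures in the EAP-MSCHAPv2 peer method.
    tests = [(1, "eap_mschapv2_init"),
             (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
             (1, "eap_msg_alloc;eap_mschapv2_success"),
             (1, "eap_mschapv2_getKey")]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user", password="password",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Allocation failure on the failure-response path, reached by using a
    # wrong password.
    tests = [(1, "eap_msg_alloc;eap_mschapv2_failure")]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user", password="wrong password",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Later eap_mschapv2_init allocations, reached via EAP-FAST provisioning
    # with MSCHAPv2 as the inner method.
    tests = [(2, "eap_mschapv2_init"),
             (3, "eap_mschapv2_init")]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="FAST",
                           anonymous_identity="FAST", identity="user",
                           password="password",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           phase1="fast_provisioning=1",
                           pac_file="blob://fast_pac",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()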
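def test_eap_gpsk_errors(dev, apdev):
    """EAP-GPSK error cases"""
    # Baseline: a normal EAP-GPSK authentication succeeds before any failures
    # are injected.
    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                   identity="gpsk user",
                   password="abcdefghijklmnop0123456789abcdef",
                   # NOTE(review): the trailing keyword argument(s) of this
                   # call are not rendered in this view — confirm.
                   )
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Failure injection into the GPSK key derivation / MIC steps. Entries are
    # (call count, "function;caller" trigger, phase1 network parameter).
    # NOTE(review): four phase1 values in this list are not rendered in this
    # view; PHASE1_NOT_RENDERED marks them — fill in from the repository.
    PHASE1_NOT_RENDERED = None
    tests = [(1, "os_get_random;eap_gpsk_send_gpsk_2", None),
             (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
              PHASE1_NOT_RENDERED),
             (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
              PHASE1_NOT_RENDERED),
             (1, "eap_gpsk_derive_keys_helper", None),
             (2, "eap_gpsk_derive_keys_helper", None),
             (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
              PHASE1_NOT_RENDERED),
             (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
              PHASE1_NOT_RENDERED),
             (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
             (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
             (1, "eap_gpsk_derive_mid_helper", None)]
    for count, func, phase1 in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                           identity="gpsk user",
                           password="abcdefghijklmnop0123456789abcdef",
                           # NOTE(review): this keyword argument is not
                           # rendered in this view; forwarding phase1 is the
                           # only use of the loop variable — confirm.
                           phase1=phase1,
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Memory allocation failures in the EAP-GPSK peer method, including the
    # ERP (EMSK / session-id) key export paths.
    tests = [(1, "eap_gpsk_init"),
             (2, "eap_gpsk_init"),
             (3, "eap_gpsk_init"),
             (1, "eap_gpsk_process_id_server"),
             (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
             (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
             (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
             (1, "eap_gpsk_derive_keys"),
             (1, "eap_gpsk_derive_keys_helper"),
             (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
             (1, "eap_gpsk_getKey"),
             (1, "eap_gpsk_get_emsk"),
             (1, "eap_gpsk_get_session_id")]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            # Clear ERP state so each iteration starts from a full exchange.
            dev[0].request("ERP_FLUSH")
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                           identity="gpsk user@domain", erp="1",
                           password="abcdefghijklmnop0123456789abcdef",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()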
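def test_ap_wpa2_eap_sim_db(dev, apdev, params):
    """EAP-SIM DB error cases"""
    # The test itself plays the role of hlr_auc_gw behind this UNIX datagram
    # socket so it can return malformed and delayed responses to hostapd.
    sockpath = '/tmp/hlr_auc_gw.sock-test'
    # NOTE(review): the statements between sockpath and hparams are not
    # rendered in this view (presumably stale-socket cleanup) — confirm.
    hparams = int_eap_server_params()
    hparams['eap_sim_db'] = 'unix:' + sockpath
    hapd = hostapd.add_ap(apdev[0], hparams)

    # Initial test with hlr_auc_gw socket not available
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                        eap="SIM", identity="1232010000000000",
                        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                        scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["EAP-ERROR-CODE"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("EAP method specific error code not reported")
    # The method-specific error code is the second token of the event line.
    if int(ev.split()[1]) != 16384:
        raise Exception("Unexpected EAP method specific error code: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    # Test with invalid responses and response timeout
    class test_handler(SocketServer.DatagramRequestHandler):
        # Answer one request with three unparseable replies and then let the
        # server-side request time out.
        # NOTE(review): the method header is not rendered in this view;
        # DatagramRequestHandler dispatches to handle() — reconstructed.
        def handle(self):
            data = self.request[0].decode().strip()
            sock = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            # EAP-SIM DB: Failed to parse response string
            sock.sendto(b"FOO", self.client_address)
            # EAP-SIM DB: Failed to parse response string
            sock.sendto(b"FOO 1", self.client_address)
            # EAP-SIM DB: Unknown external response
            sock.sendto(b"FOO 1 2", self.client_address)
            logger.info("No proper response - wait for pending eap_sim_db request timeout")

    server = SocketServer.UnixDatagramServer(sockpath, test_handler)
    # NOTE(review): two statements after creating the server are not rendered
    # in this view — confirm against the repository.
    dev[0].select_network(id)
    # handle_request() serves exactly one datagram.
    server.handle_request()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:  # guard not rendered in this view; reconstructed — confirm
        raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    # Test with a valid response
    class test_handler2(SocketServer.DatagramRequestHandler):
        # Delegate the request to the real hlr_auc_gw binary (run with the
        # per-test Milenage database) and relay its answer.
        # NOTE(review): the method header is not rendered in this view;
        # reconstructed as handle().
        def handle(self):
            data = self.request[0].decode().strip()
            sock = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            fname = os.path.join(params['logdir'],
                                 'hlr_auc_gw.milenage_db')
            # argv list, no shell: the request text is never interpreted by
            # a shell even though it originates from the socket.
            cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
                                    # NOTE(review): the remaining argv entries
                                    # are not rendered in this view; fname and
                                    # data are presumably passed here — confirm.
                                    ],
                                   stdout=subprocess.PIPE)
            res = cmd.stdout.read().decode().strip()
            # NOTE(review): one statement here is not rendered in this view;
            # the child is presumably reaped (cmd.wait()) — confirm.
            logger.debug("hlr_auc_gw response: " + res)
            sock.sendto(res.encode(), self.client_address)

    # Swap the handler class on the existing server rather than re-binding
    # the socket path.
    server.RequestHandlerClass = test_handler2
    dev[0].select_network(id)
    server.handle_request()
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()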
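def test_eap_tls_sha512(dev, apdev, params):
    """EAP-TLS with SHA512 signature"""
    # The hostapd configuration is kept in its own variable instead of
    # rebinding the `params` fixture argument as the original did.
    hparams = int_eap_server_params()
    hparams["ca_cert"] = "auth_serv/sha512-ca.pem"
    hparams["server_cert"] = "auth_serv/sha512-server.pem"
    hparams["private_key"] = "auth_serv/sha512-server.key"
    hostapd.add_ap(apdev[0], hparams)

    # dev[0] uses a SHA-512 signed client certificate, dev[1] a SHA-384
    # signed one, both issued under the SHA-512 CA.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha512-user.pem",
                   private_key="auth_serv/sha512-user.key",
                   # NOTE(review): the trailing keyword argument(s) of this
                   # call are not rendered in this view — confirm.
                   )
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha384-user.pem",
                   private_key="auth_serv/sha384-user.key",
                   # NOTE(review): the trailing keyword argument(s) of this
                   # call are not rendered in this view — confirm.
                   )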
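def test_eap_tls_sha384(dev, apdev, params):
    """EAP-TLS with SHA384 signature"""
    # The hostapd configuration is kept in its own variable instead of
    # rebinding the `params` fixture argument as the original did.
    hparams = int_eap_server_params()
    hparams["ca_cert"] = "auth_serv/sha512-ca.pem"
    hparams["server_cert"] = "auth_serv/sha384-server.pem"
    hparams["private_key"] = "auth_serv/sha384-server.key"
    hostapd.add_ap(apdev[0], hparams)

    # Server certificate is SHA-384 signed; clients use SHA-512 (dev[0]) and
    # SHA-384 (dev[1]) signed certificates under the same CA.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha512-user.pem",
                   private_key="auth_serv/sha512-user.key",
                   # NOTE(review): the trailing keyword argument(s) of this
                   # call are not rendered in this view — confirm.
                   )
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha384-user.pem",
                   private_key="auth_serv/sha384-user.key",
                   # NOTE(review): the trailing keyword argument(s) of this
                   # call are not rendered in this view — confirm.
                   )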
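def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
    """WPA2-Enterprise AP and association request RSN IE differences"""
    # Two APs: a plain WPA2-Enterprise one and one requiring PMF
    # (ieee80211w=2) for the management-group-cipher cases.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
    params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[1], params)

    # Success cases with optional RSN IE fields removed one by one
    # set_test_assoc_ie() makes the STA send the given element verbatim in
    # its (Re)Association Request; the AP must accept every variant here.
    tests = [("Normal wpa_supplicant assoc req RSN IE",
              "30140100000fac040100000fac040100000fac010000"),
             ("Extra PMKIDCount field in RSN IE",
              "30160100000fac040100000fac040100000fac0100000000"),
             ("Extra Group Management Cipher Suite in RSN IE",
              "301a0100000fac040100000fac040100000fac0100000000000fac06"),
             ("Extra undefined extension field in RSN IE",
              "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
             ("RSN IE without RSN Capabilities",
              "30120100000fac040100000fac040100000fac01"),
             ("RSN IE without AKM", "300c0100000fac040100000fac04"),
             ("RSN IE without pairwise", "30060100000fac04"),
             ("RSN IE without group", "30020100")]
    for title, ie in tests:
        # NOTE(review): one statement at the top of this loop body is not
        # rendered in this view (title is otherwise unused) — confirm.
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                       identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
                       # NOTE(review): the trailing keyword argument(s) of
                       # this call are not rendered in this view — confirm.
                       )
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # PMF-capable/required RSN capabilities (0xcc00) against the PMF AP.
    tests = [("Normal wpa_supplicant assoc req RSN IE",
              "30140100000fac040100000fac040100000fac01cc00"),
             ("Group management cipher included in assoc req RSN IE",
              "301a0100000fac040100000fac040100000fac01cc000000000fac06")]
    for title, ie in tests:
        # NOTE(review): one statement at the top of this loop body is not
        # rendered in this view (title is otherwise unused) — confirm.
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
                       eap="GPSK", identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
                       # NOTE(review): the trailing keyword argument(s) of
                       # this call are not rendered in this view — confirm.
                       )
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Rejection cases: the AP must refuse the association with the expected
    # status code (per the titles: invalid group / pairwise cipher).
    tests = [("Invalid group cipher", "30060100000fac02", 41),
             ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42)]
    for title, ie, status in tests:
        # NOTE(review): one statement at the top of this loop body is not
        # rendered in this view (title is otherwise unused) — confirm.
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                       identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
                       scan_freq="2412", wait_connect=False)
        ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
        if ev is None:  # guard not rendered in this view; reconstructed — confirm
            raise Exception("Association rejection not reported")
        if "status_code=" + str(status) not in ev:
            raise Exception("Unexpected status code: " + ev)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].dump_monitor()

    # Rejection cases against the PMF-required AP (per the titles: MFP not
    # enabled by the STA; unsupported management group cipher).
    tests = [("Management frame protection not enabled",
              "30140100000fac040100000fac040100000fac010000", 31),
             ("Unsupported management group cipher",
              "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 46)]
    for title, ie, status in tests:
        # NOTE(review): one statement at the top of this loop body is not
        # rendered in this view (title is otherwise unused) — confirm.
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
                       eap="GPSK", identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
                       scan_freq="2412", wait_connect=False)
        ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
        if ev is None:  # guard not rendered in this view; reconstructed — confirm
            raise Exception("Association rejection not reported")
        if "status_code=" + str(status) not in ev:
            raise Exception("Unexpected status code: " + ev)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].dump_monitor()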
def test_eap_tls_ext_cert_check(dev, apdev):
    """EAP-TLS with the external server certificate check on top of ca_cert

    Only the network block is added here (only_add_network=True); the shared
    run_ext_cert_check() driver starts the AP, selects the network, inspects
    the server certificate events and answers the CTRL-REQ-EXT_CERT_CHECK
    request. Because ca_cert is configured, the internal chain validation
    runs in addition to that external check.
    """
    # Client credentials plus the trusted CA; tls_ext_cert_check=1 in phase1
    # is what makes wpa_supplicant raise the CTRL-REQ-EXT_CERT_CHECK request.
    net_params = dict(key_mgmt="WPA-EAP", eap="TLS",
                      identity="tls user",
                      ca_cert="auth_serv/ca.pem",
                      client_cert="auth_serv/user.pem",
                      private_key="auth_serv/user.key",
                      phase1="tls_ext_cert_check=1", scan_freq="2412",
                      only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **net_params)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_ttls_ext_cert_check(dev, apdev):
    """EAP-TTLS with the external certificate check as the only server validation

    No ca_cert is configured, so wpa_supplicant does no internal chain
    validation of the server certificate. The subject/issuer CN checks and
    the good/bad verdict that run_ext_cert_check() returns over the control
    interface are therefore the only thing authenticating the server in
    this test; the network is only added here (only_add_network=True) and
    selected by that driver.
    """
    # PAP inside the TTLS tunnel, no trust anchor on purpose.
    net_params = dict(key_mgmt="WPA-EAP", eap="TTLS",
                      identity="pap user", anonymous_identity="ttls",
                      password="password", phase2="auth=PAP",
                      phase1="tls_ext_cert_check=1", scan_freq="2412",
                      only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **net_params)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_peap_ext_cert_check(dev, apdev):
    """EAP-PEAP with the external server certificate check on top of ca_cert

    ca_cert is configured, so the internal chain validation runs as well as
    the CTRL-REQ-EXT_CERT_CHECK round trip. The network is only added here
    (only_add_network=True); run_ext_cert_check() brings up the AP, selects
    it, verifies the server/issuer CNs and answers the request.
    """
    # MSCHAPv2 inside the PEAP tunnel with the test CA as trust anchor.
    net_params = dict(key_mgmt="WPA-EAP", eap="PEAP",
                      identity="user", anonymous_identity="peap",
                      ca_cert="auth_serv/ca.pem",
                      password="password", phase2="auth=MSCHAPV2",
                      phase1="tls_ext_cert_check=1", scan_freq="2412",
                      only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **net_params)
    run_ext_cert_check(dev, apdev, net_id)
6338 def test_eap_fast_ext_cert_check(dev
, apdev
):
6339 """EAP-FAST and external server certification validation"""
6340 check_eap_capa(dev
[0], "FAST")
6341 # With internal server certificate chain validation
6342 dev
[0].request("SET blob fast_pac_auth_ext ")
6343 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
6344 identity
="user", anonymous_identity
="FAST",
6345 ca_cert
="auth_serv/ca.pem",
6346 password
="password", phase2
="auth=GTC",
6347 phase1
="tls_ext_cert_check=1 fast_provisioning=2",
6348 pac_file
="blob://fast_pac_auth_ext",
6350 only_add_network
=True)
6351 run_ext_cert_check(dev
, apdev
, id)
6353 def run_ext_cert_check(dev
, apdev
, net_id
):
6354 check_ext_cert_check_support(dev
[0])
6355 if not openssl_imported
:
6356 raise HwsimSkip("OpenSSL python method not available")
6358 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6359 hapd
= hostapd
.add_ap(apdev
[0], params
)
6361 dev
[0].select_network(net_id
)
6364 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
6365 "CTRL-REQ-EXT_CERT_CHECK",
6366 "CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
6368 raise Exception("No peer server certificate event seen")
6369 if "CTRL-EVENT-EAP-PEER-CERT" in ev
:
6372 vals
= ev
.split(' ')
6374 if v
.startswith("depth="):
6375 depth
= int(v
.split('=')[1])
6376 elif v
.startswith("cert="):
6377 cert
= v
.split('=')[1]
6378 if depth
is not None and cert
:
6379 certs
[depth
] = binascii
.unhexlify(cert
)
6380 elif "CTRL-EVENT-EAP-SUCCESS" in ev
:
6381 raise Exception("Unexpected EAP-Success")
6382 elif "CTRL-REQ-EXT_CERT_CHECK" in ev
:
6383 id = ev
.split(':')[0].split('-')[-1]
6386 raise Exception("Server certificate not received")
6388 raise Exception("Server certificate issuer not received")
6390 cert
= OpenSSL
.crypto
.load_certificate(OpenSSL
.crypto
.FILETYPE_ASN1
,
6392 cn
= cert
.get_subject().commonName
6393 logger
.info("Server certificate CN=" + cn
)
6395 issuer
= OpenSSL
.crypto
.load_certificate(OpenSSL
.crypto
.FILETYPE_ASN1
,
6397 icn
= issuer
.get_subject().commonName
6398 logger
.info("Issuer certificate CN=" + icn
)
6400 if cn
!= "server.w1.fi":
6401 raise Exception("Unexpected server certificate CN: " + cn
)
6402 if icn
!= "Root CA":
6403 raise Exception("Unexpected server certificate issuer CN: " + icn
)
6405 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=0.1)
6407 raise Exception("Unexpected EAP-Success before external check result indication")
6409 dev
[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
6410 dev
[0].wait_connected()
6412 dev
[0].request("DISCONNECT")
6413 dev
[0].wait_disconnected()
6414 if "FAIL" in dev
[0].request("PMKSA_FLUSH"):
6415 raise Exception("PMKSA_FLUSH failed")
6416 dev
[0].request("SET blob fast_pac_auth_ext ")
6417 dev
[0].request("RECONNECT")
6419 ev
= dev
[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout
=10)
6421 raise Exception("No peer server certificate event seen (2)")
6422 id = ev
.split(':')[0].split('-')[-1]
6423 dev
[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
6424 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
6426 raise Exception("EAP-Failure not reported")
6427 dev
[0].request("REMOVE_NETWORK all")
6428 dev
[0].wait_disconnected()
6430 def test_eap_tls_errors(dev
, apdev
):
6431 """EAP-TLS error cases"""
6432 params
= int_eap_server_params()
6433 params
['fragment_size'] = '100'
6434 hostapd
.add_ap(apdev
[0], params
)
6435 with
alloc_fail(dev
[0], 1,
6436 "eap_peer_tls_reassemble_fragment"):
6437 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6438 identity
="tls user", ca_cert
="auth_serv/ca.pem",
6439 client_cert
="auth_serv/user.pem",
6440 private_key
="auth_serv/user.key",
6441 wait_connect
=False, scan_freq
="2412")
6442 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6443 dev
[0].request("REMOVE_NETWORK all")
6444 dev
[0].wait_disconnected()
6446 with
alloc_fail(dev
[0], 1, "eap_tls_init"):
6447 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6448 identity
="tls user", ca_cert
="auth_serv/ca.pem",
6449 client_cert
="auth_serv/user.pem",
6450 private_key
="auth_serv/user.key",
6451 wait_connect
=False, scan_freq
="2412")
6452 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6453 dev
[0].request("REMOVE_NETWORK all")
6454 dev
[0].wait_disconnected()
6456 with
alloc_fail(dev
[0], 1, "eap_peer_tls_ssl_init"):
6457 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6458 identity
="tls user", ca_cert
="auth_serv/ca.pem",
6459 client_cert
="auth_serv/user.pem",
6460 private_key
="auth_serv/user.key",
6462 wait_connect
=False, scan_freq
="2412")
6463 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6464 ev
= dev
[0].wait_event(["CTRL-REQ-PIN"], timeout
=5)
6466 raise Exception("No CTRL-REQ-PIN seen")
6467 dev
[0].request("REMOVE_NETWORK all")
6468 dev
[0].wait_disconnected()
6470 tests
= [ "eap_peer_tls_derive_key;eap_tls_success",
6471 "eap_peer_tls_derive_session_id;eap_tls_success",
6474 "eap_tls_get_session_id" ]
6476 with
alloc_fail(dev
[0], 1, func
):
6477 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6478 identity
="tls user@domain",
6479 ca_cert
="auth_serv/ca.pem",
6480 client_cert
="auth_serv/user.pem",
6481 private_key
="auth_serv/user.key",
6483 wait_connect
=False, scan_freq
="2412")
6484 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6485 dev
[0].request("REMOVE_NETWORK all")
6486 dev
[0].wait_disconnected()
6488 with
alloc_fail(dev
[0], 1, "eap_unauth_tls_init"):
6489 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="UNAUTH-TLS",
6490 identity
="unauth-tls", ca_cert
="auth_serv/ca.pem",
6491 wait_connect
=False, scan_freq
="2412")
6492 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6493 dev
[0].request("REMOVE_NETWORK all")
6494 dev
[0].wait_disconnected()
6496 with
alloc_fail(dev
[0], 1, "eap_peer_tls_ssl_init;eap_unauth_tls_init"):
6497 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="UNAUTH-TLS",
6498 identity
="unauth-tls", ca_cert
="auth_serv/ca.pem",
6499 wait_connect
=False, scan_freq
="2412")
6500 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6501 dev
[0].request("REMOVE_NETWORK all")
6502 dev
[0].wait_disconnected()
6504 with
alloc_fail(dev
[0], 1, "eap_wfa_unauth_tls_init"):
6505 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
6506 eap
="WFA-UNAUTH-TLS",
6507 identity
="osen@example.com", ca_cert
="auth_serv/ca.pem",
6508 wait_connect
=False, scan_freq
="2412")
6509 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6510 dev
[0].request("REMOVE_NETWORK all")
6511 dev
[0].wait_disconnected()
6513 with
alloc_fail(dev
[0], 1, "eap_peer_tls_ssl_init;eap_wfa_unauth_tls_init"):
6514 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
6515 eap
="WFA-UNAUTH-TLS",
6516 identity
="osen@example.com", ca_cert
="auth_serv/ca.pem",
6517 wait_connect
=False, scan_freq
="2412")
6518 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6519 dev
[0].request("REMOVE_NETWORK all")
6520 dev
[0].wait_disconnected()
6522 def test_ap_wpa2_eap_status(dev
, apdev
):
6523 """EAP state machine status information"""
6524 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6525 hostapd
.add_ap(apdev
[0], params
)
6526 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
6527 identity
="cert user",
6528 ca_cert
="auth_serv/ca.pem", phase2
="auth=TLS",
6529 ca_cert2
="auth_serv/ca.pem",
6530 client_cert2
="auth_serv/user.pem",
6531 private_key2
="auth_serv/user.key",
6532 scan_freq
="2412", wait_connect
=False)
6538 selected_methods
= []
6539 for i
in range(100000):
6540 s
= dev
[0].get_status(extra
="VERBOSE")
6541 if 'EAP state' in s
:
6542 state
= s
['EAP state']
6544 if state
not in states
:
6545 states
.append(state
)
6546 if state
== "SUCCESS":
6549 if 'methodState' in s
:
6550 val
= s
['methodState']
6551 if val
not in method_states
:
6552 method_states
.append(val
)
6555 if val
not in decisions
:
6556 decisions
.append(val
)
6557 if 'reqMethod' in s
:
6558 val
= s
['reqMethod']
6559 if val
not in req_methods
:
6560 req_methods
.append(val
)
6561 if 'selectedMethod' in s
:
6562 val
= s
['selectedMethod']
6563 if val
not in selected_methods
:
6564 selected_methods
.append(val
)
6565 logger
.info("Iterations: %d" % i
)
6566 logger
.info("EAP states: " + str(states
))
6567 logger
.info("methodStates: " + str(method_states
))
6568 logger
.info("decisions: " + str(decisions
))
6569 logger
.info("reqMethods: " + str(req_methods
))
6570 logger
.info("selectedMethods: " + str(selected_methods
))
6572 raise Exception("EAP did not succeed")
6573 dev
[0].wait_connected()
6574 dev
[0].request("REMOVE_NETWORK all")
6575 dev
[0].wait_disconnected()
6577 def test_ap_wpa2_eap_gpsk_ptk_rekey_ap(dev
, apdev
):
6578 """WPA2-Enterprise with EAP-GPSK and PTK rekey enforced by AP"""
6579 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6580 params
['wpa_ptk_rekey'] = '2'
6581 hapd
= hostapd
.add_ap(apdev
[0], params
)
6582 id = eap_connect(dev
[0], hapd
, "GPSK", "gpsk user",
6583 password
="abcdefghijklmnop0123456789abcdef")
6584 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"])
6586 raise Exception("PTK rekey timed out")
6587 hwsim_utils
.test_connectivity(dev
[0], hapd
)
6589 def test_ap_wpa2_eap_wildcard_ssid(dev
, apdev
):
6590 """WPA2-Enterprise connection using EAP-GPSK and wildcard SSID"""
6591 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6592 hapd
= hostapd
.add_ap(apdev
[0], params
)
6593 dev
[0].connect(bssid
=apdev
[0]['bssid'], key_mgmt
="WPA-EAP", eap
="GPSK",
6594 identity
="gpsk user",
6595 password
="abcdefghijklmnop0123456789abcdef",
6598 def test_ap_wpa2_eap_psk_mac_addr_change(dev
, apdev
):
6599 """WPA2-Enterprise connection using EAP-PSK after MAC address change"""
6600 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6601 hapd
= hostapd
.add_ap(apdev
[0], params
)
6603 cmd
= subprocess
.Popen(['ps', '-eo', 'pid,command'], stdout
=subprocess
.PIPE
)
6604 res
= cmd
.stdout
.read().decode()
6607 for p
in res
.splitlines():
6608 if "wpa_supplicant" not in p
:
6610 if dev
[0].ifname
not in p
:
6612 pid
= int(p
.strip().split(' ')[0])
6614 logger
.info("Could not find wpa_supplicant PID")
6616 logger
.info("wpa_supplicant PID %d" % pid
)
6618 addr
= dev
[0].get_status_field("address")
6619 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'down'])
6620 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'address',
6621 '02:11:22:33:44:55'])
6622 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'up'])
6623 addr1
= dev
[0].get_status_field("address")
6624 if addr1
!= '02:11:22:33:44:55':
6625 raise Exception("Failed to change MAC address")
6627 # Scan using the externally set MAC address, stop the wpa_supplicant
6628 # process to avoid it from processing the ifdown event before the interface
6629 # is already UP, change the MAC address back, allow the wpa_supplicant
6630 # process to continue. This will result in the ifdown + ifup sequence of
6631 # RTM_NEWLINK events to be processed while the interface is already UP.
6633 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
6634 os
.kill(pid
, signal
.SIGSTOP
)
6637 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'down'])
6638 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'address',
6640 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'up'])
6642 os
.kill(pid
, signal
.SIGCONT
)
6644 eap_connect(dev
[0], hapd
, "PSK", "psk.user@example.com",
6645 password_hex
="0123456789abcdef0123456789abcdef")
6647 addr2
= dev
[0].get_status_field("address")
6649 raise Exception("Failed to restore MAC address")
def test_ap_wpa2_eap_server_get_id(dev, apdev):
    """Internal EAP server reports dot1xAuthSessionUserName for an EAP-TLS STA

    After a successful EAP-TLS authentication against hostapd's built-in
    EAP server, the per-STA record fetched with get_sta() must carry the
    authenticated identity ("tls user") as dot1xAuthSessionUserName.
    """
    hapd = hostapd.add_ap(apdev[0], int_eap_server_params())
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")

    # Session user name is looked up on the AP side by the STA's own address.
    key = 'dot1xAuthSessionUserName'
    sta = hapd.get_sta(dev[0].own_addr())
    if key not in sta:
        raise Exception("No dot1xAuthSessionUserName included")
    user = sta[key]
    if user != "tls user":
        raise Exception("Unexpected dot1xAuthSessionUserName value: " + user)
def test_ap_wpa2_radius_server_get_id(dev, apdev):
    """External RADIUS server supplies dot1xAuthSessionUserName for EAP-TTLS

    The STA authenticates with EAP-TTLS/PAP using the anonymous outer
    identity "ttls" and the inner identity "test-user". The AP's per-STA
    record must report "real-user", i.e. the name the RADIUS server asserted
    for the session (presumably via the User-Name it returns), rather than
    the unauthenticated outer identity seen in clear text.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "TTLS", "test-user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    # Session user name is looked up on the AP side by the STA's own address.
    key = 'dot1xAuthSessionUserName'
    sta = hapd.get_sta(dev[0].own_addr())
    if key not in sta:
        raise Exception("No dot1xAuthSessionUserName included")
    user = sta[key]
    if user != "real-user":
        raise Exception("Unexpected dot1xAuthSessionUserName value: " + user)
6679 def test_openssl_systemwide_policy(dev
, apdev
, test_params
):
6680 """OpenSSL systemwide policy and overrides"""
6681 prefix
= "openssl_systemwide_policy"
6682 pidfile
= os
.path
.join(test_params
['logdir'], prefix
+ '.pid-wpas')
6684 with
HWSimRadio() as (radio
, iface
):
6685 run_openssl_systemwide_policy(iface
, apdev
, test_params
)
6687 if os
.path
.exists(pidfile
):
6688 with
open(pidfile
, 'r') as f
:
6689 pid
= int(f
.read().strip())
6690 os
.kill(pid
, signal
.SIGTERM
)
6692 def write_openssl_cnf(cnf
, MinProtocol
=None, CipherString
=None):
6693 with
open(cnf
, "w") as f
:
6694 f
.write("""openssl_conf = default_conf
6698 system_default = system_default_sect
6699 [system_default_sect]
6702 f
.write("MinProtocol = %s\n" % MinProtocol
)
6704 f
.write("CipherString = %s\n" % CipherString
)
6706 def run_openssl_systemwide_policy(iface
, apdev
, test_params
):
6707 prefix
= "openssl_systemwide_policy"
6708 logfile
= os
.path
.join(test_params
['logdir'], prefix
+ '.log-wpas')
6709 pidfile
= os
.path
.join(test_params
['logdir'], prefix
+ '.pid-wpas')
6710 conffile
= os
.path
.join(test_params
['logdir'], prefix
+ '.conf')
6711 openssl_cnf
= os
.path
.join(test_params
['logdir'], prefix
+ '.openssl.cnf')
6713 write_openssl_cnf(openssl_cnf
, "TLSv1.2", "DEFAULT@SECLEVEL=2")
6715 with
open(conffile
, 'w') as f
:
6716 f
.write("ctrl_interface=DIR=/var/run/wpa_supplicant\n")
6718 params
= int_eap_server_params()
6719 params
['tls_flags'] = "[DISABLE-TLSv1.1][DISABLE-TLSv1.2][DISABLE-TLSv1.3]"
6721 hapd
= hostapd
.add_ap(apdev
[0], params
)
6723 prg
= os
.path
.join(test_params
['logdir'],
6724 'alt-wpa_supplicant/wpa_supplicant/wpa_supplicant')
6725 if not os
.path
.exists(prg
):
6726 prg
= '../../wpa_supplicant/wpa_supplicant'
6727 arg
= [ prg
, '-BddtK', '-P', pidfile
, '-f', logfile
,
6728 '-Dnl80211', '-c', conffile
, '-i', iface
]
6729 logger
.info("Start wpa_supplicant: " + str(arg
))
6730 subprocess
.call(arg
, env
={'OPENSSL_CONF': openssl_cnf
})
6731 wpas
= WpaSupplicant(ifname
=iface
)
6732 if "PONG" not in wpas
.request("PING"):
6733 raise Exception("Could not PING wpa_supplicant")
6734 tls
= wpas
.request("GET tls_library")
6735 if not tls
.startswith("OpenSSL"):
6736 raise HwsimSkip("Not using OpenSSL")
6738 # Use default configuration without any TLS version overrides. This should
6739 # end up using OpenSSL systemwide policy and result in failure to find a
6740 # compatible protocol version.
6741 ca_file
= os
.path
.join(os
.getcwd(), "auth_serv/ca.pem")
6742 id = wpas
.connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
6743 identity
="pap user", anonymous_identity
="ttls",
6744 password
="password", phase2
="auth=PAP",
6746 scan_freq
="2412", wait_connect
=False)
6747 ev
= wpas
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
6749 raise Exception("EAP not started")
6750 ev
= wpas
.wait_event(["CTRL-EVENT-EAP-STATUS status='local TLS alert'"],
6753 raise HwsimSkip("OpenSSL systemwide policy not supported")
6754 wpas
.request("DISCONNECT")
6755 wpas
.wait_disconnected()
6758 # Explicitly allow TLSv1.0 to be used to override OpenSSL systemwide policy
6759 wpas
.set_network_quoted(id, "openssl_ciphers", "DEFAULT@SECLEVEL=1")
6760 wpas
.set_network_quoted(id, "phase1", "tls_disable_tlsv1_0=0")
6761 wpas
.select_network(id, freq
="2412")
6762 wpas
.wait_connected()
6764 wpas
.request("TERMINATE")