1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Module-wide logger used by every test below; the root logger is used
# (no name), so the messages go wherever the test runner configured it.
logger = logging.getLogger()
22 from utils
import HwsimSkip
, alloc_fail
, fail_test
, skip_with_fips
, wait_fail_trigger
23 from wpasupplicant
import WpaSupplicant
24 from test_ap_psk
import check_mib
, find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
, set_test_assoc_ie
28 openssl_imported
= True
30 openssl_imported
= False
def check_hlr_auc_gw_support():
    """Skip the calling test unless the hlr_auc_gw helper appears to be running.

    The EAP-SIM/AKA tests depend on the HLR/AuC gateway that hostapd's EAP
    server talks to over a UNIX domain socket. Its availability is inferred
    purely from the socket path existing.

    Raises:
        HwsimSkip: when /tmp/hlr_auc_gw.sock does not exist.
    """
    # NOTE(review): a fixed path under the shared /tmp is creatable by any
    # local user, so this only proves *something* is at that path, not that
    # it is the test gateway -- acceptable for a lab harness, not a guard.
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
def check_eap_capa(dev, method):
    """Skip the calling test if wpa_supplicant was built without ``method``.

    Args:
        dev: WpaSupplicant instance under test.
        method: EAP method name as reported by ``GET_CAPABILITY eap``.

    Raises:
        HwsimSkip: when ``method`` is not among the supported EAP methods.
    """
    supported = dev.get_capability("eap")
    # NOTE(review): this membership test was dropped by the listing's
    # extraction and is reconstructed from the raise below; confirm upstream.
    if method not in supported:
        raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip unless ``dev`` is linked against OpenSSL.

    The subject_match network parameter is only implemented for the OpenSSL
    backend, so tests exercising it cannot run with any other TLS library.

    Raises:
        HwsimSkip: when the reported tls_library does not start with "OpenSSL".
    """
    tls = dev.request("GET tls_library")
    if tls.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + tls)
def check_altsubject_match_support(dev):
    """Skip unless ``dev`` is linked against OpenSSL.

    altsubject_match (subjectAltName matching) is only available with the
    OpenSSL backend.

    Raises:
        HwsimSkip: when the reported tls_library does not start with "OpenSSL".
    """
    tls = dev.request("GET tls_library")
    if tls.startswith("OpenSSL"):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls)
def check_domain_match(dev):
    """Skip when ``dev`` uses hostap's internal TLS library.

    domain_match is not implemented there; every other backend is accepted.

    Raises:
        HwsimSkip: when the reported tls_library starts with "internal".
    """
    tls = dev.request("GET tls_library")
    unsupported = tls.startswith("internal")
    if unsupported:
        raise HwsimSkip("domain_match not supported with this TLS library: " + tls)
def check_domain_suffix_match(dev):
    """Skip when ``dev`` uses hostap's internal TLS library.

    domain_suffix_match is not implemented there; every other backend is
    accepted.

    Raises:
        HwsimSkip: when the reported tls_library starts with "internal".
    """
    tls = dev.request("GET tls_library")
    unsupported = tls.startswith("internal")
    if unsupported:
        raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + tls)
def check_domain_match_full(dev):
    """Skip unless ``dev`` is linked against OpenSSL.

    Used by tests that rely on domain_suffix_match matching a *suffix*; with
    the other backends the parameter only accepts a full-name match, so those
    tests would fail for the wrong reason.

    Raises:
        HwsimSkip: when the reported tls_library does not start with "OpenSSL".
    """
    tls = dev.request("GET tls_library")
    if tls.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls)
def check_cert_probe_support(dev):
    """Skip unless ``dev`` uses OpenSSL or hostap's internal TLS library.

    Certificate probing (ca_cert="probe://") is only supported by those two
    backends.

    Raises:
        HwsimSkip: for any other tls_library value.
    """
    tls = dev.request("GET tls_library")
    supported = tls.startswith(("OpenSSL", "internal"))
    if not supported:
        raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls)
def check_ext_cert_check_support(dev):
    """Skip unless ``dev`` is linked against OpenSSL.

    ext_cert_check (handing server certificate validation to an external
    program over the control interface) is only available with OpenSSL.

    Raises:
        HwsimSkip: when the reported tls_library does not start with "OpenSSL".
    """
    tls = dev.request("GET tls_library")
    if tls.startswith("OpenSSL"):
        return
    raise HwsimSkip("ext_cert_check not supported with this TLS library: " + tls)
def check_ocsp_support(dev):
    """Capability check for the OCSP tests -- currently a no-op.

    The per-library skips that used to live here (internal TLS, BoringSSL)
    are disabled, so this never raises: the tls_library query is still
    issued but its answer is not acted on, and the OCSP tests run against
    every TLS backend.
    """
    dev.request("GET tls_library")
def check_pkcs5_v15_support(dev):
    """Skip when ``dev`` is linked against BoringSSL.

    BoringSSL does not support PKCS#5 v1.5 private key encryption, which the
    legacy-key tests depend on.

    Raises:
        HwsimSkip: when "BoringSSL" appears in the reported tls_library.
    """
    tls = dev.request("GET tls_library")
    boringssl = "BoringSSL" in tls
    if boringssl:
        raise HwsimSkip("PKCS#5 v1.5 not supported with this TLS library: " + tls)
def check_ocsp_multi_support(dev):
    """Skip unless both ends of the TLS tunnel use hostap's internal TLS library.

    ocsp_multi is only implemented in the internal TLS stack, so the station
    and the authentication server (the "as" hostapd instance) are both
    queried for their tls_library.

    Raises:
        HwsimSkip: when either side reports a different TLS library.
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("internal"):
        raise HwsimSkip("OCSP-multi not supported with this TLS library: " + tls)
    as_tls = hostapd.Hostapd("as").request("GET tls_library")
    if not as_tls.startswith("internal"):
        raise HwsimSkip("Authentication server does not support ocsp_multi")
def check_pkcs12_support(dev):
    """Capability check for the PKCS#12 tests -- currently a no-op.

    The skip for the internal TLS library is disabled, so this never raises;
    the tls_library query is issued but its answer is not used.
    """
    dev.request("GET tls_library")
def check_dh_dsa_support(dev):
    """Skip when ``dev`` uses hostap's internal TLS library.

    DH parameters in the DSA form are not supported there.

    Raises:
        HwsimSkip: when the reported tls_library starts with "internal".
    """
    tls = dev.request("GET tls_library")
    unsupported = tls.startswith("internal")
    if unsupported:
        raise HwsimSkip("DH DSA not supported with this TLS library: " + tls)
109 with
open(fname
, "r") as f
:
110 lines
= f
.readlines()
118 if "-----BEGIN" in l
:
120 return base64
.b64decode(cert
)
def eap_connect(dev, hapd, method, identity,
                sha256=False, expect_failure=False, local_error_report=False,
                maybe_local_error=False, **kwargs):
    """Add a WPA2-Enterprise network on ``dev`` and drive it through EAP.

    The network block allows both WPA-EAP and WPA-EAP-SHA256 key management
    with PMF optional (ieee80211w=1) on 2412 MHz; any extra keyword
    arguments (password, ca_cert, phase2, ...) are forwarded unchanged to
    ``dev.connect``. ``eap_check_auth`` then verifies the EAP exchange; for a
    successful exchange hostapd must additionally report the station as
    connected.

    Args:
        dev: WpaSupplicant instance.
        hapd: hostapd instance of the AP (checked for AP-STA-CONNECTED).
        method: EAP method name that must be selected, e.g. "SIM".
        identity: EAP identity for the network block.
        sha256, expect_failure, local_error_report, maybe_local_error:
            forwarded to ``eap_check_auth``.

    Returns:
        The value returned by ``dev.connect`` (the network id).

    Raises:
        Exception: on any failed EAP/association check, or when hostapd does
        not report the station within 5 seconds of a successful EAP run.
    """
    # NOTE(review): the line closing the connect() call, the early return for
    # the expect_failure case, the "ev is None" guard and the final return
    # were dropped by the listing's extraction and are reconstructed here --
    # confirm against upstream.
    net_id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                         eap=method, identity=identity,
                         wait_connect=False, scan_freq="2412", ieee80211w="1",
                         **kwargs)
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report,
                   maybe_local_error=maybe_local_error)
    if expect_failure:
        # No AP-side connection event is expected after a failed EAP run.
        return net_id
    ev = hapd.wait_event(["AP-STA-CONNECTED"], timeout=5)
    if ev is None:
        raise Exception("No connection event received from hostapd")
    return net_id
def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False,
                   maybe_local_error=False):
    """Follow one EAP exchange on ``dev`` and verify its outcome.

    Checked in order: EAP started; the expected ``method`` was selected;
    then either (``expect_failure``) an EAP-Failure followed by a
    disconnection with the proper reason code, or EAP-Success, the
    (re)association completing, and a supplicant status showing
    wpa_state COMPLETED, an authorized port, the expected method and the
    expected key_mgmt string.

    Args:
        dev: WpaSupplicant instance.
        method: EAP method name that must appear in the method-selection
            event and in the ``selectedMethod`` status field.
        initial: True for a first association (wait for CTRL-EVENT-CONNECTED);
            False for a reauthentication (wait for the EAPOL-Key handshake
            to complete instead).
        rsn: expect the WPA2 ("WPA2/IEEE 802.1X/EAP") key_mgmt string rather
            than the WPA one; ignored when ``sha256`` is set.
        sha256: expect "WPA2-EAP-SHA256" key_mgmt.
        expect_failure: the EAP exchange is expected to fail.
        local_error_report: when expecting failure, do not insist on the
            disconnection carrying reason code 23.
        maybe_local_error: tolerate the supplicant failing or disconnecting
            on its own (no method selected, or locally generated disconnect).

    Raises:
        Exception: on a timeout or any mismatch with the expectations above.
    """
    # NOTE(review): the "ev is None" guards, the early returns and the
    # expect_failure/initial/sha256/rsn branch headers were dropped by the
    # listing's extraction and are reconstructed here -- confirm upstream.
    ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD",
                         "CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "CTRL-EVENT-EAP-FAILURE" in ev:
        if maybe_local_error:
            return
        raise Exception("Could not select EAP method")
    if method not in ev:
        raise Exception("Unexpected EAP method")

    if expect_failure:
        ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
        if ev is None:
            raise Exception("EAP failure timed out")
        ev = dev.wait_disconnected(timeout=10)
        # A locally generated disconnection is only acceptable when the
        # caller said the supplicant may give up on its own.
        if maybe_local_error and "locally_generated=1" in ev:
            return
        # Otherwise the AP must have deauthenticated with reason 23
        # (IEEE 802.1X authentication failed), unless the caller opted out.
        if not local_error_report and "reason=23" not in ev:
            raise Exception("Proper reason code for disconnection not reported")
        return

    ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")

    # First association: wait for the connection itself. Reauthentication:
    # the station stays associated, so the EAPOL-Key handshake after
    # EAP-Success is the signal to wait for.
    if initial:
        ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
    else:
        ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Association with the AP timed out")

    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    # The controlled port must be open; merely being associated is not enough.
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if "selectedMethod" not in status:
        logger.info("Status: " + str(status))
        raise Exception("No selectedMethod in status")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")

    # Confirm the negotiated AKM is the one the test asked for, so a
    # different (e.g. non-SHA256) variant being selected is caught here.
    if sha256:
        expected_key_mgmt = "WPA2-EAP-SHA256"
    elif rsn:
        expected_key_mgmt = "WPA2/IEEE 802.1X/EAP"
    else:
        expected_key_mgmt = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != expected_key_mgmt:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger an EAP reauthentication on ``dev`` and verify it.

    Issues the REAUTHENTICATE control command and then runs the
    non-initial variant of ``eap_check_auth`` (``initial=False``), i.e. waits
    for the EAPOL-Key handshake instead of a new CTRL-EVENT-CONNECTED.

    Args:
        dev: WpaSupplicant instance that is currently connected.
        method: EAP method name expected to be selected again.
        rsn, sha256, expect_failure: forwarded to ``eap_check_auth``.

    Returns:
        Whatever ``eap_check_auth`` returns.
    """
    dev.request("REAUTHENTICATE")
    checks = dict(rsn=rsn, sha256=sha256, expect_failure=expect_failure)
    return eap_check_auth(dev, method, False, **checks)
def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Milenage Ki:OPc (two 128-bit hex values) matching the test IMSIs in
    # the hlr_auc_gw database used by the authentication server.
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"

    eap_connect(dev[0], hapd, "SIM", "1232010000000000", password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "SIM")

    eap_connect(dev[1], hapd, "SIM", "1232010000000001", password=good_key)
    # NOTE(review): the last argument of this call was dropped by the
    # listing's extraction; reconstructed as the pseudonym used by the
    # sibling config test -- confirm upstream.
    eap_connect(dev[2], hapd, "SIM", "1232010000000002", password=good_key,
                anonymous_identity="345678")

    # Every malformed or wrong key must make the EAP exchange fail: a wrong
    # but well-formed key is rejected by the server, the others are rejected
    # locally when wpa_supplicant parses the Ki:OPc string (bad length,
    # non-hex digit in either half, missing separator).
    bad_keys = [
        ("Negative test with incorrect key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("Invalid GSM-Milenage key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a"),
        ("Invalid GSM-Milenage key(2)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581"),
        ("Invalid GSM-Milenage key(3)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q"),
        ("Invalid GSM-Milenage key(4)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581"),
    ]
    for label, key in bad_keys:
        logger.info(label)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], hapd, "SIM", "1232010000000000", password=key,
                    expect_failure=True)

    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "SIM", "1232010000000000", expect_failure=True)
def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)"""
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    # The authentication server on port 1814 keeps its EAP-SIM pseudonym and
    # fast-reauthentication state in this SQLite database; the test edits
    # that state directly to drive the server down each code path.
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "1814"
    hapd = hostapd.add_ap(apdev[0], params)

    imsi = "1232010000000000"
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"

    def run_sql(*statements):
        # Commit before the next (re)authentication so the server sees it.
        # All statements are constant literals -- nothing is interpolated.
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt)

    eap_connect(dev[0], hapd, "SIM", imsi, password=key)

    logger.info("SIM fast re-authentication")
    eap_reauth(dev[0], "SIM")

    logger.info("SIM full auth with pseudonym")
    run_sql("DELETE FROM reauth WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")

    logger.info("SIM full auth with permanent identity")
    run_sql("DELETE FROM reauth WHERE permanent='1232010000000000'",
            "DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")

    # A reauth id whose stored master key no longer matches the station's
    # must be rejected rather than silently falling back.
    logger.info("SIM reauth with mismatching MK")
    run_sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], hapd, "SIM", imsi, password=key)
    run_sql("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")

    # Counter mismatch: the reauth is still expected to complete (no
    # expect_failure), i.e. the server recovers instead of rejecting.
    run_sql("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with mismatching counter")
    eap_reauth(dev[0], "SIM")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], hapd, "SIM", imsi, password=key)
    run_sql("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with max reauth count reached")
    eap_reauth(dev[0], "SIM")
def test_ap_wpa2_eap_sim_config(dev, apdev):
    """EAP-SIM configuration options"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    init_failed = "EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"

    # sim_min_num_chal values 1 and 4 are rejected when the method is
    # initialized (the error is logged, no EAP exchange happens); 2 is
    # accepted below.
    for num_chal, suffix in (("1", ""), ("4", " (2)")):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                       identity="1232010000000000", password=key,
                       phase1="sim_min_num_chal=" + num_chal,
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event([init_failed], timeout=10)
        if ev is None:
            raise Exception("No EAP error message seen" + suffix)
        dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], hapd, "SIM", "1232010000000000", password=key,
                phase1="sim_min_num_chal=2")
    # Second station with the same permanent identity but a configured
    # pseudonym (anonymous_identity).
    eap_connect(dev[1], hapd, "SIM", "1232010000000000", password=key,
                anonymous_identity="345678")
343 def test_ap_wpa2_eap_sim_ext(dev
, apdev
):
344 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
346 _test_ap_wpa2_eap_sim_ext(dev
, apdev
)
348 dev
[0].request("SET external_sim 0")
350 def _test_ap_wpa2_eap_sim_ext(dev
, apdev
):
351 check_hlr_auc_gw_support()
352 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
353 hostapd
.add_ap(apdev
[0], params
)
354 dev
[0].request("SET external_sim 1")
355 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
356 identity
="1232010000000000",
357 wait_connect
=False, scan_freq
="2412")
358 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
360 raise Exception("Network connected timed out")
362 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
364 raise Exception("Wait for external SIM processing request timed out")
366 if p
[1] != "GSM-AUTH":
367 raise Exception("Unexpected CTRL-REQ-SIM type")
368 rid
= p
[0].split('-')[3]
371 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
372 # This will fail during processing, but the ctrl_iface command succeeds
373 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTH:" + resp
)
374 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
376 raise Exception("EAP failure not reported")
377 dev
[0].request("DISCONNECT")
378 dev
[0].wait_disconnected()
381 dev
[0].select_network(id, freq
="2412")
382 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
384 raise Exception("Wait for external SIM processing request timed out")
386 if p
[1] != "GSM-AUTH":
387 raise Exception("Unexpected CTRL-REQ-SIM type")
388 rid
= p
[0].split('-')[3]
389 # This will fail during GSM auth validation
390 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:q"):
391 raise Exception("CTRL-RSP-SIM failed")
392 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
394 raise Exception("EAP failure not reported")
395 dev
[0].request("DISCONNECT")
396 dev
[0].wait_disconnected()
399 dev
[0].select_network(id, freq
="2412")
400 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
402 raise Exception("Wait for external SIM processing request timed out")
404 if p
[1] != "GSM-AUTH":
405 raise Exception("Unexpected CTRL-REQ-SIM type")
406 rid
= p
[0].split('-')[3]
407 # This will fail during GSM auth validation
408 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:34"):
409 raise Exception("CTRL-RSP-SIM failed")
410 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
412 raise Exception("EAP failure not reported")
413 dev
[0].request("DISCONNECT")
414 dev
[0].wait_disconnected()
417 dev
[0].select_network(id, freq
="2412")
418 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
420 raise Exception("Wait for external SIM processing request timed out")
422 if p
[1] != "GSM-AUTH":
423 raise Exception("Unexpected CTRL-REQ-SIM type")
424 rid
= p
[0].split('-')[3]
425 # This will fail during GSM auth validation
426 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677"):
427 raise Exception("CTRL-RSP-SIM failed")
428 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
430 raise Exception("EAP failure not reported")
431 dev
[0].request("DISCONNECT")
432 dev
[0].wait_disconnected()
435 dev
[0].select_network(id, freq
="2412")
436 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
438 raise Exception("Wait for external SIM processing request timed out")
440 if p
[1] != "GSM-AUTH":
441 raise Exception("Unexpected CTRL-REQ-SIM type")
442 rid
= p
[0].split('-')[3]
443 # This will fail during GSM auth validation
444 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:q"):
445 raise Exception("CTRL-RSP-SIM failed")
446 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
448 raise Exception("EAP failure not reported")
449 dev
[0].request("DISCONNECT")
450 dev
[0].wait_disconnected()
453 dev
[0].select_network(id, freq
="2412")
454 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
456 raise Exception("Wait for external SIM processing request timed out")
458 if p
[1] != "GSM-AUTH":
459 raise Exception("Unexpected CTRL-REQ-SIM type")
460 rid
= p
[0].split('-')[3]
461 # This will fail during GSM auth validation
462 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233"):
463 raise Exception("CTRL-RSP-SIM failed")
464 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
466 raise Exception("EAP failure not reported")
467 dev
[0].request("DISCONNECT")
468 dev
[0].wait_disconnected()
471 dev
[0].select_network(id, freq
="2412")
472 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
474 raise Exception("Wait for external SIM processing request timed out")
476 if p
[1] != "GSM-AUTH":
477 raise Exception("Unexpected CTRL-REQ-SIM type")
478 rid
= p
[0].split('-')[3]
479 # This will fail during GSM auth validation
480 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233:q"):
481 raise Exception("CTRL-RSP-SIM failed")
482 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
484 raise Exception("EAP failure not reported")
486 def test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
):
487 """EAP-SIM with external GSM auth and replacing SIM without clearing pseudonym id"""
489 _test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
)
491 dev
[0].request("SET external_sim 0")
493 def _test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
):
494 check_hlr_auc_gw_support()
495 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
496 hostapd
.add_ap(apdev
[0], params
)
497 dev
[0].request("SET external_sim 1")
498 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
499 identity
="1232010000000000",
500 wait_connect
=False, scan_freq
="2412")
502 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
504 raise Exception("Wait for external SIM processing request timed out")
506 if p
[1] != "GSM-AUTH":
507 raise Exception("Unexpected CTRL-REQ-SIM type")
508 rid
= p
[0].split('-')[3]
509 rand
= p
[2].split(' ')[0]
511 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
513 "auth_serv/hlr_auc_gw.milenage_db",
514 "GSM-AUTH-REQ 232010000000000 " + rand
])
515 if "GSM-AUTH-RESP" not in res
:
516 raise Exception("Unexpected hlr_auc_gw response")
517 resp
= res
.split(' ')[2].rstrip()
519 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
520 dev
[0].wait_connected(timeout
=15)
521 dev
[0].request("DISCONNECT")
522 dev
[0].wait_disconnected()
524 # Replace SIM, but forget to drop the previous pseudonym identity
525 dev
[0].set_network_quoted(id, "identity", "1232010000000009")
526 dev
[0].select_network(id, freq
="2412")
528 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
530 raise Exception("Wait for external SIM processing request timed out")
532 if p
[1] != "GSM-AUTH":
533 raise Exception("Unexpected CTRL-REQ-SIM type")
534 rid
= p
[0].split('-')[3]
535 rand
= p
[2].split(' ')[0]
537 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
539 "auth_serv/hlr_auc_gw.milenage_db",
540 "GSM-AUTH-REQ 232010000000009 " + rand
])
541 if "GSM-AUTH-RESP" not in res
:
542 raise Exception("Unexpected hlr_auc_gw response")
543 resp
= res
.split(' ')[2].rstrip()
545 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
546 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
548 raise Exception("EAP-Failure not reported")
549 dev
[0].request("DISCONNECT")
550 dev
[0].wait_disconnected()
552 def test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
):
553 """EAP-SIM with external GSM auth and replacing SIM and clearing pseudonym identity"""
555 _test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
)
557 dev
[0].request("SET external_sim 0")
559 def _test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
):
560 check_hlr_auc_gw_support()
561 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
562 hostapd
.add_ap(apdev
[0], params
)
563 dev
[0].request("SET external_sim 1")
564 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
565 identity
="1232010000000000",
566 wait_connect
=False, scan_freq
="2412")
568 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
570 raise Exception("Wait for external SIM processing request timed out")
572 if p
[1] != "GSM-AUTH":
573 raise Exception("Unexpected CTRL-REQ-SIM type")
574 rid
= p
[0].split('-')[3]
575 rand
= p
[2].split(' ')[0]
577 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
579 "auth_serv/hlr_auc_gw.milenage_db",
580 "GSM-AUTH-REQ 232010000000000 " + rand
])
581 if "GSM-AUTH-RESP" not in res
:
582 raise Exception("Unexpected hlr_auc_gw response")
583 resp
= res
.split(' ')[2].rstrip()
585 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
586 dev
[0].wait_connected(timeout
=15)
587 dev
[0].request("DISCONNECT")
588 dev
[0].wait_disconnected()
590 # Replace SIM and drop the previous pseudonym identity
591 dev
[0].set_network_quoted(id, "identity", "1232010000000009")
592 dev
[0].set_network(id, "anonymous_identity", "NULL")
593 dev
[0].select_network(id, freq
="2412")
595 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
597 raise Exception("Wait for external SIM processing request timed out")
599 if p
[1] != "GSM-AUTH":
600 raise Exception("Unexpected CTRL-REQ-SIM type")
601 rid
= p
[0].split('-')[3]
602 rand
= p
[2].split(' ')[0]
604 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
606 "auth_serv/hlr_auc_gw.milenage_db",
607 "GSM-AUTH-REQ 232010000000009 " + rand
])
608 if "GSM-AUTH-RESP" not in res
:
609 raise Exception("Unexpected hlr_auc_gw response")
610 resp
= res
.split(' ')[2].rstrip()
612 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
613 dev
[0].wait_connected()
614 dev
[0].request("DISCONNECT")
615 dev
[0].wait_disconnected()
617 def test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
):
618 """EAP-SIM with external GSM auth, replacing SIM, and no identity in config"""
620 _test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
)
622 dev
[0].request("SET external_sim 0")
624 def _test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
):
625 check_hlr_auc_gw_support()
626 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
627 hostapd
.add_ap(apdev
[0], params
)
628 dev
[0].request("SET external_sim 1")
629 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
630 wait_connect
=False, scan_freq
="2412")
632 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
634 raise Exception("Request for identity timed out")
635 rid
= ev
.split(':')[0].split('-')[-1]
636 dev
[0].request("CTRL-RSP-IDENTITY-" + rid
+ ":1232010000000000")
638 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
640 raise Exception("Wait for external SIM processing request timed out")
642 if p
[1] != "GSM-AUTH":
643 raise Exception("Unexpected CTRL-REQ-SIM type")
644 rid
= p
[0].split('-')[3]
645 rand
= p
[2].split(' ')[0]
647 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
649 "auth_serv/hlr_auc_gw.milenage_db",
650 "GSM-AUTH-REQ 232010000000000 " + rand
])
651 if "GSM-AUTH-RESP" not in res
:
652 raise Exception("Unexpected hlr_auc_gw response")
653 resp
= res
.split(' ')[2].rstrip()
655 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
656 dev
[0].wait_connected(timeout
=15)
657 dev
[0].request("DISCONNECT")
658 dev
[0].wait_disconnected()
660 # Replace SIM and drop the previous permanent and pseudonym identities
661 dev
[0].set_network(id, "identity", "NULL")
662 dev
[0].set_network(id, "anonymous_identity", "NULL")
663 dev
[0].select_network(id, freq
="2412")
665 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
667 raise Exception("Request for identity timed out")
668 rid
= ev
.split(':')[0].split('-')[-1]
669 dev
[0].request("CTRL-RSP-IDENTITY-" + rid
+ ":1232010000000009")
671 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
673 raise Exception("Wait for external SIM processing request timed out")
675 if p
[1] != "GSM-AUTH":
676 raise Exception("Unexpected CTRL-REQ-SIM type")
677 rid
= p
[0].split('-')[3]
678 rand
= p
[2].split(' ')[0]
680 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
682 "auth_serv/hlr_auc_gw.milenage_db",
683 "GSM-AUTH-REQ 232010000000009 " + rand
])
684 if "GSM-AUTH-RESP" not in res
:
685 raise Exception("Unexpected hlr_auc_gw response")
686 resp
= res
.split(' ')[2].rstrip()
688 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
689 dev
[0].wait_connected()
690 dev
[0].request("DISCONNECT")
691 dev
[0].wait_disconnected()
693 def test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
):
694 """EAP-SIM with external GSM auth and auth failing"""
696 _test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
)
698 dev
[0].request("SET external_sim 0")
700 def _test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
):
701 check_hlr_auc_gw_support()
702 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
703 hostapd
.add_ap(apdev
[0], params
)
704 dev
[0].request("SET external_sim 1")
705 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
706 identity
="1232010000000000",
707 wait_connect
=False, scan_freq
="2412")
709 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
711 raise Exception("Wait for external SIM processing request timed out")
713 rid
= p
[0].split('-')[3]
714 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-FAIL")
715 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
717 raise Exception("EAP failure not reported")
718 dev
[0].request("REMOVE_NETWORK all")
719 dev
[0].wait_disconnected()
721 def test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
):
722 """EAP-SIM and external GSM auth to check fast reauth with bssid change"""
724 _test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
)
726 dev
[0].request("SET external_sim 0")
728 def _test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
):
729 check_hlr_auc_gw_support()
730 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
731 hostapd
.add_ap(apdev
[0], params
)
732 dev
[0].request("SET external_sim 1")
733 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
734 identity
="1232010000000000",
735 wait_connect
=False, scan_freq
="2412")
737 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
739 raise Exception("Wait for external SIM processing request timed out")
741 if p
[1] != "GSM-AUTH":
742 raise Exception("Unexpected CTRL-REQ-SIM type")
743 rid
= p
[0].split('-')[3]
744 rand
= p
[2].split(' ')[0]
746 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
748 "auth_serv/hlr_auc_gw.milenage_db",
749 "GSM-AUTH-REQ 232010000000000 " + rand
])
750 if "GSM-AUTH-RESP" not in res
:
751 raise Exception("Unexpected hlr_auc_gw response")
752 resp
= res
.split(' ')[2].rstrip()
754 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
755 dev
[0].wait_connected(timeout
=15)
757 # Verify that EAP-SIM Reauthentication can be used after a profile change
758 # that does not affect EAP parameters.
759 dev
[0].set_network(id, "bssid", "any")
760 eap_reauth(dev
[0], "SIM")
762 def test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
):
763 """EAP-SIM and external GSM auth to check fast reauth with no-change SET_NETWORK"""
765 _test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
)
767 dev
[0].request("SET external_sim 0")
769 def _test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
):
770 check_hlr_auc_gw_support()
771 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
772 hostapd
.add_ap(apdev
[0], params
)
773 dev
[0].request("SET external_sim 1")
774 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
775 identity
="1232010000000000",
776 wait_connect
=False, scan_freq
="2412")
778 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
780 raise Exception("Wait for external SIM processing request timed out")
782 if p
[1] != "GSM-AUTH":
783 raise Exception("Unexpected CTRL-REQ-SIM type")
784 rid
= p
[0].split('-')[3]
785 rand
= p
[2].split(' ')[0]
787 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
789 "auth_serv/hlr_auc_gw.milenage_db",
790 "GSM-AUTH-REQ 232010000000000 " + rand
])
791 if "GSM-AUTH-RESP" not in res
:
792 raise Exception("Unexpected hlr_auc_gw response")
793 resp
= res
.split(' ')[2].rstrip()
795 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
796 dev
[0].wait_connected(timeout
=15)
798 # Verify that EAP-SIM Reauthentication can be used after network profile
799 # SET_NETWORK commands that do not actually change previously set
801 dev
[0].set_network(id, "key_mgmt", "WPA-EAP")
802 dev
[0].set_network(id, "eap", "SIM")
803 dev
[0].set_network_quoted(id, "identity", "1232010000000000")
804 dev
[0].set_network_quoted(id, "ssid", "test-wpa2-eap")
805 eap_reauth(dev
[0], "SIM")
def test_ap_wpa2_eap_sim_oom(dev, apdev):
    """EAP-SIM and OOM"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # Force the count-th failure point inside milenage_f2345() for
    # count = 1..12 (note: fail_test, not alloc_fail, despite the test
    # name). Each attempt must still get as far as selecting EAP-SIM and
    # then be torn down cleanly.
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    for count in range(1, 13):
        with fail_test(dev[0], count, "milenage_f2345"):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                           identity="1232010000000000", password=key,
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            if ev is None:
                raise Exception("EAP method not selected")
            dev[0].wait_disconnected()
            dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Milenage Ki:OPc:SQN for the test IMSI in the hlr_auc_gw database.
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"

    eap_connect(dev[0], hapd, "AKA", "0232010000000000", password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA")

    # (label, remove the previous network first, password). Some of the
    # malformed-key cases deliberately reuse the existing network block
    # instead of removing it first.
    bad_keys = [
        ("Negative test with incorrect key", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a"),
        ("Invalid Milenage key(2)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key(3)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123"),
        ("Invalid Milenage key(4)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q"),
        ("Invalid Milenage key(5)", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123"),
        ("Invalid Milenage key(6)", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123"),
    ]
    for label, remove_first, key in bad_keys:
        logger.info(label)
        if remove_first:
            dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], hapd, "AKA", "0232010000000000", password=key,
                    expect_failure=True)

    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "AKA", "0232010000000000", expect_failure=True)
889 def test_ap_wpa2_eap_aka_sql(dev
, apdev
, params
):
890 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
891 check_hlr_auc_gw_support()
895 raise HwsimSkip("No sqlite3 module available")
896 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
897 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
898 params
['auth_server_port'] = "1814"
899 hapd
= hostapd
.add_ap(apdev
[0], params
)
900 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
901 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
903 logger
.info("AKA fast re-authentication")
904 eap_reauth(dev
[0], "AKA")
906 logger
.info("AKA full auth with pseudonym")
909 cur
.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
910 eap_reauth(dev
[0], "AKA")
912 logger
.info("AKA full auth with permanent identity")
915 cur
.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
916 cur
.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
917 eap_reauth(dev
[0], "AKA")
919 logger
.info("AKA reauth with mismatching MK")
922 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
923 eap_reauth(dev
[0], "AKA", expect_failure
=True)
924 dev
[0].request("REMOVE_NETWORK all")
926 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
927 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
930 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
931 eap_reauth(dev
[0], "AKA")
934 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
935 logger
.info("AKA reauth with mismatching counter")
936 eap_reauth(dev
[0], "AKA")
937 dev
[0].request("REMOVE_NETWORK all")
939 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
940 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
943 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
944 logger
.info("AKA reauth with max reauth count reached")
945 eap_reauth(dev
[0], "AKA")
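def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options (anonymous_identity with EAP-AKA)"""
    # The other EAP-AKA tests in this file gate on hlr_auc_gw being
    # available (the AKA subscriber is presumably authenticated through it);
    # do the same here so a missing gateway is a skip, not a failure.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Three colon-separated Milenage parameters, as used by the other
    # EAP-AKA tests in this file.
    milenage = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    # A separate outer (anonymous) identity must be accepted alongside the
    # permanent identity.
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password=milenage, anonymous_identity="2345678")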
955 def test_ap_wpa2_eap_aka_ext(dev
, apdev
):
956 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
958 _test_ap_wpa2_eap_aka_ext(dev
, apdev
)
960 dev
[0].request("SET external_sim 0")
962 def _test_ap_wpa2_eap_aka_ext(dev
, apdev
):
963 check_hlr_auc_gw_support()
964 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
965 hostapd
.add_ap(apdev
[0], params
)
966 dev
[0].request("SET external_sim 1")
967 id = dev
[0].connect("test-wpa2-eap", eap
="AKA", key_mgmt
="WPA-EAP",
968 identity
="0232010000000000",
969 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
970 wait_connect
=False, scan_freq
="2412")
971 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
973 raise Exception("Network connected timed out")
975 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
977 raise Exception("Wait for external SIM processing request timed out")
979 if p
[1] != "UMTS-AUTH":
980 raise Exception("Unexpected CTRL-REQ-SIM type")
981 rid
= p
[0].split('-')[3]
984 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
985 # This will fail during processing, but the ctrl_iface command succeeds
986 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
987 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
989 raise Exception("EAP failure not reported")
990 dev
[0].request("DISCONNECT")
991 dev
[0].wait_disconnected()
993 dev
[0].dump_monitor()
995 dev
[0].select_network(id, freq
="2412")
996 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
998 raise Exception("Wait for external SIM processing request timed out")
1000 if p
[1] != "UMTS-AUTH":
1001 raise Exception("Unexpected CTRL-REQ-SIM type")
1002 rid
= p
[0].split('-')[3]
1003 # This will fail during UMTS auth validation
1004 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:112233445566778899aabbccddee"):
1005 raise Exception("CTRL-RSP-SIM failed")
1006 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1008 raise Exception("Wait for external SIM processing request timed out")
1009 p
= ev
.split(':', 2)
1010 if p
[1] != "UMTS-AUTH":
1011 raise Exception("Unexpected CTRL-REQ-SIM type")
1012 rid
= p
[0].split('-')[3]
1013 # This will fail during UMTS auth validation
1014 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:12"):
1015 raise Exception("CTRL-RSP-SIM failed")
1016 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
1018 raise Exception("EAP failure not reported")
1019 dev
[0].request("DISCONNECT")
1020 dev
[0].wait_disconnected()
1022 dev
[0].dump_monitor()
1024 tests
= [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
1026 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
1027 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
1028 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
1029 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
1030 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
1032 dev
[0].select_network(id, freq
="2412")
1033 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1035 raise Exception("Wait for external SIM processing request timed out")
1036 p
= ev
.split(':', 2)
1037 if p
[1] != "UMTS-AUTH":
1038 raise Exception("Unexpected CTRL-REQ-SIM type")
1039 rid
= p
[0].split('-')[3]
1040 # This will fail during UMTS auth validation
1041 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ t
):
1042 raise Exception("CTRL-RSP-SIM failed")
1043 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
1045 raise Exception("EAP failure not reported")
1046 dev
[0].request("DISCONNECT")
1047 dev
[0].wait_disconnected()
1049 dev
[0].dump_monitor()
1051 def test_ap_wpa2_eap_aka_ext_auth_fail(dev
, apdev
):
1052 """EAP-AKA with external UMTS auth and auth failing"""
1054 _test_ap_wpa2_eap_aka_ext_auth_fail(dev
, apdev
)
1056 dev
[0].request("SET external_sim 0")
1058 def _test_ap_wpa2_eap_aka_ext_auth_fail(dev
, apdev
):
1059 check_hlr_auc_gw_support()
1060 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1061 hostapd
.add_ap(apdev
[0], params
)
1062 dev
[0].request("SET external_sim 1")
1063 id = dev
[0].connect("test-wpa2-eap", eap
="AKA", key_mgmt
="WPA-EAP",
1064 identity
="0232010000000000",
1065 wait_connect
=False, scan_freq
="2412")
1067 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1069 raise Exception("Wait for external SIM processing request timed out")
1070 p
= ev
.split(':', 2)
1071 rid
= p
[0].split('-')[3]
1072 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-FAIL")
1073 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
1075 raise Exception("EAP failure not reported")
1076 dev
[0].request("REMOVE_NETWORK all")
1077 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'"""
    check_hlr_auc_gw_support()
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "6555444333222111"
    good_key = ("5122250214c33e723a5dd523fc145fc0:"
                "981d464c7c52eb6e5036234984ad0bcf:000000000123")
    # Same vector with the first byte of the first component corrupted.
    bad_key = "ff" + good_key[2:]

    eap_connect(dev[0], ap, "AKA'", imsi, password=good_key)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "AKA'")

    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    # NOTE(review): only a successful connection is asserted here; nothing
    # verifies that AKA' rather than AKA ended up as the selected method.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity=imsi + "@both", password=good_key,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "AKA'", imsi, password=bad_key,
                expect_failure=True)
1102 def test_ap_wpa2_eap_aka_prime_sql(dev
, apdev
, params
):
1103 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
1104 check_hlr_auc_gw_support()
1108 raise HwsimSkip("No sqlite3 module available")
1109 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
1110 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1111 params
['auth_server_port'] = "1814"
1112 hapd
= hostapd
.add_ap(apdev
[0], params
)
1113 eap_connect(dev
[0], hapd
, "AKA'", "6555444333222111",
1114 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1116 logger
.info("AKA' fast re-authentication")
1117 eap_reauth(dev
[0], "AKA'")
1119 logger
.info("AKA' full auth with pseudonym")
1122 cur
.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
1123 eap_reauth(dev
[0], "AKA'")
1125 logger
.info("AKA' full auth with permanent identity")
1128 cur
.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
1129 cur
.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
1130 eap_reauth(dev
[0], "AKA'")
1132 logger
.info("AKA' reauth with mismatching k_aut")
1135 cur
.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
1136 eap_reauth(dev
[0], "AKA'", expect_failure
=True)
1137 dev
[0].request("REMOVE_NETWORK all")
1139 eap_connect(dev
[0], hapd
, "AKA'", "6555444333222111",
1140 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1143 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
1144 eap_reauth(dev
[0], "AKA'")
1147 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
1148 logger
.info("AKA' reauth with mismatching counter")
1149 eap_reauth(dev
[0], "AKA'")
1150 dev
[0].request("REMOVE_NETWORK all")
1152 eap_connect(dev
[0], hapd
, "AKA'", "6555444333222111",
1153 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1156 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
1157 logger
.info("AKA' reauth with max reauth count reached")
1158 eap_reauth(dev
[0], "AKA'")
1160 def test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev
, apdev
):
1161 """EAP-AKA' with external UMTS auth and auth failing"""
1163 _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev
, apdev
)
1165 dev
[0].request("SET external_sim 0")
1167 def _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev
, apdev
):
1168 check_hlr_auc_gw_support()
1169 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1170 hostapd
.add_ap(apdev
[0], params
)
1171 dev
[0].request("SET external_sim 1")
1172 id = dev
[0].connect("test-wpa2-eap", eap
="AKA'", key_mgmt
="WPA-EAP",
1173 identity
="6555444333222111",
1174 wait_connect
=False, scan_freq
="2412")
1176 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1178 raise Exception("Wait for external SIM processing request timed out")
1179 p
= ev
.split(':', 2)
1180 rid
= p
[0].split('-')[3]
1181 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-FAIL")
1182 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
1184 raise Exception("EAP failure not reported")
1185 dev
[0].request("REMOVE_NETWORK all")
1186 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Sanity-check the AP configuration before relying on it: the first
    # key_mgmt entry must be WPA-EAP.
    configured_key_mgmt = ap.get_config()['key_mgmt']
    first_akm, _, _ = configured_key_mgmt.partition(' ')
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + configured_key_mgmt)
    # PAP sends the inner password in the clear; only the outer TLS tunnel
    # protects it, which is why the server CA is pinned via ca_cert.
    inner_cfg = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], ap, "TTLS", "pap user", **inner_cfg)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
    # Both the requested and the selected AKM must be the 802.1X suite.
    akm_8021x = "00-0f-ac-1"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", akm_8021x),
                       ("dot11RSNAAuthenticationSuiteSelected", akm_8021x)])
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    # Both matchers are OpenSSL-only; skip (not fail) on other TLS libraries.
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The server certificate must satisfy the full subject DN and at least
    # one of the listed subjectAltName entries (presumably only
    # DNS:server.w1.fi is expected to match).
    server_cert_checks = {
        "subject_match": "/C=FI/O=w1.fi/CN=server.w1.fi",
        "altsubject_match": "EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
    }
    eap_connect(dev[0], ap, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                **server_cert_checks)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Each case must be rejected by the server: a wrong password for the
    # PAP user, and the correct password for a user presumably not enabled
    # for PAP. ca_cert is still supplied so the failure is not a TLS one.
    rejected = [(dev[0], "pap user", "wrong"),
                (dev[1], "user", "password")]
    for sta, identity, secret in rejected:
        eap_connect(sta, ap, "TTLS", identity,
                    anonymous_identity="ttls", password=secret,
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                    expect_failure=True)
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # CHAP is MD5-based and unavailable under FIPS mode.
    skip_with_fips(dev[0])
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    # The CA is given in DER form here (the PAP tests use the PEM copy).
    chap_cfg = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(sta, ap, "TTLS", "chap user", **chap_cfg)
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and altsubject_match"""
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same SAN list as the PAP variant but in a different order, so the
    # match must not depend on entry position.
    san_list = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], ap, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=san_list)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    skip_with_fips(dev[0])
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong password for the CHAP user, then a correct password for a user
    # presumably not enabled for CHAP; both must be rejected.
    rejected = [(dev[0], "chap user", "wrong"),
                (dev[1], "user", "password")]
    for sta, identity, secret in rejected:
        eap_connect(sta, ap, "TTLS", identity,
                    anonymous_identity="ttls", password=secret,
                    ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                    expect_failure=True)
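def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    skip_with_fips(dev[0])
    check_domain_suffix_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Shared inner-method configuration. MSCHAP(v1) does not authenticate
    # the server itself, so the outer TLS tunnel pinned to ca_cert is what
    # protects the exchange.
    mschap_cfg = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                      phase2="auth=MSCHAP")
    eap_connect(dev[0], hapd, "TTLS", "mschap user", password="password",
                domain_suffix_match="server.w1.fi", **mschap_cfg)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    dev[0].request("REMOVE_NETWORK all")
    # Let the teardown finish before the next association so the second
    # connect cannot race it (same sequence as used before the third
    # connect below).
    dev[0].wait_disconnected()
    # A small fragment_size forces EAP fragmentation of the TLS handshake.
    eap_connect(dev[0], hapd, "TTLS", "mschap user", password="password",
                fragment_size="200", **mschap_cfg)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    # The NT hash alone is enough to authenticate: it is a
    # password-equivalent credential and must be protected like one.
    eap_connect(dev[0], hapd, "TTLS", "mschap user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **mschap_cfg)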
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    skip_with_fips(dev[0])
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Three rejections: wrong password, a user presumably not enabled for
    # MSCHAP, and an unknown user. All use a distinct station.
    rejected = [(dev[0], "mschap user", "wrong"),
                (dev[1], "user", "password"),
                (dev[2], "no such user", "password")]
    for sta, identity, secret in rejected:
        eap_connect(sta, ap, "TTLS", identity,
                    anonymous_identity="ttls", password=secret,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                    expect_failure=True)
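def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Escape the backslash explicitly: "\m" is an invalid escape sequence in
    # Python (a warning on newer interpreters) that only happens to yield
    # the same characters.
    identity = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], hapd, "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # Snapshot the AP-side 802.1X counters, re-authenticate, and verify the
    # authenticator really processed a new EAP exchange.
    addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(addr)
    eapol1 = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(addr)
    eapol2 = hapd.get_sta(addr, info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # The NT hash alone authenticates; treat it as a password-equivalent
    # secret.
    eap_connect(dev[0], hapd, "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")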
1338 def test_ap_wpa2_eap_ttls_invalid_phase2(dev
, apdev
):
1339 """EAP-TTLS with invalid phase2 parameter values"""
1340 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1341 hostapd
.add_ap(apdev
[0], params
)
1342 tests
= [ "auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
1343 "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
1344 "autheap=MD5 autheap=FOO autheap=MSCHAPV2" ]
1346 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1347 identity
="DOMAIN\mschapv2 user",
1348 anonymous_identity
="ttls", password
="password",
1349 ca_cert
="auth_serv/ca.pem", phase2
=t
,
1350 wait_connect
=False, scan_freq
="2412")
1351 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout
=10)
1352 if ev
is None or "method=21" not in ev
:
1353 raise Exception("EAP-TTLS not started")
1354 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method",
1355 "CTRL-EVENT-CONNECTED"], timeout
=5)
1356 if ev
is None or "CTRL-EVENT-CONNECTED" in ev
:
1357 raise Exception("No EAP-TTLS failure reported for phase2=" + t
)
1358 dev
[0].request("REMOVE_NETWORK all")
1359 dev
[0].wait_disconnected()
1360 dev
[0].dump_monitor()
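def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_suffix_match)"""
    # "w1.fi" is only a parent-domain suffix of the server name; TLS
    # libraries that require a full match cannot pass this, so skip there.
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Backslash escaped explicitly; "\m" is an invalid escape sequence.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")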
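def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Backslash escaped explicitly; "\m" is an invalid escape sequence.
    # The mixed-case domain_match value presumably exercises
    # case-insensitive comparison against the certificate name.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")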
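def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Backslash escaped explicitly; "\m" is an invalid escape sequence.
    # A near-miss password ("password1") must still be rejected.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
    # Correct password for a user presumably not enabled for MSCHAPv2.
    eap_connect(dev[1], hapd, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)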
1402 def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev
, apdev
):
1403 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
1404 skip_with_fips(dev
[0])
1405 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1406 hapd
= hostapd
.add_ap(apdev
[0], params
)
1407 eap_connect(dev
[0], hapd
, "TTLS", "utf8-user-hash",
1408 anonymous_identity
="ttls", password
="secret-åäö-€-password",
1409 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
1410 eap_connect(dev
[1], hapd
, "TTLS", "utf8-user",
1411 anonymous_identity
="ttls",
1412 password_hex
="hash:bd5844fad2489992da7fe8c5a01559cf",
1413 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
1414 for p
in [ "80", "41c041e04141e041", 257*"41" ]:
1415 dev
[2].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
1416 eap
="TTLS", identity
="utf8-user-hash",
1417 anonymous_identity
="ttls", password_hex
=p
,
1418 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1419 wait_connect
=False, scan_freq
="2412")
1420 ev
= dev
[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=1)
1422 raise Exception("No failure reported")
1423 dev
[2].request("REMOVE_NETWORK all")
1424 dev
[2].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    # EAP-GTC returns the password as a plain token; only the outer TLS
    # tunnel (validated against ca_cert) protects it.
    gtc_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(sta, ap, "TTLS", "user", **gtc_cfg)
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A wrong inner password must end in EAP failure, not a connection.
    gtc_cfg = dict(anonymous_identity="ttls", password="wrong",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], ap, "TTLS", "user", expect_failure=True, **gtc_cfg)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The user name suggests the server has no password on record for this
    # account; supplying one from the client must still be rejected.
    gtc_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd", expect_failure=True,
                **gtc_cfg)
1454 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev
, apdev
):
1455 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
1456 params
= int_eap_server_params()
1457 hapd
= hostapd
.add_ap(apdev
[0], params
)
1458 with
alloc_fail(hapd
, 1, "eap_gtc_init"):
1459 eap_connect(dev
[0], hapd
, "TTLS", "user",
1460 anonymous_identity
="ttls", password
="password",
1461 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1462 expect_failure
=True)
1463 dev
[0].request("REMOVE_NETWORK all")
1465 with
alloc_fail(hapd
, 1, "eap_gtc_buildReq"):
1466 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1467 eap
="TTLS", identity
="user",
1468 anonymous_identity
="ttls", password
="password",
1469 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1470 wait_connect
=False, scan_freq
="2412")
1471 # This would eventually time out, but we can stop after having reached
1472 # the allocation failure.
1475 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1478 def test_ap_wpa2_eap_ttls_eap_gtc_oom(dev
, apdev
):
1479 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC (OOM)"""
1480 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1481 hapd
= hostapd
.add_ap(apdev
[0], params
)
1483 tests
= [ "eap_gtc_init",
1484 "eap_msg_alloc;eap_gtc_process" ]
1486 with
alloc_fail(dev
[0], 1, func
):
1487 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
1489 eap
="TTLS", identity
="user",
1490 anonymous_identity
="ttls", password
="password",
1491 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1493 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
1494 dev
[0].request("REMOVE_NETWORK all")
1495 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    # EAP-MD5 is a bare challenge/response with no key derivation; it is
    # only acceptable here because it runs inside the TTLS tunnel.
    md5_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(sta, ap, "TTLS", "user", **md5_cfg)
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong inner password: the server must reject the MD5 response.
    md5_cfg = dict(anonymous_identity="ttls", password="wrong",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], ap, "TTLS", "user", expect_failure=True, **md5_cfg)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The user name suggests no server-side password exists for this
    # account, so authentication must fail even with a client password.
    md5_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd", expect_failure=True,
                **md5_cfg)
1528 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev
, apdev
):
1529 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1530 check_eap_capa(dev
[0], "MD5")
1531 params
= int_eap_server_params()
1532 hapd
= hostapd
.add_ap(apdev
[0], params
)
1533 with
alloc_fail(hapd
, 1, "eap_md5_init"):
1534 eap_connect(dev
[0], hapd
, "TTLS", "user",
1535 anonymous_identity
="ttls", password
="password",
1536 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
1537 expect_failure
=True)
1538 dev
[0].request("REMOVE_NETWORK all")
1540 with
alloc_fail(hapd
, 1, "eap_md5_buildReq"):
1541 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1542 eap
="TTLS", identity
="user",
1543 anonymous_identity
="ttls", password
="password",
1544 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
1545 wait_connect
=False, scan_freq
="2412")
1546 # This would eventually time out, but we can stop after having reached
1547 # the allocation failure.
1550 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    base_cfg = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                    phase2="autheap=MSCHAPV2")

    eap_connect(sta, ap, "TTLS", "user", password="password", **base_cfg)
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # A near-miss password must be rejected just like a random one.
    eap_connect(sta, ap, "TTLS", "user", password="password1",
                expect_failure=True, **base_cfg)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The user name suggests no server-side password exists for this
    # account; the exchange must fail rather than connect.
    mschapv2_cfg = dict(anonymous_identity="ttls", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd", expect_failure=True,
                **mschapv2_cfg)
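def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM

    Injects allocation failures into the hostapd-side EAP-MSCHAPv2 server
    code (init, challenge, success request, failure request) and checks
    that the exchange fails cleanly. The init case is driven through
    eap_connect() with expect_failure=True; the other cases only need the
    peer to get far enough for the failing allocation to be reached.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)

    with alloc_fail(hapd, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], hapd, "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    def run_until_alloc_fail(func, password):
        """Start a TTLS/MSCHAPv2 connection while the allocation in
        `func` is set to fail, wait until that failure has actually been
        triggered, then remove the network."""
        with alloc_fail(hapd, 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="TTLS", identity="user",
                           anonymous_identity="ttls", password=password,
                           ca_cert="auth_serv/ca.pem",
                           phase2="autheap=MSCHAPV2",
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure. wait_fail_trigger() polls
            # GET_ALLOC_FAIL and raises if the failure is never hit, so the
            # test cannot pass without exercising the intended code path.
            wait_fail_trigger(hapd, "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")

    run_until_alloc_fail("eap_mschapv2_build_challenge", "password")
    run_until_alloc_fail("eap_mschapv2_build_success_req", "password")
    # A wrong password is needed for the server to build a failure request.
    run_until_alloc_fail("eap_mschapv2_build_failure_req", "wrong")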
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA

    The password string carries the AKA test credentials in the
    "Ki:OPc:SQN" colon-separated form used by the hwsim test server.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    aka_creds = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], hapd, "TTLS", "0232010000000000",
                anonymous_identity="0232010000000000@ttls",
                password=aka_creds,
                ca_cert="auth_serv/ca.pem",
                phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA

    Same AKA credentials as the TTLS variant, tunneled through PEAP.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    aka_creds = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], hapd, "PEAP", "0232010000000000",
                anonymous_identity="0232010000000000@peap",
                password=aka_creds,
                ca_cert="auth_serv/ca.pem",
                phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA

    Uses authenticated PAC provisioning (fast_provisioning=2) with the PAC
    kept in a configuration blob.
    """
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    aka_creds = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], hapd, "FAST", "0232010000000000",
                anonymous_identity="0232010000000000@fast",
                password=aka_creds,
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=AKA")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    Covers: a plain connection with data connectivity and reauthentication,
    the same with a small EAP fragment size, the password supplied as a
    hash value (password_hex="hash:...") instead of plaintext, and a
    negative run with an incorrect password.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(**extra):
        """Run eap_connect() for the PEAP/MSCHAPv2 user with extra
        network parameters merged in."""
        kwargs = dict(anonymous_identity="peap",
                      ca_cert="auth_serv/ca.pem",
                      phase2="auth=MSCHAPV2")
        kwargs.update(extra)
        eap_connect(dev[0], hapd, "PEAP", "user", **kwargs)

    connect(password="password")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    dev[0].request("REMOVE_NETWORK all")
    connect(password="password", fragment_size="200")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    connect(password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    connect(password="password1", expect_failure=True)
def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain

    The inner identity carries a DOMAIN\\user prefix; the connection must
    still succeed, pass data and survive reauthentication.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "PEAP", "DOMAIN\user3",
                anonymous_identity="peap",
                password="password",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password

    Negative test: the inner MSCHAPv2 password is wrong, so eap_connect()
    is expected to observe an EAP failure.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap",
                password="wrong",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding

    Runs PEAPv0 with each of the three crypto_binding settings (2, 1, 0) on
    a separate station; only the crypto_binding=2 station is additionally
    checked for data connectivity and reauthentication.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(wpas, binding):
        """Connect `wpas` with PEAPv0 and the given crypto_binding value."""
        eap_connect(wpas, hapd, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % binding,
                    phase2="auth=MSCHAPV2")

    connect(dev[0], 2)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    connect(dev[1], 1)
    connect(dev[2], 0)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM

    The server-side eap_mschapv2_getKey allocation is made to fail, so the
    crypto binding cannot be computed and the connection must fail; the
    failure is expected to be reported locally (local_error_report=True).
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0], int_eap_server_params())
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], hapd, "PEAP", "user",
                    password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True,
                    local_error_report=True)
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters

    Walks through PEAP phase1 variants: peaplabel=1 (expected to fail
    against this server), peap_outer_success=0/1/2, peapver=1 with
    peaplabel=1 (EAP success but no connection), anonymous identities that
    presumably select the server-side PEAP version combined with matching
    and mismatching peapver values, and finally a set of tls_* phase1
    flags.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def wait(events, timeout):
        return dev[0].wait_event(events, timeout=timeout)

    def cleanup():
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peap_outer_success=0",
                   wait_connect=False, scan_freq="2412")
    if wait(["CTRL-EVENT-EAP-SUCCESS"], 15) is None:
        raise Exception("No EAP success seen")
    # This won't succeed to connect with peap_outer_success=0, so stop here.
    cleanup()

    for wpas, outer in ((dev[1], 1), (dev[2], 2)):
        eap_connect(wpas, hapd, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peap_outer_success=%d" % outer,
                    phase2="auth=MSCHAPV2")

    # peapver=1 with peaplabel=1: EAP completes, but no connection follows.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412")
    if wait(["CTRL-EVENT-EAP-SUCCESS"], 15) is None:
        raise Exception("No EAP success seen")
    if wait(["CTRL-EVENT-CONNECTED"], 1) is not None:
        raise Exception("Unexpected connection")

    # Anonymous identity and peapver agree: the connection must complete.
    # NOTE(review): one more entry of this list (original line 1794) is not
    # reproduced in this rendering of the file.
    matching = [("peap-ver0", ""),
                ("peap-ver0", "peapver=0"),
                ("peap-ver1", "peapver=1")]
    for anon, phase1 in matching:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       scan_freq="2412")
        cleanup()

    # Anonymous identity and peapver disagree: an EAP failure is expected.
    mismatching = [("peap-ver0", "peapver=1"),
                   ("peap-ver1", "peapver=0")]
    for anon, phase1 in mismatching:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        if wait(["CTRL-EVENT-EAP-FAILURE"], 15) is None:
            raise Exception("No EAP-Failure seen")
        cleanup()

    # Exercises parsing of the tls_* phase1 flags; tls_allow_md5=1 and the
    # re-enabled TLS 1.0/1.1 are test-only relaxations, not a recommended
    # configuration.
    eap_connect(dev[0], hapd, "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS

    The inner EAP-TLS method uses the phase 2 certificate parameters
    (ca_cert2/client_cert2/private_key2).
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=TLS",
                ca_cert2="auth_serv/ca.pem",
                client_cert2="auth_serv/user.pem",
                private_key2="auth_serv/user.key")
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS

    Plain certificate-based authentication with a PEM client certificate
    and key, followed by a reauthentication.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    eap_reauth(dev[0], "TLS")
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key

    The client private key is an encrypted PKCS #8 file, unlocked with
    private_key_passwd.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key.pkcs8",
                private_key_passwd="whatever")
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key

    Skipped when the TLS library cannot handle PKCS #5 v1.5 encrypted keys.
    """
    check_pkcs5_v15_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                private_key_passwd="whatever")
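def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs

    The CA certificate, client certificate and client key are pushed to
    wpa_supplicant as named configuration blobs (SET blob <name> <hex>)
    and then referenced as blob://<name> in the network block.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    def set_blob(name, path):
        """Load a PEM file and store it as the named blob, raising on
        any control-interface error."""
        data = read_pem(path)
        if "OK" not in dev[0].request("SET blob " + name + " " +
                                      data.encode("hex")):
            # Name the blob that failed (the original message said
            # "cacert" for every blob).
            raise Exception("Could not set %s blob" % name)

    set_blob("cacert", "auth_serv/ca.pem")
    set_blob("usercert", "auth_serv/user.pem")
    set_blob("userkey", "auth_serv/user.rsa-key")
    eap_connect(dev[0], hapd, "TLS", "tls user",
                ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")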
def test_ap_wpa2_eap_tls_blob_missing(dev, apdev):
    """EAP-TLS and config blob missing

    All three certificate parameters point at a blob that was never set;
    the EAP method must fail to initialize rather than proceed.
    """
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    missing = "blob://testing-blob-does-not-exist"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert=missing,
                   client_cert=missing,
                   private_key=missing,
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
                           timeout=10)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
    """EAP-TLS and TLS Message Length in unfragmented packets

    phase1="include_tls_length=1" makes the peer include the TLS Message
    Length field even when no fragmentation is needed.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                phase1="include_tls_length=1",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
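def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12

    Three scenarios: the PKCS#12 passphrase given in the configuration,
    the passphrase supplied interactively through CTRL-REQ-PASSPHRASE /
    CTRL-RSP-PASSPHRASE, and PKCS#12 files carrying an extra certificate
    (related and unrelated to the client certificate) to exercise chain
    handling.
    """
    check_pkcs12_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    def remove_and_wait():
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    remove_and_wait()

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    if ev is None:
        raise Exception("Request for private key passphrase timed out")
    # The request id is the trailing number of the "CTRL-REQ-PASSPHRASE-<id>:"
    # prefix; renamed from 'id' to avoid shadowing the builtin.
    req_id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + req_id + ":whatever")
    dev[0].wait_connected(timeout=10)
    remove_and_wait()

    # Run this twice to verify certificate chain handling with OpenSSL. Use two
    # different files to cover both cases of the extra certificate being the
    # one that signed the client certificate and it being unrelated to the
    # client certificate.
    for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
        for _ in range(2):
            eap_connect(dev[0], hapd, "TLS", "tls user",
                        ca_cert="auth_serv/ca.pem",
                        private_key=pkcs12,
                        private_key_passwd="whatever")
            remove_and_wait()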
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob

    Both the CA certificate and the PKCS#12 bundle are stored as
    configuration blobs; the raw (binary) PKCS#12 file is hex-encoded for
    the control interface.
    """
    check_pkcs12_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def set_blob(name, data):
        res = dev[0].request("SET blob " + name + " " + data.encode("hex"))
        return "OK" in res

    if not set_blob("cacert", read_pem("auth_serv/ca.pem")):
        raise Exception("Could not set cacert blob")
    with open("auth_serv/user.pkcs12", "rb") as f:
        if not set_blob("pkcs12", f.read()):
            raise Exception("Could not set pkcs12 blob")
    eap_connect(dev[0], hapd, "TLS", "tls user",
                ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
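def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root

    Two stations are given a CA certificate that did not issue the server
    certificate (dev[0] via a config blob, dev[1] via a file). Each must
    report CTRL-EVENT-EAP-TLS-CERT-ERROR, then EAP failure, then a
    disconnection and a temporarily disabled network block - i.e. server
    validation fails before the tunnel is used.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")

    for wpas, ca_cert in ((dev[0], "blob://cacert"),
                          (dev[1], "auth_serv/ca-incorrect.pem")):
        wpas.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                     identity="DOMAIN\mschapv2 user",
                     anonymous_identity="ttls",
                     password="password", phase2="auth=MSCHAPV2",
                     ca_cert=ca_cert,
                     wait_connect=False, scan_freq="2412")

    # The loop variable is named 'wpas' rather than 'dev': rebinding the
    # 'dev' parameter would leave it pointing at a single station after
    # the loop.
    for wpas in (dev[0], dev[1]):
        ev = wpas.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        if ev is None:
            raise Exception("Association and EAP start timed out")

        ev = wpas.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if ev is None:
            raise Exception("EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        ev = wpas.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                              "CTRL-EVENT-EAP-SUCCESS",
                              "CTRL-EVENT-EAP-FAILURE",
                              "CTRL-EVENT-CONNECTED",
                              "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = wpas.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                              "CTRL-EVENT-EAP-FAILURE",
                              "CTRL-EVENT-CONNECTED",
                              "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = wpas.wait_event(["CTRL-EVENT-CONNECTED",
                              "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        ev = wpas.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
        if ev is None:
            raise Exception("Network block disabling not reported")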
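def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    First connects with the correct CA, then switches to a second network
    block that trusts an incorrect CA. EAP-TTLS must be re-started (no
    session resumption that would bypass the new trust root) and the
    station must be disconnected with reason code 23.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # The hostapd handle is not needed here; add_ap() is called for its
    # side effect only.
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   ca_cert="auth_serv/ca.pem",
                   wait_connect=True, scan_freq="2412")
    # Renamed from 'id' so the builtin is not shadowed.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                           timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")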
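def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    Variant of test_ap_wpa2_eap_tls_diff_ca_trust where the first network
    block has no ca_cert at all and the second trusts an incorrect CA.
    EAP-TTLS must be re-started and the station disconnected with reason
    code 23.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # The hostapd handle is not needed here; add_ap() is called for its
    # side effect only.
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   wait_connect=True, scan_freq="2412")
    # Renamed from 'id' so the builtin is not shadowed.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                           timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")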
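def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    Variant where the same network block is reused: after a successful
    connection its ca_cert is changed to an incorrect CA with
    set_network_quoted(). Reconnecting must re-start EAP-TTLS and end in a
    disconnection with reason code 23.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # The hostapd handle is not needed here; add_ap() is called for its
    # side effect only.
    hostapd.add_ap(apdev[0], params)
    # Renamed from 'id' so the builtin is not shadowed.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca.pem",
                            wait_connect=True, scan_freq="2412")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].set_network_quoted(net_id, "ca_cert", "auth_serv/ca-incorrect.pem")
    dev[0].select_network(net_id, freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                           timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")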
def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch

    domain_suffix_match is set to a name the server certificate does not
    carry; the expected sequence is a TLS certificate error mentioning
    "Domain suffix mismatch", an EAP failure, a disconnection and a
    temporarily disabled network block.
    """
    check_domain_suffix_match(dev[0])
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    def expect(events, timeout, timeout_msg):
        """Wait for one of `events`; raise with `timeout_msg` on timeout."""
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")

    ev = expect(["CTRL-EVENT-EAP-METHOD"], 10, "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10, "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10, "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10, "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
           "Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch

    domain_match requires an exact match; "w1.fi" does not match the
    server certificate, so the expected sequence is a TLS certificate
    error mentioning "Domain mismatch", an EAP failure, a disconnection
    and a temporarily disabled network block.
    """
    check_domain_match(dev[0])
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    def expect(events, timeout, timeout_msg):
        """Wait for one of `events`; raise with `timeout_msg` on timeout."""
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")

    ev = expect(["CTRL-EVENT-EAP-METHOD"], 10, "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10, "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10, "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10, "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
           "Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch

    subject_match names a subject the server certificate does not have.
    With OpenSSL the expected sequence is a TLS certificate error
    mentioning "Subject mismatch", EAP failure, disconnection and a
    temporarily disabled network block. With other TLS libraries the EAP
    method may fail to initialize instead, which is also accepted.
    """
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    def expect(events, timeout, timeout_msg):
        """Wait for one of `events`; raise with `timeout_msg` on timeout."""
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")

    ev = expect(["CTRL-EVENT-EAP-METHOD",
                 "EAP: Failed to initialize EAP method"], 10,
                "EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10, "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10, "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10, "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
           "Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch

    Runs the altsubject mismatch scenario once per altsubject_match value
    against a single AP.
    """
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # NOTE(review): further entries of this list (original lines 2272-2273)
    # are not reproduced in this rendering of the file.
    mismatches = ["incorrect.example.com",
                  "DNS:incorrect.example.com"]
    for match in mismatches:
        _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one altsubject mismatch case with `match` as altsubject_match.

    With OpenSSL the expected sequence is a TLS certificate error
    mentioning "AltSubject mismatch", EAP failure, disconnection and a
    temporarily disabled network block; with other TLS libraries a failure
    to initialize the EAP method is accepted instead. The network block is
    removed at the end so the caller can run the next case. `apdev` is
    accepted for symmetry with the caller but not used here.
    """
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    def expect(events, timeout, timeout_msg):
        """Wait for one of `events`; raise with `timeout_msg` on timeout."""
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")

    ev = expect(["CTRL-EVENT-EAP-METHOD",
                 "EAP: Failed to initialize EAP method"], 10,
                "EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10, "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10, "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10, "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
           "Network block disabling not reported")

    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS

    Server-authenticated-only TLS (no client certificate), followed by a
    reauthentication.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], "UNAUTH-TLS")
def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash

    Three steps: (1) ca_cert="probe://" only probes the server chain - the
    depth=0 CTRL-EVENT-EAP-PEER-CERT must carry the expected hash and the
    attempt must end in a "Server certificate chain probe" certificate
    error rather than a connection; (2) a hash://server/sha256/ pin with a
    non-matching value must produce a "Server certificate mismatch"
    error; (3) the correct pin connects normally.
    """
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    srv_cert_hash = "bdb9cb55d3df278e52a071abf58e7f0238fbec3ad8fb2c254742f63562628272"
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def expect(events, timeout, timeout_msg):
        """Wait for one of `events`; raise with `timeout_msg` on timeout."""
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    # Step 1: probe only.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")
    ev = expect(["CTRL-EVENT-EAP-PEER-CERT depth=0"], 10,
                "No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], 10, "EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 2: pin to a hash that does not match the server certificate.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")
    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], 10, "EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 3: pin to the hash observed in step 1.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")
2391 def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev
, apdev
):
2392 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
2393 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2394 hostapd
.add_ap(apdev
[0], params
)
2395 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2396 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2397 password
="password", phase2
="auth=MSCHAPV2",
2398 ca_cert
="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
2399 wait_connect
=False, scan_freq
="2412")
2400 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2401 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2402 password
="password", phase2
="auth=MSCHAPV2",
2403 ca_cert
="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
2404 wait_connect
=False, scan_freq
="2412")
2405 dev
[2].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2406 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2407 password
="password", phase2
="auth=MSCHAPV2",
2408 ca_cert
="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
2409 wait_connect
=False, scan_freq
="2412")
2410 for i
in range(0, 3):
2411 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2413 raise Exception("Association and EAP start timed out")
2414 ev
= dev
[i
].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout
=5)
2416 raise Exception("Did not report EAP method initialization failure")
2418 def test_ap_wpa2_eap_pwd(dev
, apdev
):
2419 """WPA2-Enterprise connection using EAP-pwd"""
2420 check_eap_capa(dev
[0], "PWD")
2421 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2422 hapd
= hostapd
.add_ap(apdev
[0], params
)
2423 eap_connect(dev
[0], hapd
, "PWD", "pwd user", password
="secret password")
2424 eap_reauth(dev
[0], "PWD")
2425 dev
[0].request("REMOVE_NETWORK all")
2427 eap_connect(dev
[1], hapd
, "PWD",
2428 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2429 password
="secret password",
2432 logger
.info("Negative test with incorrect password")
2433 eap_connect(dev
[2], hapd
, "PWD", "pwd user", password
="secret-password",
2434 expect_failure
=True, local_error_report
=True)
2436 eap_connect(dev
[0], hapd
, "PWD",
2437 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2438 password
="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash

    Three stations exercise the NTHash form of the EAP-pwd credential:
    dev[0] authenticates as "pwd-hash" with the plaintext password, dev[1]
    as the same user with only the NT hash (password_hex="hash:..."), and
    dev[2] presents that hash for a different user ("pwd user"), which
    must fail. Skipped when the build lacks EAP-pwd or runs in FIPS mode.
    """
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # NOTE(review): the hash alone is accepted as the credential for
    # "pwd-hash" (dev[1] below), i.e. a stored NT hash is
    # password-equivalent and must be protected like the password itself.
    nt_hash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    eap_connect(dev[0], hapd, "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], hapd, "PWD", "pwd-hash", password_hex=nt_hash)
    # Same hash, wrong user: the server must reject it; the failure is
    # reported by the local side.
    eap_connect(dev[2], hapd, "PWD", "pwd user", password_hex=nt_hash,
                expect_failure=True, local_error_report=True)
2454 def test_ap_wpa2_eap_pwd_groups(dev
, apdev
):
2455 """WPA2-Enterprise connection using various EAP-pwd groups"""
2456 check_eap_capa(dev
[0], "PWD")
2457 tls
= dev
[0].request("GET tls_library")
2458 params
= { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2459 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2460 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
2461 groups
= [ 19, 20, 21, 25, 26 ]
2462 if tls
.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls
and "run=OpenSSL 1.0.2" in tls
:
2463 logger
.info("Add Brainpool EC groups since OpenSSL is new enough")
2464 groups
+= [ 27, 28, 29, 30 ]
2466 logger
.info("Group %d" % i
)
2467 params
['pwd_group'] = str(i
)
2468 hapd
= hostapd
.add_ap(apdev
[0], params
)
2470 eap_connect(dev
[0], hapd
, "PWD", "pwd user",
2471 password
="secret password")
2472 dev
[0].request("REMOVE_NETWORK all")
2473 dev
[0].wait_disconnected()
2474 dev
[0].dump_monitor()
2476 if "BoringSSL" in tls
and i
in [ 25 ]:
2477 logger
.info("Ignore connection failure with group %d with BoringSSL" % i
)
2478 dev
[0].request("DISCONNECT")
2480 dev
[0].request("REMOVE_NETWORK all")
2481 dev
[0].dump_monitor()
2485 def test_ap_wpa2_eap_pwd_invalid_group(dev
, apdev
):
2486 """WPA2-Enterprise connection using invalid EAP-pwd group"""
2487 check_eap_capa(dev
[0], "PWD")
2488 params
= { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2489 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2490 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
2491 params
['pwd_group'] = "0"
2492 hostapd
.add_ap(apdev
[0], params
)
2493 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PWD",
2494 identity
="pwd user", password
="secret password",
2495 scan_freq
="2412", wait_connect
=False)
2496 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2498 raise Exception("Timeout on EAP failure report")
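def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    The AP configuration is written out explicitly rather than taken from
    hostapd.wpa2_eap_params() so that pwd_group and a small fragment_size
    can be set on the hostapd side; with fragment_size "40" the EAP server
    is expected to split the EAP-pwd exchange into several EAP packets and
    the connection must still complete.

    Fix: the original built a parameter dict with wpa2_eap_params() and
    then immediately replaced it with the literal below; that dead
    assignment is removed. The effective AP configuration is unchanged.
    """
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PWD", "pwd user", password="secret password")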
2511 def test_ap_wpa2_eap_gpsk(dev
, apdev
):
2512 """WPA2-Enterprise connection using EAP-GPSK"""
2513 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2514 hapd
= hostapd
.add_ap(apdev
[0], params
)
2515 id = eap_connect(dev
[0], hapd
, "GPSK", "gpsk user",
2516 password
="abcdefghijklmnop0123456789abcdef")
2517 eap_reauth(dev
[0], "GPSK")
2519 logger
.info("Test forced algorithm selection")
2520 for phase1
in [ "cipher=1", "cipher=2" ]:
2521 dev
[0].set_network_quoted(id, "phase1", phase1
)
2522 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
2524 raise Exception("EAP success timed out")
2525 dev
[0].wait_connected(timeout
=10)
2527 logger
.info("Test failed algorithm negotiation")
2528 dev
[0].set_network_quoted(id, "phase1", "cipher=9")
2529 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
2531 raise Exception("EAP failure timed out")
2533 logger
.info("Negative test with incorrect password")
2534 dev
[0].request("REMOVE_NETWORK all")
2535 eap_connect(dev
[0], hapd
, "GPSK", "gpsk user",
2536 password
="ffcdefghijklmnop0123456789abcdef",
2537 expect_failure
=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    Connects "sake user" with a 64-hex-digit (32-byte) EAP-SAKE secret
    given as password_hex, reauthenticates, and then confirms that a
    secret differing in the first byte is rejected.
    """
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    good_secret = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(sta, hapd, "SAKE", "sake user", password_hex=good_secret)
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # Only the leading byte differs from the valid secret.
    bad_secret = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(sta, hapd, "SAKE", "sake user", password_hex=bad_secret,
                expect_failure=True)
2553 def test_ap_wpa2_eap_eke(dev
, apdev
):
2554 """WPA2-Enterprise connection using EAP-EKE"""
2555 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2556 hapd
= hostapd
.add_ap(apdev
[0], params
)
2557 id = eap_connect(dev
[0], hapd
, "EKE", "eke user", password
="hello")
2558 eap_reauth(dev
[0], "EKE")
2560 logger
.info("Test forced algorithm selection")
2561 for phase1
in [ "dhgroup=5 encr=1 prf=2 mac=2",
2562 "dhgroup=4 encr=1 prf=2 mac=2",
2563 "dhgroup=3 encr=1 prf=2 mac=2",
2564 "dhgroup=3 encr=1 prf=1 mac=1" ]:
2565 dev
[0].set_network_quoted(id, "phase1", phase1
)
2566 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
2568 raise Exception("EAP success timed out")
2569 dev
[0].wait_connected(timeout
=10)
2571 logger
.info("Test failed algorithm negotiation")
2572 dev
[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
2573 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
2575 raise Exception("EAP failure timed out")
2577 logger
.info("Negative test with incorrect password")
2578 dev
[0].request("REMOVE_NETWORK all")
2579 eap_connect(dev
[0], hapd
, "EKE", "eke user", password
="hello1",
2580 expect_failure
=True)
2582 def test_ap_wpa2_eap_eke_many(dev
, apdev
, params
):
2583 """WPA2-Enterprise connection using EAP-EKE (many connections) [long]"""
2584 if not params
['long']:
2585 raise HwsimSkip("Skip test case with long duration due to --long not specified")
2586 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2587 hostapd
.add_ap(apdev
[0], params
)
2590 for i
in range(100):
2592 dev
[j
].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="EKE",
2593 identity
="eke user", password
="hello",
2594 phase1
="dhgroup=3 encr=1 prf=1 mac=1",
2595 scan_freq
="2412", wait_connect
=False)
2597 ev
= dev
[j
].wait_event(["CTRL-EVENT-CONNECTED",
2598 "CTRL-EVENT-DISCONNECTED"], timeout
=15)
2600 raise Exception("No connected/disconnected event")
2601 if "CTRL-EVENT-DISCONNECTED" in ev
:
2603 # The RADIUS server limits on active sessions can be hit when
2604 # going through this test case, so try to give some more time
2605 # for the server to remove sessions.
2606 logger
.info("Failed to connect i=%d j=%d" % (i
, j
))
2607 dev
[j
].request("REMOVE_NETWORK all")
2611 dev
[j
].request("REMOVE_NETWORK all")
2612 dev
[j
].wait_disconnected()
2613 dev
[j
].dump_monitor()
2614 logger
.info("Total success=%d failure=%d" % (success
, fail
))
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI

    Uses the internal EAP server with server_id set to an NAI-form value
    ('example.server@w1.fi') and checks that EAP-EKE still completes.
    """
    ap_params = int_eap_server_params()
    ap_params['server_id'] = 'example.server@w1.fi'
    hapd = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[0], hapd, "EKE", "eke user", password="hello")
2623 def test_ap_wpa2_eap_eke_server_oom(dev
, apdev
):
2624 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
2625 params
= int_eap_server_params()
2626 hapd
= hostapd
.add_ap(apdev
[0], params
)
2627 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
2629 for count
,func
in [ (1, "eap_eke_build_commit"),
2630 (2, "eap_eke_build_commit"),
2631 (3, "eap_eke_build_commit"),
2632 (1, "eap_eke_build_confirm"),
2633 (2, "eap_eke_build_confirm"),
2634 (1, "eap_eke_process_commit"),
2635 (2, "eap_eke_process_commit"),
2636 (1, "eap_eke_process_confirm"),
2637 (1, "eap_eke_process_identity"),
2638 (2, "eap_eke_process_identity"),
2639 (3, "eap_eke_process_identity"),
2640 (4, "eap_eke_process_identity") ]:
2641 with
alloc_fail(hapd
, count
, func
):
2642 eap_connect(dev
[0], hapd
, "EKE", "eke user", password
="hello",
2643 expect_failure
=True)
2644 dev
[0].request("REMOVE_NETWORK all")
2646 for count
,func
,pw
in [ (1, "eap_eke_init", "hello"),
2647 (1, "eap_eke_get_session_id", "hello"),
2648 (1, "eap_eke_getKey", "hello"),
2649 (1, "eap_eke_build_msg", "hello"),
2650 (1, "eap_eke_build_failure", "wrong"),
2651 (1, "eap_eke_build_identity", "hello"),
2652 (2, "eap_eke_build_identity", "hello") ]:
2653 with
alloc_fail(hapd
, count
, func
):
2654 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
2655 eap
="EKE", identity
="eke user", password
=pw
,
2656 wait_connect
=False, scan_freq
="2412")
2657 # This would eventually time out, but we can stop after having
2658 # reached the allocation failure.
2661 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
2663 dev
[0].request("REMOVE_NETWORK all")
2665 for count
in range(1, 1000):
2667 with
alloc_fail(hapd
, count
, "eap_server_sm_step"):
2668 dev
[0].connect("test-wpa2-eap",
2669 key_mgmt
="WPA-EAP WPA-EAP-SHA256",
2670 eap
="EKE", identity
="eke user", password
=pw
,
2671 wait_connect
=False, scan_freq
="2412")
2672 # This would eventually time out, but we can stop after having
2673 # reached the allocation failure.
2676 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
2678 dev
[0].request("REMOVE_NETWORK all")
2679 except Exception, e
:
2680 if str(e
) == "Allocation failure did not trigger":
2682 raise Exception("Too few allocation failures")
2683 logger
.info("%d allocation failures tested" % (count
- 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Runs EAP-IKEv2 against the default WPA2-Enterprise AP in four passes:
    a plain connection followed by reauthentication, a connection with
    fragment_size="50" passed through eap_connect, a negative test with a
    wrong password, and finally a connection with fragment_size="0".
    The network block is removed between passes.
    """
    sta = dev[0]
    check_eap_capa(sta, "IKEV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(**kwargs):
        # All passes share the method and identity; only the credential
        # and fragmentation/failure options vary.
        eap_connect(sta, hapd, "IKEV2", "ikev2 user", **kwargs)

    connect(password="ike password")
    eap_reauth(sta, "IKEV2")
    sta.request("REMOVE_NETWORK all")
    connect(password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    connect(password="ike-password", expect_failure=True)
    sta.request("REMOVE_NETWORK all")

    connect(password="ike password", fragment_size="0")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
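def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    The AP parameters are written out explicitly so that fragment_size can
    be set to "50" on the hostapd side; EAP-IKEv2 must complete over the
    fragmented exchange and a reauthentication must succeed afterwards.

    Fix: the original first built a parameter dict with
    hostapd.wpa2_eap_params() and then discarded it by rebinding params to
    the literal below; the dead assignment is removed. The effective AP
    configuration is unchanged.
    """
    check_eap_capa(dev[0], "IKEV2")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")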
2723 def test_ap_wpa2_eap_ikev2_oom(dev
, apdev
):
2724 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
2725 check_eap_capa(dev
[0], "IKEV2")
2726 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2727 hostapd
.add_ap(apdev
[0], params
)
2729 tests
= [ (1, "dh_init"),
2731 (1, "dh_derive_shared") ]
2732 for count
, func
in tests
:
2733 with
alloc_fail(dev
[0], count
, func
):
2734 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="IKEV2",
2735 identity
="ikev2 user", password
="ike password",
2736 wait_connect
=False, scan_freq
="2412")
2737 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
2739 raise Exception("EAP method not selected")
2741 if "0:" in dev
[0].request("GET_ALLOC_FAIL"):
2744 dev
[0].request("REMOVE_NETWORK all")
2746 tests
= [ (1, "os_get_random;dh_init") ]
2747 for count
, func
in tests
:
2748 with
fail_test(dev
[0], count
, func
):
2749 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="IKEV2",
2750 identity
="ikev2 user", password
="ike password",
2751 wait_connect
=False, scan_freq
="2412")
2752 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
2754 raise Exception("EAP method not selected")
2756 if "0:" in dev
[0].request("GET_FAIL"):
2759 dev
[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    Connects "pax.user@example.com" with a 32-hex-digit (16-byte) EAP-PAX
    key given as password_hex, reauthenticates, and then verifies that a
    key with a different first byte is rejected.
    """
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    identity = "pax.user@example.com"
    eap_connect(sta, hapd, "PAX", identity,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "PAX")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # Only the leading byte differs from the valid key.
    eap_connect(sta, hapd, "PAX", identity,
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    The AP is configured with wpa_key_mgmt WPA-EAP-SHA256 and ieee80211w=2
    (presumably management frame protection required -- confirm against
    hostapd.conf). After connecting and reauthenticating with EAP-PSK and
    sha256=True, the test checks that AKM suite 00-0f-ac-5 was both
    requested and selected, that the BSS table entry advertises
    [WPA2-EAP-SHA256-CCMP], and that a wrong key is rejected.
    """
    sta = dev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params.update({ "wpa_key_mgmt": "WPA-EAP-SHA256", "ieee80211w": "2" })
    hapd = hostapd.add_ap(apdev[0], ap_params)
    identity = "psk.user@example.com"
    eap_connect(sta, hapd, "PSK", identity,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(sta, "PSK", sha256=True)
    akm_suite = "00-0f-ac-5"
    check_mib(sta, [ ("dot11RSNAAuthenticationSuiteRequested", akm_suite),
                     ("dot11RSNAAuthenticationSuiteSelected", akm_suite) ])

    bss = sta.get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # Only the leading byte differs from the valid key.
    eap_connect(sta, hapd, "PSK", identity,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
2799 def test_ap_wpa2_eap_psk_oom(dev
, apdev
):
2800 """WPA2-Enterprise connection using EAP-PSK and OOM"""
2801 skip_with_fips(dev
[0])
2802 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2803 hostapd
.add_ap(apdev
[0], params
)
2804 tests
= [ (1, "=aes_128_eax_encrypt"),
2805 (1, "=aes_128_eax_decrypt") ]
2806 for count
, func
in tests
:
2807 with
alloc_fail(dev
[0], count
, func
):
2808 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PSK",
2809 identity
="psk.user@example.com",
2810 password_hex
="0123456789abcdef0123456789abcdef",
2811 wait_connect
=False, scan_freq
="2412")
2812 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
2814 raise Exception("EAP method not selected")
2815 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL",
2816 note
="Failure not triggered: %d:%s" % (count
, func
))
2817 dev
[0].request("REMOVE_NETWORK all")
2818 dev
[0].wait_disconnected()
2820 tests
= [ (1, "aes_ctr_encrypt;aes_128_eax_encrypt"),
2821 (1, "omac1_aes_128;aes_128_eax_encrypt"),
2822 (2, "omac1_aes_128;aes_128_eax_encrypt"),
2823 (3, "omac1_aes_128;aes_128_eax_encrypt"),
2824 (1, "omac1_aes_vector"),
2825 (1, "omac1_aes_128;aes_128_eax_decrypt"),
2826 (2, "omac1_aes_128;aes_128_eax_decrypt"),
2827 (3, "omac1_aes_128;aes_128_eax_decrypt"),
2828 (1, "aes_ctr_encrypt;aes_128_eax_decrypt") ]
2829 for count
, func
in tests
:
2830 with
fail_test(dev
[0], count
, func
):
2831 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PSK",
2832 identity
="psk.user@example.com",
2833 password_hex
="0123456789abcdef0123456789abcdef",
2834 wait_connect
=False, scan_freq
="2412")
2835 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
2837 raise Exception("EAP method not selected")
2838 wait_fail_trigger(dev
[0], "GET_FAIL",
2839 note
="Failure not triggered: %d:%s" % (count
, func
))
2840 dev
[0].request("REMOVE_NETWORK all")
2841 dev
[0].wait_disconnected()
2843 with
fail_test(dev
[0], 1, "aes_128_encrypt_block"):
2844 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PSK",
2845 identity
="psk.user@example.com",
2846 password_hex
="0123456789abcdef0123456789abcdef",
2847 wait_connect
=False, scan_freq
="2412")
2848 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
2850 raise Exception("EAP method failure not reported")
2851 dev
[0].request("REMOVE_NETWORK all")
2852 dev
[0].wait_disconnected()
2854 def test_ap_wpa_eap_peap_eap_mschapv2(dev
, apdev
):
2855 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
2856 check_eap_capa(dev
[0], "MSCHAPV2")
2857 params
= hostapd
.wpa_eap_params(ssid
="test-wpa-eap")
2858 hapd
= hostapd
.add_ap(apdev
[0], params
)
2859 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
2860 identity
="user", password
="password", phase2
="auth=MSCHAPV2",
2861 ca_cert
="auth_serv/ca.pem", wait_connect
=False,
2863 eap_check_auth(dev
[0], "PEAP", True, rsn
=False)
2864 hwsim_utils
.test_connectivity(dev
[0], hapd
)
2865 eap_reauth(dev
[0], "PEAP", rsn
=False)
2866 check_mib(dev
[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
2867 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
2868 status
= dev
[0].get_status(extra
="VERBOSE")
2869 if 'portControl' not in status
:
2870 raise Exception("portControl missing from STATUS-VERBOSE")
2871 if status
['portControl'] != 'Auto':
2872 raise Exception("Unexpected portControl value: " + status
['portControl'])
2873 if 'eap_session_id' not in status
:
2874 raise Exception("eap_session_id missing from STATUS-VERBOSE")
2875 if not status
['eap_session_id'].startswith("19"):
2876 raise Exception("Unexpected eap_session_id value: " + status
['eap_session_id'])
2878 def test_ap_wpa2_eap_interactive(dev
, apdev
):
2879 """WPA2-Enterprise connection using interactive identity/password entry"""
2880 check_eap_capa(dev
[0], "MSCHAPV2")
2881 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2882 hapd
= hostapd
.add_ap(apdev
[0], params
)
2884 tests
= [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
2885 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
2887 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
2888 "TTLS", "ttls", None, "auth=MSCHAPV2",
2889 "DOMAIN\mschapv2 user", "password"),
2890 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
2891 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
2892 ("Connection with dynamic TTLS/EAP-MD5 password entry",
2893 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
2894 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
2895 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
2896 ("Connection with dynamic PEAP/EAP-GTC password entry",
2897 "PEAP", None, "user", "auth=GTC", None, "password") ]
2898 for [desc
,eap
,anon
,identity
,phase2
,req_id
,req_pw
] in tests
:
2900 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
=eap
,
2901 anonymous_identity
=anon
, identity
=identity
,
2902 ca_cert
="auth_serv/ca.pem", phase2
=phase2
,
2903 wait_connect
=False, scan_freq
="2412")
2905 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
2907 raise Exception("Request for identity timed out")
2908 id = ev
.split(':')[0].split('-')[-1]
2909 dev
[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id
)
2910 ev
= dev
[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
2912 raise Exception("Request for password timed out")
2913 id = ev
.split(':')[0].split('-')[-1]
2914 type = "OTP" if "CTRL-REQ-OTP" in ev
else "PASSWORD"
2915 dev
[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw
)
2916 dev
[0].wait_connected(timeout
=10)
2917 dev
[0].request("REMOVE_NETWORK all")
2919 def test_ap_wpa2_eap_ext_enable_network_while_connected(dev
, apdev
):
2920 """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
2921 check_eap_capa(dev
[0], "MSCHAPV2")
2922 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2923 hapd
= hostapd
.add_ap(apdev
[0], params
)
2925 id_other
= dev
[0].connect("other", key_mgmt
="NONE", scan_freq
="2412",
2926 only_add_network
=True)
2928 req_id
= "DOMAIN\mschapv2 user"
2929 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2930 anonymous_identity
="ttls", identity
=None,
2931 password
="password",
2932 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2933 wait_connect
=False, scan_freq
="2412")
2934 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
2936 raise Exception("Request for identity timed out")
2937 id = ev
.split(':')[0].split('-')[-1]
2938 dev
[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id
)
2939 dev
[0].wait_connected(timeout
=10)
2941 if "OK" not in dev
[0].request("ENABLE_NETWORK " + str(id_other
)):
2942 raise Exception("Failed to enable network")
2943 ev
= dev
[0].wait_event(["SME: Trying to authenticate"], timeout
=1)
2945 raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
2946 dev
[0].request("REMOVE_NETWORK all")
2948 def test_ap_wpa2_eap_vendor_test(dev
, apdev
):
2949 """WPA2-Enterprise connection using EAP vendor test"""
2950 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2951 hapd
= hostapd
.add_ap(apdev
[0], params
)
2952 eap_connect(dev
[0], hapd
, "VENDOR-TEST", "vendor-test")
2953 eap_reauth(dev
[0], "VENDOR-TEST")
2954 eap_connect(dev
[1], hapd
, "VENDOR-TEST", "vendor-test",
2957 def test_ap_wpa2_eap_vendor_test_oom(dev
, apdev
):
2958 """WPA2-Enterprise connection using EAP vendor test (OOM)"""
2959 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2960 hostapd
.add_ap(apdev
[0], params
)
2962 tests
= [ "eap_vendor_test_init",
2963 "eap_msg_alloc;eap_vendor_test_process",
2964 "eap_vendor_test_getKey" ]
2966 with
alloc_fail(dev
[0], 1, func
):
2967 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
2969 eap
="VENDOR-TEST", identity
="vendor-test",
2971 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
2972 dev
[0].request("REMOVE_NETWORK all")
2973 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    Connects with phase1 "fast_provisioning=1" (the unauthenticated
    provisioning mode named in the test title) so that a PAC is written to
    the blob://fast_pac store, checks data connectivity through the AP,
    and then requires the reauthentication to resume the TLS session from
    that PAC (tls_session_reused == '1').

    NOTE(review): unauthenticated provisioning is a test convenience here;
    a deployment should prefer the authenticated provisioning mode --
    confirm the exact semantics of fast_provisioning values against the
    wpa_supplicant configuration documentation.
    """
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, hapd, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(sta, hapd)
    # The PAC provisioned above must be used as a session ticket now.
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2989 def test_ap_wpa2_eap_fast_pac_file(dev
, apdev
, params
):
2990 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
2991 check_eap_capa(dev
[0], "FAST")
2992 pac_file
= os
.path
.join(params
['logdir'], "fast.pac")
2993 pac_file2
= os
.path
.join(params
['logdir'], "fast-bin.pac")
2994 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2995 hapd
= hostapd
.add_ap(apdev
[0], params
)
2998 eap_connect(dev
[0], hapd
, "FAST", "user",
2999 anonymous_identity
="FAST", password
="password",
3000 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3001 phase1
="fast_provisioning=1", pac_file
=pac_file
)
3002 with
open(pac_file
, "r") as f
:
3004 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data
:
3005 raise Exception("PAC file header missing")
3006 if "PAC-Key=" not in data
:
3007 raise Exception("PAC-Key missing from PAC file")
3008 dev
[0].request("REMOVE_NETWORK all")
3009 eap_connect(dev
[0], hapd
, "FAST", "user",
3010 anonymous_identity
="FAST", password
="password",
3011 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3014 eap_connect(dev
[1], hapd
, "FAST", "user",
3015 anonymous_identity
="FAST", password
="password",
3016 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3017 phase1
="fast_provisioning=1 fast_pac_format=binary",
3019 dev
[1].request("REMOVE_NETWORK all")
3020 eap_connect(dev
[1], hapd
, "FAST", "user",
3021 anonymous_identity
="FAST", password
="password",
3022 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3023 phase1
="fast_pac_format=binary",
3031 os
.remove(pac_file2
)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    First pass: provision a PAC (fast_provisioning=1) in the binary PAC
    file format with fast_max_pac_list_len=1 into blob://fast_pac_bin; the
    following reauthentication must resume the TLS session from it
    (tls_session_reused == '1'). Second pass: repeat the provisioning with
    fast_max_pac_list_len=0, a special case that must still connect.
    """
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Options shared by both passes; only phase1 differs.
    common = dict(anonymous_identity="FAST", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                  pac_file="blob://fast_pac_bin")
    eap_connect(sta, hapd, "FAST", "user",
                phase1="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
                **common)
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")

    # Verify fast_max_pac_list_len=0 special case
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
    eap_connect(sta, hapd, "FAST", "user",
                phase1="fast_provisioning=1 fast_max_pac_list_len=0 fast_pac_format=binary",
                **common)
3058 def test_ap_wpa2_eap_fast_missing_pac_config(dev
, apdev
):
3059 """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
3060 check_eap_capa(dev
[0], "FAST")
3061 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3062 hostapd
.add_ap(apdev
[0], params
)
3064 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3065 identity
="user", anonymous_identity
="FAST",
3066 password
="password",
3067 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3068 pac_file
="blob://fast_pac_not_in_use",
3069 wait_connect
=False, scan_freq
="2412")
3070 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3072 raise Exception("Timeout on EAP failure report")
3073 dev
[0].request("REMOVE_NETWORK all")
3075 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3076 identity
="user", anonymous_identity
="FAST",
3077 password
="password",
3078 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3079 wait_connect
=False, scan_freq
="2412")
3080 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3082 raise Exception("Timeout on EAP failure report")
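def test_ap_wpa2_eap_fast_binary_pac_errors(dev, apdev):
    """EAP-FAST and binary PAC errors"""
    # Negative tests for the binary PAC store.  Two classes of failure are
    # exercised: allocation failures while the client saves/writes a freshly
    # provisioned PAC, and hand-crafted malformed PAC blobs handed back to the
    # client through pac_file=blob://.  A PAC blob is parser input that an
    # attacker with write access to the PAC file could control, so the
    # required outcome for a malformed blob is a clean
    # "EAP: Failed to initialize EAP method" -- never a crash and never a
    # silently accepted PAC.
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # Network parameters shared by every connect() below.  The binary PAC
    # format is selected explicitly so the text PAC parser is not involved.
    bin_pac_args = dict(key_mgmt="WPA-EAP", eap="FAST",
                        identity="user", anonymous_identity="FAST",
                        password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                        phase1="fast_provisioning=1 fast_pac_format=binary",
                        pac_file="blob://fast_pac_bin_errors")

    def set_pac_blob(hexdata):
        # An empty value clears the blob so provisioning starts from scratch.
        if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " +
                                      hexdata):
            raise Exception("Could not set blob")

    def expect_init_failure():
        # The PAC parser must reject the blob before the method even starts.
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
                               timeout=5)
        if ev is None:
            raise Exception("Failure not reported")

    def teardown():
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # OOM while saving/writing the provisioned PAC.  Provisioning itself still
    # completes (eap_connect waits for the connection); only the persisted
    # copy is lost.  The leading "=" presumably asks alloc_fail for an exact
    # function-name match -- confirm in utils.alloc_fail.
    tests = [ (1, "=eap_fast_save_pac_bin"),
              (1, "eap_fast_write_pac"),
              (2, "eap_fast_write_pac"), ]
    for count, func in tests:
        set_pac_blob("")
        with alloc_fail(dev[0], count, func):
            eap_connect(dev[0], hapd, "FAST", "user",
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                        phase1="fast_provisioning=1 fast_pac_format=binary",
                        pac_file="blob://fast_pac_bin_errors")
        teardown()

    # Malformed blobs: truncated header, unexpected magic/version bytes, and
    # length fields (presumably the PAC-Key / PAC-Opaque / A-ID lengths --
    # confirm against eap_fast_pac.c) that run past the end of the data.
    # NOTE(review): this rendering appears to drop one entry from the list
    # (gap between the third and fourth element) -- verify against upstream.
    tests = [ "00", "000000000000", "6ae4920c0001",
              "6ae4920c0000" + "0000" + 32*"00" + "ffff" + "0000",
              "6ae4920c0000" + "0000" + 32*"00" + "0001" + "0000",
              "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0001",
              "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0008" + "00040000" + "0007000100"]
    for t in tests:
        set_pac_blob(t)
        dev[0].connect("test-wpa2-eap", scan_freq="2412", wait_connect=False,
                       **bin_pac_args)
        expect_init_failure()
        teardown()

    # Structurally valid, empty PAC: fail each allocation made while loading
    # it and require the method init to report the failure.
    pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0000"
    tests = [ (1, "eap_fast_load_pac_bin"),
              (2, "eap_fast_load_pac_bin"),
              (3, "eap_fast_load_pac_bin") ]
    for count, func in tests:
        set_pac_blob(pac)
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", scan_freq="2412",
                           wait_connect=False, **bin_pac_args)
            expect_init_failure()
        teardown()

    # PAC carrying a short trailing attribute (presumably one the parser does
    # not recognise) must still let provisioning succeed.
    pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0005" + "0011223344"
    set_pac_blob(pac)
    eap_connect(dev[0], hapd, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_pac_format=binary",
                pac_file="blob://fast_pac_bin_errors")
    teardown()

    # OOM while extracting the A-ID from a PAC that carries one; provisioning
    # must still complete.
    pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0009" + "00040000" + "0007000100"
    tests = [ (1, "eap_fast_pac_get_a_id"),
              (2, "eap_fast_pac_get_a_id") ]
    for count, func in tests:
        set_pac_blob(pac)
        with alloc_fail(dev[0], count, func):
            eap_connect(dev[0], hapd, "FAST", "user",
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                        phase1="fast_provisioning=1 fast_pac_format=binary",
                        pac_file="blob://fast_pac_bin_errors")
        teardown()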
def test_ap_wpa2_eap_fast_text_pac_errors(dev, apdev):
    """EAP-FAST and text PAC errors"""
    # Negative tests for the text-format PAC store.  The PAC file is parser
    # input that anyone who can write the file controls, so allocation
    # failures and truncated/malformed text must fail the method cleanly.
    # NOTE(review): several lines are missing from this rendering: the
    # remaining lines of the `pac` text fixture, the `if ev is None:` guard
    # after the wait_event() below, and the loop header that binds `i` inside
    # the last alloc_fail block.  Restore from upstream before running.
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    # Allocation failures in each hex-field parser, in the start-of-entry
    # parser and in the PAC writer.  "a;b" presumably means "fail in a when
    # called from b" -- confirm in utils.alloc_fail.
    tests = [ (1, "eap_fast_parse_hex;eap_fast_parse_pac_key"),
              (1, "eap_fast_parse_hex;eap_fast_parse_pac_opaque"),
              (1, "eap_fast_parse_hex;eap_fast_parse_a_id"),
              (1, "eap_fast_parse_start"),
              (1, "eap_fast_save_pac") ]
    for count, func in tests:
        dev[0].request("FLUSH")
        # Empty value: start every iteration from a cleared PAC blob.
        if "OK" not in dev[0].request("SET blob fast_pac_text_errors "):
            raise Exception("Could not set blob")

        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                           identity="user", anonymous_identity="FAST",
                           password="password",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           phase1="fast_provisioning=1",
                           pac_file="blob://fast_pac_text_errors",
                           scan_freq="2412", wait_connect=False)
            # Only require that the injected failure was actually hit; the
            # connection outcome is not asserted here.
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Truncated text PAC: header line only.
    # NOTE(review): further `pac +=` lines are not visible in this rendering.
    pac = "wpa_supplicant EAP-FAST PAC file - version 1\n"
    # str.encode("hex") is Python 2 only; Python 3 needs binascii.hexlify.
    if "OK" not in dev[0].request("SET blob fast_pac_text_errors " + pac.encode("hex")):
        raise Exception("Could not set blob")

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="fast_provisioning=1",
                   pac_file="blob://fast_pac_text_errors",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=5)
    # NOTE(review): the `if ev is None:` guard is not visible in this rendering.
    raise Exception("Failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    dev[0].request("FLUSH")
    if "OK" not in dev[0].request("SET blob fast_pac_text_errors "):
        raise Exception("Could not set blob")

    # OOM while appending a PAC from a second server (distinct A-ID and
    # PAC-Opaque key) to an existing store.
    with alloc_fail(dev[0], 1, "eap_fast_add_pac_data"):
        # NOTE(review): the loop header binding `i` is not visible in this
        # rendering; the "%02x" / "%d" formats indicate one server per index.
        params = int_eap_server_params()
        params['ssid'] = "test-wpa2-eap-2"
        params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
        params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
        params['eap_fast_a_id_info'] = "test server %d" % i

        hapd2 = hostapd.add_ap(apdev[1], params)

        dev[0].connect("test-wpa2-eap-2", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       phase1="fast_provisioning=1",
                       pac_file="blob://fast_pac_text_errors",
                       scan_freq="2412", wait_connect=False)
        dev[0].wait_connected()
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_pac_truncate(dev, apdev):
    """EAP-FAST and PAC list truncation"""
    # Provision PACs from several distinct servers (unique A-ID and
    # PAC-Opaque encryption key per index) into one blob while the client caps
    # its stored list with fast_max_pac_list_len=2, so older entries have to
    # be dropped instead of the PAC store growing without bound.
    check_eap_capa(dev[0], "FAST")
    if "OK" not in dev[0].request("SET blob fast_pac_truncate "):
        raise Exception("Could not set blob")

    # NOTE(review): the loop header that binds `i` (one iteration per
    # server) and any per-iteration AP teardown are not visible in this
    # rendering -- restore from upstream before running.
    params = int_eap_server_params()
    params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
    params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
    params['eap_fast_a_id_info'] = "test server %d" % i
    hapd = hostapd.add_ap(apdev[0], params)

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="fast_provisioning=1 fast_max_pac_list_len=2",
                   pac_file="blob://fast_pac_truncate",
                   scan_freq="2412", wait_connect=False)
    dev[0].wait_connected()
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_pac_refresh(dev, apdev):
    """EAP-FAST and PAC refresh"""
    # Two server configurations share one client PAC blob.  The first sets
    # pac_key_refresh_time well below pac_key_lifetime, the second sets them
    # equal; the connection must succeed either way (the refresh itself is
    # not asserted from the client side here).
    # NOTE(review): the loop headers that bind `i` and the AP teardown
    # between the two configurations are not visible in this rendering --
    # restore from upstream before running.
    check_eap_capa(dev[0], "FAST")
    if "OK" not in dev[0].request("SET blob fast_pac_refresh "):
        raise Exception("Could not set blob")

    params = int_eap_server_params()
    params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
    params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
    params['eap_fast_a_id_info'] = "test server %d" % i
    # Refresh window (presumably seconds) much shorter than the PAC lifetime.
    params['pac_key_refresh_time'] = "1"
    params['pac_key_lifetime'] = "10"
    hapd = hostapd.add_ap(apdev[0], params)

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="fast_provisioning=1",
                   pac_file="blob://fast_pac_refresh",
                   scan_freq="2412", wait_connect=False)
    dev[0].wait_connected()
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    params = int_eap_server_params()
    params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
    params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
    params['eap_fast_a_id_info'] = "test server %d" % i
    # Refresh window equal to the lifetime.
    params['pac_key_refresh_time'] = "10"
    params['pac_key_lifetime'] = "10"
    hapd = hostapd.add_ap(apdev[0], params)

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="fast_provisioning=1",
                   pac_file="blob://fast_pac_refresh",
                   scan_freq="2412", wait_connect=False)
    dev[0].wait_connected()
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_pac_lifetime(dev, apdev):
    """EAP-FAST and PAC lifetime"""
    # Server issues PACs with a 2 (presumably seconds) lifetime and no refresh
    # window.  Once the PAC has expired the cached entry must be rejected by
    # the server (EAP-Failure) instead of silently extending the old
    # credential, and the following attempt must provision a fresh PAC.
    check_eap_capa(dev[0], "FAST")
    if "OK" not in dev[0].request("SET blob fast_pac_refresh "):
        raise Exception("Could not set blob")

    # NOTE(review): the binding of `i` is not visible in this rendering.
    params = int_eap_server_params()
    params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
    params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
    params['eap_fast_a_id_info'] = "test server %d" % i
    params['pac_key_refresh_time'] = "0"
    params['pac_key_lifetime'] = "2"
    hapd = hostapd.add_ap(apdev[0], params)

    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                        identity="user", anonymous_identity="FAST",
                        password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                        phase1="fast_provisioning=2",
                        pac_file="blob://fast_pac_refresh",
                        scan_freq="2412", wait_connect=False)
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # NOTE(review): the wait that lets the PAC lifetime elapse is not visible
    # in this rendering; without it the expired-PAC path below cannot trigger.
    # Flushing the PMKSA cache forces the reconnect to run EAP again rather
    # than resume from a cached PMK, so the expired PAC is actually presented.
    dev[0].request("PMKSA_FLUSH")
    dev[0].request("RECONNECT")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # NOTE(review): the `if ev is None:` guard is not visible in this rendering.
    raise Exception("No EAP-Failure seen after expired PAC")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Next attempt re-provisions and must succeed.
    dev[0].select_network(id)
    dev[0].wait_connected()
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    # fast_provisioning=2 is authenticated provisioning: the server certificate
    # is validated against ca_cert before a PAC is accepted, unlike anonymous
    # provisioning.  After provisioning, a reauthentication has to resume the
    # TLS session from the PAC (session ticket) rather than run a full handshake.
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    fast_args = dict(anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                     phase1="fast_provisioning=2",
                     pac_file="blob://fast_pac_auth")
    eap_connect(sta, hapd, "FAST", "user", **fast_args)
    hwsim_utils.test_connectivity(sta, hapd)
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
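def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
    # After a successful authenticated provisioning as "user", the inner
    # identity is switched to "user2" on the live network block.  wpa_supplicant
    # must drop the association and start EAP-FAST again; the new identity is
    # then expected to be rejected (EAP-Failure), i.e. the PAC/session state
    # obtained as "user" must not carry another identity through.  Whether
    # "user2" is absent from auth_serv/eap_user.conf or fails for another
    # reason is not visible here -- confirm against the user file.
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    net_id = eap_connect(dev[0], hapd, "FAST", "user",
                         anonymous_identity="FAST", password="password",
                         ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                         phase1="fast_provisioning=2",
                         pac_file="blob://fast_pac_auth")
    dev[0].set_network_quoted(net_id, "identity", "user2")
    dev[0].wait_disconnected()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:
        raise Exception("EAP-FAST not started")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].wait_disconnected()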
def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
    # An allocation failure inside the TLS PRF that derives the EAP-FAST keys
    # must surface as an EAP failure -- the connection must not be completed
    # with partially derived key material.
    # NOTE(review): this rendering drops the `count` binding in each branch,
    # the `else:` in front of the HwsimSkip (as shown the skip is
    # unconditional), one connect() keyword line and the `if ev is None:`
    # guard.  Restore from upstream before running.
    check_eap_capa(dev[0], "FAST")
    tls = dev[0].request("GET tls_library")
    # The PRF entry point differs per TLS backend; alloc_fail needs the name
    # of the function that is actually compiled in.
    if tls.startswith("OpenSSL"):
        func = "tls_connection_get_eap_fast_key"
    elif tls.startswith("internal"):
        func = "tls_connection_prf"
    raise HwsimSkip("Unsupported TLS library")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    with alloc_fail(dev[0], count, func):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password", ca_cert="auth_serv/ca.pem",
                       phase1="fast_provisioning=2",
                       pac_file="blob://fast_pac_auth",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
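def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
    """EAP-FAST/MSCHAPv2 and server OOM"""
    # The server-side allocation failure is injected into the TLS session
    # ticket extension callback, i.e. the point where hostapd handles the PAC
    # presented by the client.  The server has to fail the exchange cleanly
    # (EAP-Failure on the client) and, once the injected failure is gone, the
    # same network block has to authenticate normally.
    check_eap_capa(dev[0], "FAST")

    params = int_eap_server_params()
    params['dh_file'] = 'auth_serv/dh.conf'
    params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
    params['eap_fast_a_id'] = '1011'
    params['eap_fast_a_id_info'] = 'another test server'
    hapd = hostapd.add_ap(apdev[0], params)

    with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
        net_id = eap_connect(dev[0], hapd, "FAST", "user",
                             anonymous_identity="FAST", password="password",
                             ca_cert="auth_serv/ca.pem",
                             phase2="auth=MSCHAPV2",
                             phase1="fast_provisioning=1",
                             pac_file="blob://fast_pac",
                             expect_failure=True)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        if ev is None:
            raise Exception("No EAP failure reported")
        dev[0].wait_disconnected()
        dev[0].request("DISCONNECT")

    # Retry without the injected failure.
    dev[0].select_network(net_id, freq="2412")
    # NOTE(review): the line following select_network() is not visible in
    # this rendering; the retry presumably has to be waited for (connected)
    # before the test ends -- confirm against upstream.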
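def test_ap_wpa2_eap_fast_cipher_suites(dev, apdev):
    """EAP-FAST and different TLS cipher suites"""
    # Authenticated provisioning (the handshake that delivers the PAC) is
    # required to negotiate DHE-RSA-AES256-SHA, i.e. an ephemeral-DH suite.
    # Afterwards the PAC session is resumed with each suite pinned through
    # openssl_ciphers, and the status field must report exactly that suite --
    # a silent fallback to a different cipher would be a bug.
    check_eap_capa(dev[0], "FAST")
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # Start from an empty PAC blob so the first connection provisions.
    dev[0].request("SET blob fast_pac_ciphers ")
    eap_connect(dev[0], hapd, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_ciphers")
    res = dev[0].get_status_field('EAP TLS cipher')
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    if res != "DHE-RSA-AES256-SHA":
        raise Exception("Unexpected cipher suite for provisioning: " + res)

    # NOTE(review): this rendering drops the middle of this list -- the
    # except branch below special-cases "RC4-SHA", which is not among the
    # visible entries.  Restore the full list from upstream.
    tests = [ "DHE-RSA-AES128-SHA",
              "DHE-RSA-AES256-SHA" ]
    for cipher in tests:
        dev[0].dump_monitor()
        logger.info("Testing " + cipher)
        try:
            eap_connect(dev[0], hapd, "FAST", "user",
                        openssl_ciphers=cipher,
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                        pac_file="blob://fast_pac_ciphers")
        except Exception as e:
            # The only tolerated failure is RC4-SHA being unavailable in an
            # OpenSSL 1.1 runtime (the library no longer provides it); any
            # other failure, for any other suite, is re-raised.
            if "Could not select EAP method" in str(e) and cipher == "RC4-SHA":
                tls = dev[0].request("GET tls_library")
                if "run=OpenSSL 1.1" in tls:
                    logger.info("Allow failure due to missing TLS library support")
                    dev[0].request("REMOVE_NETWORK all")
                    dev[0].wait_disconnected()
                    continue
            raise
        res = dev[0].get_status_field('EAP TLS cipher')
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        if res != cipher:
            raise Exception("Unexpected TLS cipher info (configured %s): %s" % (cipher, res))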
def test_ap_wpa2_eap_fast_prov(dev, apdev):
    """EAP-FAST and provisioning options"""
    # Walks the server-side eap_fast_prov policy: 0 = provisioning disabled,
    # 1 = anonymous provisioning, 2 = authenticated provisioning.  Every step
    # checks the EAP completion status ("parameter='failure'|'success'")
    # rather than only the association result, and disable_pmksa_caching
    # keeps each reconnect an actual EAP run instead of a PMKSA resumption.
    # NOTE(review): several lines are missing from this rendering: the
    # binding of `i`, the `timeout=` continuation and the `if ev is None:`
    # guard after every wait_event(), and the lines between each hapd.set()
    # and the following select_network().  Restore from upstream before
    # running.
    check_eap_capa(dev[0], "FAST")
    if "OK" not in dev[0].request("SET blob fast_pac_prov "):
        raise Exception("Could not set blob")

    params = int_eap_server_params()
    params['disable_pmksa_caching'] = '1'
    params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
    params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
    params['eap_fast_a_id_info'] = "test server %d" % i
    params['eap_fast_prov'] = "0"
    hapd = hostapd.add_ap(apdev[0], params)

    # No PAC and no provisioning allowed: the client must be refused rather
    # than handed a PAC.
    logger.info("Provisioning attempt while server has provisioning disabled")
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                        identity="user", anonymous_identity="FAST",
                        password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                        phase1="fast_provisioning=2",
                        pac_file="blob://fast_pac_prov",
                        scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
    raise Exception("EAP result not reported")
    if "parameter='failure'" not in ev:
        raise Exception("Unexpected EAP result: " + ev)
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")
    dev[0].dump_monitor()

    # Authenticated provisioning enabled: same client config now succeeds and
    # stores a PAC in the blob.
    logger.info("Authenticated provisioning")
    hapd.set("eap_fast_prov", "2")

    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
    raise Exception("EAP result not reported")
    if "parameter='success'" not in ev:
        raise Exception("Unexpected EAP result: " + ev)
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()

    # Provisioning disabled again: the stored PAC alone must be enough.
    logger.info("Provisioning disabled - using previously provisioned PAC")
    hapd.set("eap_fast_prov", "0")

    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
    raise Exception("EAP result not reported")
    if "parameter='success'" not in ev:
        raise Exception("Unexpected EAP result: " + ev)
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()

    # Clearing the blob removes the PAC; with provisioning still disabled the
    # client must fail again.
    logger.info("Drop PAC and verify connection failure")
    if "OK" not in dev[0].request("SET blob fast_pac_prov "):
        raise Exception("Could not set blob")

    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
    raise Exception("EAP result not reported")
    if "parameter='failure'" not in ev:
        raise Exception("Unexpected EAP result: " + ev)
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")
    dev[0].dump_monitor()

    # Anonymous provisioning: the client is switched to fast_provisioning=1
    # to match the server policy.
    logger.info("Anonymous provisioning")
    hapd.set("eap_fast_prov", "1")

    dev[0].set_network_quoted(id, "phase1", "fast_provisioning=1")
    dev[0].select_network(id, freq="2412")
    # Anonymous provisioning results in EAP-Failure first
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
    raise Exception("EAP result not reported")
    if "parameter='failure'" not in ev:
        raise Exception("Unexpected EAP result: " + ev)
    dev[0].wait_disconnected()
    # And then the actual data connection
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
    raise Exception("EAP result not reported")
    if "parameter='success'" not in ev:
        raise Exception("Unexpected EAP result: " + ev)
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()

    # The anonymously provisioned PAC must also work once provisioning is
    # disabled again.
    logger.info("Provisioning disabled - using previously provisioned PAC")
    hapd.set("eap_fast_prov", "0")

    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
    raise Exception("EAP result not reported")
    if "parameter='success'" not in ev:
        raise Exception("Unexpected EAP result: " + ev)
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    # ocsp=2 makes a valid stapled OCSP response for the server certificate
    # mandatory (ocsp=1, used elsewhere in this file, only requests one), so
    # this connection succeeding proves the stapled status was accepted.  The
    # client credential is a PKCS#12 bundle, hence the second capability check.
    sta = dev[0]
    check_ocsp_support(sta)
    check_pkcs12_support(sta)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    client_creds = dict(ca_cert="auth_serv/ca.pem",
                        private_key="auth_serv/user.pkcs12",
                        private_key_passwd="whatever",
                        ocsp=2)
    eap_connect(sta, hapd, "TLS", "tls user", **client_creds)
def test_ap_wpa2_eap_tls_ocsp_multi(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP-multi"""
    # Same connection as test_ap_wpa2_eap_tls_ocsp, but gated on the
    # multi-stapling capability (status for more than one certificate in the
    # chain); ocsp=2 still makes a valid stapled response mandatory.
    sta = dev[0]
    check_ocsp_multi_support(sta)
    check_pkcs12_support(sta)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    client_creds = dict(ca_cert="auth_serv/ca.pem",
                        private_key="auth_serv/user.pkcs12",
                        private_key_passwd="whatever",
                        ocsp=2)
    eap_connect(sta, hapd, "TLS", "tls user", **client_creds)
3653 def int_eap_server_params():
3654 params
= { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
3655 "rsn_pairwise": "CCMP", "ieee8021x": "1",
3656 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
3657 "ca_cert": "auth_serv/ca.pem",
3658 "server_cert": "auth_serv/server.pem",
3659 "private_key": "auth_serv/server.key",
3660 "dh_file": "auth_serv/dh.conf" }
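def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
    """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
    # The stapled response identifies its signer by key ID instead of by name;
    # the client has to be able to match that to the trusted responder.  The
    # response is a pre-generated file expected in logdir (skipped when
    # absent), and ocsp=2 makes accepting it mandatory for the connection.
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-key-id.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is the test fixture above; from here it is the AP config.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   scan_freq="2412")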
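def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (good)"""
    # Positive case for the CA-signed response set: the stapled response is
    # signed directly by the issuing CA and reports "good", so with ocsp=2
    # (response required) the connection must succeed.  The response is a
    # pre-generated file expected in logdir; the test is skipped when absent.
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is the test fixture above; from here it is the AP config.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   scan_freq="2412")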
def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (revoked)"""
    # The AP staples a CA-signed response that marks the server certificate
    # revoked.  With ocsp=2 the client requires a good status, so the TLS
    # handshake must abort and EAP must end in failure -- a revoked server
    # certificate must never yield a connection.
    # NOTE(review): this rendering drops the event-loop scaffolding below
    # (loop header and counter, the `if ev is None:` guard and the bodies of
    # the two `if ... in ev:` checks).  The visible messages indicate that
    # EAP-STATUS events are consumed until "bad certificate status response"
    # or "certificate revoked" appears, with a cap on how many are tolerated.
    # Restore from upstream before running.
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is the test fixture above; from here it is the AP config.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    if 'certificate revoked' in ev:
    raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (unknown)"""
    # CA-signed response with status "unknown": the responder does not vouch
    # for the certificate at all.  With ocsp=2 that is not good enough -- the
    # client must treat it as a bad status and EAP must fail.
    # NOTE(review): the event-loop scaffolding below (loop header/counter,
    # `if ev is None:` guard, body of the `if ... in ev:` check) is not
    # visible in this rendering -- restore from upstream before running.
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is the test fixture above; from here it is the AP config.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
    """EAP-TLS and server signed OCSP response"""
    # The stapled response is signed by the server's own certificate.  A
    # server is not an authorized responder for its own status (that would be
    # the CA or a CA-delegated OCSP signer), so the client must reject the
    # response as coming from an untrusted signer regardless of the status
    # it claims, and EAP must fail.
    # NOTE(review): the event-loop scaffolding below (loop header/counter,
    # `if ev is None:` guard, body of the `if ... in ev:` check) is not
    # visible in this rendering -- restore from upstream before running.
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is the test fixture above; from here it is the AP config.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
    # The AP staples an OCSP *request* (auth_serv/ocsp-req.der) where a
    # response is expected.  The stapled blob is untrusted input to the
    # client's DER parser; it must be rejected as a bad status response and
    # EAP must fail rather than the handshake continuing without a status.
    # NOTE(review): the event-loop scaffolding below (loop header/counter,
    # `if ev is None:` guard, body of the `if ... in ev:` check) is not
    # visible in this rendering -- restore from upstream before running.
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
    # The AP staples a response file that is deliberately invalid
    # (presumably a corrupted copy of the cached good response -- confirm
    # how auth_serv/ocsp-server-cache.der-invalid is produced).  With ocsp=2
    # the client must refuse it and EAP must fail.
    # NOTE(review): the event-loop scaffolding below (loop header/counter,
    # `if ev is None:` guard, body of the `if ... in ev:` check) is not
    # visible in this rendering -- restore from upstream before running.
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
    # The stapled response is signed by a key the client does not trust as
    # an OCSP responder for this CA.  Signature verification must fail the
    # status check (whatever status the response claims) and EAP must fail.
    # NOTE(review): the event-loop scaffolding below (loop header/counter,
    # `if ev is None:` guard, body of the `if ... in ev:` check) is not
    # visible in this rendering -- restore from upstream before running.
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
    # Same revoked-status check as the EAP-TLS variant, but through EAP-TTLS
    # with an inner PAP password.  This matters for TTLS specifically: the
    # password would be sent inside the tunnel, so the tunnel must be torn
    # down on the revoked server certificate before phase 2 starts.
    # NOTE(review): the event-loop scaffolding below (loop header/counter,
    # `if ev is None:` guard, bodies of the `if ... in ev:` checks) is not
    # visible in this rendering -- restore from upstream before running.
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is the test fixture above; from here it is the AP config.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    if 'certificate revoked' in ev:
    raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown"""
    # (Docstring corrected: this test staples the "unknown" response, not the
    # revoked one.)  With ocsp=2 an unknown status is not acceptable; the
    # tunnel must be aborted before the PAP password is sent and EAP must
    # fail.  Compare test_ap_wpa2_eap_ttls_optional_ocsp_unknown, where the
    # same response with ocsp=1 is tolerated.
    # NOTE(review): the event-loop scaffolding below (loop header/counter,
    # `if ev is None:` guard, body of the `if ... in ev:` check) is not
    # visible in this rendering -- restore from upstream before running.
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is the test fixture above; from here it is the AP config.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
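def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown"""
    # ocsp=1 only *requests* stapling, so an "unknown" status must not block
    # the connection; test_ap_wpa2_eap_ttls_ocsp_unknown staples the same
    # response with ocsp=2 and expects EAP-Failure.  The docstring used to say
    # "status revoked", which described the wrong fixture.  The OCSP
    # capability check matches the sibling tests: without it a build lacking
    # OCSP support would pass this test vacuously.
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is the test fixture above; from here it is the AP config.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")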
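def test_ap_wpa2_eap_tls_intermediate_ca(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA"""
    # Both ends present certificates issued by an intermediate CA, and each
    # end is configured with a bundle of intermediate plus root
    # (ca-and-root.pem) as its trust anchor set.  Chain building therefore
    # has to go through the intermediate; a direct root signature is not
    # available on either side.  The `params` fixture is unused here, so the
    # AP configuration gets its own name instead of shadowing it.
    ap_params = int_eap_server_params()
    ap_params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    ap_params["server_cert"] = "auth_serv/iCA-server/server.pem"
    ap_params["private_key"] = "auth_serv/iCA-server/server.key"
    hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                   client_cert="auth_serv/iCA-user/user.pem",
                   private_key="auth_serv/iCA-user/user.key",
                   scan_freq="2412")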
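def root_ocsp(cert):
    """Build a root-CA-signed OCSP response for *cert* and return its path.

    Two invocations of the openssl ocsp tool: the first writes an OCSP
    request for cert (issuer auth_serv/ca.pem) to a temporary file, the
    second runs in responder mode, answering that request from
    auth_serv/rootCA/index.txt and signing with the root CA key.  The status
    in the returned response (good/revoked) is therefore whatever the index
    file says about cert.  -resp_no_certs leaves the signer certificate out
    of the response, so the verifying side has to trust the CA as signer on
    its own.

    Args:
        cert: path of the certificate to produce a status for.

    Returns:
        Path of the DER response file;
        the caller owns the file.
    """
    ca = "auth_serv/ca.pem"

    def run(arg, what):
        # argv list, no shell: the cert path is never shell-interpreted.
        # communicate() drains stdout and stderr together; reading them one
        # after the other (the previous form) can deadlock once the -text
        # dump fills the pipe the child is blocked on.
        cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE)
        out, err = cmd.communicate()
        logger.info(what + ":\n" + out + "\n" + err)

    # Only the paths are needed; openssl creates/writes the files itself,
    # so close the descriptors mkstemp handed back instead of leaking them.
    fd2, fn2 = tempfile.mkstemp()
    os.close(fd2)
    arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-cert", cert,
            "-no_nonce", "-sha256", "-text" ]
    run(arg, "OCSP request")

    fd, fn = tempfile.mkstemp()
    os.close(fd)
    arg = [ "openssl", "ocsp", "-index", "auth_serv/rootCA/index.txt",
            "-rsigner", ca, "-rkey", "auth_serv/ca-key.pem",
            "-CA", ca, "-issuer", ca, "-verify_other", ca, "-trust_other",
            "-ndays", "7", "-reqin", fn2, "-resp_no_certs", "-respout", fn,
            "-text" ]
    run(arg, "OCSP response")

    # The request file is no longer needed once the response exists.
    os.unlink(fn2)
    # NOTE(review): the tail of this function was not visible in the
    # rendering this was reviewed from; returning the response path is what
    # an ocsp_stapling_response caller needs -- confirm against upstream.
    return fn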
3979 prefix
= "auth_serv/iCA-server/"
3980 ca
= prefix
+ "cacert.pem"
3981 cert
= prefix
+ cert
3983 fd2
, fn2
= tempfile
.mkstemp()
3986 arg
= [ "openssl", "ocsp", "-reqout", fn2
, "-issuer", ca
, "-cert", cert
,
3987 "-no_nonce", "-sha256", "-text" ]
3988 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
3989 stderr
=subprocess
.PIPE
)
3990 res
= cmd
.stdout
.read() + "\n" + cmd
.stderr
.read()
3993 logger
.info("OCSP request:\n" + res
)
3995 fd
, fn
= tempfile
.mkstemp()
3997 arg
= [ "openssl", "ocsp", "-index", prefix
+ "index.txt",
3998 "-rsigner", ca
, "-rkey", prefix
+ "private/cakey.pem",
3999 "-CA", ca
, "-issuer", ca
, "-verify_other", ca
, "-trust_other",
4000 "-ndays", "7", "-reqin", fn2
, "-resp_no_certs", "-respout", fn
,
4002 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4003 stderr
=subprocess
.PIPE
)
4004 res
= cmd
.stdout
.read() + "\n" + cmd
.stderr
.read()
4007 logger
.info("OCSP response:\n" + res
)
4011 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev
, apdev
, params
):
4012 """EAP-TLS with intermediate server/user CA and OCSP on server certificate"""
4013 params
= int_eap_server_params()
4014 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4015 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4016 params
["private_key"] = "auth_serv/iCA-server/server.key"
4017 fn
= ica_ocsp("server.pem")
4018 params
["ocsp_stapling_response"] = fn
4020 hostapd
.add_ap(apdev
[0], params
)
4021 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4022 identity
="tls user",
4023 ca_cert
="auth_serv/iCA-user/ca-and-root.pem",
4024 client_cert
="auth_serv/iCA-user/user.pem",
4025 private_key
="auth_serv/iCA-user/user.key",
4026 scan_freq
="2412", ocsp
=2)
4030 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
):
4031 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate"""
4032 params
= int_eap_server_params()
4033 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4034 params
["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
4035 params
["private_key"] = "auth_serv/iCA-server/server-revoked.key"
4036 fn
= ica_ocsp("server-revoked.pem")
4037 params
["ocsp_stapling_response"] = fn
4039 hostapd
.add_ap(apdev
[0], params
)
4040 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4041 identity
="tls user",
4042 ca_cert
="auth_serv/iCA-user/ca-and-root.pem",
4043 client_cert
="auth_serv/iCA-user/user.pem",
4044 private_key
="auth_serv/iCA-user/user.key",
4045 scan_freq
="2412", ocsp
=1, wait_connect
=False)
4048 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4049 "CTRL-EVENT-EAP-SUCCESS"])
4051 raise Exception("Timeout on EAP status")
4052 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4053 raise Exception("Unexpected EAP-Success")
4054 if 'bad certificate status response' in ev
:
4056 if 'certificate revoked' in ev
:
4060 raise Exception("Unexpected number of EAP status messages")
4062 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4064 raise Exception("Timeout on EAP failure report")
4065 dev
[0].request("REMOVE_NETWORK all")
4066 dev
[0].wait_disconnected()
4070 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev
, apdev
, params
):
4071 """EAP-TLS with intermediate server/user CA and OCSP multi missing response"""
4072 check_ocsp_support(dev
[0])
4073 check_ocsp_multi_support(dev
[0])
4075 params
= int_eap_server_params()
4076 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4077 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4078 params
["private_key"] = "auth_serv/iCA-server/server.key"
4079 fn
= ica_ocsp("server.pem")
4080 params
["ocsp_stapling_response"] = fn
4082 hostapd
.add_ap(apdev
[0], params
)
4083 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4084 identity
="tls user",
4085 ca_cert
="auth_serv/iCA-user/ca-and-root.pem",
4086 client_cert
="auth_serv/iCA-user/user.pem",
4087 private_key
="auth_serv/iCA-user/user.key",
4088 scan_freq
="2412", ocsp
=3, wait_connect
=False)
4091 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4092 "CTRL-EVENT-EAP-SUCCESS"])
4094 raise Exception("Timeout on EAP status")
4095 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4096 raise Exception("Unexpected EAP-Success")
4097 if 'bad certificate status response' in ev
:
4099 if 'certificate revoked' in ev
:
4103 raise Exception("Unexpected number of EAP status messages")
4105 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4107 raise Exception("Timeout on EAP failure report")
4108 dev
[0].request("REMOVE_NETWORK all")
4109 dev
[0].wait_disconnected()
4113 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev
, apdev
, params
):
4114 """EAP-TLS with intermediate server/user CA and OCSP multi OK"""
4115 check_ocsp_support(dev
[0])
4116 check_ocsp_multi_support(dev
[0])
4118 params
= int_eap_server_params()
4119 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4120 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4121 params
["private_key"] = "auth_serv/iCA-server/server.key"
4122 fn
= ica_ocsp("server.pem")
4123 fn2
= root_ocsp("auth_serv/iCA-server/cacert.pem")
4124 params
["ocsp_stapling_response"] = fn
4126 with
open(fn
, "r") as f
:
4127 resp_server
= f
.read()
4128 with
open(fn2
, "r") as f
:
4131 fd3
, fn3
= tempfile
.mkstemp()
4133 f
= os
.fdopen(fd3
, 'w')
4134 f
.write(struct
.pack(">L", len(resp_server
))[1:4])
4135 f
.write(resp_server
)
4136 f
.write(struct
.pack(">L", len(resp_ica
))[1:4])
4140 params
["ocsp_stapling_response_multi"] = fn3
4142 hostapd
.add_ap(apdev
[0], params
)
4143 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4144 identity
="tls user",
4145 ca_cert
="auth_serv/iCA-user/ca-and-root.pem",
4146 client_cert
="auth_serv/iCA-user/user.pem",
4147 private_key
="auth_serv/iCA-user/user.key",
4148 scan_freq
="2412", ocsp
=3)
4149 dev
[0].request("REMOVE_NETWORK all")
4150 dev
[0].wait_disconnected()
4156 def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev
, apdev
, params
):
4157 """EAP-TLS and CA signed OCSP multi response (revoked)"""
4158 check_ocsp_support(dev
[0])
4159 check_ocsp_multi_support(dev
[0])
4161 ocsp_revoked
= os
.path
.join(params
['logdir'],
4162 "ocsp-resp-ca-signed-revoked.der")
4163 if not os
.path
.exists(ocsp_revoked
):
4164 raise HwsimSkip("No OCSP response (revoked) available")
4165 ocsp_unknown
= os
.path
.join(params
['logdir'],
4166 "ocsp-resp-ca-signed-unknown.der")
4167 if not os
.path
.exists(ocsp_unknown
):
4168 raise HwsimSkip("No OCSP response(unknown) available")
4170 with
open(ocsp_revoked
, "r") as f
:
4171 resp_revoked
= f
.read()
4172 with
open(ocsp_unknown
, "r") as f
:
4173 resp_unknown
= f
.read()
4175 fd
, fn
= tempfile
.mkstemp()
4177 # This is not really a valid order of the OCSPResponse items in the
4178 # list, but this works for now to verify parsing and processing of
4179 # multiple responses.
4180 f
= os
.fdopen(fd
, 'w')
4181 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
4182 f
.write(resp_unknown
)
4183 f
.write(struct
.pack(">L", len(resp_revoked
))[1:4])
4184 f
.write(resp_revoked
)
4185 f
.write(struct
.pack(">L", 0)[1:4])
4186 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
4187 f
.write(resp_unknown
)
4190 params
= int_eap_server_params()
4191 params
["ocsp_stapling_response_multi"] = fn
4192 hostapd
.add_ap(apdev
[0], params
)
4193 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4194 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4195 private_key
="auth_serv/user.pkcs12",
4196 private_key_passwd
="whatever", ocsp
=1,
4197 wait_connect
=False, scan_freq
="2412")
4200 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4201 "CTRL-EVENT-EAP-SUCCESS"])
4203 raise Exception("Timeout on EAP status")
4204 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4205 raise Exception("Unexpected EAP-Success")
4206 if 'bad certificate status response' in ev
:
4208 if 'certificate revoked' in ev
:
4212 raise Exception("Unexpected number of EAP status messages")
4216 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev
, apdev
):
4217 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
4218 check_domain_match_full(dev
[0])
4219 params
= int_eap_server_params()
4220 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4221 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4222 hostapd
.add_ap(apdev
[0], params
)
4223 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4224 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4225 private_key
="auth_serv/user.pkcs12",
4226 private_key_passwd
="whatever",
4227 domain_suffix_match
="server3.w1.fi",
4230 def test_ap_wpa2_eap_tls_domain_match_cn(dev
, apdev
):
4231 """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
4232 check_domain_match(dev
[0])
4233 params
= int_eap_server_params()
4234 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4235 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4236 hostapd
.add_ap(apdev
[0], params
)
4237 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4238 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4239 private_key
="auth_serv/user.pkcs12",
4240 private_key_passwd
="whatever",
4241 domain_match
="server3.w1.fi",
4244 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev
, apdev
):
4245 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
4246 check_domain_match_full(dev
[0])
4247 params
= int_eap_server_params()
4248 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4249 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4250 hostapd
.add_ap(apdev
[0], params
)
4251 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4252 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4253 private_key
="auth_serv/user.pkcs12",
4254 private_key_passwd
="whatever",
4255 domain_suffix_match
="w1.fi",
4258 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev
, apdev
):
4259 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
4260 check_domain_suffix_match(dev
[0])
4261 params
= int_eap_server_params()
4262 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4263 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4264 hostapd
.add_ap(apdev
[0], params
)
4265 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4266 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4267 private_key
="auth_serv/user.pkcs12",
4268 private_key_passwd
="whatever",
4269 domain_suffix_match
="example.com",
4272 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4273 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4274 private_key
="auth_serv/user.pkcs12",
4275 private_key_passwd
="whatever",
4276 domain_suffix_match
="erver3.w1.fi",
4279 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4281 raise Exception("Timeout on EAP failure report")
4282 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4284 raise Exception("Timeout on EAP failure report (2)")
4286 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev
, apdev
):
4287 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
4288 check_domain_match(dev
[0])
4289 params
= int_eap_server_params()
4290 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4291 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4292 hostapd
.add_ap(apdev
[0], params
)
4293 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4294 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4295 private_key
="auth_serv/user.pkcs12",
4296 private_key_passwd
="whatever",
4297 domain_match
="example.com",
4300 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4301 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4302 private_key
="auth_serv/user.pkcs12",
4303 private_key_passwd
="whatever",
4304 domain_match
="w1.fi",
4307 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4309 raise Exception("Timeout on EAP failure report")
4310 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4312 raise Exception("Timeout on EAP failure report (2)")
4314 def test_ap_wpa2_eap_ttls_expired_cert(dev
, apdev
):
4315 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
4316 skip_with_fips(dev
[0])
4317 params
= int_eap_server_params()
4318 params
["server_cert"] = "auth_serv/server-expired.pem"
4319 params
["private_key"] = "auth_serv/server-expired.key"
4320 hostapd
.add_ap(apdev
[0], params
)
4321 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4322 identity
="mschap user", password
="password",
4323 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4326 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
4328 raise Exception("Timeout on EAP certificate error report")
4329 if "reason=4" not in ev
or "certificate has expired" not in ev
:
4330 raise Exception("Unexpected failure reason: " + ev
)
4331 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4333 raise Exception("Timeout on EAP failure report")
4335 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev
, apdev
):
4336 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
4337 skip_with_fips(dev
[0])
4338 params
= int_eap_server_params()
4339 params
["server_cert"] = "auth_serv/server-expired.pem"
4340 params
["private_key"] = "auth_serv/server-expired.key"
4341 hostapd
.add_ap(apdev
[0], params
)
4342 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4343 identity
="mschap user", password
="password",
4344 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4345 phase1
="tls_disable_time_checks=1",
4348 def test_ap_wpa2_eap_ttls_long_duration(dev
, apdev
):
4349 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
4350 skip_with_fips(dev
[0])
4351 params
= int_eap_server_params()
4352 params
["server_cert"] = "auth_serv/server-long-duration.pem"
4353 params
["private_key"] = "auth_serv/server-long-duration.key"
4354 hostapd
.add_ap(apdev
[0], params
)
4355 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4356 identity
="mschap user", password
="password",
4357 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4360 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev
, apdev
):
4361 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
4362 skip_with_fips(dev
[0])
4363 params
= int_eap_server_params()
4364 params
["server_cert"] = "auth_serv/server-eku-client.pem"
4365 params
["private_key"] = "auth_serv/server-eku-client.key"
4366 hostapd
.add_ap(apdev
[0], params
)
4367 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4368 identity
="mschap user", password
="password",
4369 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4372 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4374 raise Exception("Timeout on EAP failure report")
4376 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev
, apdev
):
4377 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
4378 skip_with_fips(dev
[0])
4379 params
= int_eap_server_params()
4380 params
["server_cert"] = "auth_serv/server-eku-client-server.pem"
4381 params
["private_key"] = "auth_serv/server-eku-client-server.key"
4382 hostapd
.add_ap(apdev
[0], params
)
4383 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4384 identity
="mschap user", password
="password",
4385 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4388 def test_ap_wpa2_eap_ttls_server_pkcs12(dev
, apdev
):
4389 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
4390 skip_with_fips(dev
[0])
4391 params
= int_eap_server_params()
4392 del params
["server_cert"]
4393 params
["private_key"] = "auth_serv/server.pkcs12"
4394 hostapd
.add_ap(apdev
[0], params
)
4395 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4396 identity
="mschap user", password
="password",
4397 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4400 def test_ap_wpa2_eap_ttls_server_pkcs12_extra(dev
, apdev
):
4401 """EAP-TTLS and server PKCS#12 file with extra certs"""
4402 skip_with_fips(dev
[0])
4403 params
= int_eap_server_params()
4404 del params
["server_cert"]
4405 params
["private_key"] = "auth_serv/server-extra.pkcs12"
4406 params
["private_key_passwd"] = "whatever"
4407 hostapd
.add_ap(apdev
[0], params
)
4408 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4409 identity
="mschap user", password
="password",
4410 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP with a station dh_file.

    The AP uses the default EAP server; the DH parameter file is given as a
    network parameter on the station side.
    """
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "TTLS", "pap user",
                dh_file="auth_serv/dh.conf",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP")
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS with DSA-parameter dh_file.

    Skipped (via check_dh_dsa_support) when the station build cannot use
    DSA parameters.
    """
    check_dh_dsa_support(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "TTLS", "pap user",
                dh_file="auth_serv/dsaparam.pem",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP")
4432 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev
, apdev
):
4433 """EAP-TTLS and DH params file not found"""
4434 skip_with_fips(dev
[0])
4435 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4436 hostapd
.add_ap(apdev
[0], params
)
4437 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4438 identity
="mschap user", password
="password",
4439 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4440 dh_file
="auth_serv/dh-no-such-file.conf",
4441 scan_freq
="2412", wait_connect
=False)
4442 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4444 raise Exception("EAP failure timed out")
4445 dev
[0].request("REMOVE_NETWORK all")
4446 dev
[0].wait_disconnected()
4448 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev
, apdev
):
4449 """EAP-TTLS and invalid DH params file"""
4450 skip_with_fips(dev
[0])
4451 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4452 hostapd
.add_ap(apdev
[0], params
)
4453 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4454 identity
="mschap user", password
="password",
4455 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4456 dh_file
="auth_serv/ca.pem",
4457 scan_freq
="2412", wait_connect
=False)
4458 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4460 raise Exception("EAP failure timed out")
4461 dev
[0].request("REMOVE_NETWORK all")
4462 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """EAP-TTLS/PAP with the station DH parameters supplied as a blob.

    The parameter file is read with read_pem(), installed over the control
    interface as "SET blob dhparams <hex>", and then referenced through the
    blob:// URI in dh_file.
    """
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dh_data = read_pem("auth_serv/dh2.conf")
    # str.encode("hex") is the Python 2 hex codec; the blob travels as hex.
    reply = dev[0].request("SET blob dhparams " + dh_data.encode("hex"))
    if "OK" not in reply:
        raise Exception("Could not set dhparams blob")
    eap_connect(dev[0], ap, "TTLS", "pap user",
                dh_file="blob://dhparams",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP")
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and an alternative server-side dh_file."""
    ap_conf = int_eap_server_params()
    # Server-side DH parameters (hostapd dh_file); the station is unchanged.
    ap_conf["dh_file"] = "auth_serv/dh2.conf"
    ap = hostapd.add_ap(apdev[0], ap_conf)
    eap_connect(dev[0], ap, "TTLS", "pap user",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                anonymous_identity="ttls", password="password")
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and DSA parameters as server dh_file."""
    ap_conf = int_eap_server_params()
    # Server-side DH parameters (hostapd dh_file) in DSA parameter form.
    ap_conf["dh_file"] = "auth_serv/dsaparam.pem"
    ap = hostapd.add_ap(apdev[0], ap_conf)
    eap_connect(dev[0], ap, "TTLS", "pap user",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                anonymous_identity="ttls", password="password")
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """Server-side dh_file that does not exist must be rejected at ENABLE.

    NOTE(review): a test with this exact name is defined earlier in this
    file (the station-side dh_file variant). Python keeps only the later
    definition, so that earlier test is shadowed and no longer reachable
    by name.
    """
    ap_conf = int_eap_server_params()
    ap_conf["dh_file"] = "auth_serv/dh-no-such-file.conf"
    # no_enable=True: install the config but let the test drive ENABLE.
    ap = hostapd.add_ap(apdev[0], ap_conf, no_enable=True)
    reply = ap.request("ENABLE")
    if "FAIL" not in reply:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """Server-side dh_file holding a certificate (not DH params) must fail ENABLE.

    NOTE(review): a test with this exact name is defined earlier in this
    file (the station-side dh_file variant). Python keeps only the later
    definition, so that earlier test is shadowed and no longer reachable
    by name.
    """
    ap_conf = int_eap_server_params()
    # ca.pem is a certificate file, deliberately not DH parameters.
    ap_conf["dh_file"] = "auth_serv/ca.pem"
    ap = hostapd.add_ap(apdev[0], ap_conf, no_enable=True)
    reply = ap.request("ENABLE")
    if "FAIL" not in reply:
        raise Exception("Invalid configuration accepted")
4510 def test_ap_wpa2_eap_reauth(dev
, apdev
):
4511 """WPA2-Enterprise and Authenticator forcing reauthentication"""
4512 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4513 params
['eap_reauth_period'] = '2'
4514 hapd
= hostapd
.add_ap(apdev
[0], params
)
4515 eap_connect(dev
[0], hapd
, "PAX", "pax.user@example.com",
4516 password_hex
="0123456789abcdef0123456789abcdef")
4517 logger
.info("Wait for reauthentication")
4518 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
4520 raise Exception("Timeout on reauthentication")
4521 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
4523 raise Exception("Timeout on reauthentication")
4524 for i
in range(0, 20):
4525 state
= dev
[0].get_status_field("wpa_state")
4526 if state
== "COMPLETED":
4529 if state
!= "COMPLETED":
4530 raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity.

    The eap_message value keeps a literal backslash-zero ("\\0") between the
    displayable text and the option list; presumably hostapd turns that into
    the separator of the Identity request -- confirm against hostapd.conf.
    """
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_conf.update({
        'eap_message':
        'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com',
    })
    ap = hostapd.add_ap(apdev[0], ap_conf)
    eap_connect(dev[0], ap, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA/AKA' and protected result indication.

    For each method, dev[0] connects with phase1="result_ind=1" and is then
    re-authenticated, after which dev[1] connects without result_ind. Both
    stations drop their networks before the next method is tried. Skipped
    when no hlr_auc_gw socket is available.
    """
    check_hlr_auc_gw_support()
    ap_conf = int_eap_server_params()
    ap_conf['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    ap_conf['eap_sim_aka_result_ind'] = "1"
    ap = hostapd.add_ap(apdev[0], ap_conf)

    # (method, identity, password) triples, in the original execution order.
    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, imsi, secret) in enumerate(cases):
        if idx:
            # Clear the previous method's networks on both stations first.
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], ap, method, imsi, password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], ap, method, imsi, password=secret)
4575 def test_ap_wpa2_eap_sim_zero_db_timeout(dev
, apdev
):
4576 """WPA2-Enterprise using EAP-SIM with zero database timeout"""
4577 check_hlr_auc_gw_support()
4578 params
= int_eap_server_params()
4579 params
['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
4580 params
['eap_sim_db_timeout'] = "0"
4581 params
['disable_pmksa_caching'] = '1'
4582 hapd
= hostapd
.add_ap(apdev
[0], params
)
4584 # Run multiple iterations to make it more likely to hit the case where the
4585 # DB request times out and response is lost.
4588 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
4589 identity
="1232010000000000",
4590 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4591 wait_connect
=False, scan_freq
="2412")
4592 ev
= dev
[0].wait_event([ "CTRL-EVENT-CONNECTED",
4593 "CTRL-EVENT-DISCONNECTED" ],
4596 raise Exception("No connection result")
4597 dev
[0].request("REMOVE_NETWORK all")
4598 if "CTRL-EVENT-DISCONNECTED" in ev
:
4600 dev
[0].wait_disconnected()
4603 def test_ap_wpa2_eap_too_many_roundtrips(dev
, apdev
):
4604 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
4605 skip_with_fips(dev
[0])
4606 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4607 hostapd
.add_ap(apdev
[0], params
)
4608 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
4609 eap
="TTLS", identity
="mschap user",
4610 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
4611 anonymous_identity
="ttls", password
="password",
4612 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4614 ev
= dev
[0].wait_event(["EAP: more than",
4615 "CTRL-EVENT-EAP-SUCCESS"], timeout
=20)
4616 if ev
is None or "EAP: more than" not in ev
:
4617 raise Exception("EAP roundtrip limit not reached")
4619 def test_ap_wpa2_eap_expanded_nak(dev
, apdev
):
4620 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
4621 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4622 hostapd
.add_ap(apdev
[0], params
)
4623 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
4624 eap
="PSK", identity
="vendor-test",
4625 password_hex
="ff23456789abcdef0123456789abcdef",
4629 for i
in range(0, 5):
4630 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout
=16)
4632 raise Exception("Association and EAP start timed out")
4633 if "refuse proposed method" in ev
:
4637 raise Exception("Unexpected EAP status: " + ev
)
4639 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4641 raise Exception("EAP failure timed out")
4643 def test_ap_wpa2_eap_sql(dev
, apdev
, params
):
4644 """WPA2-Enterprise connection using SQLite for user DB"""
4645 skip_with_fips(dev
[0])
4649 raise HwsimSkip("No sqlite3 module available")
4650 dbfile
= os
.path
.join(params
['logdir'], "eap-user.db")
4655 con
= sqlite3
.connect(dbfile
)
4658 cur
.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
4659 cur
.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
4660 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
4661 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
4662 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
4663 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
4664 cur
.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
4665 cur
.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
4668 params
= int_eap_server_params()
4669 params
["eap_user_file"] = "sqlite:" + dbfile
4670 hapd
= hostapd
.add_ap(apdev
[0], params
)
4671 eap_connect(dev
[0], hapd
, "TTLS", "user-mschapv2",
4672 anonymous_identity
="ttls", password
="password",
4673 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
4674 dev
[0].request("REMOVE_NETWORK all")
4675 eap_connect(dev
[1], hapd
, "TTLS", "user-mschap",
4676 anonymous_identity
="ttls", password
="password",
4677 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP")
4678 dev
[1].request("REMOVE_NETWORK all")
4679 eap_connect(dev
[0], hapd
, "TTLS", "user-chap",
4680 anonymous_identity
="ttls", password
="password",
4681 ca_cert
="auth_serv/ca.pem", phase2
="auth=CHAP")
4682 eap_connect(dev
[1], hapd
, "TTLS", "user-pap",
4683 anonymous_identity
="ttls", password
="password",
4684 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
4688 def test_ap_wpa2_eap_non_ascii_identity(dev
, apdev
):
4689 """WPA2-Enterprise connection attempt using non-ASCII identity"""
4690 params
= int_eap_server_params()
4691 hostapd
.add_ap(apdev
[0], params
)
4692 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4693 identity
="\x80", password
="password", wait_connect
=False)
4694 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4695 identity
="a\x80", password
="password", wait_connect
=False)
4696 for i
in range(0, 2):
4697 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
4699 raise Exception("Association and EAP start timed out")
4700 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
4702 raise Exception("EAP method selection timed out")
4704 def test_ap_wpa2_eap_non_ascii_identity2(dev
, apdev
):
4705 """WPA2-Enterprise connection attempt using non-ASCII identity"""
4706 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4707 hostapd
.add_ap(apdev
[0], params
)
4708 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4709 identity
="\x80", password
="password", wait_connect
=False)
4710 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4711 identity
="a\x80", password
="password", wait_connect
=False)
4712 for i
in range(0, 2):
4713 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
4715 raise Exception("Association and EAP start timed out")
4716 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
4718 raise Exception("EAP method selection timed out")
4720 def test_openssl_cipher_suite_config_wpas(dev
, apdev
):
4721 """OpenSSL cipher suite configuration on wpa_supplicant"""
4722 tls
= dev
[0].request("GET tls_library")
4723 if not tls
.startswith("OpenSSL"):
4724 raise HwsimSkip("TLS library is not OpenSSL: " + tls
)
4725 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4726 hapd
= hostapd
.add_ap(apdev
[0], params
)
4727 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
4728 anonymous_identity
="ttls", password
="password",
4729 openssl_ciphers
="AES128",
4730 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
4731 eap_connect(dev
[1], hapd
, "TTLS", "pap user",
4732 anonymous_identity
="ttls", password
="password",
4733 openssl_ciphers
="EXPORT",
4734 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
4735 expect_failure
=True, maybe_local_error
=True)
4736 dev
[2].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4737 identity
="pap user", anonymous_identity
="ttls",
4738 password
="password",
4739 openssl_ciphers
="FOO",
4740 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
4742 ev
= dev
[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
4744 raise Exception("EAP failure after invalid openssl_ciphers not reported")
4745 dev
[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd"""
    # The openssl_ciphers syntax is OpenSSL-specific, so both ends must be
    # built against OpenSSL for the expectations below to hold.
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls)
    # The integrated EAP server is restricted to AES256 suites.
    params = int_eap_server_params()
    params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0], params)
    tls = hapd.request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)

    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Default client cipher list overlaps with the server's AES256 list.
    eap_connect(dev[0], hapd, "TTLS", "pap user", **common)
    # An AES128-only client shares no suite with an AES256-only server; the
    # handshake has to fail rather than negotiate anything else.
    eap_connect(dev[1], hapd, "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **common)
    # HIGH:!ADH still contains the AES256 suites, so this one succeeds.
    eap_connect(dev[2], hapd, "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **common)

    # An unparseable cipher string must make ENABLE fail closed instead of
    # the AP silently coming up with default ciphers.
    params['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1], params, no_enable=True)
    if "FAIL" not in hapd2.request("ENABLE"):
        raise Exception("Invalid openssl_ciphers value accepted")
4776 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev
, apdev
, params
):
4777 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
4778 p
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4779 hapd
= hostapd
.add_ap(apdev
[0], p
)
4780 password
= "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
4781 pid
= find_wpas_process(dev
[0])
4782 id = eap_connect(dev
[0], hapd
, "TTLS", "pap-secret",
4783 anonymous_identity
="ttls", password
=password
,
4784 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
4785 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
4786 # event has been delivered, so verify that wpa_supplicant has returned to
4787 # eloop before reading process memory.
4790 buf
= read_process_memory(pid
, password
)
4792 dev
[0].request("DISCONNECT")
4793 dev
[0].wait_disconnected()
4801 with
open(os
.path
.join(params
['logdir'], 'log0'), 'r') as f
:
4802 for l
in f
.readlines():
4803 if "EAP-TTLS: Derived key - hexdump" in l
:
4804 val
= l
.strip().split(':')[3].replace(' ', '')
4805 msk
= binascii
.unhexlify(val
)
4806 if "EAP-TTLS: Derived EMSK - hexdump" in l
:
4807 val
= l
.strip().split(':')[3].replace(' ', '')
4808 emsk
= binascii
.unhexlify(val
)
4809 if "WPA: PMK - hexdump" in l
:
4810 val
= l
.strip().split(':')[3].replace(' ', '')
4811 pmk
= binascii
.unhexlify(val
)
4812 if "WPA: PTK - hexdump" in l
:
4813 val
= l
.strip().split(':')[3].replace(' ', '')
4814 ptk
= binascii
.unhexlify(val
)
4815 if "WPA: Group Key - hexdump" in l
:
4816 val
= l
.strip().split(':')[3].replace(' ', '')
4817 gtk
= binascii
.unhexlify(val
)
4818 if not msk
or not emsk
or not pmk
or not ptk
or not gtk
:
4819 raise Exception("Could not find keys from debug log")
4821 raise Exception("Unexpected GTK length")
4827 fname
= os
.path
.join(params
['logdir'],
4828 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
4830 logger
.info("Checking keys in memory while associated")
4831 get_key_locations(buf
, password
, "Password")
4832 get_key_locations(buf
, pmk
, "PMK")
4833 get_key_locations(buf
, msk
, "MSK")
4834 get_key_locations(buf
, emsk
, "EMSK")
4835 if password
not in buf
:
4836 raise HwsimSkip("Password not found while associated")
4838 raise HwsimSkip("PMK not found while associated")
4840 raise Exception("KCK not found while associated")
4842 raise Exception("KEK not found while associated")
4844 raise Exception("TK found from memory")
4846 get_key_locations(buf
, gtk
, "GTK")
4847 raise Exception("GTK found from memory")
4849 logger
.info("Checking keys in memory after disassociation")
4850 buf
= read_process_memory(pid
, password
)
4852 # Note: Password is still present in network configuration
4853 # Note: PMK is in PMKSA cache and EAP fast re-auth data
4855 get_key_locations(buf
, password
, "Password")
4856 get_key_locations(buf
, pmk
, "PMK")
4857 get_key_locations(buf
, msk
, "MSK")
4858 get_key_locations(buf
, emsk
, "EMSK")
4859 verify_not_present(buf
, kck
, fname
, "KCK")
4860 verify_not_present(buf
, kek
, fname
, "KEK")
4861 verify_not_present(buf
, tk
, fname
, "TK")
4862 verify_not_present(buf
, gtk
, fname
, "GTK")
4864 dev
[0].request("PMKSA_FLUSH")
4865 dev
[0].set_network_quoted(id, "identity", "foo")
4866 logger
.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
4867 buf
= read_process_memory(pid
, password
)
4868 get_key_locations(buf
, password
, "Password")
4869 get_key_locations(buf
, pmk
, "PMK")
4870 get_key_locations(buf
, msk
, "MSK")
4871 get_key_locations(buf
, emsk
, "EMSK")
4872 verify_not_present(buf
, pmk
, fname
, "PMK")
4874 dev
[0].request("REMOVE_NETWORK all")
4876 logger
.info("Checking keys in memory after network profile removal")
4877 buf
= read_process_memory(pid
, password
)
4879 get_key_locations(buf
, password
, "Password")
4880 get_key_locations(buf
, pmk
, "PMK")
4881 get_key_locations(buf
, msk
, "MSK")
4882 get_key_locations(buf
, emsk
, "EMSK")
4883 verify_not_present(buf
, password
, fname
, "password")
4884 verify_not_present(buf
, pmk
, fname
, "PMK")
4885 verify_not_present(buf
, kck
, fname
, "KCK")
4886 verify_not_present(buf
, kek
, fname
, "KEK")
4887 verify_not_present(buf
, tk
, fname
, "TK")
4888 verify_not_present(buf
, gtk
, fname
, "GTK")
4889 verify_not_present(buf
, msk
, fname
, "MSK")
4890 verify_not_present(buf
, emsk
, fname
, "EMSK")
4892 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev
, apdev
):
4893 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
4894 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4895 hapd
= hostapd
.add_ap(apdev
[0], params
)
4896 bssid
= apdev
[0]['bssid']
4897 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
4898 anonymous_identity
="ttls", password
="password",
4899 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
4901 # Send unexpected WEP EAPOL-Key; this gets dropped
4902 res
= dev
[0].request("EAPOL_RX " + bssid
+ " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
4904 raise Exception("EAPOL_RX to wpa_supplicant failed")
4906 def test_ap_wpa2_eap_in_bridge(dev
, apdev
):
4907 """WPA2-EAP and wpas interface in a bridge"""
4911 _test_ap_wpa2_eap_in_bridge(dev
, apdev
)
4913 subprocess
.call(['ip', 'link', 'set', 'dev', br_ifname
, 'down'])
4914 subprocess
.call(['brctl', 'delif', br_ifname
, ifname
])
4915 subprocess
.call(['brctl', 'delbr', br_ifname
])
4916 subprocess
.call(['iw', ifname
, 'set', '4addr', 'off'])
4918 def _test_ap_wpa2_eap_in_bridge(dev
, apdev
):
4919 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4920 hapd
= hostapd
.add_ap(apdev
[0], params
)
4924 wpas
= WpaSupplicant(global_iface
='/tmp/wpas-wlan5')
4925 subprocess
.call(['brctl', 'addbr', br_ifname
])
4926 subprocess
.call(['brctl', 'setfd', br_ifname
, '0'])
4927 subprocess
.call(['ip', 'link', 'set', 'dev', br_ifname
, 'up'])
4928 subprocess
.call(['iw', ifname
, 'set', '4addr', 'on'])
4929 subprocess
.check_call(['brctl', 'addif', br_ifname
, ifname
])
4930 wpas
.interface_add(ifname
, br_ifname
=br_ifname
)
4933 id = eap_connect(wpas
, hapd
, "PAX", "pax.user@example.com",
4934 password_hex
="0123456789abcdef0123456789abcdef")
4936 eap_reauth(wpas
, "PAX")
4938 # Try again as a regression test for packet socket workaround
4939 eap_reauth(wpas
, "PAX")
4941 wpas
.request("DISCONNECT")
4942 wpas
.wait_disconnected()
4944 wpas
.request("RECONNECT")
4945 wpas
.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Sanity check that the AP really came up with WPA-EAP as its first AKM
    # before attributing any failure to the session ticket handling.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm, _, _ = key_mgmt.partition(' ')
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # phase1 explicitly keeps TLS session tickets enabled on the supplicant.
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    # Reauthenticate once a session exists so the ticket path gets used.
    eap_reauth(dev[0], "TTLS")
4961 def test_ap_wpa2_eap_no_workaround(dev
, apdev
):
4962 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
4963 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4964 hapd
= hostapd
.add_ap(apdev
[0], params
)
4965 key_mgmt
= hapd
.get_config()['key_mgmt']
4966 if key_mgmt
.split(' ')[0] != "WPA-EAP":
4967 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt
)
4968 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
4969 anonymous_identity
="ttls", password
="password",
4970 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
4972 eap_reauth(dev
[0], "TTLS")
4974 def test_ap_wpa2_eap_tls_check_crl(dev
, apdev
):
4975 """EAP-TLS and server checking CRL"""
4976 params
= int_eap_server_params()
4977 params
['check_crl'] = '1'
4978 hapd
= hostapd
.add_ap(apdev
[0], params
)
4980 # check_crl=1 and no CRL available --> reject connection
4981 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
4982 client_cert
="auth_serv/user.pem",
4983 private_key
="auth_serv/user.key", expect_failure
=True)
4984 dev
[0].request("REMOVE_NETWORK all")
4987 hapd
.set("ca_cert", "auth_serv/ca-and-crl.pem")
4990 # check_crl=1 and valid CRL --> accept
4991 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
4992 client_cert
="auth_serv/user.pem",
4993 private_key
="auth_serv/user.key")
4994 dev
[0].request("REMOVE_NETWORK all")
4997 hapd
.set("check_crl", "2")
5000 # check_crl=2 and valid CRL --> accept
5001 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5002 client_cert
="auth_serv/user.pem",
5003 private_key
="auth_serv/user.key")
5004 dev
[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_tls_oom(dev, apdev):
    """EAP-TLS and OOM"""
    # Every certificate matching option is configured below, so the build
    # must support each of them for the test to be meaningful.
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    check_domain_match(dev[0])
    check_domain_match_full(dev[0])

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    # Fail the n-th allocation inside tls_connection_set_subject_match for
    # n = 1..4 and confirm each failure is surfaced instead of the connection
    # proceeding with incomplete certificate matching rules.
    tests = [(count, "tls_connection_set_subject_match")
             for count in range(1, 5)]
    # NOTE(review): the None-check guard on the wait_event() result below was
    # not legible in this listing and is restored from the raise that follows.
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                           identity="tls user", ca_cert="auth_serv/ca.pem",
                           client_cert="auth_serv/user.pem",
                           private_key="auth_serv/user.key",
                           subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                           altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
                           domain_suffix_match="server.w1.fi",
                           domain_match="server.w1.fi",
                           wait_connect=False, scan_freq="2412")
            # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
            ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
            if ev is None:
                raise Exception("No passphrase request")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL"""
    # macaddr_acl=2 makes hostapd consult the RADIUS server for the station's
    # MAC address on top of the EAP-TLS authentication itself.
    # NOTE(review): dev[1] rather than dev[0] is used here; presumably its
    # address is the one the ACL configuration accepts — confirm against the
    # auth_serv setup before changing it.
    cfg = {**hostapd.wpa2_eap_params(ssid="test-wpa2-eap"),
           "macaddr_acl": "2"}
    hapd = hostapd.add_ap(apdev[0], cfg)
    eap_connect(dev[1], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
5047 def test_ap_wpa2_eap_oom(dev
, apdev
):
5048 """EAP server and OOM"""
5049 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5050 hapd
= hostapd
.add_ap(apdev
[0], params
)
5051 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
5053 with
alloc_fail(hapd
, 1, "eapol_auth_alloc"):
5054 # The first attempt fails, but STA will send EAPOL-Start to retry and
5056 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5057 identity
="tls user", ca_cert
="auth_serv/ca.pem",
5058 client_cert
="auth_serv/user.pem",
5059 private_key
="auth_serv/user.key",
5062 def check_tls_ver(dev
, hapd
, phase1
, expected
):
5063 eap_connect(dev
, hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5064 client_cert
="auth_serv/user.pem",
5065 private_key
="auth_serv/user.key",
5067 ver
= dev
.get_status_field("eap_tls_version")
5069 raise Exception("Unexpected TLS version (expected %s): %s" % (expected
, ver
))
5071 def test_ap_wpa2_eap_tls_versions(dev
, apdev
):
5072 """EAP-TLS and TLS version configuration"""
5073 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5074 hapd
= hostapd
.add_ap(apdev
[0], params
)
5076 tls
= dev
[0].request("GET tls_library")
5077 if tls
.startswith("OpenSSL"):
5078 if "build=OpenSSL 1.0.2" in tls
and "run=OpenSSL 1.0.2" in tls
:
5079 check_tls_ver(dev
[0], hapd
,
5080 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
5082 elif tls
.startswith("internal"):
5083 check_tls_ver(dev
[0], hapd
,
5084 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
5085 check_tls_ver(dev
[1], hapd
,
5086 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
5087 check_tls_ver(dev
[2], hapd
,
5088 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
5090 def test_rsn_ie_proto_eap_sta(dev
, apdev
):
5091 """RSN element protocol testing for EAP cases on STA side"""
5092 bssid
= apdev
[0]['bssid']
5093 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5094 # This is the RSN element used normally by hostapd
5095 params
['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
5096 hapd
= hostapd
.add_ap(apdev
[0], params
)
5097 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
5098 identity
="gpsk user",
5099 password
="abcdefghijklmnop0123456789abcdef",
5102 tests
= [ ('No RSN Capabilities field',
5103 '30120100000fac040100000fac040100000fac01'),
5104 ('No AKM Suite fields',
5105 '300c0100000fac040100000fac04'),
5106 ('No Pairwise Cipher Suite fields',
5107 '30060100000fac04'),
5108 ('No Group Data Cipher Suite field',
5110 for txt
,ie
in tests
:
5111 dev
[0].request("DISCONNECT")
5112 dev
[0].wait_disconnected()
5115 hapd
.set('own_ie_override', ie
)
5117 dev
[0].request("BSS_FLUSH 0")
5118 dev
[0].scan_for_bss(bssid
, 2412, force_scan
=True, only_new
=True)
5119 dev
[0].select_network(id, freq
=2412)
5120 dev
[0].wait_connected()
5122 dev
[0].request("DISCONNECT")
5123 dev
[0].wait_disconnected()
5124 dev
[0].flush_scan_cache()
def check_tls_session_resumption_capa(dev, hapd):
    """Skip the test unless both hostapd and the station use OpenSSL.

    The session resumption tests depend on OpenSSL's session cache on the
    hostapd side and on resumption support in wpa_supplicant. The hostapd
    side is checked first.

    Args:
        dev: station control interface (answers "GET tls_library").
        hapd: hostapd control interface (answers "GET tls_library").

    Raises:
        HwsimSkip: when either side reports a non-OpenSSL TLS library.
    """
    checks = ((hapd, "hostapd TLS library is not OpenSSL: "),
              (dev, "Session resumption not supported with this TLS library: "))
    for peer, reason in checks:
        tls = peer.request("GET tls_library")
        if not tls.startswith("OpenSSL"):
            raise HwsimSkip(reason + tls)
5135 def test_eap_ttls_pap_session_resumption(dev
, apdev
):
5136 """EAP-TTLS/PAP session resumption"""
5137 params
= int_eap_server_params()
5138 params
['tls_session_lifetime'] = '60'
5139 hapd
= hostapd
.add_ap(apdev
[0], params
)
5140 check_tls_session_resumption_capa(dev
[0], hapd
)
5141 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5142 anonymous_identity
="ttls", password
="password",
5143 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5145 if dev
[0].get_status_field("tls_session_reused") != '0':
5146 raise Exception("Unexpected session resumption on the first connection")
5148 dev
[0].request("REAUTHENTICATE")
5149 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5151 raise Exception("EAP success timed out")
5152 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5154 raise Exception("Key handshake with the AP timed out")
5155 if dev
[0].get_status_field("tls_session_reused") != '1':
5156 raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_chap_session_resumption(dev, apdev):
    """EAP-TTLS/CHAP session resumption"""
    sta = dev[0]
    params = int_eap_server_params()
    # Keep cached TLS sessions alive long enough for the reauthentication.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(sta, hapd)
    eap_connect(sta, hapd, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    # A brand new session must have gone through a full handshake.
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # NOTE(review): the None-check guards on the two wait_event() results
    # below were not legible in this listing and are restored from the raise
    # that follows each of them.
    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    # The second handshake is expected to resume the cached session.
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_mschap_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAP session resumption"""
    # domain_suffix_match is part of the profile, so the TLS library must
    # support it.
    check_domain_suffix_match(dev[0])
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")

    def reused():
        return dev[0].get_status_field("tls_session_reused")

    # First connection: full handshake, nothing to resume yet.
    if reused() != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # NOTE(review): the None-check guards on the two wait_event() results
    # below were not legible in this listing and are restored from the raise
    # that follows each of them.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    # Second connection: the cached session must have been resumed.
    if reused() != '1':
        raise Exception("Session resumption not used on the second connection")
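def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAPv2 session resumption"""
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    # Keep cached TLS sessions alive long enough for the reauthentication.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    # The identity carries a DOMAIN\ prefix; the backslash is escaped so the
    # literal is a valid (non-deprecated) escape sequence while producing the
    # same string as before.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    # First connection: full handshake, nothing to resume yet.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # NOTE(review): the None-check guards on the two wait_event() results
    # below were not legible in this listing and are restored from the raise
    # that follows each of them.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    # Second connection: the cached session must have been resumed.
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")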
def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
    """EAP-TTLS/EAP-GTC session resumption"""
    sta = dev[0]
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(sta, hapd)
    # Inner method is EAP-GTC tunnelled inside TTLS ("autheap=").
    eap_connect(sta, hapd, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # NOTE(review): the None-check guards on the two wait_event() results
    # below were not legible in this listing and are restored from the raise
    # that follows each of them.
    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    # Reauthentication is expected to resume the cached TLS session.
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
5251 def test_eap_ttls_no_session_resumption(dev
, apdev
):
5252 """EAP-TTLS session resumption disabled on server"""
5253 params
= int_eap_server_params()
5254 params
['tls_session_lifetime'] = '0'
5255 hapd
= hostapd
.add_ap(apdev
[0], params
)
5256 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5257 anonymous_identity
="ttls", password
="password",
5258 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5260 if dev
[0].get_status_field("tls_session_reused") != '0':
5261 raise Exception("Unexpected session resumption on the first connection")
5263 dev
[0].request("REAUTHENTICATE")
5264 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5266 raise Exception("EAP success timed out")
5267 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5269 raise Exception("Key handshake with the AP timed out")
5270 if dev
[0].get_status_field("tls_session_reused") != '0':
5271 raise Exception("Unexpected session resumption on the second connection")
def test_eap_peap_session_resumption(dev, apdev):
    """EAP-PEAP session resumption"""
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    def expect_reused(value, err):
        # tls_session_reused is reported as a string field of STATUS.
        if dev[0].get_status_field("tls_session_reused") != value:
            raise Exception(err)

    expect_reused('0', "Unexpected session resumption on the first connection")

    # NOTE(review): the None-check guards on the two wait_event() results
    # below were not legible in this listing and are restored from the raise
    # that follows each of them.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    expect_reused('1', "Session resumption not used on the second connection")
def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
    """EAP-PEAP session resumption with crypto binding"""
    sta = dev[0]
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(sta, hapd)
    # PEAPv0 with cryptobinding required (crypto_binding=2): resumption must
    # still work when the inner/outer binding check is mandatory.
    eap_connect(sta, hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                phase1="peapver=0 crypto_binding=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # NOTE(review): the None-check guards on the two wait_event() results
    # below were not legible in this listing and are restored from the raise
    # that follows each of them.
    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_peap_no_session_resumption(dev, apdev):
    """EAP-PEAP session resumption disabled on server"""
    # No tls_session_lifetime is configured, so the server must not cache
    # sessions at all; a resumed handshake here would mean session state is
    # being reused against the configuration.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    def expect_no_resumption(err):
        if dev[0].get_status_field("tls_session_reused") != '0':
            raise Exception(err)

    expect_no_resumption("Unexpected session resumption on the first connection")

    # NOTE(review): the None-check guards on the two wait_event() results
    # below were not legible in this listing and are restored from the raise
    # that follows each of them.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    expect_no_resumption("Unexpected session resumption on the second connection")
def test_eap_tls_session_resumption(dev, apdev):
    """EAP-TLS session resumption"""
    sta = dev[0]
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(sta, hapd)
    eap_connect(sta, hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # NOTE(review): the None-check guards on the wait_event() results inside
    # reauth() were not legible in this listing and are restored from the
    # raise that follows each of them.
    def reauth():
        # Trigger a reauthentication and wait for both EAP success and the
        # completed 4-way handshake.
        sta.request("REAUTHENTICATE")
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if sta.wait_event(["WPA: Key negotiation completed"],
                          timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")

    # Both the second and the third connection must resume the cached
    # session, i.e. resumption keeps working across repeated reauths.
    reauth()
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")

    reauth()
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the third connection")
5370 def test_eap_tls_session_resumption_expiration(dev
, apdev
):
5371 """EAP-TLS session resumption"""
5372 params
= int_eap_server_params()
5373 params
['tls_session_lifetime'] = '1'
5374 hapd
= hostapd
.add_ap(apdev
[0], params
)
5375 check_tls_session_resumption_capa(dev
[0], hapd
)
5376 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5377 client_cert
="auth_serv/user.pem",
5378 private_key
="auth_serv/user.key")
5379 if dev
[0].get_status_field("tls_session_reused") != '0':
5380 raise Exception("Unexpected session resumption on the first connection")
5382 # Allow multiple attempts since OpenSSL may not expire the cached entry
5387 dev
[0].request("REAUTHENTICATE")
5388 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5390 raise Exception("EAP success timed out")
5391 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5393 raise Exception("Key handshake with the AP timed out")
5394 if dev
[0].get_status_field("tls_session_reused") == '0':
5396 if dev
[0].get_status_field("tls_session_reused") != '0':
5397 raise Exception("Session resumption used after lifetime expiration")
def test_eap_tls_no_session_resumption(dev, apdev):
    """EAP-TLS session resumption disabled on server"""
    sta = dev[0]
    # Default integrated-server configuration, no tls_session_lifetime: the
    # server must not hand out a resumable session on either connection.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(sta, hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # NOTE(review): the None-check guards on the two wait_event() results
    # below were not legible in this listing and are restored from the raise
    # that follows each of them.
    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
5419 def test_eap_tls_session_resumption_radius(dev
, apdev
):
5420 """EAP-TLS session resumption (RADIUS)"""
5421 params
= { "ssid": "as", "beacon_int": "2000",
5422 "radius_server_clients": "auth_serv/radius_clients.conf",
5423 "radius_server_auth_port": '18128',
5425 "eap_user_file": "auth_serv/eap_user.conf",
5426 "ca_cert": "auth_serv/ca.pem",
5427 "server_cert": "auth_serv/server.pem",
5428 "private_key": "auth_serv/server.key",
5429 "tls_session_lifetime": "60" }
5430 authsrv
= hostapd
.add_ap(apdev
[1], params
)
5431 check_tls_session_resumption_capa(dev
[0], authsrv
)
5433 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5434 params
['auth_server_port'] = "18128"
5435 hapd
= hostapd
.add_ap(apdev
[0], params
)
5436 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5437 client_cert
="auth_serv/user.pem",
5438 private_key
="auth_serv/user.key")
5439 if dev
[0].get_status_field("tls_session_reused") != '0':
5440 raise Exception("Unexpected session resumption on the first connection")
5442 dev
[0].request("REAUTHENTICATE")
5443 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5445 raise Exception("EAP success timed out")
5446 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5448 raise Exception("Key handshake with the AP timed out")
5449 if dev
[0].get_status_field("tls_session_reused") != '1':
5450 raise Exception("Session resumption not used on the second connection")
5452 def test_eap_tls_no_session_resumption_radius(dev
, apdev
):
5453 """EAP-TLS session resumption disabled (RADIUS)"""
5454 params
= { "ssid": "as", "beacon_int": "2000",
5455 "radius_server_clients": "auth_serv/radius_clients.conf",
5456 "radius_server_auth_port": '18128',
5458 "eap_user_file": "auth_serv/eap_user.conf",
5459 "ca_cert": "auth_serv/ca.pem",
5460 "server_cert": "auth_serv/server.pem",
5461 "private_key": "auth_serv/server.key",
5462 "tls_session_lifetime": "0" }
5463 hostapd
.add_ap(apdev
[1], params
)
5465 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5466 params
['auth_server_port'] = "18128"
5467 hapd
= hostapd
.add_ap(apdev
[0], params
)
5468 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5469 client_cert
="auth_serv/user.pem",
5470 private_key
="auth_serv/user.key")
5471 if dev
[0].get_status_field("tls_session_reused") != '0':
5472 raise Exception("Unexpected session resumption on the first connection")
5474 dev
[0].request("REAUTHENTICATE")
5475 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5477 raise Exception("EAP success timed out")
5478 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5480 raise Exception("Key handshake with the AP timed out")
5481 if dev
[0].get_status_field("tls_session_reused") != '0':
5482 raise Exception("Unexpected session resumption on the second connection")
5484 def test_eap_mschapv2_errors(dev
, apdev
):
5485 """EAP-MSCHAPv2 error cases"""
5486 check_eap_capa(dev
[0], "MSCHAPV2")
5487 check_eap_capa(dev
[0], "FAST")
5489 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa-eap")
5490 hapd
= hostapd
.add_ap(apdev
[0], params
)
5491 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
5492 identity
="phase1-user", password
="password",
5494 dev
[0].request("REMOVE_NETWORK all")
5495 dev
[0].wait_disconnected()
5497 tests
= [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
5498 (1, "nt_password_hash;mschapv2_derive_response"),
5499 (1, "nt_password_hash;=mschapv2_derive_response"),
5500 (1, "generate_nt_response;mschapv2_derive_response"),
5501 (1, "generate_authenticator_response;mschapv2_derive_response"),
5502 (1, "nt_password_hash;=mschapv2_derive_response"),
5503 (1, "get_master_key;mschapv2_derive_response"),
5504 (1, "os_get_random;eap_mschapv2_challenge_reply") ]
5505 for count
, func
in tests
:
5506 with
fail_test(dev
[0], count
, func
):
5507 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
5508 identity
="phase1-user", password
="password",
5509 wait_connect
=False, scan_freq
="2412")
5510 wait_fail_trigger(dev
[0], "GET_FAIL")
5511 dev
[0].request("REMOVE_NETWORK all")
5512 dev
[0].wait_disconnected()
5514 tests
= [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
5515 (1, "hash_nt_password_hash;=mschapv2_derive_response"),
5516 (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
5517 (1, "generate_authenticator_response_pwhash;mschapv2_derive_response") ]
5518 for count
, func
in tests
:
5519 with
fail_test(dev
[0], count
, func
):
5520 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
5521 identity
="phase1-user",
5522 password_hex
="hash:8846f7eaee8fb117ad06bdd830b7586c",
5523 wait_connect
=False, scan_freq
="2412")
5524 wait_fail_trigger(dev
[0], "GET_FAIL")
5525 dev
[0].request("REMOVE_NETWORK all")
5526 dev
[0].wait_disconnected()
5528 tests
= [ (1, "eap_mschapv2_init"),
5529 (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
5530 (1, "eap_msg_alloc;eap_mschapv2_success"),
5531 (1, "eap_mschapv2_getKey") ]
5532 for count
, func
in tests
:
5533 with
alloc_fail(dev
[0], count
, func
):
5534 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
5535 identity
="phase1-user", password
="password",
5536 wait_connect
=False, scan_freq
="2412")
5537 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
5538 dev
[0].request("REMOVE_NETWORK all")
5539 dev
[0].wait_disconnected()
5541 tests
= [ (1, "eap_msg_alloc;eap_mschapv2_failure") ]
5542 for count
, func
in tests
:
5543 with
alloc_fail(dev
[0], count
, func
):
5544 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
5545 identity
="phase1-user", password
="wrong password",
5546 wait_connect
=False, scan_freq
="2412")
5547 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
5548 dev
[0].request("REMOVE_NETWORK all")
5549 dev
[0].wait_disconnected()
5551 tests
= [ (2, "eap_mschapv2_init"),
5552 (3, "eap_mschapv2_init") ]
5553 for count
, func
in tests
:
5554 with
alloc_fail(dev
[0], count
, func
):
5555 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="FAST",
5556 anonymous_identity
="FAST", identity
="user",
5557 password
="password",
5558 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
5559 phase1
="fast_provisioning=1",
5560 pac_file
="blob://fast_pac",
5561 wait_connect
=False, scan_freq
="2412")
5562 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
5563 dev
[0].request("REMOVE_NETWORK all")
5564 dev
[0].wait_disconnected()
5566 def test_eap_gpsk_errors(dev
, apdev
):
5567 """EAP-GPSK error cases"""
5568 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa-eap")
5569 hapd
= hostapd
.add_ap(apdev
[0], params
)
5570 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
5571 identity
="gpsk user",
5572 password
="abcdefghijklmnop0123456789abcdef",
5574 dev
[0].request("REMOVE_NETWORK all")
5575 dev
[0].wait_disconnected()
5577 tests
= [ (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
5578 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
5580 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
5582 (1, "eap_gpsk_derive_keys_helper", None),
5583 (2, "eap_gpsk_derive_keys_helper", None),
5584 (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
5586 (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
5588 (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
5589 (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
5590 (1, "eap_gpsk_derive_mid_helper", None) ]
5591 for count
, func
, phase1
in tests
:
5592 with
fail_test(dev
[0], count
, func
):
5593 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
5594 identity
="gpsk user",
5595 password
="abcdefghijklmnop0123456789abcdef",
5597 wait_connect
=False, scan_freq
="2412")
5598 wait_fail_trigger(dev
[0], "GET_FAIL")
5599 dev
[0].request("REMOVE_NETWORK all")
5600 dev
[0].wait_disconnected()
5602 tests
= [ (1, "eap_gpsk_init"),
5603 (2, "eap_gpsk_init"),
5604 (3, "eap_gpsk_init"),
5605 (1, "eap_gpsk_process_id_server"),
5606 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
5607 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
5608 (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
5609 (1, "eap_gpsk_derive_keys"),
5610 (1, "eap_gpsk_derive_keys_helper"),
5611 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
5612 (1, "eap_gpsk_getKey"),
5613 (1, "eap_gpsk_get_emsk"),
5614 (1, "eap_gpsk_get_session_id") ]
5615 for count
, func
in tests
:
5616 with
alloc_fail(dev
[0], count
, func
):
5617 dev
[0].request("ERP_FLUSH")
5618 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
5619 identity
="gpsk user", erp
="1",
5620 password
="abcdefghijklmnop0123456789abcdef",
5621 wait_connect
=False, scan_freq
="2412")
5622 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
5623 dev
[0].request("REMOVE_NETWORK all")
5624 dev
[0].wait_disconnected()
5626 def test_ap_wpa2_eap_sim_db(dev
, apdev
, params
):
5627 """EAP-SIM DB error cases"""
5628 sockpath
= '/tmp/hlr_auc_gw.sock-test'
5633 hparams
= int_eap_server_params()
5634 hparams
['eap_sim_db'] = 'unix:' + sockpath
5635 hapd
= hostapd
.add_ap(apdev
[0], hparams
)
5637 # Initial test with hlr_auc_gw socket not available
5638 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
5639 eap
="SIM", identity
="1232010000000000",
5640 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
5641 scan_freq
="2412", wait_connect
=False)
5642 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
5644 raise Exception("EAP-Failure not reported")
5645 dev
[0].wait_disconnected()
5646 dev
[0].request("DISCONNECT")
5648 # Test with invalid responses and response timeout
5650 class test_handler(SocketServer
.DatagramRequestHandler
):
5652 data
= self
.request
[0].strip()
5653 socket
= self
.request
[1]
5654 logger
.debug("Received hlr_auc_gw request: " + data
)
5655 # EAP-SIM DB: Failed to parse response string
5656 socket
.sendto("FOO", self
.client_address
)
5657 # EAP-SIM DB: Failed to parse response string
5658 socket
.sendto("FOO 1", self
.client_address
)
5659 # EAP-SIM DB: Unknown external response
5660 socket
.sendto("FOO 1 2", self
.client_address
)
5661 logger
.info("No proper response - wait for pending eap_sim_db request timeout")
5663 server
= SocketServer
.UnixDatagramServer(sockpath
, test_handler
)
5666 dev
[0].select_network(id)
5667 server
.handle_request()
5668 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
5670 raise Exception("EAP-Failure not reported")
5671 dev
[0].wait_disconnected()
5672 dev
[0].request("DISCONNECT")
5674 # Test with a valid response
5676 class test_handler2(SocketServer
.DatagramRequestHandler
):
5678 data
= self
.request
[0].strip()
5679 socket
= self
.request
[1]
5680 logger
.debug("Received hlr_auc_gw request: " + data
)
5681 fname
= os
.path
.join(params
['logdir'],
5682 'hlr_auc_gw.milenage_db')
5683 cmd
= subprocess
.Popen(['../../hostapd/hlr_auc_gw',
5685 stdout
=subprocess
.PIPE
)
5686 res
= cmd
.stdout
.read().strip()
5688 logger
.debug("hlr_auc_gw response: " + res
)
5689 socket
.sendto(res
, self
.client_address
)
5691 server
.RequestHandlerClass
= test_handler2
5693 dev
[0].select_network(id)
5694 server
.handle_request()
5695 dev
[0].wait_connected()
5696 dev
[0].request("DISCONNECT")
5697 dev
[0].wait_disconnected()
5699 def test_eap_tls_sha512(dev
, apdev
, params
):
5700 """EAP-TLS with SHA512 signature"""
5701 params
= int_eap_server_params()
5702 params
["ca_cert"] = "auth_serv/sha512-ca.pem"
5703 params
["server_cert"] = "auth_serv/sha512-server.pem"
5704 params
["private_key"] = "auth_serv/sha512-server.key"
5705 hostapd
.add_ap(apdev
[0], params
)
5707 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5708 identity
="tls user sha512",
5709 ca_cert
="auth_serv/sha512-ca.pem",
5710 client_cert
="auth_serv/sha512-user.pem",
5711 private_key
="auth_serv/sha512-user.key",
5713 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5714 identity
="tls user sha512",
5715 ca_cert
="auth_serv/sha512-ca.pem",
5716 client_cert
="auth_serv/sha384-user.pem",
5717 private_key
="auth_serv/sha384-user.key",
5720 def test_eap_tls_sha384(dev
, apdev
, params
):
5721 """EAP-TLS with SHA384 signature"""
5722 params
= int_eap_server_params()
5723 params
["ca_cert"] = "auth_serv/sha512-ca.pem"
5724 params
["server_cert"] = "auth_serv/sha384-server.pem"
5725 params
["private_key"] = "auth_serv/sha384-server.key"
5726 hostapd
.add_ap(apdev
[0], params
)
5728 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5729 identity
="tls user sha512",
5730 ca_cert
="auth_serv/sha512-ca.pem",
5731 client_cert
="auth_serv/sha512-user.pem",
5732 private_key
="auth_serv/sha512-user.key",
5734 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5735 identity
="tls user sha512",
5736 ca_cert
="auth_serv/sha512-ca.pem",
5737 client_cert
="auth_serv/sha384-user.pem",
5738 private_key
="auth_serv/sha384-user.key",
5741 def test_ap_wpa2_eap_assoc_rsn(dev
, apdev
):
5742 """WPA2-Enterprise AP and association request RSN IE differences"""
5743 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5744 hostapd
.add_ap(apdev
[0], params
)
5746 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap-11w")
5747 params
["ieee80211w"] = "2"
5748 hostapd
.add_ap(apdev
[1], params
)
5750 # Success cases with optional RSN IE fields removed one by one
5751 tests
= [ ("Normal wpa_supplicant assoc req RSN IE",
5752 "30140100000fac040100000fac040100000fac010000"),
5753 ("Extra PMKIDCount field in RSN IE",
5754 "30160100000fac040100000fac040100000fac0100000000"),
5755 ("Extra Group Management Cipher Suite in RSN IE",
5756 "301a0100000fac040100000fac040100000fac0100000000000fac06"),
5757 ("Extra undefined extension field in RSN IE",
5758 "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
5759 ("RSN IE without RSN Capabilities",
5760 "30120100000fac040100000fac040100000fac01"),
5761 ("RSN IE without AKM", "300c0100000fac040100000fac04"),
5762 ("RSN IE without pairwise", "30060100000fac04"),
5763 ("RSN IE without group", "30020100") ]
5764 for title
, ie
in tests
:
5766 set_test_assoc_ie(dev
[0], ie
)
5767 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
5768 identity
="gpsk user",
5769 password
="abcdefghijklmnop0123456789abcdef",
5771 dev
[0].request("REMOVE_NETWORK all")
5772 dev
[0].wait_disconnected()
5774 tests
= [ ("Normal wpa_supplicant assoc req RSN IE",
5775 "30140100000fac040100000fac040100000fac01cc00"),
5776 ("Group management cipher included in assoc req RSN IE",
5777 "301a0100000fac040100000fac040100000fac01cc000000000fac06") ]
5778 for title
, ie
in tests
:
5780 set_test_assoc_ie(dev
[0], ie
)
5781 dev
[0].connect("test-wpa2-eap-11w", key_mgmt
="WPA-EAP", ieee80211w
="1",
5782 eap
="GPSK", identity
="gpsk user",
5783 password
="abcdefghijklmnop0123456789abcdef",
5785 dev
[0].request("REMOVE_NETWORK all")
5786 dev
[0].wait_disconnected()
5788 tests
= [ ("Invalid group cipher", "30060100000fac02", 41),
5789 ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42) ]
5790 for title
, ie
, status
in tests
:
5792 set_test_assoc_ie(dev
[0], ie
)
5793 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
5794 identity
="gpsk user",
5795 password
="abcdefghijklmnop0123456789abcdef",
5796 scan_freq
="2412", wait_connect
=False)
5797 ev
= dev
[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
5799 raise Exception("Association rejection not reported")
5800 if "status_code=" + str(status
) not in ev
:
5801 raise Exception("Unexpected status code: " + ev
)
5802 dev
[0].request("REMOVE_NETWORK all")
5803 dev
[0].dump_monitor()
5805 tests
= [ ("Management frame protection not enabled",
5806 "30140100000fac040100000fac040100000fac010000", 31),
5807 ("Unsupported management group cipher",
5808 "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 31) ]
5809 for title
, ie
, status
in tests
:
5811 set_test_assoc_ie(dev
[0], ie
)
5812 dev
[0].connect("test-wpa2-eap-11w", key_mgmt
="WPA-EAP", ieee80211w
="1",
5813 eap
="GPSK", identity
="gpsk user",
5814 password
="abcdefghijklmnop0123456789abcdef",
5815 scan_freq
="2412", wait_connect
=False)
5816 ev
= dev
[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
5818 raise Exception("Association rejection not reported")
5819 if "status_code=" + str(status
) not in ev
:
5820 raise Exception("Unexpected status code: " + ev
)
5821 dev
[0].request("REMOVE_NETWORK all")
5822 dev
[0].dump_monitor()
def test_eap_tls_ext_cert_check(dev, apdev):
    """EAP-TLS and external server certification validation"""
    # With internal server certificate chain validation: ca_cert is set, so
    # the supplicant validates the server chain itself in addition to the
    # phase1 tls_ext_cert_check=1 request that run_ext_cert_check() answers
    # over the CTRL-REQ-EXT_CERT_CHECK control interface exchange.
    net_params = dict(key_mgmt="WPA-EAP", eap="TLS",
                      identity="tls user",
                      ca_cert="auth_serv/ca.pem",
                      client_cert="auth_serv/user.pem",
                      private_key="auth_serv/user.key",
                      phase1="tls_ext_cert_check=1",
                      scan_freq="2412",
                      # only added here; run_ext_cert_check() selects it once
                      # the AP is up
                      only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **net_params)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_ttls_ext_cert_check(dev, apdev):
    """EAP-TTLS and external server certification validation"""
    # Without internal server certificate chain validation: no ca_cert is
    # configured, so in this variant the external verdict delivered by
    # run_ext_cert_check() through CTRL-RSP-EXT_CERT_CHECK is the only check
    # applied to the server certificate before the PAP credentials are sent.
    net_params = dict(key_mgmt="WPA-EAP", eap="TTLS",
                      identity="pap user", anonymous_identity="ttls",
                      password="password", phase2="auth=PAP",
                      phase1="tls_ext_cert_check=1",
                      scan_freq="2412",
                      # only added here; run_ext_cert_check() selects it once
                      # the AP is up
                      only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **net_params)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_peap_ext_cert_check(dev, apdev):
    """EAP-PEAP and external server certification validation"""
    # With internal server certificate chain validation: ca_cert is set, so
    # the server chain is validated by the supplicant and additionally handed
    # to the external checker driven by run_ext_cert_check().
    net_params = dict(key_mgmt="WPA-EAP", eap="PEAP",
                      identity="user", anonymous_identity="peap",
                      ca_cert="auth_serv/ca.pem",
                      password="password", phase2="auth=MSCHAPV2",
                      phase1="tls_ext_cert_check=1",
                      scan_freq="2412",
                      # only added here; run_ext_cert_check() selects it once
                      # the AP is up
                      only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **net_params)
    run_ext_cert_check(dev, apdev, net_id)
5857 def test_eap_fast_ext_cert_check(dev
, apdev
):
5858 """EAP-FAST and external server certification validation"""
5859 check_eap_capa(dev
[0], "FAST")
5860 # With internal server certificate chain validation
5861 dev
[0].request("SET blob fast_pac_auth_ext ")
5862 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
5863 identity
="user", anonymous_identity
="FAST",
5864 ca_cert
="auth_serv/ca.pem",
5865 password
="password", phase2
="auth=GTC",
5866 phase1
="tls_ext_cert_check=1 fast_provisioning=2",
5867 pac_file
="blob://fast_pac_auth_ext",
5869 only_add_network
=True)
5870 run_ext_cert_check(dev
, apdev
, id)
5872 def run_ext_cert_check(dev
, apdev
, net_id
):
5873 check_ext_cert_check_support(dev
[0])
5874 if not openssl_imported
:
5875 raise HwsimSkip("OpenSSL python method not available")
5877 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5878 hapd
= hostapd
.add_ap(apdev
[0], params
)
5880 dev
[0].select_network(net_id
)
5883 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
5884 "CTRL-REQ-EXT_CERT_CHECK",
5885 "CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5887 raise Exception("No peer server certificate event seen")
5888 if "CTRL-EVENT-EAP-PEER-CERT" in ev
:
5891 vals
= ev
.split(' ')
5893 if v
.startswith("depth="):
5894 depth
= int(v
.split('=')[1])
5895 elif v
.startswith("cert="):
5896 cert
= v
.split('=')[1]
5897 if depth
is not None and cert
:
5898 certs
[depth
] = binascii
.unhexlify(cert
)
5899 elif "CTRL-EVENT-EAP-SUCCESS" in ev
:
5900 raise Exception("Unexpected EAP-Success")
5901 elif "CTRL-REQ-EXT_CERT_CHECK" in ev
:
5902 id = ev
.split(':')[0].split('-')[-1]
5905 raise Exception("Server certificate not received")
5907 raise Exception("Server certificate issuer not received")
5909 cert
= OpenSSL
.crypto
.load_certificate(OpenSSL
.crypto
.FILETYPE_ASN1
,
5911 cn
= cert
.get_subject().commonName
5912 logger
.info("Server certificate CN=" + cn
)
5914 issuer
= OpenSSL
.crypto
.load_certificate(OpenSSL
.crypto
.FILETYPE_ASN1
,
5916 icn
= issuer
.get_subject().commonName
5917 logger
.info("Issuer certificate CN=" + icn
)
5919 if cn
!= "server.w1.fi":
5920 raise Exception("Unexpected server certificate CN: " + cn
)
5921 if icn
!= "Root CA":
5922 raise Exception("Unexpected server certificate issuer CN: " + icn
)
5924 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=0.1)
5926 raise Exception("Unexpected EAP-Success before external check result indication")
5928 dev
[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
5929 dev
[0].wait_connected()
5931 dev
[0].request("DISCONNECT")
5932 dev
[0].wait_disconnected()
5933 if "FAIL" in dev
[0].request("PMKSA_FLUSH"):
5934 raise Exception("PMKSA_FLUSH failed")
5935 dev
[0].request("SET blob fast_pac_auth_ext ")
5936 dev
[0].request("RECONNECT")
5938 ev
= dev
[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout
=10)
5940 raise Exception("No peer server certificate event seen (2)")
5941 id = ev
.split(':')[0].split('-')[-1]
5942 dev
[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
5943 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
5945 raise Exception("EAP-Failure not reported")
5946 dev
[0].request("REMOVE_NETWORK all")
5947 dev
[0].wait_disconnected()
5949 def test_eap_tls_errors(dev
, apdev
):
5950 """EAP-TLS error cases"""
5951 params
= int_eap_server_params()
5952 params
['fragment_size'] = '100'
5953 hostapd
.add_ap(apdev
[0], params
)
5954 with
alloc_fail(dev
[0], 1,
5955 "eap_peer_tls_reassemble_fragment"):
5956 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5957 identity
="tls user", ca_cert
="auth_serv/ca.pem",
5958 client_cert
="auth_serv/user.pem",
5959 private_key
="auth_serv/user.key",
5960 wait_connect
=False, scan_freq
="2412")
5961 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
5962 dev
[0].request("REMOVE_NETWORK all")
5963 dev
[0].wait_disconnected()
5965 with
alloc_fail(dev
[0], 1, "eap_tls_init"):
5966 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5967 identity
="tls user", ca_cert
="auth_serv/ca.pem",
5968 client_cert
="auth_serv/user.pem",
5969 private_key
="auth_serv/user.key",
5970 wait_connect
=False, scan_freq
="2412")
5971 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
5972 dev
[0].request("REMOVE_NETWORK all")
5973 dev
[0].wait_disconnected()
5975 with
alloc_fail(dev
[0], 1, "eap_peer_tls_ssl_init"):
5976 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5977 identity
="tls user", ca_cert
="auth_serv/ca.pem",
5978 client_cert
="auth_serv/user.pem",
5979 private_key
="auth_serv/user.key",
5981 wait_connect
=False, scan_freq
="2412")
5982 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
5983 ev
= dev
[0].wait_event(["CTRL-REQ-PIN"], timeout
=5)
5985 raise Exception("No CTRL-REQ-PIN seen")
5986 dev
[0].request("REMOVE_NETWORK all")
5987 dev
[0].wait_disconnected()
5989 tests
= [ "eap_peer_tls_derive_key;eap_tls_success",
5990 "eap_peer_tls_derive_session_id;eap_tls_success",
5993 "eap_tls_get_session_id" ]
5995 with
alloc_fail(dev
[0], 1, func
):
5996 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5997 identity
="tls user", ca_cert
="auth_serv/ca.pem",
5998 client_cert
="auth_serv/user.pem",
5999 private_key
="auth_serv/user.key",
6001 wait_connect
=False, scan_freq
="2412")
6002 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6003 dev
[0].request("REMOVE_NETWORK all")
6004 dev
[0].wait_disconnected()
6006 with
alloc_fail(dev
[0], 1, "eap_unauth_tls_init"):
6007 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="UNAUTH-TLS",
6008 identity
="unauth-tls", ca_cert
="auth_serv/ca.pem",
6009 wait_connect
=False, scan_freq
="2412")
6010 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6011 dev
[0].request("REMOVE_NETWORK all")
6012 dev
[0].wait_disconnected()
6014 with
alloc_fail(dev
[0], 1, "eap_peer_tls_ssl_init;eap_unauth_tls_init"):
6015 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="UNAUTH-TLS",
6016 identity
="unauth-tls", ca_cert
="auth_serv/ca.pem",
6017 wait_connect
=False, scan_freq
="2412")
6018 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6019 dev
[0].request("REMOVE_NETWORK all")
6020 dev
[0].wait_disconnected()
6022 with
alloc_fail(dev
[0], 1, "eap_wfa_unauth_tls_init"):
6023 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
6024 eap
="WFA-UNAUTH-TLS",
6025 identity
="osen@example.com", ca_cert
="auth_serv/ca.pem",
6026 wait_connect
=False, scan_freq
="2412")
6027 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6028 dev
[0].request("REMOVE_NETWORK all")
6029 dev
[0].wait_disconnected()
6031 with
alloc_fail(dev
[0], 1, "eap_peer_tls_ssl_init;eap_wfa_unauth_tls_init"):
6032 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
6033 eap
="WFA-UNAUTH-TLS",
6034 identity
="osen@example.com", ca_cert
="auth_serv/ca.pem",
6035 wait_connect
=False, scan_freq
="2412")
6036 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6037 dev
[0].request("REMOVE_NETWORK all")
6038 dev
[0].wait_disconnected()
6040 def test_ap_wpa2_eap_status(dev
, apdev
):
6041 """EAP state machine status information"""
6042 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6043 hostapd
.add_ap(apdev
[0], params
)
6044 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
6045 identity
="cert user",
6046 ca_cert
="auth_serv/ca.pem", phase2
="auth=TLS",
6047 ca_cert2
="auth_serv/ca.pem",
6048 client_cert2
="auth_serv/user.pem",
6049 private_key2
="auth_serv/user.key",
6050 scan_freq
="2412", wait_connect
=False)
6056 selected_methods
= []
6057 for i
in range(100000):
6058 s
= dev
[0].get_status(extra
="VERBOSE")
6059 if 'EAP state' in s
:
6060 state
= s
['EAP state']
6062 if state
not in states
:
6063 states
.append(state
)
6064 if state
== "SUCCESS":
6067 if 'methodState' in s
:
6068 val
= s
['methodState']
6069 if val
not in method_states
:
6070 method_states
.append(val
)
6073 if val
not in decisions
:
6074 decisions
.append(val
)
6075 if 'reqMethod' in s
:
6076 val
= s
['reqMethod']
6077 if val
not in req_methods
:
6078 req_methods
.append(val
)
6079 if 'selectedMethod' in s
:
6080 val
= s
['selectedMethod']
6081 if val
not in selected_methods
:
6082 selected_methods
.append(val
)
6083 logger
.info("Iterations: %d" % i
)
6084 logger
.info("EAP states: " + str(states
))
6085 logger
.info("methodStates: " + str(method_states
))
6086 logger
.info("decisions: " + str(decisions
))
6087 logger
.info("reqMethods: " + str(req_methods
))
6088 logger
.info("selectedMethods: " + str(selected_methods
))
6090 raise Exception("EAP did not succeed")
6091 dev
[0].wait_connected()
6092 dev
[0].request("REMOVE_NETWORK all")
6093 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_gpsk_ptk_rekey_ap(dev, apdev):
    """WPA2-Enterprise with EAP-GPSK and PTK rekey enforced by AP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Short AP-side PTK rekey interval so the rekey happens within the test.
    ap_params['wpa_ptk_rekey'] = '2'
    hapd = hostapd.add_ap(apdev[0], ap_params)
    net_id = eap_connect(dev[0], hapd, "GPSK", "gpsk user",
                         password="abcdefghijklmnop0123456789abcdef")
    # eap_connect() already completed the initial handshake; the next key
    # negotiation event is the AP-triggered rekey.
    rekey_ev = dev[0].wait_event(["WPA: Key negotiation completed"])
    if rekey_ev is None:
        raise Exception("PTK rekey timed out")
    # Data path must still work with the new PTK.
    hwsim_utils.test_connectivity(dev[0], hapd)
6107 def test_ap_wpa2_eap_wildcard_ssid(dev
, apdev
):
6108 """WPA2-Enterprise connection using EAP-GPSK and wildcard SSID"""
6109 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6110 hapd
= hostapd
.add_ap(apdev
[0], params
)
6111 dev
[0].connect(bssid
=apdev
[0]['bssid'], key_mgmt
="WPA-EAP", eap
="GPSK",
6112 identity
="gpsk user",
6113 password
="abcdefghijklmnop0123456789abcdef",