1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
logger = logging.getLogger()  # root logger; used by the tests in this module for progress messages
22 from utils
import HwsimSkip
, alloc_fail
, fail_test
, skip_with_fips
, wait_fail_trigger
23 from wpasupplicant
import WpaSupplicant
24 from test_ap_psk
import check_mib
, find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
, set_test_assoc_ie
28 openssl_imported
= True
30 openssl_imported
= False
def check_hlr_auc_gw_support():
    """Skip the calling test when the hlr_auc_gw helper is not available.

    Only the presence of the helper's control socket is checked; nothing is
    sent over it here.

    Raises:
        HwsimSkip: if /tmp/hlr_auc_gw.sock does not exist.
    """
    # NOTE(review): a path under /tmp is a trustworthy liveness signal only in
    # the controlled hwsim test environment -- any local user able to create
    # that file makes this check pass without the helper running.
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
36 def check_eap_capa(dev
, method
):
37 res
= dev
.get_capability("eap")
39 raise HwsimSkip("EAP method %s not supported in the build" % method
)
def check_subject_match_support(dev):
    """Skip unless dev's TLS library is OpenSSL (needed for subject_match).

    Skipping means the subject_match certificate checks are simply not
    exercised for other TLS builds; run against an OpenSSL build for full
    coverage.

    Raises:
        HwsimSkip: if "GET tls_library" does not report an OpenSSL build.
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + tls_lib)
def check_altsubject_match_support(dev):
    """Skip unless dev's TLS library is OpenSSL (needed for altsubject_match).

    Raises:
        HwsimSkip: if "GET tls_library" does not report an OpenSSL build.
    """
    lib_name = dev.request("GET tls_library")
    supported = lib_name.startswith("OpenSSL")
    if not supported:
        raise HwsimSkip("altsubject_match not supported with this TLS library: "
                        + lib_name)
def check_domain_match(dev):
    """Skip when dev uses the internal TLS library (no domain_match there).

    Raises:
        HwsimSkip: if "GET tls_library" reports the internal TLS
            implementation.
    """
    lib_name = dev.request("GET tls_library")
    is_internal = lib_name.startswith("internal")
    if is_internal:
        raise HwsimSkip("domain_match not supported with this TLS library: "
                        + lib_name)
def check_domain_suffix_match(dev):
    """Skip when dev uses the internal TLS library (no domain_suffix_match).

    Raises:
        HwsimSkip: if "GET tls_library" reports the internal TLS
            implementation.
    """
    lib_name = dev.request("GET tls_library")
    if not lib_name.startswith("internal"):
        return
    raise HwsimSkip("domain_suffix_match not supported with this TLS library: "
                    + lib_name)
def check_domain_match_full(dev):
    """Skip unless dev's TLS library is OpenSSL.

    Used by tests that rely on domain_suffix_match accepting a suffix rather
    than requiring a full-name match; the skip message records that other
    TLS libraries require the full match.

    Raises:
        HwsimSkip: if "GET tls_library" does not report an OpenSSL build.
    """
    lib_name = dev.request("GET tls_library")
    if lib_name.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: "
                    + lib_name)
def check_cert_probe_support(dev):
    """Skip unless dev's TLS library is OpenSSL or the internal implementation.

    Certificate probing is exercised only with those two TLS backends.

    Raises:
        HwsimSkip: for any other "GET tls_library" result.
    """
    lib_name = dev.request("GET tls_library")
    # str.startswith accepts a tuple: either prefix is acceptable.
    if lib_name.startswith(("OpenSSL", "internal")):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: "
                    + lib_name)
def check_ext_cert_check_support(dev):
    """Skip unless dev's TLS library is OpenSSL (needed for ext_cert_check).

    Raises:
        HwsimSkip: if "GET tls_library" does not report an OpenSSL build.
    """
    lib_name = dev.request("GET tls_library")
    supported = lib_name.startswith("OpenSSL")
    if not supported:
        raise HwsimSkip("ext_cert_check not supported with this TLS library: "
                        + lib_name)
def check_ocsp_support(dev):
    """Capability gate for the OCSP tests; currently never skips.

    The TLS library name is still queried, but the two former skip
    conditions -- the internal TLS implementation and BoringSSL -- are
    disabled, so every TLS backend is allowed through. The query is kept so
    the helper keeps the same control-interface interaction as the other
    check_* gates.
    """
    dev.request("GET tls_library")
    # Disabled skips, retained for reference:
    #   tls.startswith("internal") -> "OCSP not supported with this TLS library"
    #   "BoringSSL" in tls         -> "OCSP not supported with this TLS library"
def check_pkcs5_v15_support(dev):
    """Skip when dev's TLS library is BoringSSL (no PKCS#5 v1.5 support).

    Unlike the other check_* gates this is a substring test, so any
    "GET tls_library" string mentioning BoringSSL triggers the skip.

    Raises:
        HwsimSkip: if the TLS library string contains "BoringSSL".
    """
    lib_name = dev.request("GET tls_library")
    if "BoringSSL" not in lib_name:
        return
    raise HwsimSkip("PKCS#5 v1.5 not supported with this TLS library: "
                    + lib_name)
88 def check_ocsp_multi_support(dev
):
89 tls
= dev
.request("GET tls_library")
90 if not tls
.startswith("internal"):
91 raise HwsimSkip("OCSP-multi not supported with this TLS library: " + tls
)
92 as_hapd
= hostapd
.Hostapd("as")
93 res
= as_hapd
.request("GET tls_library")
95 if not res
.startswith("internal"):
96 raise HwsimSkip("Authentication server does not support ocsp_multi")
def check_pkcs12_support(dev):
    """Capability gate for the PKCS#12 tests; currently never skips.

    The TLS library name is queried but not acted on: the former skip for
    the internal TLS implementation is disabled, so all backends pass.
    """
    dev.request("GET tls_library")
    # Disabled skip, retained for reference:
    #   tls.startswith("internal") -> "PKCS#12 not supported with this TLS library"
def check_dh_dsa_support(dev):
    """Skip when dev uses the internal TLS library (no DH-DSA support there).

    Raises:
        HwsimSkip: if "GET tls_library" reports the internal TLS
            implementation.
    """
    lib_name = dev.request("GET tls_library")
    is_internal = lib_name.startswith("internal")
    if is_internal:
        raise HwsimSkip("DH DSA not supported with this TLS library: "
                        + lib_name)
109 with
open(fname
, "r") as f
:
110 lines
= f
.readlines()
118 if "-----BEGIN" in l
:
120 return base64
.b64decode(cert
)
122 def eap_connect(dev
, hapd
, method
, identity
,
123 sha256
=False, expect_failure
=False, local_error_report
=False,
124 maybe_local_error
=False, **kwargs
):
125 id = dev
.connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
126 eap
=method
, identity
=identity
,
127 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
129 eap_check_auth(dev
, method
, True, sha256
=sha256
,
130 expect_failure
=expect_failure
,
131 local_error_report
=local_error_report
,
132 maybe_local_error
=maybe_local_error
)
135 ev
= hapd
.wait_event([ "AP-STA-CONNECTED" ], timeout
=5)
137 raise Exception("No connection event received from hostapd")
140 def eap_check_auth(dev
, method
, initial
, rsn
=True, sha256
=False,
141 expect_failure
=False, local_error_report
=False,
142 maybe_local_error
=False):
143 ev
= dev
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
145 raise Exception("Association and EAP start timed out")
146 ev
= dev
.wait_event(["CTRL-EVENT-EAP-METHOD",
147 "CTRL-EVENT-EAP-FAILURE"], timeout
=10)
149 raise Exception("EAP method selection timed out")
150 if "CTRL-EVENT-EAP-FAILURE" in ev
:
151 if maybe_local_error
:
153 raise Exception("Could not select EAP method")
155 raise Exception("Unexpected EAP method")
157 ev
= dev
.wait_event(["CTRL-EVENT-EAP-FAILURE"])
159 raise Exception("EAP failure timed out")
160 ev
= dev
.wait_disconnected(timeout
=10)
161 if maybe_local_error
and "locally_generated=1" in ev
:
163 if not local_error_report
:
164 if "reason=23" not in ev
:
165 raise Exception("Proper reason code for disconnection not reported")
167 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
169 raise Exception("EAP success timed out")
172 ev
= dev
.wait_event(["CTRL-EVENT-CONNECTED"], timeout
=10)
174 ev
= dev
.wait_event(["WPA: Key negotiation completed"], timeout
=10)
176 raise Exception("Association with the AP timed out")
177 status
= dev
.get_status()
178 if status
["wpa_state"] != "COMPLETED":
179 raise Exception("Connection not completed")
181 if status
["suppPortStatus"] != "Authorized":
182 raise Exception("Port not authorized")
183 if "selectedMethod" not in status
:
184 logger
.info("Status: " + str(status
))
185 raise Exception("No selectedMethod in status")
186 if method
not in status
["selectedMethod"]:
187 raise Exception("Incorrect EAP method status")
189 e
= "WPA2-EAP-SHA256"
191 e
= "WPA2/IEEE 802.1X/EAP"
193 e
= "WPA/IEEE 802.1X/EAP"
194 if status
["key_mgmt"] != e
:
195 raise Exception("Unexpected key_mgmt status: " + status
["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger EAP re-authentication on dev and validate the result.

    Issues REAUTHENTICATE over the control interface and then runs the same
    checks as a fresh connection via eap_check_auth(), with initial=False so
    that helper treats this as a re-authentication rather than the first
    association.

    Args:
        dev: WpaSupplicant instance to re-authenticate.
        method: EAP method name expected in the resulting status.
        rsn: expected RSN (WPA2) vs. WPA key_mgmt reporting.
        sha256: whether the SHA256 key_mgmt variant is expected.
        expect_failure: whether the re-authentication is expected to fail.

    Returns:
        The value returned by eap_check_auth().
    """
    dev.request("REAUTHENTICATE")
    check_opts = dict(rsn=rsn, sha256=sha256, expect_failure=expect_failure)
    return eap_check_auth(dev, method, False, **check_opts)
203 def test_ap_wpa2_eap_sim(dev
, apdev
):
204 """WPA2-Enterprise connection using EAP-SIM"""
205 check_hlr_auc_gw_support()
206 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
207 hapd
= hostapd
.add_ap(apdev
[0], params
)
208 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
209 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
210 hwsim_utils
.test_connectivity(dev
[0], hapd
)
211 eap_reauth(dev
[0], "SIM")
213 eap_connect(dev
[1], hapd
, "SIM", "1232010000000001",
214 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
215 eap_connect(dev
[2], hapd
, "SIM", "1232010000000002",
216 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
219 logger
.info("Negative test with incorrect key")
220 dev
[0].request("REMOVE_NETWORK all")
221 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
222 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
225 logger
.info("Invalid GSM-Milenage key")
226 dev
[0].request("REMOVE_NETWORK all")
227 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
228 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
231 logger
.info("Invalid GSM-Milenage key(2)")
232 dev
[0].request("REMOVE_NETWORK all")
233 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
234 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
237 logger
.info("Invalid GSM-Milenage key(3)")
238 dev
[0].request("REMOVE_NETWORK all")
239 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
240 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
243 logger
.info("Invalid GSM-Milenage key(4)")
244 dev
[0].request("REMOVE_NETWORK all")
245 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
246 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
249 logger
.info("Missing key configuration")
250 dev
[0].request("REMOVE_NETWORK all")
251 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
254 def test_ap_wpa2_eap_sim_sql(dev
, apdev
, params
):
255 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
256 check_hlr_auc_gw_support()
260 raise HwsimSkip("No sqlite3 module available")
261 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
262 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
263 params
['auth_server_port'] = "1814"
264 hapd
= hostapd
.add_ap(apdev
[0], params
)
265 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
266 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
268 logger
.info("SIM fast re-authentication")
269 eap_reauth(dev
[0], "SIM")
271 logger
.info("SIM full auth with pseudonym")
274 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
275 eap_reauth(dev
[0], "SIM")
277 logger
.info("SIM full auth with permanent identity")
280 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
281 cur
.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
282 eap_reauth(dev
[0], "SIM")
284 logger
.info("SIM reauth with mismatching MK")
287 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
288 eap_reauth(dev
[0], "SIM", expect_failure
=True)
289 dev
[0].request("REMOVE_NETWORK all")
291 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
292 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
295 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
296 eap_reauth(dev
[0], "SIM")
299 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
300 logger
.info("SIM reauth with mismatching counter")
301 eap_reauth(dev
[0], "SIM")
302 dev
[0].request("REMOVE_NETWORK all")
304 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
305 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
308 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
309 logger
.info("SIM reauth with max reauth count reached")
310 eap_reauth(dev
[0], "SIM")
312 def test_ap_wpa2_eap_sim_config(dev
, apdev
):
313 """EAP-SIM configuration options"""
314 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
315 hapd
= hostapd
.add_ap(apdev
[0], params
)
316 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
317 identity
="1232010000000000",
318 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
319 phase1
="sim_min_num_chal=1",
320 wait_connect
=False, scan_freq
="2412")
321 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
323 raise Exception("No EAP error message seen")
324 dev
[0].request("REMOVE_NETWORK all")
326 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
327 identity
="1232010000000000",
328 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
329 phase1
="sim_min_num_chal=4",
330 wait_connect
=False, scan_freq
="2412")
331 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
333 raise Exception("No EAP error message seen (2)")
334 dev
[0].request("REMOVE_NETWORK all")
336 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
337 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
338 phase1
="sim_min_num_chal=2")
339 eap_connect(dev
[1], hapd
, "SIM", "1232010000000000",
340 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
341 anonymous_identity
="345678")
343 def test_ap_wpa2_eap_sim_ext(dev
, apdev
):
344 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
346 _test_ap_wpa2_eap_sim_ext(dev
, apdev
)
348 dev
[0].request("SET external_sim 0")
350 def _test_ap_wpa2_eap_sim_ext(dev
, apdev
):
351 check_hlr_auc_gw_support()
352 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
353 hostapd
.add_ap(apdev
[0], params
)
354 dev
[0].request("SET external_sim 1")
355 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
356 identity
="1232010000000000",
357 wait_connect
=False, scan_freq
="2412")
358 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
360 raise Exception("Network connected timed out")
362 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
364 raise Exception("Wait for external SIM processing request timed out")
366 if p
[1] != "GSM-AUTH":
367 raise Exception("Unexpected CTRL-REQ-SIM type")
368 rid
= p
[0].split('-')[3]
371 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
372 # This will fail during processing, but the ctrl_iface command succeeds
373 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTH:" + resp
)
374 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
376 raise Exception("EAP failure not reported")
377 dev
[0].request("DISCONNECT")
378 dev
[0].wait_disconnected()
381 dev
[0].select_network(id, freq
="2412")
382 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
384 raise Exception("Wait for external SIM processing request timed out")
386 if p
[1] != "GSM-AUTH":
387 raise Exception("Unexpected CTRL-REQ-SIM type")
388 rid
= p
[0].split('-')[3]
389 # This will fail during GSM auth validation
390 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:q"):
391 raise Exception("CTRL-RSP-SIM failed")
392 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
394 raise Exception("EAP failure not reported")
395 dev
[0].request("DISCONNECT")
396 dev
[0].wait_disconnected()
399 dev
[0].select_network(id, freq
="2412")
400 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
402 raise Exception("Wait for external SIM processing request timed out")
404 if p
[1] != "GSM-AUTH":
405 raise Exception("Unexpected CTRL-REQ-SIM type")
406 rid
= p
[0].split('-')[3]
407 # This will fail during GSM auth validation
408 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:34"):
409 raise Exception("CTRL-RSP-SIM failed")
410 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
412 raise Exception("EAP failure not reported")
413 dev
[0].request("DISCONNECT")
414 dev
[0].wait_disconnected()
417 dev
[0].select_network(id, freq
="2412")
418 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
420 raise Exception("Wait for external SIM processing request timed out")
422 if p
[1] != "GSM-AUTH":
423 raise Exception("Unexpected CTRL-REQ-SIM type")
424 rid
= p
[0].split('-')[3]
425 # This will fail during GSM auth validation
426 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677"):
427 raise Exception("CTRL-RSP-SIM failed")
428 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
430 raise Exception("EAP failure not reported")
431 dev
[0].request("DISCONNECT")
432 dev
[0].wait_disconnected()
435 dev
[0].select_network(id, freq
="2412")
436 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
438 raise Exception("Wait for external SIM processing request timed out")
440 if p
[1] != "GSM-AUTH":
441 raise Exception("Unexpected CTRL-REQ-SIM type")
442 rid
= p
[0].split('-')[3]
443 # This will fail during GSM auth validation
444 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:q"):
445 raise Exception("CTRL-RSP-SIM failed")
446 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
448 raise Exception("EAP failure not reported")
449 dev
[0].request("DISCONNECT")
450 dev
[0].wait_disconnected()
453 dev
[0].select_network(id, freq
="2412")
454 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
456 raise Exception("Wait for external SIM processing request timed out")
458 if p
[1] != "GSM-AUTH":
459 raise Exception("Unexpected CTRL-REQ-SIM type")
460 rid
= p
[0].split('-')[3]
461 # This will fail during GSM auth validation
462 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233"):
463 raise Exception("CTRL-RSP-SIM failed")
464 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
466 raise Exception("EAP failure not reported")
467 dev
[0].request("DISCONNECT")
468 dev
[0].wait_disconnected()
471 dev
[0].select_network(id, freq
="2412")
472 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
474 raise Exception("Wait for external SIM processing request timed out")
476 if p
[1] != "GSM-AUTH":
477 raise Exception("Unexpected CTRL-REQ-SIM type")
478 rid
= p
[0].split('-')[3]
479 # This will fail during GSM auth validation
480 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233:q"):
481 raise Exception("CTRL-RSP-SIM failed")
482 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
484 raise Exception("EAP failure not reported")
486 def test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
):
487 """EAP-SIM with external GSM auth and replacing SIM without clearing pseudonym id"""
489 _test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
)
491 dev
[0].request("SET external_sim 0")
493 def _test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
):
494 check_hlr_auc_gw_support()
495 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
496 hostapd
.add_ap(apdev
[0], params
)
497 dev
[0].request("SET external_sim 1")
498 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
499 identity
="1232010000000000",
500 wait_connect
=False, scan_freq
="2412")
502 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
504 raise Exception("Wait for external SIM processing request timed out")
506 if p
[1] != "GSM-AUTH":
507 raise Exception("Unexpected CTRL-REQ-SIM type")
508 rid
= p
[0].split('-')[3]
509 rand
= p
[2].split(' ')[0]
511 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
513 "auth_serv/hlr_auc_gw.milenage_db",
514 "GSM-AUTH-REQ 232010000000000 " + rand
])
515 if "GSM-AUTH-RESP" not in res
:
516 raise Exception("Unexpected hlr_auc_gw response")
517 resp
= res
.split(' ')[2].rstrip()
519 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
520 dev
[0].wait_connected(timeout
=15)
521 dev
[0].request("DISCONNECT")
522 dev
[0].wait_disconnected()
524 # Replace SIM, but forget to drop the previous pseudonym identity
525 dev
[0].set_network_quoted(id, "identity", "1232010000000009")
526 dev
[0].select_network(id, freq
="2412")
528 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
530 raise Exception("Wait for external SIM processing request timed out")
532 if p
[1] != "GSM-AUTH":
533 raise Exception("Unexpected CTRL-REQ-SIM type")
534 rid
= p
[0].split('-')[3]
535 rand
= p
[2].split(' ')[0]
537 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
539 "auth_serv/hlr_auc_gw.milenage_db",
540 "GSM-AUTH-REQ 232010000000009 " + rand
])
541 if "GSM-AUTH-RESP" not in res
:
542 raise Exception("Unexpected hlr_auc_gw response")
543 resp
= res
.split(' ')[2].rstrip()
545 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
546 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
548 raise Exception("EAP-Failure not reported")
549 dev
[0].request("DISCONNECT")
550 dev
[0].wait_disconnected()
552 def test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
):
553 """EAP-SIM with external GSM auth and replacing SIM and clearing pseudonym identity"""
555 _test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
)
557 dev
[0].request("SET external_sim 0")
559 def _test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
):
560 check_hlr_auc_gw_support()
561 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
562 hostapd
.add_ap(apdev
[0], params
)
563 dev
[0].request("SET external_sim 1")
564 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
565 identity
="1232010000000000",
566 wait_connect
=False, scan_freq
="2412")
568 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
570 raise Exception("Wait for external SIM processing request timed out")
572 if p
[1] != "GSM-AUTH":
573 raise Exception("Unexpected CTRL-REQ-SIM type")
574 rid
= p
[0].split('-')[3]
575 rand
= p
[2].split(' ')[0]
577 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
579 "auth_serv/hlr_auc_gw.milenage_db",
580 "GSM-AUTH-REQ 232010000000000 " + rand
])
581 if "GSM-AUTH-RESP" not in res
:
582 raise Exception("Unexpected hlr_auc_gw response")
583 resp
= res
.split(' ')[2].rstrip()
585 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
586 dev
[0].wait_connected(timeout
=15)
587 dev
[0].request("DISCONNECT")
588 dev
[0].wait_disconnected()
590 # Replace SIM and drop the previous pseudonym identity
591 dev
[0].set_network_quoted(id, "identity", "1232010000000009")
592 dev
[0].set_network(id, "anonymous_identity", "NULL")
593 dev
[0].select_network(id, freq
="2412")
595 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
597 raise Exception("Wait for external SIM processing request timed out")
599 if p
[1] != "GSM-AUTH":
600 raise Exception("Unexpected CTRL-REQ-SIM type")
601 rid
= p
[0].split('-')[3]
602 rand
= p
[2].split(' ')[0]
604 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
606 "auth_serv/hlr_auc_gw.milenage_db",
607 "GSM-AUTH-REQ 232010000000009 " + rand
])
608 if "GSM-AUTH-RESP" not in res
:
609 raise Exception("Unexpected hlr_auc_gw response")
610 resp
= res
.split(' ')[2].rstrip()
612 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
613 dev
[0].wait_connected()
614 dev
[0].request("DISCONNECT")
615 dev
[0].wait_disconnected()
617 def test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
):
618 """EAP-SIM with external GSM auth, replacing SIM, and no identity in config"""
620 _test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
)
622 dev
[0].request("SET external_sim 0")
624 def _test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
):
625 check_hlr_auc_gw_support()
626 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
627 hostapd
.add_ap(apdev
[0], params
)
628 dev
[0].request("SET external_sim 1")
629 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
630 wait_connect
=False, scan_freq
="2412")
632 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
634 raise Exception("Request for identity timed out")
635 rid
= ev
.split(':')[0].split('-')[-1]
636 dev
[0].request("CTRL-RSP-IDENTITY-" + rid
+ ":1232010000000000")
638 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
640 raise Exception("Wait for external SIM processing request timed out")
642 if p
[1] != "GSM-AUTH":
643 raise Exception("Unexpected CTRL-REQ-SIM type")
644 rid
= p
[0].split('-')[3]
645 rand
= p
[2].split(' ')[0]
647 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
649 "auth_serv/hlr_auc_gw.milenage_db",
650 "GSM-AUTH-REQ 232010000000000 " + rand
])
651 if "GSM-AUTH-RESP" not in res
:
652 raise Exception("Unexpected hlr_auc_gw response")
653 resp
= res
.split(' ')[2].rstrip()
655 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
656 dev
[0].wait_connected(timeout
=15)
657 dev
[0].request("DISCONNECT")
658 dev
[0].wait_disconnected()
660 # Replace SIM and drop the previous permanent and pseudonym identities
661 dev
[0].set_network(id, "identity", "NULL")
662 dev
[0].set_network(id, "anonymous_identity", "NULL")
663 dev
[0].select_network(id, freq
="2412")
665 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
667 raise Exception("Request for identity timed out")
668 rid
= ev
.split(':')[0].split('-')[-1]
669 dev
[0].request("CTRL-RSP-IDENTITY-" + rid
+ ":1232010000000009")
671 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
673 raise Exception("Wait for external SIM processing request timed out")
675 if p
[1] != "GSM-AUTH":
676 raise Exception("Unexpected CTRL-REQ-SIM type")
677 rid
= p
[0].split('-')[3]
678 rand
= p
[2].split(' ')[0]
680 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
682 "auth_serv/hlr_auc_gw.milenage_db",
683 "GSM-AUTH-REQ 232010000000009 " + rand
])
684 if "GSM-AUTH-RESP" not in res
:
685 raise Exception("Unexpected hlr_auc_gw response")
686 resp
= res
.split(' ')[2].rstrip()
688 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
689 dev
[0].wait_connected()
690 dev
[0].request("DISCONNECT")
691 dev
[0].wait_disconnected()
693 def test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
):
694 """EAP-SIM with external GSM auth and auth failing"""
696 _test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
)
698 dev
[0].request("SET external_sim 0")
700 def _test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
):
701 check_hlr_auc_gw_support()
702 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
703 hostapd
.add_ap(apdev
[0], params
)
704 dev
[0].request("SET external_sim 1")
705 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
706 identity
="1232010000000000",
707 wait_connect
=False, scan_freq
="2412")
709 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
711 raise Exception("Wait for external SIM processing request timed out")
713 rid
= p
[0].split('-')[3]
714 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-FAIL")
715 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
717 raise Exception("EAP failure not reported")
718 dev
[0].request("REMOVE_NETWORK all")
719 dev
[0].wait_disconnected()
721 def test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
):
722 """EAP-SIM and external GSM auth to check fast reauth with bssid change"""
724 _test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
)
726 dev
[0].request("SET external_sim 0")
728 def _test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
):
729 check_hlr_auc_gw_support()
730 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
731 hostapd
.add_ap(apdev
[0], params
)
732 dev
[0].request("SET external_sim 1")
733 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
734 identity
="1232010000000000",
735 wait_connect
=False, scan_freq
="2412")
737 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
739 raise Exception("Wait for external SIM processing request timed out")
741 if p
[1] != "GSM-AUTH":
742 raise Exception("Unexpected CTRL-REQ-SIM type")
743 rid
= p
[0].split('-')[3]
744 rand
= p
[2].split(' ')[0]
746 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
748 "auth_serv/hlr_auc_gw.milenage_db",
749 "GSM-AUTH-REQ 232010000000000 " + rand
])
750 if "GSM-AUTH-RESP" not in res
:
751 raise Exception("Unexpected hlr_auc_gw response")
752 resp
= res
.split(' ')[2].rstrip()
754 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
755 dev
[0].wait_connected(timeout
=15)
757 # Verify that EAP-SIM Reauthentication can be used after a profile change
758 # that does not affect EAP parameters.
759 dev
[0].set_network(id, "bssid", "any")
760 eap_reauth(dev
[0], "SIM")
762 def test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
):
763 """EAP-SIM and external GSM auth to check fast reauth with no-change SET_NETWORK"""
765 _test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
)
767 dev
[0].request("SET external_sim 0")
769 def _test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
):
770 check_hlr_auc_gw_support()
771 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
772 hostapd
.add_ap(apdev
[0], params
)
773 dev
[0].request("SET external_sim 1")
774 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
775 identity
="1232010000000000",
776 wait_connect
=False, scan_freq
="2412")
778 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
780 raise Exception("Wait for external SIM processing request timed out")
782 if p
[1] != "GSM-AUTH":
783 raise Exception("Unexpected CTRL-REQ-SIM type")
784 rid
= p
[0].split('-')[3]
785 rand
= p
[2].split(' ')[0]
787 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
789 "auth_serv/hlr_auc_gw.milenage_db",
790 "GSM-AUTH-REQ 232010000000000 " + rand
])
791 if "GSM-AUTH-RESP" not in res
:
792 raise Exception("Unexpected hlr_auc_gw response")
793 resp
= res
.split(' ')[2].rstrip()
795 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
796 dev
[0].wait_connected(timeout
=15)
798 # Verify that EAP-SIM Reauthentication can be used after network profile
799 # SET_NETWORK commands that do not actually change previously set
801 dev
[0].set_network(id, "key_mgmt", "WPA-EAP")
802 dev
[0].set_network(id, "eap", "SIM")
803 dev
[0].set_network_quoted(id, "identity", "1232010000000000")
804 dev
[0].set_network_quoted(id, "ssid", "test-wpa2-eap")
805 eap_reauth(dev
[0], "SIM")
807 def test_ap_wpa2_eap_sim_oom(dev
, apdev
):
808 """EAP-SIM and OOM"""
809 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
810 hostapd
.add_ap(apdev
[0], params
)
811 tests
= [ (1, "milenage_f2345"),
812 (2, "milenage_f2345"),
813 (3, "milenage_f2345"),
814 (4, "milenage_f2345"),
815 (5, "milenage_f2345"),
816 (6, "milenage_f2345"),
817 (7, "milenage_f2345"),
818 (8, "milenage_f2345"),
819 (9, "milenage_f2345"),
820 (10, "milenage_f2345"),
821 (11, "milenage_f2345"),
822 (12, "milenage_f2345") ]
823 for count
, func
in tests
:
824 with
fail_test(dev
[0], count
, func
):
825 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
826 identity
="1232010000000000",
827 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
828 wait_connect
=False, scan_freq
="2412")
829 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
831 raise Exception("EAP method not selected")
832 dev
[0].wait_disconnected()
833 dev
[0].request("REMOVE_NETWORK all")
835 def test_ap_wpa2_eap_aka(dev
, apdev
):
836 """WPA2-Enterprise connection using EAP-AKA"""
837 check_hlr_auc_gw_support()
838 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
839 hapd
= hostapd
.add_ap(apdev
[0], params
)
840 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
841 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
842 hwsim_utils
.test_connectivity(dev
[0], hapd
)
843 eap_reauth(dev
[0], "AKA")
845 logger
.info("Negative test with incorrect key")
846 dev
[0].request("REMOVE_NETWORK all")
847 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
848 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
851 logger
.info("Invalid Milenage key")
852 dev
[0].request("REMOVE_NETWORK all")
853 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
854 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
857 logger
.info("Invalid Milenage key(2)")
858 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
859 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
862 logger
.info("Invalid Milenage key(3)")
863 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
864 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
867 logger
.info("Invalid Milenage key(4)")
868 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
869 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
872 logger
.info("Invalid Milenage key(5)")
873 dev
[0].request("REMOVE_NETWORK all")
874 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
875 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
878 logger
.info("Invalid Milenage key(6)")
879 dev
[0].request("REMOVE_NETWORK all")
880 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
881 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
884 logger
.info("Missing key configuration")
885 dev
[0].request("REMOVE_NETWORK all")
886 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
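def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)

    Exercises hostapd's SQLite-backed EAP-SIM/AKA state: after a full
    EAP-AKA authentication the reauth/pseudonyms rows are edited directly
    to force fast re-authentication, full authentication with a pseudonym
    and with the permanent identity, a mismatching MK, counter mismatches
    and the maximum reauth count.

    Args:
        dev: station devices; dev[0] is the one authenticating.
        apdev: AP interfaces; apdev[0] hosts the AP.
        params: test-run parameters; params['logdir'] is where hostapd.db
            lives.

    Raises:
        HwsimSkip: when hlr_auc_gw or the sqlite3 module is not available.
        Exception: propagated from eap_connect()/eap_reauth() when an
            exchange does not end the expected way.
    """
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")

    permanent = "0232010000000000"
    # Milenage parameters (Ki:OPc:SQN) for this subscriber in the test HLR.
    milenage = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"

    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def edit_db(*statements):
        # The Connection context manager commits on success and rolls back
        # on error, so each call is one transaction against hostapd.db.
        with con:
            for sql in statements:
                con.execute(sql)

    try:
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        # Alternate RADIUS server port; presumably the SQLite-backed test
        # server instance listens there.
        ap_params['auth_server_port'] = "1814"
        hapd = hostapd.add_ap(apdev[0], ap_params)
        eap_connect(dev[0], hapd, "AKA", permanent, password=milenage)

        logger.info("AKA fast re-authentication")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with pseudonym")
        edit_db("DELETE FROM reauth WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with permanent identity")
        edit_db("DELETE FROM reauth WHERE permanent='0232010000000000'",
                "DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA reauth with mismatching MK")
        edit_db("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
        # A corrupted master key on the server side must make fast reauth
        # fail rather than silently fall back.
        eap_reauth(dev[0], "AKA", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "AKA", permanent, password=milenage)
        edit_db("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")
        edit_db("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
        logger.info("AKA reauth with mismatching counter")
        eap_reauth(dev[0], "AKA")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "AKA", permanent, password=milenage)
        edit_db("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
        logger.info("AKA reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA")
    finally:
        # Do not leave the database handle open for the rest of the run.
        con.close()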
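def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options

    Connects with EAP-AKA and an explicitly configured anonymous_identity
    in addition to the permanent identity.

    Raises:
        HwsimSkip: when hlr_auc_gw is not available.
        Exception: from eap_connect() when the authentication fails.
    """
    # Like the other EAP-AKA tests, skip instead of failing when the test
    # HLR/AuC gateway that answers the AKA challenge is not running.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                anonymous_identity="2345678")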
def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
    sta = dev[0]
    try:
        _test_ap_wpa2_eap_aka_ext(dev, apdev)
    finally:
        # Always restore the default SIM handling so later tests are not
        # left waiting for external UMTS responses.
        sta.request("SET external_sim 0")
962 def _test_ap_wpa2_eap_aka_ext(dev
, apdev
):
963 check_hlr_auc_gw_support()
964 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
965 hostapd
.add_ap(apdev
[0], params
)
966 dev
[0].request("SET external_sim 1")
967 id = dev
[0].connect("test-wpa2-eap", eap
="AKA", key_mgmt
="WPA-EAP",
968 identity
="0232010000000000",
969 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
970 wait_connect
=False, scan_freq
="2412")
971 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
973 raise Exception("Network connected timed out")
975 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
977 raise Exception("Wait for external SIM processing request timed out")
979 if p
[1] != "UMTS-AUTH":
980 raise Exception("Unexpected CTRL-REQ-SIM type")
981 rid
= p
[0].split('-')[3]
984 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
985 # This will fail during processing, but the ctrl_iface command succeeds
986 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
987 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
989 raise Exception("EAP failure not reported")
990 dev
[0].request("DISCONNECT")
991 dev
[0].wait_disconnected()
993 dev
[0].dump_monitor()
995 dev
[0].select_network(id, freq
="2412")
996 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
998 raise Exception("Wait for external SIM processing request timed out")
1000 if p
[1] != "UMTS-AUTH":
1001 raise Exception("Unexpected CTRL-REQ-SIM type")
1002 rid
= p
[0].split('-')[3]
1003 # This will fail during UMTS auth validation
1004 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:112233445566778899aabbccddee"):
1005 raise Exception("CTRL-RSP-SIM failed")
1006 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1008 raise Exception("Wait for external SIM processing request timed out")
1009 p
= ev
.split(':', 2)
1010 if p
[1] != "UMTS-AUTH":
1011 raise Exception("Unexpected CTRL-REQ-SIM type")
1012 rid
= p
[0].split('-')[3]
1013 # This will fail during UMTS auth validation
1014 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:12"):
1015 raise Exception("CTRL-RSP-SIM failed")
1016 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
1018 raise Exception("EAP failure not reported")
1019 dev
[0].request("DISCONNECT")
1020 dev
[0].wait_disconnected()
1022 dev
[0].dump_monitor()
1024 tests
= [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
1026 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
1027 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
1028 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
1029 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
1030 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
1032 dev
[0].select_network(id, freq
="2412")
1033 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1035 raise Exception("Wait for external SIM processing request timed out")
1036 p
= ev
.split(':', 2)
1037 if p
[1] != "UMTS-AUTH":
1038 raise Exception("Unexpected CTRL-REQ-SIM type")
1039 rid
= p
[0].split('-')[3]
1040 # This will fail during UMTS auth validation
1041 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ t
):
1042 raise Exception("CTRL-RSP-SIM failed")
1043 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
1045 raise Exception("EAP failure not reported")
1046 dev
[0].request("DISCONNECT")
1047 dev
[0].wait_disconnected()
1049 dev
[0].dump_monitor()
def test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    """EAP-AKA with external UMTS auth and auth failing"""
    sta = dev[0]
    try:
        _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev)
    finally:
        # Clear external_sim regardless of the outcome of the test body.
        sta.request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_ext_auth_fail().

    The external SIM answers the UMTS authentication request with
    UMTS-FAIL, which must surface as an EAP failure on the station.
    The caller resets external_sim afterwards.
    """
    check_hlr_auc_gw_support()
    sta = dev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], ap_params)
    # With external_sim set, wpa_supplicant asks for the UMTS result over
    # the control interface (CTRL-REQ-SIM) instead of computing it itself;
    # no password is configured on the network block.
    sta.request("SET external_sim 1")
    sta.connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                identity="0232010000000000",
                wait_connect=False, scan_freq="2412")

    ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    # Event looks like "CTRL-REQ-SIM-<id>:<type>:..."; the request id is the
    # fourth '-' separated field of the first ':' separated part.
    rid = ev.split(':', 2)[0].split('-')[3]
    sta.request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
    ev = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP failure not reported")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'"""
    check_hlr_auc_gw_support()
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    identity = "6555444333222111"
    # Milenage parameters (Ki:OPc:SQN) for this subscriber in the test HLR.
    good_key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    eap_connect(dev[0], ap, "AKA'", identity, password=good_key)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "AKA'")

    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    # A second station offers both AKA' and AKA; the connection must still
    # complete with the bidding protection in place.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity=identity + "@both",
                   password=good_key,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    # Same subscriber, first byte of Ki altered: authentication must fail.
    bad_key = "ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    eap_connect(dev[0], ap, "AKA'", identity, password=bad_key,
                expect_failure=True)
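def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)

    EAP-AKA' counterpart of test_ap_wpa2_eap_aka_sql(): after a full
    authentication the SQLite reauth/pseudonyms rows are edited directly
    to drive fast re-authentication, full authentication with a pseudonym
    and with the permanent identity, a mismatching K_aut, counter
    mismatches and the maximum reauth count.

    Args:
        dev: station devices; dev[0] is the one authenticating.
        apdev: AP interfaces; apdev[0] hosts the AP.
        params: test-run parameters; params['logdir'] is where hostapd.db
            lives.

    Raises:
        HwsimSkip: when hlr_auc_gw or the sqlite3 module is not available.
        Exception: propagated from eap_connect()/eap_reauth() when an
            exchange does not end the expected way.
    """
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")

    permanent = "6555444333222111"
    # Milenage parameters (Ki:OPc:SQN) for this subscriber in the test HLR.
    milenage = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"

    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def edit_db(*statements):
        # One transaction per call: the Connection context manager commits
        # on success and rolls back on error.
        with con:
            for sql in statements:
                con.execute(sql)

    try:
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        # Alternate RADIUS server port; presumably the SQLite-backed test
        # server instance listens there.
        ap_params['auth_server_port'] = "1814"
        hapd = hostapd.add_ap(apdev[0], ap_params)
        eap_connect(dev[0], hapd, "AKA'", permanent, password=milenage)

        logger.info("AKA' fast re-authentication")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with pseudonym")
        edit_db("DELETE FROM reauth WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with permanent identity")
        edit_db("DELETE FROM reauth WHERE permanent='6555444333222111'",
                "DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' reauth with mismatching k_aut")
        edit_db("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
        # A wrong K_aut on the server side must make the fast reauth fail.
        eap_reauth(dev[0], "AKA'", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "AKA'", permanent, password=milenage)
        edit_db("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")
        edit_db("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
        logger.info("AKA' reauth with mismatching counter")
        eap_reauth(dev[0], "AKA'")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "AKA'", permanent, password=milenage)
        edit_db("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
        logger.info("AKA' reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA'")
    finally:
        # Do not leave the database handle open for the rest of the run.
        con.close()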
def test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    """EAP-AKA' with external UMTS auth and auth failing"""
    sta = dev[0]
    try:
        _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev)
    finally:
        # Clear external_sim regardless of the outcome of the test body.
        sta.request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_prime_ext_auth_fail().

    The external SIM answers the UMTS authentication request with
    UMTS-FAIL, which must surface as an EAP failure on the station.
    The caller resets external_sim afterwards.
    """
    check_hlr_auc_gw_support()
    sta = dev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], ap_params)
    # With external_sim set, wpa_supplicant asks for the UMTS result over
    # the control interface (CTRL-REQ-SIM); no password is configured.
    sta.request("SET external_sim 1")
    sta.connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
                identity="6555444333222111",
                wait_connect=False, scan_freq="2412")

    ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    # Event looks like "CTRL-REQ-SIM-<id>:<type>:..."; the request id is the
    # fourth '-' separated field of the first ':' separated part.
    rid = ev.split(':', 2)[0].split('-')[3]
    sta.request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
    ev = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP failure not reported")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
def test_ap_wpa2_eap_aka_prime_ext(dev, apdev):
    """EAP-AKA' with external UMTS auth to hit Synchronization-Failure"""
    sta = dev[0]
    try:
        _test_ap_wpa2_eap_aka_prime_ext(dev, apdev)
    finally:
        # Restore the default SIM handling whatever the test body did.
        sta.request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_prime_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_prime_ext().

    Answers the first UMTS-AUTH request with a UMTS-AUTS (resynchronization)
    response and expects the authenticator to come back with a new
    UMTS-AUTH request. The network block is intentionally left in place;
    the caller only resets external_sim.
    """
    check_hlr_auc_gw_support()
    sta = dev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], ap_params)
    sta.request("SET external_sim 1")
    sta.connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
                identity="6555444333222111",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                wait_connect=False, scan_freq="2412")
    ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:
        raise Exception("Network connected timed out")

    ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    req_id, req_type, _rest = ev.split(':', 2)
    if req_type != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = req_id.split('-')[3]
    # This will fail during UMTS auth validation
    resp = "CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"
    if "OK" not in sta.request(resp):
        raise Exception("CTRL-RSP-SIM failed")
    ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Sanity check the AP configuration before authenticating: the first
    # key_mgmt entry reported by GET_CONFIG must be WPA-EAP.
    key_mgmt = ap.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # ca_cert pins the trust anchor for the TTLS tunnel; the PAP password
    # only travels inside that tunnel.
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], ap, "TTLS", "pap user", **inner)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the 802.1X AKM suite selector: both the requested and
    # the selected suite must be it.
    expected_mib = [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")]
    check_mib(dev[0], expected_mib)
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    sta = dev[0]
    check_subject_match_support(sta)
    check_altsubject_match_support(sta)
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Besides the CA, constrain which server certificate is accepted by
    # subject DN and by subjectAltName entries.
    cert_constraints = dict(
        subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
        altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_connect(sta, ap, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                **cert_constraints)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                  expect_failure=True)
    # Wrong password for a known user, and the right password for a
    # different user name: both must be rejected.
    eap_connect(dev[0], ap, "TTLS", "pap user", password="wrong", **common)
    eap_connect(dev[1], ap, "TTLS", "user", password="password", **common)
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    sta = dev[0]
    # CHAP relies on MD5, which is not available in FIPS mode.
    skip_with_fips(sta)
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The CA is given in DER form here (ca.der rather than ca.pem).
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(sta, ap, "TTLS", "chap user", **inner)
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")
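def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and altsubject_match

    Same as test_ap_wpa2_eap_ttls_chap() but additionally constrains the
    accepted server certificate through altsubject_match.

    Raises:
        HwsimSkip: in FIPS mode or when altsubject_match is not supported
            by the TLS library.
        Exception: from eap_connect()/eap_reauth() on failure.
    """
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Entries are matched against the server certificate's subjectAltName;
    # the order in the list differs from the PAP variant on purpose.
    eap_connect(dev[0], hapd, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
    eap_reauth(dev[0], "TTLS")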
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    skip_with_fips(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                  expect_failure=True)
    # Wrong password for a known user, and the right password for a
    # different user name: both must be rejected.
    eap_connect(dev[0], ap, "TTLS", "chap user", password="wrong", **common)
    eap_connect(dev[1], ap, "TTLS", "user", password="password", **common)
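def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP

    Three connections in a row: with domain_suffix_match, with a small
    EAP fragment_size, and with the password supplied as an NT hash
    instead of plaintext.

    Raises:
        HwsimSkip: in FIPS mode or when domain_suffix_match is unsupported.
        Exception: from eap_connect()/eap_reauth() on failure.
    """
    skip_with_fips(dev[0])
    check_domain_suffix_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    dev[0].request("REMOVE_NETWORK all")
    # Wait for the disconnection like the second removal below does, so the
    # next eap_connect() does not race with the teardown of the first one.
    dev[0].wait_disconnected()
    # Small fragment_size forces the TLS handshake to be split into many
    # EAP fragments.
    eap_connect(dev[0], hapd, "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                fragment_size="200")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    # Password given as its NT hash ("hash:" prefix) rather than plaintext.
    eap_connect(dev[0], hapd, "TTLS", "mschap user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")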
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    skip_with_fips(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                  expect_failure=True)
    # Wrong password, wrong user name, and an unknown user: every one of
    # them must be rejected.
    attempts = [(dev[0], "mschap user", "password"),
                (dev[1], "user", "password"),
                (dev[2], "no such user", "password")]
    attempts[0] = (dev[0], "mschap user", "wrong")
    for sta, user, pw in attempts:
        eap_connect(sta, ap, "TTLS", user, password=pw, **common)
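def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2

    Authenticates with a domain-prefixed identity and domain_suffix_match,
    verifies that a re-authentication is reflected in the AP's per-STA
    EAPOL and backend counters, and finally connects again with the
    password given as an NT hash instead of plaintext.

    Raises:
        HwsimSkip: when domain_suffix_match or EAP-MSCHAPV2 is unavailable.
        Exception: when a counter did not move as expected, or from
            eap_connect()/eap_reauth().
    """
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Escaped backslash: same runtime value as the bare "\m" form but
    # without relying on the invalid-escape leniency of older Python.
    identity = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], hapd, "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)

    sta_addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(sta_addr)
    eapol1 = hapd.get_sta(sta_addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(sta_addr)
    eapol2 = hapd.get_sta(sta_addr, info="eapol")
    # The reauth must be visible on the authenticator: more EAPOL frames
    # received, an EAP-Start seen while authenticated, and one more
    # backend success.
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")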
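def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
    """EAP-TTLS with invalid phase2 parameter values

    Each phase2 string is misspelled, duplicated or mixes auth= with
    autheap= entries; wpa_supplicant must still propose EAP-TTLS
    (method 21) but then fail to initialize the method instead of
    connecting.

    Raises:
        Exception: when EAP-TTLS was not proposed, or when an invalid
            phase2 value did not produce a failure.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    tests = ["auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
             "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
             "autheap=MD5 autheap=FOO autheap=MSCHAPV2"]
    # Escaped backslash: same runtime value as the bare "\m" form but
    # without relying on the invalid-escape leniency of older Python.
    identity = "DOMAIN\\mschapv2 user"
    for t in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity=identity,
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2=t,
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
        if ev is None or "method=21" not in ev:
            raise Exception("EAP-TTLS not started")
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method",
                                "CTRL-EVENT-CONNECTED"], timeout=5)
        # Completing the connection with a bogus phase2 configuration
        # would itself be the failure here.
        if ev is None or "CTRL-EVENT-CONNECTED" in ev:
            raise Exception("No EAP-TTLS failure reported for phase2=" + t)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()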
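def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_suffix_match)

    Like test_ap_wpa2_eap_ttls_mschapv2() but the suffix given to
    domain_suffix_match is the parent domain (w1.fi) rather than the full
    server name, so the TLS library must support suffix matching.

    Raises:
        HwsimSkip: in FIPS mode or when the TLS library only supports a
            full domain match.
        Exception: from eap_connect()/eap_reauth() on failure.
    """
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Escaped backslash: same runtime value as the bare "\m" form but
    # without relying on the invalid-escape leniency of older Python.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")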
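def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)

    Uses domain_match with a differently-cased server name
    ("Server.w1.fi"); the connection is expected to succeed.

    Raises:
        HwsimSkip: in FIPS mode or when the TLS library does not support
            domain_match.
        Exception: from eap_connect()/eap_reauth() on failure.
    """
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Escaped backslash: same runtime value as the bare "\m" form but
    # without relying on the invalid-escape leniency of older Python.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")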
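def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password

    A wrong password for a known user and the right password for an
    unknown user name must both be rejected.

    Raises:
        HwsimSkip: in FIPS mode.
        Exception: from eap_connect() when a rejection does not happen.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Escaped backslash: same runtime value as the bare "\m" form but
    # without relying on the invalid-escape leniency of older Python.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
    eap_connect(dev[1], hapd, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)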
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    skip_with_fips(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # Plaintext password containing non-ASCII characters...
    eap_connect(dev[0], ap, "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **tunnel)
    # ...and the same secret pre-hashed into an NT hash.
    eap_connect(dev[1], ap, "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf", **tunnel)
    # Malformed hex passwords (odd byte, bad UTF-16 shape, over-long) must
    # produce an EAP failure rather than an authentication.
    bad_hex = ["80", "41c041e04141e041", 257*"41"]
    sta = dev[2]
    for p in bad_hex:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                    eap="TTLS", identity="utf8-user-hash",
                    password_hex=p,
                    wait_connect=False, scan_freq="2412", **tunnel)
        ev = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1)
        if ev is None:
            raise Exception("No failure reported")
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # autheap= selects an inner EAP method (GTC) rather than a plain
    # auth= protocol inside the TTLS tunnel.
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(sta, ap, "TTLS", "user", **inner)
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="ttls", password="wrong",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    # The wrong inner password must lead to an EAP failure.
    eap_connect(dev[0], ap, "TTLS", "user", expect_failure=True, **inner)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" has no password on the server side, so presenting
    # one must not authenticate.
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd", expect_failure=True,
                **inner)
1488 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev
, apdev
):
1489 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
1490 params
= int_eap_server_params()
1491 hapd
= hostapd
.add_ap(apdev
[0], params
)
1492 with
alloc_fail(hapd
, 1, "eap_gtc_init"):
1493 eap_connect(dev
[0], hapd
, "TTLS", "user",
1494 anonymous_identity
="ttls", password
="password",
1495 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1496 expect_failure
=True)
1497 dev
[0].request("REMOVE_NETWORK all")
1499 with
alloc_fail(hapd
, 1, "eap_gtc_buildReq"):
1500 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1501 eap
="TTLS", identity
="user",
1502 anonymous_identity
="ttls", password
="password",
1503 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1504 wait_connect
=False, scan_freq
="2412")
1505 # This would eventually time out, but we can stop after having reached
1506 # the allocation failure.
1509 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1512 def test_ap_wpa2_eap_ttls_eap_gtc_oom(dev
, apdev
):
1513 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC (OOM)"""
1514 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1515 hapd
= hostapd
.add_ap(apdev
[0], params
)
1517 tests
= [ "eap_gtc_init",
1518 "eap_msg_alloc;eap_gtc_process" ]
1520 with
alloc_fail(dev
[0], 1, func
):
1521 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
1523 eap
="TTLS", identity
="user",
1524 anonymous_identity
="ttls", password
="password",
1525 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1527 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
1528 dev
[0].request("REMOVE_NETWORK all")
1529 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    sta = dev[0]
    # Inner EAP-MD5 must be compiled into wpa_supplicant.
    check_eap_capa(sta, "MD5")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(sta, ap, "TTLS", "user", **inner)
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="ttls", password="wrong",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    # The wrong inner password must lead to an EAP failure.
    eap_connect(dev[0], ap, "TTLS", "user", expect_failure=True, **inner)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" has no password on the server side, so presenting
    # one must not authenticate.
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd", expect_failure=True,
                **inner)
1562 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev
, apdev
):
1563 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1564 check_eap_capa(dev
[0], "MD5")
1565 params
= int_eap_server_params()
1566 hapd
= hostapd
.add_ap(apdev
[0], params
)
1567 with
alloc_fail(hapd
, 1, "eap_md5_init"):
1568 eap_connect(dev
[0], hapd
, "TTLS", "user",
1569 anonymous_identity
="ttls", password
="password",
1570 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
1571 expect_failure
=True)
1572 dev
[0].request("REMOVE_NETWORK all")
1574 with
alloc_fail(hapd
, 1, "eap_md5_buildReq"):
1575 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1576 eap
="TTLS", identity
="user",
1577 anonymous_identity
="ttls", password
="password",
1578 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
1579 wait_connect
=False, scan_freq
="2412")
1580 # This would eventually time out, but we can stop after having reached
1581 # the allocation failure.
1584 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    sta = dev[0]
    check_eap_capa(sta, "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    eap_connect(sta, ap, "TTLS", "user", password="password", **tunnel)
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # Off-by-one-character password: the inner method must reject it.
    eap_connect(sta, ap, "TTLS", "user", password="password1",
                expect_failure=True, **tunnel)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" has no password on the server side, so presenting
    # one must not authenticate.
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd", expect_failure=True,
                **inner)
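def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
    # One allocation failure is injected into each server-side EAP-MSCHAPv2
    # entry point in turn; none of the attempts may end in a successful
    # authentication.
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0], int_eap_server_params())
    inner = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                 phase2="autheap=MSCHAPV2")

    # Failure in method init: the full EAP failure is observed.
    with alloc_fail(ap, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], ap, "TTLS", "user", password="password",
                    expect_failure=True, **inner)
    dev[0].request("REMOVE_NETWORK all")

    # The later failure points only need the exchange to reach the injected
    # allocation; waiting for a final EAP result would just time out.
    # wait_fail_trigger() raises if the failure point is never hit, where the
    # previous open-coded 2 s poll silently went on and let the test pass
    # without exercising the OOM path.
    oom_cases = [("eap_mschapv2_build_challenge", "password"),
                 ("eap_mschapv2_build_success_req", "password"),
                 ("eap_mschapv2_build_failure_req", "wrong")]
    for func, password in oom_cases:
        with alloc_fail(ap, 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="TTLS", identity="user", password=password,
                           wait_connect=False, scan_freq="2412", **inner)
            wait_fail_trigger(ap, "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")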
def test_ap_wpa2_eap_ttls_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Simulated SIM: IMSI as identity, Milenage test secrets (Ki:OPc) as the
    # password, both matching the hwsim auth_serv database.
    imsi = "1232010000000000"
    eap_connect(dev[0], ap, "TTLS", imsi,
                anonymous_identity=imsi + "@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                ca_cert="auth_serv/ca.pem", phase2="autheap=SIM")
    eap_reauth(dev[0], "TTLS")
def run_ext_sim_auth(dev):
    # Serve one external GSM authentication request for *dev* (external_sim=1
    # mode) and then verify that an EAP reauthentication still completes.
    #
    # Request format as parsed here: "CTRL-REQ-SIM-<id>:GSM-AUTH:<rands> ...";
    # <id> is echoed back in the CTRL-RSP-SIM-<id> reply.
    ev = dev.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    parts = ev.split(':', 2)
    if parts[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = parts[0].split('-')[3]
    rand = parts[2].split(' ')[0]

    # Let the test HLR/AuC gateway (Milenage database) compute the GSM-AUTH
    # response for the challenge.
    out = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "-m",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand])
    if "GSM-AUTH-RESP" not in out:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = out.split(' ')[2].rstrip()

    dev.request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev.wait_connected(timeout=15)

    # Reauthentication must succeed without a new external request.
    dev.request("REAUTHENTICATE")
    ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=5)
    if ev is None:
        raise Exception("EAP reauthentication did not succeed")
    ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=5)
    if ev is None:
        raise Exception("Key negotiation did not complete")
def test_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    # The run_* helper switches dev[0] to external SIM processing; switch it
    # back even on failure so later tests do not inherit external_sim=1.
    try:
        run_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def run_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev):
    # EAP-TTLS/EAP-SIM where the GSM authentication is answered externally
    # through run_ext_sim_auth() instead of the built-in Milenage code.
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    imsi = "1232010000000000"
    dev[0].connect("test-wpa2-eap", eap="TTLS", key_mgmt="WPA-EAP",
                   identity=imsi,
                   anonymous_identity=imsi + "@ttls",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=SIM",
                   wait_connect=False, scan_freq="2412")
    run_ext_sim_auth(dev[0])
def test_ap_wpa2_eap_peap_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same simulated SIM as the TTLS variant, tunnelled in PEAP.
    imsi = "1232010000000000"
    eap_connect(dev[0], ap, "PEAP", imsi,
                anonymous_identity=imsi + "@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    # Always restore built-in SIM processing on dev[0], whatever the result.
    try:
        run_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def run_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev):
    # EAP-PEAP/EAP-SIM with the GSM authentication served by
    # run_ext_sim_auth() over the control interface.
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    imsi = "1232010000000000"
    dev[0].connect("test-wpa2-eap", eap="PEAP", key_mgmt="WPA-EAP",
                   identity=imsi,
                   anonymous_identity=imsi + "@peap",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   ca_cert="auth_serv/ca.pem", phase2="auth=SIM",
                   wait_connect=False, scan_freq="2412")
    run_ext_sim_auth(dev[0])
def test_ap_wpa2_eap_fast_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-SIM"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-FAST with authenticated provisioning; the PAC lives in a config
    # blob so nothing is written to disk.
    imsi = "1232010000000000"
    eap_connect(dev[0], ap, "FAST", imsi,
                anonymous_identity=imsi + "@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_sim",
                ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
    eap_reauth(dev[0], "FAST")
def test_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    # Always restore built-in SIM processing on dev[0], whatever the result.
    try:
        run_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
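def run_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev):
    # EAP-FAST/EAP-SIM with the GSM authentication served by
    # run_ext_sim_auth(). The outer method used to be "PEAP" (copied from the
    # PEAP variant) although phase1/pac_file are EAP-FAST parameters; use
    # FAST so the test exercises what its name claims, consistent with
    # test_ap_wpa2_eap_fast_eap_sim.
    check_eap_capa(dev[0], "FAST")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    imsi = "1232010000000000"
    dev[0].connect("test-wpa2-eap", eap="FAST", key_mgmt="WPA-EAP",
                   identity=imsi,
                   anonymous_identity=imsi + "@fast",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   phase1="fast_provisioning=2",
                   pac_file="blob://fast_pac_auth_sim",
                   ca_cert="auth_serv/ca.pem", phase2="auth=SIM",
                   wait_connect=False, scan_freq="2412")
    run_ext_sim_auth(dev[0])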
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # USIM test credentials: the AKA password additionally carries the
    # sequence number (Ki:OPc:SQN).
    imsi = "0232010000000000"
    eap_connect(dev[0], ap, "TTLS", imsi,
                anonymous_identity=imsi + "@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    eap_connect(dev[0], ap, "PEAP", imsi,
                anonymous_identity=imsi + "@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    eap_connect(dev[0], ap, "FAST", imsi,
                anonymous_identity=imsi + "@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_reauth(dev[0], "FAST")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                 phase2="auth=MSCHAPV2")

    eap_connect(dev[0], ap, "PEAP", "user", password="password", **inner)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    # Same exchange with a small EAP fragment size to force fragmentation.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "PEAP", "user", password="password",
                fragment_size="200", **inner)

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # The NT password hash is supplied instead of the plaintext password.
    eap_connect(dev[0], ap, "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **inner)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "PEAP", "user", password="password1",
                expect_failure=True, **inner)
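def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Identity in DOMAIN\user form. The backslash is escaped explicitly: the
    # bare "\u" of the original is only tolerated by Python 2 (kept verbatim)
    # and is a SyntaxError under Python 3; the runtime value is unchanged.
    eap_connect(dev[0], ap, "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")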
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Negative case only: the wrong inner password must not authenticate.
    eap_connect(dev[0], ap, "PEAP", "user",
                anonymous_identity="peap", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(password="password", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")

    # crypto_binding=2 (required) on dev[0], then 1 (optional) and 0 (not
    # used) on the other stations; all three are expected to connect.
    eap_connect(dev[0], ap, "PEAP", "user",
                phase1="peapver=0 crypto_binding=2", **common)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    eap_connect(dev[1], ap, "PEAP", "user",
                phase1="peapver=0 crypto_binding=1", **common)
    eap_connect(dev[2], ap, "PEAP", "user",
                phase1="peapver=0 crypto_binding=0", **common)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0], int_eap_server_params())
    # The server cannot derive the inner-method key needed for crypto binding
    # (allocation failure in eap_mschapv2_getKey), so with crypto_binding=2
    # the connection must fail.
    with alloc_fail(ap, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], ap, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="peap", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    # PEAPv0 with peaplabel=1 is not accepted by this server.
    eap_connect(dev[0], ap, "PEAP", "user",
                phase1="peapver=0 peaplabel=1", expect_failure=True, **inner)
    dev[0].request("REMOVE_NETWORK all")

    # peap_outer_success=0: EAP-Success is seen but the connection does not
    # complete, so stop once the event has been observed.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", phase1="peap_outer_success=0",
                   wait_connect=False, scan_freq="2412", **inner)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    if ev is None:
        raise Exception("No EAP success seen")
    # This won't succeed to connect with peap_outer_success=0, so stop here.
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    eap_connect(dev[1], ap, "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=1",
                phase2="auth=MSCHAPV2")
    eap_connect(dev[2], ap, "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=2",
                phase2="auth=MSCHAPV2")

    # PEAPv1 with peaplabel=1: EAP succeeds, but the association must not
    # complete within the short wait.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412", **inner)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    if ev is None:
        raise Exception("No EAP success seen")
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
    if ev is not None:
        raise Exception("Unexpected connection")

    # The "peap-verN" anonymous identities presumably steer the test server's
    # PEAP version; these (anonymous identity, phase1) pairs are compatible
    # and must connect.
    compatible = [("peap-ver0", ""),
                  ("peap-ver0", "peapver=0"),
                  ("peap-ver1", "peapver=1")]
    for anon, phase1 in compatible:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       scan_freq="2412")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Conflicting version selection must end in EAP-Failure.
    conflicting = [("peap-ver0", "peapver=1"),
                   ("peap-ver1", "peapver=0")]
    for anon, phase1 in conflicting:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        if ev is None:
            raise Exception("No EAP-Failure seen")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Assorted TLS phase1 knobs that must still allow a normal connection.
    eap_connect(dev[0], ap, "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Client certificate authentication inside the PEAP tunnel uses the
    # phase 2 credential set (ca_cert2/client_cert2/private_key2).
    eap_connect(dev[0], ap, "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                ca_cert2="auth_serv/ca.pem",
                client_cert2="auth_serv/user.pem",
                private_key2="auth_serv/user.key")
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Plain EAP-TLS with PEM certificate and key files.
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    eap_reauth(dev[0], "TLS")
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Encrypted PKCS #8 private key; the passphrase comes from the config.
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key.pkcs8",
                private_key_passwd="whatever")
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
    # The legacy PKCS #5 v1.5 encryption is not available with every TLS
    # library; skip rather than fail where it is missing.
    check_pkcs5_v15_support(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                private_key_passwd="whatever")
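def _set_blob(dev, name, data):
    # Store *data* as wpa_supplicant config blob *name* (hex-encoded over the
    # control interface) and fail with the name of the blob that was rejected.
    if "OK" not in dev.request("SET blob " + name + " " + data.encode("hex")):
        raise Exception("Could not set " + name + " blob")


def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # CA certificate, client certificate and private key are all provided as
    # config blobs instead of files. (The original reported "cacert" when the
    # userkey blob failed; the helper names the blob that actually failed.)
    _set_blob(dev[0], "cacert", read_pem("auth_serv/ca.pem"))
    _set_blob(dev[0], "usercert", read_pem("auth_serv/user.pem"))
    _set_blob(dev[0], "userkey", read_pem("auth_serv/user.rsa-key"))
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")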
def test_ap_wpa2_eap_tls_blob_missing(dev, apdev):
    """EAP-TLS and config blob missing"""
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # All three credential references point at a blob that was never set;
    # the EAP method must fail to initialize rather than proceed.
    missing = "blob://testing-blob-does-not-exist"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert=missing,
                   client_cert=missing,
                   private_key=missing,
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
    """EAP-TLS and TLS Message Length in unfragmented packets"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # include_tls_length=1 makes the supplicant add the TLS Message Length
    # field even when no fragmentation is needed.
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                phase1="include_tls_length=1",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    check_pkcs12_support(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # Passphrase given in the network configuration.
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # No passphrase configured: the supplicant has to ask for it over the
    # control interface and accept it via CTRL-RSP-PASSPHRASE-<id>.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    if ev is None:
        raise Exception("Request for private key passphrase timed out")
    req_id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + req_id + ":whatever")
    dev[0].wait_connected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Run this twice to verify certificate chain handling with OpenSSL. Use two
    # different files to cover both cases of the extra certificate being the
    # one that signed the client certificate and it being unrelated to the
    # client certificate.
    for pkcs12 in ("auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12"):
        for _ in range(2):
            eap_connect(dev[0], ap, "TLS", "tls user",
                        ca_cert="auth_serv/ca.pem",
                        private_key=pkcs12,
                        private_key_passwd="whatever")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    check_pkcs12_support(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # CA certificate and the PKCS#12 bundle are both handed over as
    # hex-encoded config blobs.
    ca_pem = read_pem("auth_serv/ca.pem")
    if "OK" not in dev[0].request("SET blob cacert " + ca_pem.encode("hex")):
        raise Exception("Could not set cacert blob")
    with open("auth_serv/user.pkcs12", "rb") as f:
        p12 = f.read()
    if "OK" not in dev[0].request("SET blob pkcs12 " + p12.encode("hex")):
        raise Exception("Could not set pkcs12 blob")

    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
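def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # dev[0] gets the wrong CA as a config blob, dev[1] as a file; both must
    # reject the server certificate, fail EAP, disconnect and temporarily
    # disable the network block.
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")
    creds = dict(key_mgmt="WPA-EAP", eap="TTLS",
                 identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                 password="password", phase2="auth=MSCHAPV2",
                 wait_connect=False, scan_freq="2412")
    dev[0].connect("test-wpa2-eap", ca_cert="blob://cacert", **creds)
    dev[1].connect("test-wpa2-eap", ca_cert="auth_serv/ca-incorrect.pem",
                   **creds)

    def wait_or_fail(sta, events, timeout, err):
        # wait_event() returns None on timeout; turn that into a failure.
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(err)
        return ev

    # The loop variable was previously named 'dev', shadowing the parameter
    # (the station list); 'sta' keeps the two apart.
    for sta in (dev[0], dev[1]):
        wait_or_fail(sta, ["CTRL-EVENT-EAP-STARTED"], 16,
                     "Association and EAP start timed out")
        ev = wait_or_fail(sta, ["CTRL-EVENT-EAP-METHOD"], 10,
                          "EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        ev = wait_or_fail(sta, ["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                                "CTRL-EVENT-EAP-SUCCESS",
                                "CTRL-EVENT-EAP-FAILURE",
                                "CTRL-EVENT-CONNECTED",
                                "CTRL-EVENT-DISCONNECTED"], 10,
                          "EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = wait_or_fail(sta, ["CTRL-EVENT-EAP-SUCCESS",
                                "CTRL-EVENT-EAP-FAILURE",
                                "CTRL-EVENT-CONNECTED",
                                "CTRL-EVENT-DISCONNECTED"], 10,
                          "EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = wait_or_fail(sta, ["CTRL-EVENT-CONNECTED",
                                "CTRL-EVENT-DISCONNECTED"], 10,
                          "EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        wait_or_fail(sta, ["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
                     "Network block disabling not reported")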
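def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    # The returned hostapd object was assigned but never used; drop it.
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    creds = dict(key_mgmt="WPA-EAP", eap="TTLS",
                 identity="pap user", anonymous_identity="ttls",
                 password="password", phase2="auth=PAP", scan_freq="2412")

    # First network block trusts the right CA and connects normally.
    dev[0].connect("test-wpa2-eap", ca_cert="auth_serv/ca.pem",
                   wait_connect=True, **creds)
    # Second block for the same SSID trusts the wrong CA; it is only added
    # here and selected explicitly after disconnecting.
    nid = dev[0].connect("test-wpa2-eap",
                         ca_cert="auth_serv/ca-incorrect.pem",
                         only_add_network=True, **creds)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(nid, freq="2412")

    # EAP-TTLS (EAP type 21) must be negotiated again from scratch rather
    # than reusing state from the first block ...
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # ... and the failed server certificate validation must end the
    # association with reason code 23 (IEEE 802.1X authentication failed).
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")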
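def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    # Variant of test_ap_wpa2_eap_tls_diff_ca_trust where the first network
    # block configures no ca_cert at all. The unused hostapd handle is dropped.
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    creds = dict(key_mgmt="WPA-EAP", eap="TTLS",
                 identity="pap user", anonymous_identity="ttls",
                 password="password", phase2="auth=PAP", scan_freq="2412")

    # No server certificate validation on the first block.
    dev[0].connect("test-wpa2-eap", wait_connect=True, **creds)
    # Second block trusts the wrong CA; added only, selected below.
    nid = dev[0].connect("test-wpa2-eap",
                         ca_cert="auth_serv/ca-incorrect.pem",
                         only_add_network=True, **creds)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(nid, freq="2412")

    # EAP-TTLS (EAP type 21) must be re-negotiated for the new block ...
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # ... and the certificate validation failure must produce reason code 23
    # (IEEE 802.1X authentication failed) on disconnection.
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")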
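def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    # Variant where the same network block is reused and its ca_cert is
    # changed in place between the two attempts. The unused hostapd handle
    # is dropped.
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    nid = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                         identity="pap user", anonymous_identity="ttls",
                         password="password", phase2="auth=PAP",
                         ca_cert="auth_serv/ca.pem",
                         wait_connect=True, scan_freq="2412")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()

    # Swap the trusted CA for the wrong one on the existing block and retry.
    dev[0].set_network_quoted(nid, "ca_cert", "auth_serv/ca-incorrect.pem")
    dev[0].select_network(nid, freq="2412")

    # EAP-TTLS (EAP type 21) must be negotiated again, not resumed ...
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # ... and the validation failure must disconnect with reason code 23
    # (IEEE 802.1X authentication failed).
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")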
def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    check_domain_suffix_match(dev[0])
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The CA is correct, but domain_suffix_match names a domain the server
    # certificate does not carry: the certificate must be rejected.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    def wait_or_fail(events, timeout, err):
        # wait_event() returns None on timeout; turn that into a failure.
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(err)
        return ev

    wait_or_fail(["CTRL-EVENT-EAP-STARTED"], 16,
                 "Association and EAP start timed out")
    ev = wait_or_fail(["CTRL-EVENT-EAP-METHOD"], 10,
                      "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = wait_or_fail(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                       "CTRL-EVENT-EAP-SUCCESS",
                       "CTRL-EVENT-EAP-FAILURE",
                       "CTRL-EVENT-CONNECTED",
                       "CTRL-EVENT-DISCONNECTED"], 10,
                      "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = wait_or_fail(["CTRL-EVENT-EAP-SUCCESS",
                       "CTRL-EVENT-EAP-FAILURE",
                       "CTRL-EVENT-CONNECTED",
                       "CTRL-EVENT-DISCONNECTED"], 10,
                      "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = wait_or_fail(["CTRL-EVENT-CONNECTED",
                       "CTRL-EVENT-DISCONNECTED"], 10,
                      "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    wait_or_fail(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
                 "Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch"""
    check_domain_match(dev[0])
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Correct CA, but domain_match requires a full-domain match that the
    # server certificate does not satisfy: the certificate must be rejected.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    def wait_or_fail(events, timeout, err):
        # wait_event() returns None on timeout; turn that into a failure.
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(err)
        return ev

    wait_or_fail(["CTRL-EVENT-EAP-STARTED"], 16,
                 "Association and EAP start timed out")
    ev = wait_or_fail(["CTRL-EVENT-EAP-METHOD"], 10,
                      "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = wait_or_fail(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                       "CTRL-EVENT-EAP-SUCCESS",
                       "CTRL-EVENT-EAP-FAILURE",
                       "CTRL-EVENT-CONNECTED",
                       "CTRL-EVENT-DISCONNECTED"], 10,
                      "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = wait_or_fail(["CTRL-EVENT-EAP-SUCCESS",
                       "CTRL-EVENT-EAP-FAILURE",
                       "CTRL-EVENT-CONNECTED",
                       "CTRL-EVENT-DISCONNECTED"], 10,
                      "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = wait_or_fail(["CTRL-EVENT-CONNECTED",
                       "CTRL-EVENT-DISCONNECTED"], 10,
                      "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    wait_or_fail(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
                 "Network block disabling not reported")
2367 def test_ap_wpa2_eap_tls_neg_subject_match(dev
, apdev
):
2368 """WPA2-Enterprise negative test - subject mismatch"""
2369 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2370 hostapd
.add_ap(apdev
[0], params
)
2371 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2372 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2373 password
="password", phase2
="auth=MSCHAPV2",
2374 ca_cert
="auth_serv/ca.pem",
2375 subject_match
="/C=FI/O=w1.fi/CN=example.com",
2376 wait_connect
=False, scan_freq
="2412")
2378 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2380 raise Exception("Association and EAP start timed out")
2382 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD",
2383 "EAP: Failed to initialize EAP method"], timeout
=10)
2385 raise Exception("EAP method selection timed out")
2386 if "EAP: Failed to initialize EAP method" in ev
:
2387 tls
= dev
[0].request("GET tls_library")
2388 if tls
.startswith("OpenSSL"):
2389 raise Exception("Failed to select EAP method")
2390 logger
.info("subject_match not supported - connection failed, so test succeeded")
2392 if "TTLS" not in ev
:
2393 raise Exception("Unexpected EAP method")
2395 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2396 "CTRL-EVENT-EAP-SUCCESS",
2397 "CTRL-EVENT-EAP-FAILURE",
2398 "CTRL-EVENT-CONNECTED",
2399 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2401 raise Exception("EAP result timed out")
2402 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
2403 raise Exception("TLS certificate error not reported")
2404 if "Subject mismatch" not in ev
:
2405 raise Exception("Subject mismatch not reported")
2407 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2408 "CTRL-EVENT-EAP-FAILURE",
2409 "CTRL-EVENT-CONNECTED",
2410 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2412 raise Exception("EAP result(2) timed out")
2413 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
2414 raise Exception("EAP failure not reported")
2416 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
2417 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2419 raise Exception("EAP result(3) timed out")
2420 if "CTRL-EVENT-DISCONNECTED" not in ev
:
2421 raise Exception("Disconnection not reported")
2423 ev
= dev
[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
2425 raise Exception("Network block disabling not reported")
2427 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev
, apdev
):
2428 """WPA2-Enterprise negative test - altsubject mismatch"""
2429 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2430 hostapd
.add_ap(apdev
[0], params
)
2432 tests
= [ "incorrect.example.com",
2433 "DNS:incorrect.example.com",
2437 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev
, apdev
, match
)
2439 def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev
, apdev
, match
):
2440 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2441 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2442 password
="password", phase2
="auth=MSCHAPV2",
2443 ca_cert
="auth_serv/ca.pem",
2444 altsubject_match
=match
,
2445 wait_connect
=False, scan_freq
="2412")
2447 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2449 raise Exception("Association and EAP start timed out")
2451 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD",
2452 "EAP: Failed to initialize EAP method"], timeout
=10)
2454 raise Exception("EAP method selection timed out")
2455 if "EAP: Failed to initialize EAP method" in ev
:
2456 tls
= dev
[0].request("GET tls_library")
2457 if tls
.startswith("OpenSSL"):
2458 raise Exception("Failed to select EAP method")
2459 logger
.info("altsubject_match not supported - connection failed, so test succeeded")
2461 if "TTLS" not in ev
:
2462 raise Exception("Unexpected EAP method")
2464 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2465 "CTRL-EVENT-EAP-SUCCESS",
2466 "CTRL-EVENT-EAP-FAILURE",
2467 "CTRL-EVENT-CONNECTED",
2468 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2470 raise Exception("EAP result timed out")
2471 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
2472 raise Exception("TLS certificate error not reported")
2473 if "AltSubject mismatch" not in ev
:
2474 raise Exception("altsubject mismatch not reported")
2476 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2477 "CTRL-EVENT-EAP-FAILURE",
2478 "CTRL-EVENT-CONNECTED",
2479 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2481 raise Exception("EAP result(2) timed out")
2482 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
2483 raise Exception("EAP failure not reported")
2485 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
2486 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2488 raise Exception("EAP result(3) timed out")
2489 if "CTRL-EVENT-DISCONNECTED" not in ev
:
2490 raise Exception("Disconnection not reported")
2492 ev
= dev
[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
2494 raise Exception("Network block disabling not reported")
2496 dev
[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    # Only ca_cert is supplied -- no client certificate or key -- so the
    # path exercised here is server validation against auth_serv/ca.pem.
    # Both the initial connection and a re-authentication must succeed.
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], "UNAUTH-TLS")
def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
    # Three phases:
    #   1. ca_cert="probe://": the station reports the server certificate
    #      (CTRL-EVENT-EAP-PEER-CERT depth=0 carrying its sha256 hash) and
    #      then aborts with a "Server certificate chain probe" error; the
    #      reported hash must be the expected one.
    #   2. ca_cert="hash://server/sha256/<wrong hash>": a pinned hash that
    #      does not match must yield "Server certificate mismatch" and a
    #      disconnection, never a connection.
    #   3. ca_cert pinned to the correct hash: the connection succeeds.
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    sta = dev[0]
    expected_hash = "53728dde442d4adc27cb10a847234a4315590f0b36786353023c3b0f2e9fdf49"
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def expect(events, timeout, timeout_msg, needle=None, missing_msg=None):
        # wait_event() returning None is the timeout case; when `needle` is
        # given it must also be present in the event text.
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(timeout_msg)
        if needle is not None and needle not in ev:
            raise Exception(missing_msg)
        return ev

    # Phase 1: probe the server certificate.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="probe", ca_cert="probe://",
                wait_connect=False, scan_freq="2412")
    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")
    expect(["CTRL-EVENT-EAP-PEER-CERT depth=0"], 10,
           "No peer server certificate event seen",
           "hash=" + expected_hash,
           "Expected server certificate hash not reported")
    expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], 10, "EAP result timed out",
           "Server certificate chain probe",
           "Server certificate probe not reported")
    sta.wait_disconnected(timeout=10)
    sta.request("REMOVE_NETWORK all")

    # Phase 2: pin a hash that does not match the server certificate.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                wait_connect=False, scan_freq="2412")
    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")
    expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], 10, "EAP result timed out",
           "Server certificate mismatch",
           "Server certificate mismatch not reported")
    sta.wait_disconnected(timeout=10)
    sta.request("REMOVE_NETWORK all")

    # Phase 3: pin the correct hash.
    eap_connect(sta, ap, "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + expected_hash,
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
    # Each station pins the server certificate with a malformed hash://
    # ca_cert value.  None of these may silently degrade into an unpinned
    # or partially checked TLS handshake: the expected outcome is that the
    # TTLS method refuses to initialize at all.
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    bad_pins = [
        # digest algorithm other than sha256
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        # sha256 digest that is too short (62 hex digits instead of 64)
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        # non-hex character in the digest
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    for idx, pin in enumerate(bad_pins):
        dev[idx].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                         identity="DOMAIN\mschapv2 user",
                         anonymous_identity="ttls",
                         password="password", phase2="auth=MSCHAPV2",
                         ca_cert=pin,
                         wait_connect=False, scan_freq="2412")

    init_failure = "EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"
    for idx in range(len(bad_pins)):
        sta = dev[idx]
        if sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16) is None:
            raise Exception("Association and EAP start timed out")
        if sta.wait_event([init_failure], timeout=5) is None:
            raise Exception("Did not report EAP method initialization failure")
2580 def test_ap_wpa2_eap_pwd(dev
, apdev
):
2581 """WPA2-Enterprise connection using EAP-pwd"""
2582 check_eap_capa(dev
[0], "PWD")
2583 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2584 hapd
= hostapd
.add_ap(apdev
[0], params
)
2585 eap_connect(dev
[0], hapd
, "PWD", "pwd user", password
="secret password")
2586 eap_reauth(dev
[0], "PWD")
2587 dev
[0].request("REMOVE_NETWORK all")
2589 eap_connect(dev
[1], hapd
, "PWD",
2590 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2591 password
="secret password",
2594 logger
.info("Negative test with incorrect password")
2595 eap_connect(dev
[2], hapd
, "PWD", "pwd user", password
="secret-password",
2596 expect_failure
=True, local_error_report
=True)
2598 eap_connect(dev
[0], hapd
, "PWD",
2599 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2600 password
="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash"""
    # The "pwd-hash" user authenticates both with its plaintext password and
    # with the NT-hash form password_hex="hash:<nthash>" (presumably the
    # server stores that user's credential as an NT hash).  The same hash
    # presented for "pwd user" must be rejected: a hash must not double as
    # a credential for a different user.
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    nthash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    eap_connect(dev[0], ap, "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], ap, "PWD", "pwd-hash", password_hex=nthash)
    eap_connect(dev[2], ap, "PWD", "pwd user", password_hex=nthash,
                expect_failure=True, local_error_report=True)
2616 def test_ap_wpa2_eap_pwd_groups(dev
, apdev
):
2617 """WPA2-Enterprise connection using various EAP-pwd groups"""
2618 check_eap_capa(dev
[0], "PWD")
2619 tls
= dev
[0].request("GET tls_library")
2620 params
= { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2621 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2622 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
2623 groups
= [ 19, 20, 21, 25, 26 ]
2624 if tls
.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls
and "run=OpenSSL 1.0.2" in tls
:
2625 logger
.info("Add Brainpool EC groups since OpenSSL is new enough")
2626 groups
+= [ 27, 28, 29, 30 ]
2628 logger
.info("Group %d" % i
)
2629 params
['pwd_group'] = str(i
)
2630 hapd
= hostapd
.add_ap(apdev
[0], params
)
2632 eap_connect(dev
[0], hapd
, "PWD", "pwd user",
2633 password
="secret password")
2634 dev
[0].request("REMOVE_NETWORK all")
2635 dev
[0].wait_disconnected()
2636 dev
[0].dump_monitor()
2638 if "BoringSSL" in tls
and i
in [ 25 ]:
2639 logger
.info("Ignore connection failure with group %d with BoringSSL" % i
)
2640 dev
[0].request("DISCONNECT")
2642 dev
[0].request("REMOVE_NETWORK all")
2643 dev
[0].dump_monitor()
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group"""
    # pwd_group="0" is not a usable group, so the exchange must end with
    # CTRL-EVENT-EAP-FAILURE rather than a connection.  wait_event() is
    # called without an explicit timeout here, so the helper's default
    # applies.
    check_eap_capa(dev[0], "PWD")
    ap_conf = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
                "rsn_pairwise": "CCMP", "ieee8021x": "1",
                "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
                "pwd_group": "0" }
    hostapd.add_ap(apdev[0], ap_conf)
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                identity="pwd user", password="secret password",
                scan_freq="2412", wait_connect=False)
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
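def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
    # The AP-side EAP server is configured with a very small fragment_size
    # (40) so that it has to fragment its EAP-pwd messages; the station must
    # still complete the exchange.  The parameters are given explicitly
    # (the generic hostapd.wpa2_eap_params() result was previously built and
    # then overwritten without being used).
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PWD", "pwd user", password="secret password")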
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK"""
    # Baseline connection and re-authentication; then phase1 forces each
    # cipher suite in turn and an EAP success plus connection is expected
    # after every change; then an unsupported suite (cipher=9) must fail
    # negotiation; finally a wrong PSK must be rejected.
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net_id = eap_connect(sta, ap, "GPSK", "gpsk user",
                         password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(sta, "GPSK")

    logger.info("Test forced algorithm selection")
    for cipher in ("cipher=1", "cipher=2"):
        sta.set_network_quoted(net_id, "phase1", cipher)
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        sta.wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    sta.set_network_quoted(net_id, "phase1", "cipher=9")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    # 64-hex-digit pre-shared credential: a connection and a
    # re-authentication must succeed, and a credential that differs only in
    # its first byte must be rejected.
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "SAKE", "sake user",
                password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "SAKE", "sake user",
                password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE"""
    # Baseline connection and re-authentication; then phase1 forces specific
    # DH group / encryption / PRF / MAC proposals, each of which must lead to
    # an EAP success and a connection; then an all-unknown proposal
    # (dhgroup=9 encr=9 prf=9 mac=9) must fail negotiation; finally a wrong
    # password must be rejected.
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net_id = eap_connect(sta, ap, "EKE", "eke user", password="hello")
    eap_reauth(sta, "EKE")

    logger.info("Test forced algorithm selection")
    proposals = ("dhgroup=5 encr=1 prf=2 mac=2",
                 "dhgroup=4 encr=1 prf=2 mac=2",
                 "dhgroup=3 encr=1 prf=2 mac=2",
                 "dhgroup=3 encr=1 prf=1 mac=1")
    for proposal in proposals:
        sta.set_network_quoted(net_id, "phase1", proposal)
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        sta.wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    sta.set_network_quoted(net_id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "EKE", "eke user", password="hello1",
                expect_failure=True)
2744 def test_ap_wpa2_eap_eke_many(dev
, apdev
, params
):
2745 """WPA2-Enterprise connection using EAP-EKE (many connections) [long]"""
2746 if not params
['long']:
2747 raise HwsimSkip("Skip test case with long duration due to --long not specified")
2748 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2749 hostapd
.add_ap(apdev
[0], params
)
2752 for i
in range(100):
2754 dev
[j
].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="EKE",
2755 identity
="eke user", password
="hello",
2756 phase1
="dhgroup=3 encr=1 prf=1 mac=1",
2757 scan_freq
="2412", wait_connect
=False)
2759 ev
= dev
[j
].wait_event(["CTRL-EVENT-CONNECTED",
2760 "CTRL-EVENT-DISCONNECTED"], timeout
=15)
2762 raise Exception("No connected/disconnected event")
2763 if "CTRL-EVENT-DISCONNECTED" in ev
:
2765 # The RADIUS server limits on active sessions can be hit when
2766 # going through this test case, so try to give some more time
2767 # for the server to remove sessions.
2768 logger
.info("Failed to connect i=%d j=%d" % (i
, j
))
2769 dev
[j
].request("REMOVE_NETWORK all")
2773 dev
[j
].request("REMOVE_NETWORK all")
2774 dev
[j
].wait_disconnected()
2775 dev
[j
].dump_monitor()
2776 logger
.info("Total success=%d failure=%d" % (success
, fail
))
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
    # Integrated EAP server configuration with server_id set to an NAI-form
    # identity; the EKE exchange must complete against that server id.
    ap_conf = int_eap_server_params()
    ap_conf['server_id'] = 'example.server@w1.fi'
    ap = hostapd.add_ap(apdev[0], ap_conf)
    eap_connect(dev[0], ap, "EKE", "eke user", password="hello")
2785 def test_ap_wpa2_eap_eke_server_oom(dev
, apdev
):
2786 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
2787 params
= int_eap_server_params()
2788 hapd
= hostapd
.add_ap(apdev
[0], params
)
2789 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
2791 for count
,func
in [ (1, "eap_eke_build_commit"),
2792 (2, "eap_eke_build_commit"),
2793 (3, "eap_eke_build_commit"),
2794 (1, "eap_eke_build_confirm"),
2795 (2, "eap_eke_build_confirm"),
2796 (1, "eap_eke_process_commit"),
2797 (2, "eap_eke_process_commit"),
2798 (1, "eap_eke_process_confirm"),
2799 (1, "eap_eke_process_identity"),
2800 (2, "eap_eke_process_identity"),
2801 (3, "eap_eke_process_identity"),
2802 (4, "eap_eke_process_identity") ]:
2803 with
alloc_fail(hapd
, count
, func
):
2804 eap_connect(dev
[0], hapd
, "EKE", "eke user", password
="hello",
2805 expect_failure
=True)
2806 dev
[0].request("REMOVE_NETWORK all")
2808 for count
,func
,pw
in [ (1, "eap_eke_init", "hello"),
2809 (1, "eap_eke_get_session_id", "hello"),
2810 (1, "eap_eke_getKey", "hello"),
2811 (1, "eap_eke_build_msg", "hello"),
2812 (1, "eap_eke_build_failure", "wrong"),
2813 (1, "eap_eke_build_identity", "hello"),
2814 (2, "eap_eke_build_identity", "hello") ]:
2815 with
alloc_fail(hapd
, count
, func
):
2816 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
2817 eap
="EKE", identity
="eke user", password
=pw
,
2818 wait_connect
=False, scan_freq
="2412")
2819 # This would eventually time out, but we can stop after having
2820 # reached the allocation failure.
2823 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
2825 dev
[0].request("REMOVE_NETWORK all")
2827 for count
in range(1, 1000):
2829 with
alloc_fail(hapd
, count
, "eap_server_sm_step"):
2830 dev
[0].connect("test-wpa2-eap",
2831 key_mgmt
="WPA-EAP WPA-EAP-SHA256",
2832 eap
="EKE", identity
="eke user", password
=pw
,
2833 wait_connect
=False, scan_freq
="2412")
2834 # This would eventually time out, but we can stop after having
2835 # reached the allocation failure.
2838 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
2840 dev
[0].request("REMOVE_NETWORK all")
2841 except Exception, e
:
2842 if str(e
) == "Allocation failure did not trigger":
2844 raise Exception("Too few allocation failures")
2845 logger
.info("%d allocation failures tested" % (count
- 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    # Baseline connection and re-authentication; the same with a small
    # station-side fragment_size ("50"); a wrong password that must be
    # rejected; and fragment_size="0", which must still connect.
    check_eap_capa(dev[0], "IKEV2")
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect_ikev2(**extra):
        eap_connect(sta, ap, "IKEV2", "ikev2 user", **extra)

    connect_ikev2(password="ike password")
    eap_reauth(sta, "IKEV2")
    sta.request("REMOVE_NETWORK all")
    connect_ikev2(password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    connect_ikev2(password="ike-password", expect_failure=True)
    sta.request("REMOVE_NETWORK all")

    connect_ikev2(password="ike password", fragment_size="0")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
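def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
    # The AP-side EAP server is given a small fragment_size ("50") so that
    # its IKEv2 messages are fragmented; the station must still connect and
    # re-authenticate.  The parameters are given explicitly (the generic
    # hostapd.wpa2_eap_params() result was previously built and then
    # overwritten without being used).
    check_eap_capa(dev[0], "IKEV2")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")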
2885 def test_ap_wpa2_eap_ikev2_oom(dev
, apdev
):
2886 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
2887 check_eap_capa(dev
[0], "IKEV2")
2888 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2889 hostapd
.add_ap(apdev
[0], params
)
2891 tests
= [ (1, "dh_init"),
2893 (1, "dh_derive_shared") ]
2894 for count
, func
in tests
:
2895 with
alloc_fail(dev
[0], count
, func
):
2896 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="IKEV2",
2897 identity
="ikev2 user", password
="ike password",
2898 wait_connect
=False, scan_freq
="2412")
2899 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
2901 raise Exception("EAP method not selected")
2903 if "0:" in dev
[0].request("GET_ALLOC_FAIL"):
2906 dev
[0].request("REMOVE_NETWORK all")
2908 tests
= [ (1, "os_get_random;dh_init") ]
2909 for count
, func
in tests
:
2910 with
fail_test(dev
[0], count
, func
):
2911 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="IKEV2",
2912 identity
="ikev2 user", password
="ike password",
2913 wait_connect
=False, scan_freq
="2412")
2914 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
2916 raise Exception("EAP method not selected")
2918 if "0:" in dev
[0].request("GET_FAIL"):
2921 dev
[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    # 32-hex-digit pre-shared credential: connection and re-authentication
    # must succeed; a credential differing in its first byte must fail.
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "PAX")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PAX", "pax.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    # The AP requires the WPA-EAP-SHA256 AKM with management frame
    # protection required (ieee80211w=2); the station connects with
    # sha256=True, and both the MIB (AKM suite 00-0f-ac-5) and the BSS
    # table flags ([WPA2-EAP-SHA256-CCMP]) must reflect that.  A wrong PSK
    # must be rejected.
    sta = dev[0]
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_conf["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_conf["ieee80211w"] = "2"
    ap = hostapd.add_ap(apdev[0], ap_conf)
    eap_connect(sta, ap, "PSK", "psk.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(sta, "PSK", sha256=True)
    check_mib(sta, [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                     ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ])

    bss_entry = sta.get_bss(apdev[0]['bssid'])
    if 'flags' not in bss_entry:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss_entry['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PSK", "psk.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
def test_ap_wpa2_eap_psk_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK and OOM"""
    # Station-side fault injection for EAP-PSK: first allocation failures
    # (alloc_fail / GET_ALLOC_FAIL) in the AES-EAX primitives, then forced
    # failures (fail_test / GET_FAIL) of the underlying AES-CTR and OMAC1
    # steps, and finally a forced failure of the AES block encrypt itself,
    # which must surface as CTRL-EVENT-EAP-FAILURE rather than a hang or a
    # connection.  Every case starts a fresh association and is torn down
    # with REMOVE_NETWORK all.
    skip_with_fips(dev[0])
    sta = dev[0]
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def start_psk():
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                    identity="psk.user@example.com",
                    password_hex="0123456789abcdef0123456789abcdef",
                    wait_connect=False, scan_freq="2412")

    def run_cases(injector, query, cases):
        # injector is alloc_fail or fail_test; query is the matching
        # control-interface command handed to wait_fail_trigger().
        for count, func in cases:
            with injector(sta, count, func):
                start_psk()
                if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5) is None:
                    raise Exception("EAP method not selected")
                wait_fail_trigger(sta, query,
                                  note="Failure not triggered: %d:%s" % (count, func))
                sta.request("REMOVE_NETWORK all")
                sta.wait_disconnected()

    run_cases(alloc_fail, "GET_ALLOC_FAIL",
              [ (1, "=aes_128_eax_encrypt"),
                (1, "=aes_128_eax_decrypt") ])

    run_cases(fail_test, "GET_FAIL",
              [ (1, "aes_ctr_encrypt;aes_128_eax_encrypt"),
                (1, "omac1_aes_128;aes_128_eax_encrypt"),
                (2, "omac1_aes_128;aes_128_eax_encrypt"),
                (3, "omac1_aes_128;aes_128_eax_encrypt"),
                (1, "omac1_aes_vector"),
                (1, "omac1_aes_128;aes_128_eax_decrypt"),
                (2, "omac1_aes_128;aes_128_eax_decrypt"),
                (3, "omac1_aes_128;aes_128_eax_decrypt"),
                (1, "aes_ctr_encrypt;aes_128_eax_decrypt") ])

    with fail_test(sta, 1, "aes_128_encrypt_block"):
        start_psk()
        if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
            raise Exception("EAP method failure not reported")
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()
3016 def test_ap_wpa_eap_peap_eap_mschapv2(dev
, apdev
):
3017 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
3018 check_eap_capa(dev
[0], "MSCHAPV2")
3019 params
= hostapd
.wpa_eap_params(ssid
="test-wpa-eap")
3020 hapd
= hostapd
.add_ap(apdev
[0], params
)
3021 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
3022 identity
="user", password
="password", phase2
="auth=MSCHAPV2",
3023 ca_cert
="auth_serv/ca.pem", wait_connect
=False,
3025 eap_check_auth(dev
[0], "PEAP", True, rsn
=False)
3026 hwsim_utils
.test_connectivity(dev
[0], hapd
)
3027 eap_reauth(dev
[0], "PEAP", rsn
=False)
3028 check_mib(dev
[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
3029 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
3030 status
= dev
[0].get_status(extra
="VERBOSE")
3031 if 'portControl' not in status
:
3032 raise Exception("portControl missing from STATUS-VERBOSE")
3033 if status
['portControl'] != 'Auto':
3034 raise Exception("Unexpected portControl value: " + status
['portControl'])
3035 if 'eap_session_id' not in status
:
3036 raise Exception("eap_session_id missing from STATUS-VERBOSE")
3037 if not status
['eap_session_id'].startswith("19"):
3038 raise Exception("Unexpected eap_session_id value: " + status
['eap_session_id'])
3040 def test_ap_wpa2_eap_interactive(dev
, apdev
):
3041 """WPA2-Enterprise connection using interactive identity/password entry"""
3042 check_eap_capa(dev
[0], "MSCHAPV2")
3043 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3044 hapd
= hostapd
.add_ap(apdev
[0], params
)
3046 tests
= [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
3047 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
3049 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
3050 "TTLS", "ttls", None, "auth=MSCHAPV2",
3051 "DOMAIN\mschapv2 user", "password"),
3052 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
3053 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
3054 ("Connection with dynamic TTLS/EAP-MD5 password entry",
3055 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
3056 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
3057 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
3058 ("Connection with dynamic PEAP/EAP-GTC password entry",
3059 "PEAP", None, "user", "auth=GTC", None, "password") ]
3060 for [desc
,eap
,anon
,identity
,phase2
,req_id
,req_pw
] in tests
:
3062 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
=eap
,
3063 anonymous_identity
=anon
, identity
=identity
,
3064 ca_cert
="auth_serv/ca.pem", phase2
=phase2
,
3065 wait_connect
=False, scan_freq
="2412")
3067 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
3069 raise Exception("Request for identity timed out")
3070 id = ev
.split(':')[0].split('-')[-1]
3071 dev
[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id
)
3072 ev
= dev
[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
3074 raise Exception("Request for password timed out")
3075 id = ev
.split(':')[0].split('-')[-1]
3076 type = "OTP" if "CTRL-REQ-OTP" in ev
else "PASSWORD"
3077 dev
[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw
)
3078 dev
[0].wait_connected(timeout
=10)
3079 dev
[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
    """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
    # The EAP network is added with identity=None, so the supplicant has to
    # ask for it (CTRL-REQ-IDENTITY); the identity is supplied over the
    # control interface and the connection must complete.  A second network
    # (added with only_add_network=True) is then enabled while connected;
    # that must not make the supplicant start a new authentication, i.e.
    # "SME: Trying to authenticate" must not appear within one second.
    check_eap_capa(dev[0], "MSCHAPV2")
    sta = dev[0]
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    other_net = sta.connect("other", key_mgmt="NONE", scan_freq="2412",
                            only_add_network=True)

    identity_reply = "DOMAIN\mschapv2 user"
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                anonymous_identity="ttls", identity=None,
                password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                wait_connect=False, scan_freq="2412")
    ev = sta.wait_event(["CTRL-REQ-IDENTITY"])
    if ev is None:
        raise Exception("Request for identity timed out")
    # The request line is "CTRL-REQ-IDENTITY-<num>:..."; the response has
    # to echo that number back.
    req_num = ev.split(':')[0].split('-')[-1]
    sta.request("CTRL-RSP-IDENTITY-" + req_num + ":" + identity_reply)
    sta.wait_connected(timeout=10)

    if "OK" not in sta.request("ENABLE_NETWORK " + str(other_net)):
        raise Exception("Failed to enable network")
    if sta.wait_event(["SME: Trying to authenticate"], timeout=1) is not None:
        raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
    sta.request("REMOVE_NETWORK all")
# Connects dev[0] with the EAP vendor-test method, reauthenticates, and then
# connects dev[1] with the same method.
# NOTE(review): the trailing arguments of the dev[1] eap_connect() call are not
# shown in this rendering (gap in the line numbering).
3110 def test_ap_wpa2_eap_vendor_test(dev
, apdev
):
3111 """WPA2-Enterprise connection using EAP vendor test"""
3112 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3113 hapd
= hostapd
.add_ap(apdev
[0], params
)
3114 eap_connect(dev
[0], hapd
, "VENDOR-TEST", "vendor-test")
3115 eap_reauth(dev
[0], "VENDOR-TEST")
3116 eap_connect(dev
[1], hapd
, "VENDOR-TEST", "vendor-test",
# Fault injection: each entry of `tests` names an allocation site in the EAP
# vendor-test method that alloc_fail() makes fail once; the connection attempt
# is then expected to hit the trigger (wait_fail_trigger) rather than crash.
# NOTE(review): the loop header iterating over `tests` (which binds `func`) and
# some call arguments are not shown in this rendering.
3119 def test_ap_wpa2_eap_vendor_test_oom(dev
, apdev
):
3120 """WPA2-Enterprise connection using EAP vendor test (OOM)"""
3121 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3122 hostapd
.add_ap(apdev
[0], params
)
3124 tests
= [ "eap_vendor_test_init",
3125 "eap_msg_alloc;eap_vendor_test_process",
3126 "eap_vendor_test_getKey" ]
3128 with
alloc_fail(dev
[0], 1, func
):
3129 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
3131 eap
="VENDOR-TEST", identity
="vendor-test",
3133 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
3134 dev
[0].request("REMOVE_NETWORK all")
3135 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # phase1 fast_provisioning=1 requests unauthenticated provisioning (see the
    # docstring); the provisioned PAC is kept in the "fast_pac" blob.
    fast_opts = dict(anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                     phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    eap_connect(dev[0], hapd, "FAST", "user", **fast_opts)
    hwsim_utils.test_connectivity(dev[0], hapd)
    # The reauthentication must resume the TLS session via the PAC.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
# Provisions EAP-FAST PACs into files under params['logdir'] (text format for
# dev[0], binary format for dev[1]) and checks that the text file carries the
# "wpa_supplicant EAP-FAST PAC file - version 1" header and a "PAC-Key=" line.
# The PAC file therefore holds key material; pac_file2 is removed at the end.
# NOTE(review): this rendering omits several lines (including the read of the
# file contents into `data` and the cleanup of pac_file), so the body shown is
# not complete.
3151 def test_ap_wpa2_eap_fast_pac_file(dev
, apdev
, params
):
3152 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
3153 check_eap_capa(dev
[0], "FAST")
3154 pac_file
= os
.path
.join(params
['logdir'], "fast.pac")
3155 pac_file2
= os
.path
.join(params
['logdir'], "fast-bin.pac")
3156 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3157 hapd
= hostapd
.add_ap(apdev
[0], params
)
3160 eap_connect(dev
[0], hapd
, "FAST", "user",
3161 anonymous_identity
="FAST", password
="password",
3162 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3163 phase1
="fast_provisioning=1", pac_file
=pac_file
)
3164 with
open(pac_file
, "r") as f
:
3166 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data
:
3167 raise Exception("PAC file header missing")
3168 if "PAC-Key=" not in data
:
3169 raise Exception("PAC-Key missing from PAC file")
3170 dev
[0].request("REMOVE_NETWORK all")
3171 eap_connect(dev
[0], hapd
, "FAST", "user",
3172 anonymous_identity
="FAST", password
="password",
3173 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3176 eap_connect(dev
[1], hapd
, "FAST", "user",
3177 anonymous_identity
="FAST", password
="password",
3178 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3179 phase1
="fast_provisioning=1 fast_pac_format=binary",
3181 dev
[1].request("REMOVE_NETWORK all")
3182 eap_connect(dev
[1], hapd
, "FAST", "user",
3183 anonymous_identity
="FAST", password
="password",
3184 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3185 phase1
="fast_pac_format=binary",
3193 os
.remove(pac_file2
)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    def connect_with_pac_list_len(max_len):
        # Both rounds use the same EAP-FAST configuration and the binary PAC
        # stored in the "fast_pac_bin" blob; only fast_max_pac_list_len varies.
        phase1 = "fast_provisioning=1 fast_max_pac_list_len=%d fast_pac_format=binary" % max_len
        eap_connect(dev[0], hapd, "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1=phase1, pac_file="blob://fast_pac_bin")

    connect_with_pac_list_len(1)
    # Reauthentication must resume the TLS session using the provisioned PAC.
    res = eap_reauth(dev[0], "FAST")
    if res['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")

    # Verify fast_max_pac_list_len=0 special case
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    connect_with_pac_list_len(0)
# Two EAP-FAST attempts without a usable PAC configuration: first with a PAC
# blob that is not in use and no provisioning phase1, then with no pac_file at
# all. Both are expected to end in CTRL-EVENT-EAP-FAILURE rather than a
# connection.
# NOTE(review): the conditions guarding the timeout exceptions are not shown in
# this rendering (gaps in the line numbering).
3220 def test_ap_wpa2_eap_fast_missing_pac_config(dev
, apdev
):
3221 """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
3222 check_eap_capa(dev
[0], "FAST")
3223 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3224 hostapd
.add_ap(apdev
[0], params
)
3226 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3227 identity
="user", anonymous_identity
="FAST",
3228 password
="password",
3229 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3230 pac_file
="blob://fast_pac_not_in_use",
3231 wait_connect
=False, scan_freq
="2412")
3232 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3234 raise Exception("Timeout on EAP failure report")
3235 dev
[0].request("REMOVE_NETWORK all")
3237 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3238 identity
="user", anonymous_identity
="FAST",
3239 password
="password",
3240 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3241 wait_connect
=False, scan_freq
="2412")
3242 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3244 raise Exception("Timeout on EAP failure report")
# Robustness of the binary PAC code paths. Three kinds of fault are driven
# through the "fast_pac_bin_errors" blob: allocation failures while saving /
# writing a PAC, a set of malformed binary PAC blobs (the hex strings in
# `tests`) that must make EAP method initialization fail ("EAP: Failed to
# initialize EAP method") instead of being accepted, and allocation failures
# while loading a well-formed PAC and while extracting its A-ID.
# NOTE(review): loop headers (e.g. the one binding `t`) and the conditions
# guarding "Failure not reported" are not shown in this rendering.
3246 def test_ap_wpa2_eap_fast_binary_pac_errors(dev
, apdev
):
3247 """EAP-FAST and binary PAC errors"""
3248 check_eap_capa(dev
[0], "FAST")
3249 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3250 hapd
= hostapd
.add_ap(apdev
[0], params
)
3252 tests
= [ (1, "=eap_fast_save_pac_bin"),
3253 (1, "eap_fast_write_pac"),
3254 (2, "eap_fast_write_pac"), ]
3255 for count
, func
in tests
:
3256 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors "):
3257 raise Exception("Could not set blob")
3259 with
alloc_fail(dev
[0], count
, func
):
3260 eap_connect(dev
[0], hapd
, "FAST", "user",
3261 anonymous_identity
="FAST", password
="password",
3262 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3263 phase1
="fast_provisioning=1 fast_pac_format=binary",
3264 pac_file
="blob://fast_pac_bin_errors")
3265 dev
[0].request("REMOVE_NETWORK all")
3266 dev
[0].wait_disconnected()
3268 tests
= [ "00", "000000000000", "6ae4920c0001",
3270 "6ae4920c0000" + "0000" + 32*"00" + "ffff" + "0000",
3271 "6ae4920c0000" + "0000" + 32*"00" + "0001" + "0000",
3272 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0001",
3273 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0008" + "00040000" + "0007000100"]
3275 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + t
):
3276 raise Exception("Could not set blob")
3278 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3279 identity
="user", anonymous_identity
="FAST",
3280 password
="password",
3281 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3282 phase1
="fast_provisioning=1 fast_pac_format=binary",
3283 pac_file
="blob://fast_pac_bin_errors",
3284 scan_freq
="2412", wait_connect
=False)
3285 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"],
3288 raise Exception("Failure not reported")
3289 dev
[0].request("REMOVE_NETWORK all")
3290 dev
[0].wait_disconnected()
3292 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0000"
3293 tests
= [ (1, "eap_fast_load_pac_bin"),
3294 (2, "eap_fast_load_pac_bin"),
3295 (3, "eap_fast_load_pac_bin") ]
3296 for count
, func
in tests
:
3297 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3298 raise Exception("Could not set blob")
3300 with
alloc_fail(dev
[0], count
, func
):
3301 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3302 identity
="user", anonymous_identity
="FAST",
3303 password
="password",
3304 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3305 phase1
="fast_provisioning=1 fast_pac_format=binary",
3306 pac_file
="blob://fast_pac_bin_errors",
3307 scan_freq
="2412", wait_connect
=False)
3308 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"],
3311 raise Exception("Failure not reported")
3312 dev
[0].request("REMOVE_NETWORK all")
3313 dev
[0].wait_disconnected()
3315 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0005" + "0011223344"
3316 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3317 raise Exception("Could not set blob")
3319 eap_connect(dev
[0], hapd
, "FAST", "user",
3320 anonymous_identity
="FAST", password
="password",
3321 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3322 phase1
="fast_provisioning=1 fast_pac_format=binary",
3323 pac_file
="blob://fast_pac_bin_errors")
3324 dev
[0].request("REMOVE_NETWORK all")
3325 dev
[0].wait_disconnected()
3327 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0009" + "00040000" + "0007000100"
3328 tests
= [ (1, "eap_fast_pac_get_a_id"),
3329 (2, "eap_fast_pac_get_a_id") ]
3330 for count
, func
in tests
:
3331 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3332 raise Exception("Could not set blob")
3333 with
alloc_fail(dev
[0], count
, func
):
3334 eap_connect(dev
[0], hapd
, "FAST", "user",
3335 anonymous_identity
="FAST", password
="password",
3336 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3337 phase1
="fast_provisioning=1 fast_pac_format=binary",
3338 pac_file
="blob://fast_pac_bin_errors")
3339 dev
[0].request("REMOVE_NETWORK all")
3340 dev
[0].wait_disconnected()
# Robustness of the text PAC parser and writer. Allocation failures are
# injected into the hex parsing of PAC-Key / PAC-Opaque / A-ID and into
# eap_fast_parse_start / eap_fast_save_pac while provisioning through the
# "fast_pac_text_errors" blob; a PAC consisting only of the version header is
# then expected to make EAP method initialization fail; finally a PAC list is
# provisioned from several servers (distinct A-IDs) with an injected failure in
# eap_fast_add_pac_data.
# NOTE(review): the lines that build the header-only `pac` string, the loop
# header binding `i`, and the conditions guarding "Failure not reported" are
# not shown in this rendering.
3342 def test_ap_wpa2_eap_fast_text_pac_errors(dev
, apdev
):
3343 """EAP-FAST and text PAC errors"""
3344 check_eap_capa(dev
[0], "FAST")
3345 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3346 hostapd
.add_ap(apdev
[0], params
)
3348 tests
= [ (1, "eap_fast_parse_hex;eap_fast_parse_pac_key"),
3349 (1, "eap_fast_parse_hex;eap_fast_parse_pac_opaque"),
3350 (1, "eap_fast_parse_hex;eap_fast_parse_a_id"),
3351 (1, "eap_fast_parse_start"),
3352 (1, "eap_fast_save_pac") ]
3353 for count
, func
in tests
:
3354 dev
[0].request("FLUSH")
3355 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors "):
3356 raise Exception("Could not set blob")
3358 with
alloc_fail(dev
[0], count
, func
):
3359 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3360 identity
="user", anonymous_identity
="FAST",
3361 password
="password",
3362 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3363 phase1
="fast_provisioning=1",
3364 pac_file
="blob://fast_pac_text_errors",
3365 scan_freq
="2412", wait_connect
=False)
3366 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
3367 dev
[0].request("REMOVE_NETWORK all")
3368 dev
[0].wait_disconnected()
3370 pac
= "wpa_supplicant EAP-FAST PAC file - version 1\n"
3374 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors " + pac
.encode("hex")):
3375 raise Exception("Could not set blob")
3377 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3378 identity
="user", anonymous_identity
="FAST",
3379 password
="password",
3380 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3381 phase1
="fast_provisioning=1",
3382 pac_file
="blob://fast_pac_text_errors",
3383 scan_freq
="2412", wait_connect
=False)
3384 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"], timeout
=5)
3386 raise Exception("Failure not reported")
3387 dev
[0].request("REMOVE_NETWORK all")
3388 dev
[0].wait_disconnected()
3390 dev
[0].request("FLUSH")
3391 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors "):
3392 raise Exception("Could not set blob")
3394 with
alloc_fail(dev
[0], 1, "eap_fast_add_pac_data"):
3396 params
= int_eap_server_params()
3397 params
['ssid'] = "test-wpa2-eap-2"
3398 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3399 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3400 params
['eap_fast_a_id_info'] = "test server %d" % i
3402 hapd2
= hostapd
.add_ap(apdev
[1], params
)
3404 dev
[0].connect("test-wpa2-eap-2", key_mgmt
="WPA-EAP", eap
="FAST",
3405 identity
="user", anonymous_identity
="FAST",
3406 password
="password",
3407 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3408 phase1
="fast_provisioning=1",
3409 pac_file
="blob://fast_pac_text_errors",
3410 scan_freq
="2412", wait_connect
=False)
3411 dev
[0].wait_connected()
3412 dev
[0].request("REMOVE_NETWORK all")
3413 dev
[0].wait_disconnected()
# Provisions PACs from a series of servers that differ in
# pac_opaque_encr_key / eap_fast_a_id (indexed by `i`) while the station is
# limited to fast_max_pac_list_len=2, so the PAC list kept in the
# "fast_pac_truncate" blob has to be truncated.
# NOTE(review): the loop header binding `i` is not shown in this rendering, so
# the number of iterations cannot be read from this page.
3417 def test_ap_wpa2_eap_fast_pac_truncate(dev
, apdev
):
3418 """EAP-FAST and PAC list truncation"""
3419 check_eap_capa(dev
[0], "FAST")
3420 if "OK" not in dev
[0].request("SET blob fast_pac_truncate "):
3421 raise Exception("Could not set blob")
3423 params
= int_eap_server_params()
3424 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3425 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3426 params
['eap_fast_a_id_info'] = "test server %d" % i
3427 hapd
= hostapd
.add_ap(apdev
[0], params
)
3429 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3430 identity
="user", anonymous_identity
="FAST",
3431 password
="password",
3432 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3433 phase1
="fast_provisioning=1 fast_max_pac_list_len=2",
3434 pac_file
="blob://fast_pac_truncate",
3435 scan_freq
="2412", wait_connect
=False)
3436 dev
[0].wait_connected()
3437 dev
[0].request("REMOVE_NETWORK all")
3438 dev
[0].wait_disconnected()
# PAC refresh: the server is first run with pac_key_refresh_time=1 and
# pac_key_lifetime=10, then with pac_key_refresh_time=10 (equal to the
# lifetime); both rounds provision through the "fast_pac_refresh" blob from
# servers indexed by `i` and expect a successful connection.
# NOTE(review): the loop headers binding `i` and the lines between the two
# rounds are not shown in this rendering.
3442 def test_ap_wpa2_eap_fast_pac_refresh(dev
, apdev
):
3443 """EAP-FAST and PAC refresh"""
3444 check_eap_capa(dev
[0], "FAST")
3445 if "OK" not in dev
[0].request("SET blob fast_pac_refresh "):
3446 raise Exception("Could not set blob")
3448 params
= int_eap_server_params()
3449 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3450 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3451 params
['eap_fast_a_id_info'] = "test server %d" % i
3452 params
['pac_key_refresh_time'] = "1"
3453 params
['pac_key_lifetime'] = "10"
3454 hapd
= hostapd
.add_ap(apdev
[0], params
)
3456 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3457 identity
="user", anonymous_identity
="FAST",
3458 password
="password",
3459 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3460 phase1
="fast_provisioning=1",
3461 pac_file
="blob://fast_pac_refresh",
3462 scan_freq
="2412", wait_connect
=False)
3463 dev
[0].wait_connected()
3464 dev
[0].request("REMOVE_NETWORK all")
3465 dev
[0].wait_disconnected()
3470 params
= int_eap_server_params()
3471 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3472 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3473 params
['eap_fast_a_id_info'] = "test server %d" % i
3474 params
['pac_key_refresh_time'] = "10"
3475 params
['pac_key_lifetime'] = "10"
3476 hapd
= hostapd
.add_ap(apdev
[0], params
)
3478 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3479 identity
="user", anonymous_identity
="FAST",
3480 password
="password",
3481 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3482 phase1
="fast_provisioning=1",
3483 pac_file
="blob://fast_pac_refresh",
3484 scan_freq
="2412", wait_connect
=False)
3485 dev
[0].wait_connected()
3486 dev
[0].request("REMOVE_NETWORK all")
3487 dev
[0].wait_disconnected()
# PAC expiry: the server issues PACs with pac_key_lifetime=2 (no refresh).
# After the first connection the station flushes its PMKSA cache and
# reconnects; the expired PAC must be rejected with CTRL-EVENT-EAP-FAILURE
# ("No EAP-Failure seen after expired PAC"), after which selecting the network
# again (fast_provisioning=2) must re-provision and connect.
# NOTE(review): the loop header binding `i`, the wait between the phases and
# the condition guarding the EAP-Failure exception are not shown in this
# rendering.
3491 def test_ap_wpa2_eap_fast_pac_lifetime(dev
, apdev
):
3492 """EAP-FAST and PAC lifetime"""
3493 check_eap_capa(dev
[0], "FAST")
3494 if "OK" not in dev
[0].request("SET blob fast_pac_refresh "):
3495 raise Exception("Could not set blob")
3498 params
= int_eap_server_params()
3499 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3500 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3501 params
['eap_fast_a_id_info'] = "test server %d" % i
3502 params
['pac_key_refresh_time'] = "0"
3503 params
['pac_key_lifetime'] = "2"
3504 hapd
= hostapd
.add_ap(apdev
[0], params
)
3506 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3507 identity
="user", anonymous_identity
="FAST",
3508 password
="password",
3509 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3510 phase1
="fast_provisioning=2",
3511 pac_file
="blob://fast_pac_refresh",
3512 scan_freq
="2412", wait_connect
=False)
3513 dev
[0].wait_connected()
3514 dev
[0].request("DISCONNECT")
3515 dev
[0].wait_disconnected()
3518 dev
[0].request("PMKSA_FLUSH")
3519 dev
[0].request("RECONNECT")
3520 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
3522 raise Exception("No EAP-Failure seen after expired PAC")
3523 dev
[0].request("DISCONNECT")
3524 dev
[0].wait_disconnected()
3526 dev
[0].select_network(id)
3527 dev
[0].wait_connected()
3528 dev
[0].request("REMOVE_NETWORK all")
3529 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    # phase1 fast_provisioning=2 selects authenticated provisioning (see the
    # docstring) with GTC as the inner method; the PAC is kept in the
    # "fast_pac_auth" blob.
    eap_connect(dev[0], hapd, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # Reauthentication must resume the TLS session using the provisioned PAC.
    reused = eap_reauth(dev[0], "FAST")['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
# Changing the network's identity to "user2" after a successful EAP-FAST/GTC
# connection must drop the association; the new authentication is expected to
# start EAP-FAST (CTRL-EVENT-EAP-METHOD) and then fail (CTRL-EVENT-EAP-FAILURE).
# NOTE(review): the conditions guarding the two exceptions are not shown in
# this rendering.
3545 def test_ap_wpa2_eap_fast_gtc_identity_change(dev
, apdev
):
3546 """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
3547 check_eap_capa(dev
[0], "FAST")
3548 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3549 hapd
= hostapd
.add_ap(apdev
[0], params
)
3550 id = eap_connect(dev
[0], hapd
, "FAST", "user",
3551 anonymous_identity
="FAST", password
="password",
3552 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3553 phase1
="fast_provisioning=2",
3554 pac_file
="blob://fast_pac_auth")
3555 dev
[0].set_network_quoted(id, "identity", "user2")
3556 dev
[0].wait_disconnected()
3557 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
3559 raise Exception("EAP-FAST not started")
3560 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
3562 raise Exception("EAP failure not reported")
3563 dev
[0].wait_disconnected()
# Injects an allocation failure into the TLS-library-specific key derivation
# used by EAP-FAST (tls_connection_get_eap_fast_key with OpenSSL,
# tls_connection_prf with the internal TLS library) and expects the
# authentication to end in CTRL-EVENT-EAP-FAILURE instead of connecting.
# NOTE(review): the lines assigning `count` and the condition guarding the
# failure exception are not shown in this rendering.
3565 def test_ap_wpa2_eap_fast_prf_oom(dev
, apdev
):
3566 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
3567 check_eap_capa(dev
[0], "FAST")
3568 tls
= dev
[0].request("GET tls_library")
3569 if tls
.startswith("OpenSSL"):
3570 func
= "tls_connection_get_eap_fast_key"
3572 elif tls
.startswith("internal"):
3573 func
= "tls_connection_prf"
3576 raise HwsimSkip("Unsupported TLS library")
3577 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3578 hapd
= hostapd
.add_ap(apdev
[0], params
)
3579 with
alloc_fail(dev
[0], count
, func
):
3580 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3581 identity
="user", anonymous_identity
="FAST",
3582 password
="password", ca_cert
="auth_serv/ca.pem",
3584 phase1
="fast_provisioning=2",
3585 pac_file
="blob://fast_pac_auth",
3586 wait_connect
=False, scan_freq
="2412")
3587 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
3589 raise Exception("EAP failure not reported")
3590 dev
[0].request("DISCONNECT")
# Server-side fault injection: an allocation failure in hostapd's
# tls_session_ticket_ext_cb during EAP-FAST provisioning must surface to the
# station as CTRL-EVENT-EAP-FAILURE (eap_connect is called with
# expect_failure=True); the network is then re-selected once the fault is gone.
# NOTE(review): the condition guarding "No EAP failure reported" and the
# lines after select_network() are not shown in this rendering.
3592 def test_ap_wpa2_eap_fast_server_oom(dev
, apdev
):
3593 """EAP-FAST/MSCHAPv2 and server OOM"""
3594 check_eap_capa(dev
[0], "FAST")
3596 params
= int_eap_server_params()
3597 params
['dh_file'] = 'auth_serv/dh.conf'
3598 params
['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
3599 params
['eap_fast_a_id'] = '1011'
3600 params
['eap_fast_a_id_info'] = 'another test server'
3601 hapd
= hostapd
.add_ap(apdev
[0], params
)
3603 with
alloc_fail(hapd
, 1, "tls_session_ticket_ext_cb"):
3604 id = eap_connect(dev
[0], hapd
, "FAST", "user",
3605 anonymous_identity
="FAST", password
="password",
3606 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3607 phase1
="fast_provisioning=1",
3608 pac_file
="blob://fast_pac",
3609 expect_failure
=True)
3610 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
3612 raise Exception("No EAP failure reported")
3613 dev
[0].wait_disconnected()
3614 dev
[0].request("DISCONNECT")
3616 dev
[0].select_network(id, freq
="2412")
# OpenSSL only. Authenticated provisioning must negotiate DHE-RSA-AES256-SHA
# ("EAP TLS cipher" status field); afterwards each cipher in `tests` is forced
# through openssl_ciphers and the negotiated cipher must match. A failure to
# select the EAP method with RC4-SHA is tolerated only when the runtime library
# reports "run=OpenSSL 1.1" (RC4 is not available there).
# NOTE(review): the full `tests` list, the `try:` around eap_connect() and the
# condition guarding the final exception are not shown in this rendering.
3618 def test_ap_wpa2_eap_fast_cipher_suites(dev
, apdev
):
3619 """EAP-FAST and different TLS cipher suites"""
3620 check_eap_capa(dev
[0], "FAST")
3621 tls
= dev
[0].request("GET tls_library")
3622 if not tls
.startswith("OpenSSL"):
3623 raise HwsimSkip("TLS library is not OpenSSL: " + tls
)
3625 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3626 hapd
= hostapd
.add_ap(apdev
[0], params
)
3628 dev
[0].request("SET blob fast_pac_ciphers ")
3629 eap_connect(dev
[0], hapd
, "FAST", "user",
3630 anonymous_identity
="FAST", password
="password",
3631 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3632 phase1
="fast_provisioning=2",
3633 pac_file
="blob://fast_pac_ciphers")
3634 res
= dev
[0].get_status_field('EAP TLS cipher')
3635 dev
[0].request("REMOVE_NETWORK all")
3636 dev
[0].wait_disconnected()
3637 if res
!= "DHE-RSA-AES256-SHA":
3638 raise Exception("Unexpected cipher suite for provisioning: " + res
)
3640 tests
= [ "DHE-RSA-AES128-SHA",
3644 "DHE-RSA-AES256-SHA" ]
3645 for cipher
in tests
:
3646 dev
[0].dump_monitor()
3647 logger
.info("Testing " + cipher
)
3649 eap_connect(dev
[0], hapd
, "FAST", "user",
3650 openssl_ciphers
=cipher
,
3651 anonymous_identity
="FAST", password
="password",
3652 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3653 pac_file
="blob://fast_pac_ciphers")
3654 except Exception, e
:
3655 if "Could not select EAP method" in str(e
) and cipher
== "RC4-SHA":
3656 tls
= dev
[0].request("GET tls_library")
3657 if "run=OpenSSL 1.1" in tls
:
3658 logger
.info("Allow failure due to missing TLS library support")
3659 dev
[0].request("REMOVE_NETWORK all")
3660 dev
[0].wait_disconnected()
3663 res
= dev
[0].get_status_field('EAP TLS cipher')
3664 dev
[0].request("REMOVE_NETWORK all")
3665 dev
[0].wait_disconnected()
3667 raise Exception("Unexpected TLS cipher info (configured %s): %s" % (cipher
, res
))
# Walks through the server-side eap_fast_prov settings with a single station
# network and the "fast_pac_prov" blob: provisioning refused while the server
# has it disabled (0); authenticated provisioning (2) succeeds; with
# provisioning disabled again the previously provisioned PAC still connects;
# dropping the PAC then makes the connection fail; anonymous provisioning (1)
# yields an EAP-Failure first and then a successful connection; and the PAC
# obtained that way is usable once more with provisioning disabled. The
# outcome of each phase is read from the CTRL-EVENT-EAP-STATUS completion
# event's parameter.
# NOTE(review): the loop header binding `i`, the wait_event timeouts and the
# conditions guarding "EAP result not reported" are not shown in this
# rendering.
3669 def test_ap_wpa2_eap_fast_prov(dev
, apdev
):
3670 """EAP-FAST and provisioning options"""
3671 check_eap_capa(dev
[0], "FAST")
3672 if "OK" not in dev
[0].request("SET blob fast_pac_prov "):
3673 raise Exception("Could not set blob")
3676 params
= int_eap_server_params()
3677 params
['disable_pmksa_caching'] = '1'
3678 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3679 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3680 params
['eap_fast_a_id_info'] = "test server %d" % i
3681 params
['eap_fast_prov'] = "0"
3682 hapd
= hostapd
.add_ap(apdev
[0], params
)
3684 logger
.info("Provisioning attempt while server has provisioning disabled")
3685 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3686 identity
="user", anonymous_identity
="FAST",
3687 password
="password",
3688 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3689 phase1
="fast_provisioning=2",
3690 pac_file
="blob://fast_pac_prov",
3691 scan_freq
="2412", wait_connect
=False)
3692 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3695 raise Exception("EAP result not reported")
3696 if "parameter='failure'" not in ev
:
3697 raise Exception("Unexpected EAP result: " + ev
)
3698 dev
[0].wait_disconnected()
3699 dev
[0].request("DISCONNECT")
3700 dev
[0].dump_monitor()
3703 logger
.info("Authenticated provisioning")
3704 hapd
.set("eap_fast_prov", "2")
3707 dev
[0].select_network(id, freq
="2412")
3708 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3711 raise Exception("EAP result not reported")
3712 if "parameter='success'" not in ev
:
3713 raise Exception("Unexpected EAP result: " + ev
)
3714 dev
[0].wait_connected()
3715 dev
[0].request("DISCONNECT")
3716 dev
[0].wait_disconnected()
3717 dev
[0].dump_monitor()
3720 logger
.info("Provisioning disabled - using previously provisioned PAC")
3721 hapd
.set("eap_fast_prov", "0")
3724 dev
[0].select_network(id, freq
="2412")
3725 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3728 raise Exception("EAP result not reported")
3729 if "parameter='success'" not in ev
:
3730 raise Exception("Unexpected EAP result: " + ev
)
3731 dev
[0].wait_connected()
3732 dev
[0].request("DISCONNECT")
3733 dev
[0].wait_disconnected()
3734 dev
[0].dump_monitor()
3736 logger
.info("Drop PAC and verify connection failure")
3737 if "OK" not in dev
[0].request("SET blob fast_pac_prov "):
3738 raise Exception("Could not set blob")
3740 dev
[0].select_network(id, freq
="2412")
3741 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3744 raise Exception("EAP result not reported")
3745 if "parameter='failure'" not in ev
:
3746 raise Exception("Unexpected EAP result: " + ev
)
3747 dev
[0].wait_disconnected()
3748 dev
[0].request("DISCONNECT")
3749 dev
[0].dump_monitor()
3752 logger
.info("Anonymous provisioning")
3753 hapd
.set("eap_fast_prov", "1")
3755 dev
[0].set_network_quoted(id, "phase1", "fast_provisioning=1")
3756 dev
[0].select_network(id, freq
="2412")
3757 # Anonymous provisioning results in EAP-Failure first
3758 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3761 raise Exception("EAP result not reported")
3762 if "parameter='failure'" not in ev
:
3763 raise Exception("Unexpected EAP result: " + ev
)
3764 dev
[0].wait_disconnected()
3765 # And then the actual data connection
3766 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3769 raise Exception("EAP result not reported")
3770 if "parameter='success'" not in ev
:
3771 raise Exception("Unexpected EAP result: " + ev
)
3772 dev
[0].wait_connected()
3773 dev
[0].request("DISCONNECT")
3774 dev
[0].wait_disconnected()
3775 dev
[0].dump_monitor()
3778 logger
.info("Provisioning disabled - using previously provisioned PAC")
3779 hapd
.set("eap_fast_prov", "0")
3782 dev
[0].select_network(id, freq
="2412")
3783 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3786 raise Exception("EAP result not reported")
3787 if "parameter='success'" not in ev
:
3788 raise Exception("Unexpected EAP result: " + ev
)
3789 dev
[0].wait_connected()
3790 dev
[0].request("DISCONNECT")
3791 dev
[0].wait_disconnected()
3792 dev
[0].dump_monitor()
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Client credentials come from the PKCS#12 bundle; ocsp=2 makes the
    # station require a valid stapled OCSP response for the server certificate.
    client_cred = dict(ca_cert="auth_serv/ca.pem",
                       private_key="auth_serv/user.pkcs12",
                       private_key_passwd="whatever")
    eap_connect(dev[0], hapd, "TLS", "tls user", ocsp=2, **client_cred)
def test_ap_wpa2_eap_tls_ocsp_multi(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP-multi"""
    check_ocsp_multi_support(dev[0])
    check_pkcs12_support(dev[0])

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    # Same EAP-TLS credentials as the single-response OCSP test; ocsp=2 makes
    # the station require a valid stapled OCSP response.
    client_cred = dict(ca_cert="auth_serv/ca.pem",
                       private_key="auth_serv/user.pkcs12",
                       private_key_passwd="whatever")
    eap_connect(dev[0], hapd, "TLS", "tls user", ocsp=2, **client_cred)
# Base hostapd configuration for the integrated EAP server: WPA2/CCMP with
# IEEE 802.1X, users from auth_serv/eap_user.conf, and the test CA/server
# certificate, key and DH parameters from auth_serv/. Callers copy and extend
# the returned dict (e.g. ocsp_stapling_response, eap_fast_* settings).
# NOTE(review): the function's return statement is not shown in this rendering
# (gap in the line numbering after the dict literal).
3815 def int_eap_server_params():
3816 params
= { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
3817 "rsn_pairwise": "CCMP", "ieee8021x": "1",
3818 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
3819 "ca_cert": "auth_serv/ca.pem",
3820 "server_cert": "auth_serv/server.pem",
3821 "private_key": "auth_serv/server.key",
3822 "dh_file": "auth_serv/dh.conf" }
# EAP-TLS with a stapled OCSP response whose signer is identified by key ID;
# the response is read from params['logdir'] (the test is skipped when it is
# absent) and handed to hostapd via ocsp_stapling_response, with the station
# requiring it (ocsp=2).
# NOTE(review): the trailing connect() arguments are not shown in this
# rendering (gap in the line numbering).
3825 def test_ap_wpa2_eap_tls_ocsp_key_id(dev
, apdev
, params
):
3826 """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
3827 check_ocsp_support(dev
[0])
3828 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-key-id.der")
3829 if not os
.path
.exists(ocsp
):
3830 raise HwsimSkip("No OCSP response available")
3831 params
= int_eap_server_params()
3832 params
["ocsp_stapling_response"] = ocsp
3833 hostapd
.add_ap(apdev
[0], params
)
3834 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3835 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3836 private_key
="auth_serv/user.pkcs12",
3837 private_key_passwd
="whatever", ocsp
=2,
# EAP-TLS with a CA-signed stapled OCSP response reporting "good"; the
# response file comes from params['logdir'] (skipped when absent) and the
# station requires it (ocsp=2), so the connection is expected to succeed.
# NOTE(review): the trailing connect() arguments are not shown in this
# rendering (gap in the line numbering).
3840 def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev
, apdev
, params
):
3841 """EAP-TLS and CA signed OCSP response (good)"""
3842 check_ocsp_support(dev
[0])
3843 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed.der")
3844 if not os
.path
.exists(ocsp
):
3845 raise HwsimSkip("No OCSP response available")
3846 params
= int_eap_server_params()
3847 params
["ocsp_stapling_response"] = ocsp
3848 hostapd
.add_ap(apdev
[0], params
)
3849 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3850 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3851 private_key
="auth_serv/user.pkcs12",
3852 private_key_passwd
="whatever", ocsp
=2,
# Negative OCSP case: the stapled CA-signed response marks the server
# certificate as revoked. With ocsp=2 the station must report a
# "bad certificate status response" / "certificate revoked" EAP status and
# then CTRL-EVENT-EAP-FAILURE rather than connect.
# NOTE(review): the status-event loop and its bookkeeping are only partially
# shown in this rendering (gaps in the line numbering).
3855 def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev
, apdev
, params
):
3856 """EAP-TLS and CA signed OCSP response (revoked)"""
3857 check_ocsp_support(dev
[0])
3858 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-revoked.der")
3859 if not os
.path
.exists(ocsp
):
3860 raise HwsimSkip("No OCSP response available")
3861 params
= int_eap_server_params()
3862 params
["ocsp_stapling_response"] = ocsp
3863 hostapd
.add_ap(apdev
[0], params
)
3864 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3865 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3866 private_key
="auth_serv/user.pkcs12",
3867 private_key_passwd
="whatever", ocsp
=2,
3868 wait_connect
=False, scan_freq
="2412")
3871 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3873 raise Exception("Timeout on EAP status")
3874 if 'bad certificate status response' in ev
:
3876 if 'certificate revoked' in ev
:
3880 raise Exception("Unexpected number of EAP status messages")
3882 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3884 raise Exception("Timeout on EAP failure report")
# Negative OCSP case: the stapled CA-signed response reports the server
# certificate status as unknown. With ocsp=2 this must be treated like a bad
# status ("bad certificate status response") followed by
# CTRL-EVENT-EAP-FAILURE, not as a successful connection.
# NOTE(review): the status-event loop and its bookkeeping are only partially
# shown in this rendering (gaps in the line numbering).
3886 def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev
, apdev
, params
):
3887 """EAP-TLS and CA signed OCSP response (unknown)"""
3888 check_ocsp_support(dev
[0])
3889 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-unknown.der")
3890 if not os
.path
.exists(ocsp
):
3891 raise HwsimSkip("No OCSP response available")
3892 params
= int_eap_server_params()
3893 params
["ocsp_stapling_response"] = ocsp
3894 hostapd
.add_ap(apdev
[0], params
)
3895 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3896 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3897 private_key
="auth_serv/user.pkcs12",
3898 private_key_passwd
="whatever", ocsp
=2,
3899 wait_connect
=False, scan_freq
="2412")
3902 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3904 raise Exception("Timeout on EAP status")
3905 if 'bad certificate status response' in ev
:
3909 raise Exception("Unexpected number of EAP status messages")
3911 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3913 raise Exception("Timeout on EAP failure report")
# Negative OCSP case: the stapled response is signed by the server itself
# rather than by the CA or an authorized responder. With ocsp=2 the station
# must reject it ("bad certificate status response") and the authentication
# must end in CTRL-EVENT-EAP-FAILURE.
# NOTE(review): the status-event loop and its bookkeeping are only partially
# shown in this rendering (gaps in the line numbering).
3915 def test_ap_wpa2_eap_tls_ocsp_server_signed(dev
, apdev
, params
):
3916 """EAP-TLS and server signed OCSP response"""
3917 check_ocsp_support(dev
[0])
3918 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-server-signed.der")
3919 if not os
.path
.exists(ocsp
):
3920 raise HwsimSkip("No OCSP response available")
3921 params
= int_eap_server_params()
3922 params
["ocsp_stapling_response"] = ocsp
3923 hostapd
.add_ap(apdev
[0], params
)
3924 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3925 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3926 private_key
="auth_serv/user.pkcs12",
3927 private_key_passwd
="whatever", ocsp
=2,
3928 wait_connect
=False, scan_freq
="2412")
3931 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3933 raise Exception("Timeout on EAP status")
3934 if 'bad certificate status response' in ev
:
3938 raise Exception("Unexpected number of EAP status messages")
3940 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3942 raise Exception("Timeout on EAP failure report")
3944 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev
, apdev
):
3945 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
3946 check_ocsp_support(dev
[0])
3947 params
= int_eap_server_params()
3948 params
["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
3949 hostapd
.add_ap(apdev
[0], params
)
3950 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3951 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3952 private_key
="auth_serv/user.pkcs12",
3953 private_key_passwd
="whatever", ocsp
=2,
3954 wait_connect
=False, scan_freq
="2412")
3957 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3959 raise Exception("Timeout on EAP status")
3960 if 'bad certificate status response' in ev
:
3964 raise Exception("Unexpected number of EAP status messages")
3966 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3968 raise Exception("Timeout on EAP failure report")
3970 def test_ap_wpa2_eap_tls_ocsp_invalid(dev
, apdev
):
3971 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
3972 check_ocsp_support(dev
[0])
3973 params
= int_eap_server_params()
3974 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
3975 hostapd
.add_ap(apdev
[0], params
)
3976 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3977 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3978 private_key
="auth_serv/user.pkcs12",
3979 private_key_passwd
="whatever", ocsp
=2,
3980 wait_connect
=False, scan_freq
="2412")
3983 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3985 raise Exception("Timeout on EAP status")
3986 if 'bad certificate status response' in ev
:
3990 raise Exception("Unexpected number of EAP status messages")
3992 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3994 raise Exception("Timeout on EAP failure report")
3996 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev
, apdev
):
3997 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
3998 check_ocsp_support(dev
[0])
3999 params
= int_eap_server_params()
4000 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
4001 hostapd
.add_ap(apdev
[0], params
)
4002 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4003 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4004 private_key
="auth_serv/user.pkcs12",
4005 private_key_passwd
="whatever", ocsp
=2,
4006 wait_connect
=False, scan_freq
="2412")
4009 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4011 raise Exception("Timeout on EAP status")
4012 if 'bad certificate status response' in ev
:
4016 raise Exception("Unexpected number of EAP status messages")
4018 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4020 raise Exception("Timeout on EAP failure report")
4022 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev
, apdev
, params
):
4023 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
4024 check_ocsp_support(dev
[0])
4025 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-revoked.der")
4026 if not os
.path
.exists(ocsp
):
4027 raise HwsimSkip("No OCSP response available")
4028 params
= int_eap_server_params()
4029 params
["ocsp_stapling_response"] = ocsp
4030 hostapd
.add_ap(apdev
[0], params
)
4031 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4032 identity
="pap user", ca_cert
="auth_serv/ca.pem",
4033 anonymous_identity
="ttls", password
="password",
4034 phase2
="auth=PAP", ocsp
=2,
4035 wait_connect
=False, scan_freq
="2412")
4038 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4040 raise Exception("Timeout on EAP status")
4041 if 'bad certificate status response' in ev
:
4043 if 'certificate revoked' in ev
:
4047 raise Exception("Unexpected number of EAP status messages")
4049 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4051 raise Exception("Timeout on EAP failure report")
4053 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev
, apdev
, params
):
4054 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
4055 check_ocsp_support(dev
[0])
4056 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-unknown.der")
4057 if not os
.path
.exists(ocsp
):
4058 raise HwsimSkip("No OCSP response available")
4059 params
= int_eap_server_params()
4060 params
["ocsp_stapling_response"] = ocsp
4061 hostapd
.add_ap(apdev
[0], params
)
4062 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4063 identity
="pap user", ca_cert
="auth_serv/ca.pem",
4064 anonymous_identity
="ttls", password
="password",
4065 phase2
="auth=PAP", ocsp
=2,
4066 wait_connect
=False, scan_freq
="2412")
4069 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4071 raise Exception("Timeout on EAP status")
4072 if 'bad certificate status response' in ev
:
4076 raise Exception("Unexpected number of EAP status messages")
4078 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4080 raise Exception("Timeout on EAP failure report")
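def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with unknown status"""
    # Same build-capability gate the sibling OCSP tests use; without it a
    # build lacking OCSP support would pass this test without exercising
    # stapling at all.
    check_ocsp_support(dev[0])
    # Pre-generated response with "unknown" status; skip when the test setup
    # did not produce it.
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], params)
    # ocsp=1 (optional stapling, per the test name) rather than the ocsp=2
    # used by the failing variants, and connect() keeps its default
    # wait_connect, so the association is expected to complete even though the
    # stapled status is "unknown".
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")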
4095 def test_ap_wpa2_eap_tls_intermediate_ca(dev
, apdev
, params
):
4096 """EAP-TLS with intermediate server/user CA"""
4097 params
= int_eap_server_params()
4098 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4099 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4100 params
["private_key"] = "auth_serv/iCA-server/server.key"
4101 hostapd
.add_ap(apdev
[0], params
)
4102 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4103 identity
="tls user",
4104 ca_cert
="auth_serv/iCA-user/ca-and-root.pem",
4105 client_cert
="auth_serv/iCA-user/user.pem",
4106 private_key
="auth_serv/iCA-user/user.key",
4109 def root_ocsp(cert
):
4110 ca
= "auth_serv/ca.pem"
4112 fd2
, fn2
= tempfile
.mkstemp()
4115 arg
= [ "openssl", "ocsp", "-reqout", fn2
, "-issuer", ca
, "-sha256",
4116 "-cert", cert
, "-no_nonce", "-text" ]
4117 logger
.info(' '.join(arg
))
4118 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4119 stderr
=subprocess
.PIPE
)
4120 res
= cmd
.stdout
.read() + "\n" + cmd
.stderr
.read()
4124 if cmd
.returncode
!= 0:
4125 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4126 logger
.info("OCSP request:\n" + res
)
4128 fd
, fn
= tempfile
.mkstemp()
4130 arg
= [ "openssl", "ocsp", "-index", "auth_serv/rootCA/index.txt",
4131 "-rsigner", ca
, "-rkey", "auth_serv/ca-key.pem",
4132 "-CA", ca
, "-issuer", ca
, "-verify_other", ca
, "-trust_other",
4133 "-ndays", "7", "-reqin", fn2
, "-resp_no_certs", "-respout", fn
,
4135 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4136 stderr
=subprocess
.PIPE
)
4137 res
= cmd
.stdout
.read() + "\n" + cmd
.stderr
.read()
4141 if cmd
.returncode
!= 0:
4142 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4143 logger
.info("OCSP response:\n" + res
)
4147 def ica_ocsp(cert
, md
="-sha256"):
4148 prefix
= "auth_serv/iCA-server/"
4149 ca
= prefix
+ "cacert.pem"
4150 cert
= prefix
+ cert
4152 fd2
, fn2
= tempfile
.mkstemp()
4155 arg
= [ "openssl", "ocsp", "-reqout", fn2
, "-issuer", ca
, md
,
4156 "-cert", cert
, "-no_nonce", "-text" ]
4157 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4158 stderr
=subprocess
.PIPE
)
4159 res
= cmd
.stdout
.read() + "\n" + cmd
.stderr
.read()
4163 if cmd
.returncode
!= 0:
4164 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4165 logger
.info("OCSP request:\n" + res
)
4167 fd
, fn
= tempfile
.mkstemp()
4169 arg
= [ "openssl", "ocsp", "-index", prefix
+ "index.txt",
4170 "-rsigner", ca
, "-rkey", prefix
+ "private/cakey.pem",
4171 "-CA", ca
, "-issuer", ca
, "-verify_other", ca
, "-trust_other",
4172 "-ndays", "7", "-reqin", fn2
, "-resp_no_certs", "-respout", fn
,
4174 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4175 stderr
=subprocess
.PIPE
)
4176 res
= cmd
.stdout
.read() + "\n" + cmd
.stderr
.read()
4180 if cmd
.returncode
!= 0:
4181 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4182 logger
.info("OCSP response:\n" + res
)
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on server certificate"""
    # SHA-256 digest for the OCSP request; the shared body lives in
    # run_ap_wpa2_eap_tls_intermediate_ca_ocsp().
    md = "-sha256"
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, md)
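def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_sha1(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on server certificate (SHA1)"""
    # Legacy SHA-1 digest for the OCSP request; the shared body lives in
    # run_ap_wpa2_eap_tls_intermediate_ca_ocsp().
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, "-sha1")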
4194 def run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev
, apdev
, params
, md
):
4195 params
= int_eap_server_params()
4196 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4197 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4198 params
["private_key"] = "auth_serv/iCA-server/server.key"
4199 fn
= ica_ocsp("server.pem", md
)
4200 params
["ocsp_stapling_response"] = fn
4202 hostapd
.add_ap(apdev
[0], params
)
4203 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4204 identity
="tls user",
4205 ca_cert
="auth_serv/iCA-user/ca-and-root.pem",
4206 client_cert
="auth_serv/iCA-user/user.pem",
4207 private_key
="auth_serv/iCA-user/user.key",
4208 scan_freq
="2412", ocsp
=2)
4212 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
):
4213 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate"""
4214 run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
,
4217 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked_sha1(dev
, apdev
, params
):
4218 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate (SHA1)"""
4219 run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
,
4222 def run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
, md
):
4223 params
= int_eap_server_params()
4224 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4225 params
["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
4226 params
["private_key"] = "auth_serv/iCA-server/server-revoked.key"
4227 fn
= ica_ocsp("server-revoked.pem", md
)
4228 params
["ocsp_stapling_response"] = fn
4230 hostapd
.add_ap(apdev
[0], params
)
4231 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4232 identity
="tls user",
4233 ca_cert
="auth_serv/iCA-user/ca-and-root.pem",
4234 client_cert
="auth_serv/iCA-user/user.pem",
4235 private_key
="auth_serv/iCA-user/user.key",
4236 scan_freq
="2412", ocsp
=1, wait_connect
=False)
4239 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4240 "CTRL-EVENT-EAP-SUCCESS"])
4242 raise Exception("Timeout on EAP status")
4243 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4244 raise Exception("Unexpected EAP-Success")
4245 if 'bad certificate status response' in ev
:
4247 if 'certificate revoked' in ev
:
4251 raise Exception("Unexpected number of EAP status messages")
4253 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4255 raise Exception("Timeout on EAP failure report")
4256 dev
[0].request("REMOVE_NETWORK all")
4257 dev
[0].wait_disconnected()
4261 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev
, apdev
, params
):
4262 """EAP-TLS with intermediate server/user CA and OCSP multi missing response"""
4263 check_ocsp_support(dev
[0])
4264 check_ocsp_multi_support(dev
[0])
4266 params
= int_eap_server_params()
4267 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4268 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4269 params
["private_key"] = "auth_serv/iCA-server/server.key"
4270 fn
= ica_ocsp("server.pem")
4271 params
["ocsp_stapling_response"] = fn
4273 hostapd
.add_ap(apdev
[0], params
)
4274 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4275 identity
="tls user",
4276 ca_cert
="auth_serv/iCA-user/ca-and-root.pem",
4277 client_cert
="auth_serv/iCA-user/user.pem",
4278 private_key
="auth_serv/iCA-user/user.key",
4279 scan_freq
="2412", ocsp
=3, wait_connect
=False)
4282 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4283 "CTRL-EVENT-EAP-SUCCESS"])
4285 raise Exception("Timeout on EAP status")
4286 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4287 raise Exception("Unexpected EAP-Success")
4288 if 'bad certificate status response' in ev
:
4290 if 'certificate revoked' in ev
:
4294 raise Exception("Unexpected number of EAP status messages")
4296 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4298 raise Exception("Timeout on EAP failure report")
4299 dev
[0].request("REMOVE_NETWORK all")
4300 dev
[0].wait_disconnected()
4304 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev
, apdev
, params
):
4305 """EAP-TLS with intermediate server/user CA and OCSP multi OK"""
4306 check_ocsp_support(dev
[0])
4307 check_ocsp_multi_support(dev
[0])
4309 params
= int_eap_server_params()
4310 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4311 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4312 params
["private_key"] = "auth_serv/iCA-server/server.key"
4313 fn
= ica_ocsp("server.pem")
4314 fn2
= root_ocsp("auth_serv/iCA-server/cacert.pem")
4315 params
["ocsp_stapling_response"] = fn
4317 with
open(fn
, "r") as f
:
4318 resp_server
= f
.read()
4319 with
open(fn2
, "r") as f
:
4322 fd3
, fn3
= tempfile
.mkstemp()
4324 f
= os
.fdopen(fd3
, 'w')
4325 f
.write(struct
.pack(">L", len(resp_server
))[1:4])
4326 f
.write(resp_server
)
4327 f
.write(struct
.pack(">L", len(resp_ica
))[1:4])
4331 params
["ocsp_stapling_response_multi"] = fn3
4333 hostapd
.add_ap(apdev
[0], params
)
4334 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4335 identity
="tls user",
4336 ca_cert
="auth_serv/iCA-user/ca-and-root.pem",
4337 client_cert
="auth_serv/iCA-user/user.pem",
4338 private_key
="auth_serv/iCA-user/user.key",
4339 scan_freq
="2412", ocsp
=3)
4340 dev
[0].request("REMOVE_NETWORK all")
4341 dev
[0].wait_disconnected()
4347 def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev
, apdev
, params
):
4348 """EAP-TLS and CA signed OCSP multi response (revoked)"""
4349 check_ocsp_support(dev
[0])
4350 check_ocsp_multi_support(dev
[0])
4352 ocsp_revoked
= os
.path
.join(params
['logdir'],
4353 "ocsp-resp-ca-signed-revoked.der")
4354 if not os
.path
.exists(ocsp_revoked
):
4355 raise HwsimSkip("No OCSP response (revoked) available")
4356 ocsp_unknown
= os
.path
.join(params
['logdir'],
4357 "ocsp-resp-ca-signed-unknown.der")
4358 if not os
.path
.exists(ocsp_unknown
):
4359 raise HwsimSkip("No OCSP response(unknown) available")
4361 with
open(ocsp_revoked
, "r") as f
:
4362 resp_revoked
= f
.read()
4363 with
open(ocsp_unknown
, "r") as f
:
4364 resp_unknown
= f
.read()
4366 fd
, fn
= tempfile
.mkstemp()
4368 # This is not really a valid order of the OCSPResponse items in the
4369 # list, but this works for now to verify parsing and processing of
4370 # multiple responses.
4371 f
= os
.fdopen(fd
, 'w')
4372 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
4373 f
.write(resp_unknown
)
4374 f
.write(struct
.pack(">L", len(resp_revoked
))[1:4])
4375 f
.write(resp_revoked
)
4376 f
.write(struct
.pack(">L", 0)[1:4])
4377 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
4378 f
.write(resp_unknown
)
4381 params
= int_eap_server_params()
4382 params
["ocsp_stapling_response_multi"] = fn
4383 hostapd
.add_ap(apdev
[0], params
)
4384 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4385 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4386 private_key
="auth_serv/user.pkcs12",
4387 private_key_passwd
="whatever", ocsp
=1,
4388 wait_connect
=False, scan_freq
="2412")
4391 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4392 "CTRL-EVENT-EAP-SUCCESS"])
4394 raise Exception("Timeout on EAP status")
4395 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4396 raise Exception("Unexpected EAP-Success")
4397 if 'bad certificate status response' in ev
:
4399 if 'certificate revoked' in ev
:
4403 raise Exception("Unexpected number of EAP status messages")
4407 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev
, apdev
):
4408 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
4409 check_domain_match_full(dev
[0])
4410 params
= int_eap_server_params()
4411 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4412 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4413 hostapd
.add_ap(apdev
[0], params
)
4414 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4415 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4416 private_key
="auth_serv/user.pkcs12",
4417 private_key_passwd
="whatever",
4418 domain_suffix_match
="server3.w1.fi",
4421 def test_ap_wpa2_eap_tls_domain_match_cn(dev
, apdev
):
4422 """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
4423 check_domain_match(dev
[0])
4424 params
= int_eap_server_params()
4425 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4426 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4427 hostapd
.add_ap(apdev
[0], params
)
4428 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4429 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4430 private_key
="auth_serv/user.pkcs12",
4431 private_key_passwd
="whatever",
4432 domain_match
="server3.w1.fi",
4435 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev
, apdev
):
4436 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
4437 check_domain_match_full(dev
[0])
4438 params
= int_eap_server_params()
4439 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4440 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4441 hostapd
.add_ap(apdev
[0], params
)
4442 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4443 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4444 private_key
="auth_serv/user.pkcs12",
4445 private_key_passwd
="whatever",
4446 domain_suffix_match
="w1.fi",
4449 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev
, apdev
):
4450 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
4451 check_domain_suffix_match(dev
[0])
4452 params
= int_eap_server_params()
4453 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4454 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4455 hostapd
.add_ap(apdev
[0], params
)
4456 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4457 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4458 private_key
="auth_serv/user.pkcs12",
4459 private_key_passwd
="whatever",
4460 domain_suffix_match
="example.com",
4463 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4464 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4465 private_key
="auth_serv/user.pkcs12",
4466 private_key_passwd
="whatever",
4467 domain_suffix_match
="erver3.w1.fi",
4470 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4472 raise Exception("Timeout on EAP failure report")
4473 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4475 raise Exception("Timeout on EAP failure report (2)")
4477 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev
, apdev
):
4478 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
4479 check_domain_match(dev
[0])
4480 params
= int_eap_server_params()
4481 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4482 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4483 hostapd
.add_ap(apdev
[0], params
)
4484 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4485 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4486 private_key
="auth_serv/user.pkcs12",
4487 private_key_passwd
="whatever",
4488 domain_match
="example.com",
4491 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4492 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4493 private_key
="auth_serv/user.pkcs12",
4494 private_key_passwd
="whatever",
4495 domain_match
="w1.fi",
4498 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4500 raise Exception("Timeout on EAP failure report")
4501 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4503 raise Exception("Timeout on EAP failure report (2)")
4505 def test_ap_wpa2_eap_ttls_expired_cert(dev
, apdev
):
4506 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
4507 skip_with_fips(dev
[0])
4508 params
= int_eap_server_params()
4509 params
["server_cert"] = "auth_serv/server-expired.pem"
4510 params
["private_key"] = "auth_serv/server-expired.key"
4511 hostapd
.add_ap(apdev
[0], params
)
4512 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4513 identity
="mschap user", password
="password",
4514 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4517 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
4519 raise Exception("Timeout on EAP certificate error report")
4520 if "reason=4" not in ev
or "certificate has expired" not in ev
:
4521 raise Exception("Unexpected failure reason: " + ev
)
4522 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4524 raise Exception("Timeout on EAP failure report")
4526 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev
, apdev
):
4527 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
4528 skip_with_fips(dev
[0])
4529 params
= int_eap_server_params()
4530 params
["server_cert"] = "auth_serv/server-expired.pem"
4531 params
["private_key"] = "auth_serv/server-expired.key"
4532 hostapd
.add_ap(apdev
[0], params
)
4533 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4534 identity
="mschap user", password
="password",
4535 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4536 phase1
="tls_disable_time_checks=1",
4539 def test_ap_wpa2_eap_ttls_long_duration(dev
, apdev
):
4540 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
4541 skip_with_fips(dev
[0])
4542 params
= int_eap_server_params()
4543 params
["server_cert"] = "auth_serv/server-long-duration.pem"
4544 params
["private_key"] = "auth_serv/server-long-duration.key"
4545 hostapd
.add_ap(apdev
[0], params
)
4546 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4547 identity
="mschap user", password
="password",
4548 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4551 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev
, apdev
):
4552 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
4553 skip_with_fips(dev
[0])
4554 params
= int_eap_server_params()
4555 params
["server_cert"] = "auth_serv/server-eku-client.pem"
4556 params
["private_key"] = "auth_serv/server-eku-client.key"
4557 hostapd
.add_ap(apdev
[0], params
)
4558 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4559 identity
="mschap user", password
="password",
4560 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4563 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4565 raise Exception("Timeout on EAP failure report")
4567 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev
, apdev
):
4568 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
4569 skip_with_fips(dev
[0])
4570 params
= int_eap_server_params()
4571 params
["server_cert"] = "auth_serv/server-eku-client-server.pem"
4572 params
["private_key"] = "auth_serv/server-eku-client-server.key"
4573 hostapd
.add_ap(apdev
[0], params
)
4574 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4575 identity
="mschap user", password
="password",
4576 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4579 def test_ap_wpa2_eap_ttls_server_pkcs12(dev
, apdev
):
4580 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
4581 skip_with_fips(dev
[0])
4582 params
= int_eap_server_params()
4583 del params
["server_cert"]
4584 params
["private_key"] = "auth_serv/server.pkcs12"
4585 hostapd
.add_ap(apdev
[0], params
)
4586 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4587 identity
="mschap user", password
="password",
4588 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4591 def test_ap_wpa2_eap_ttls_server_pkcs12_extra(dev
, apdev
):
4592 """EAP-TTLS and server PKCS#12 file with extra certs"""
4593 skip_with_fips(dev
[0])
4594 params
= int_eap_server_params()
4595 del params
["server_cert"]
4596 params
["private_key"] = "auth_serv/server-extra.pkcs12"
4597 params
["private_key_passwd"] = "whatever"
4598 hostapd
.add_ap(apdev
[0], params
)
4599 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4600 identity
="mschap user", password
="password",
4601 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
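def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Client-side DH parameters are taken from a file via dh_file; the inner
    # method is PAP (phase2 below), not CHAP.
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="auth_serv/dh.conf")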
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
    # Capability gate; check_dh_dsa_support() is defined elsewhere in this file.
    check_dh_dsa_support(dev[0])
    ssid = "test-wpa2-eap"
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid=ssid))
    # Client-side DH parameters come from a DSA parameter file.
    creds = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                 dh_file="auth_serv/dsaparam.pem")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **creds)
4623 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev
, apdev
):
4624 """EAP-TTLS and DH params file not found"""
4625 skip_with_fips(dev
[0])
4626 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4627 hostapd
.add_ap(apdev
[0], params
)
4628 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4629 identity
="mschap user", password
="password",
4630 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4631 dh_file
="auth_serv/dh-no-such-file.conf",
4632 scan_freq
="2412", wait_connect
=False)
4633 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4635 raise Exception("EAP failure timed out")
4636 dev
[0].request("REMOVE_NETWORK all")
4637 dev
[0].wait_disconnected()
4639 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev
, apdev
):
4640 """EAP-TTLS and invalid DH params file"""
4641 skip_with_fips(dev
[0])
4642 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4643 hostapd
.add_ap(apdev
[0], params
)
4644 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4645 identity
="mschap user", password
="password",
4646 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4647 dh_file
="auth_serv/ca.pem",
4648 scan_freq
="2412", wait_connect
=False)
4649 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4651 raise Exception("EAP failure timed out")
4652 dev
[0].request("REMOVE_NETWORK all")
4653 dev
[0].wait_disconnected()
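def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params from blob"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # The DH parameters are pushed into wpa_supplicant as a named blob over
    # the control interface and then referenced as blob://dhparams.
    # NOTE(review): str.encode("hex") is the Python 2 hex codec; under
    # Python 3 this needs binascii.hexlify() on bytes instead.
    dh = read_pem("auth_serv/dh2.conf")
    if "OK" not in dev[0].request("SET blob dhparams " + dh.encode("hex")):
        raise Exception("Could not set dhparams blob")
    # Inner method is PAP (phase2 below), not CHAP.
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="blob://dhparams")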
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
    # Override the internal EAP server's DH parameter file; the client side
    # keeps its defaults.
    params = int_eap_server_params()
    params["dh_file"] = "auth_serv/dh2.conf"
    hapd = hostapd.add_ap(apdev[0], params)
    creds = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **creds)
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
    # Server-side DSA parameter file; the client side keeps its defaults.
    params = int_eap_server_params()
    params["dh_file"] = "auth_serv/dsaparam.pem"
    hapd = hostapd.add_ap(apdev[0], params)
    creds = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **creds)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found"""
    # NOTE(review): this redefines test_ap_wpa2_eap_ttls_dh_params_not_found,
    # which is also declared earlier in this file for the client-side dh_file
    # case; the later def rebinds the name, so only this server-side variant
    # is actually collected.
    params = int_eap_server_params()
    params["dh_file"] = "auth_serv/dh-no-such-file.conf"
    # Add the AP without enabling it; the explicit ENABLE below must be
    # rejected because the configured DH parameter file does not exist.
    hapd = hostapd.add_ap(apdev[0], params, no_enable=True)
    res = hapd.request("ENABLE")
    if "FAIL" not in res:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file"""
    # NOTE(review): this redefines test_ap_wpa2_eap_ttls_dh_params_invalid,
    # which is also declared earlier in this file for the client-side dh_file
    # case; the later def rebinds the name, so only this server-side variant
    # is actually collected.
    params = int_eap_server_params()
    # A CA certificate is not a DH parameter file; the server must refuse it.
    params["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0], params, no_enable=True)
    res = hapd.request("ENABLE")
    if "FAIL" not in res:
        raise Exception("Invalid configuration accepted")
4701 def test_ap_wpa2_eap_reauth(dev
, apdev
):
4702 """WPA2-Enterprise and Authenticator forcing reauthentication"""
4703 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4704 params
['eap_reauth_period'] = '2'
4705 hapd
= hostapd
.add_ap(apdev
[0], params
)
4706 eap_connect(dev
[0], hapd
, "PAX", "pax.user@example.com",
4707 password_hex
="0123456789abcdef0123456789abcdef")
4708 logger
.info("Wait for reauthentication")
4709 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
4711 raise Exception("Timeout on reauthentication")
4712 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
4714 raise Exception("Timeout on reauthentication")
4715 for i
in range(0, 20):
4716 state
= dev
[0].get_status_field("wpa_state")
4717 if state
== "COMPLETED":
4720 if state
!= "COMPLETED":
4721 raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    # The config value carries a displayable text followed by a literal "\0"
    # and an attribute list; presumably hostapd splits on that separator --
    # see the eap_message description in hostapd.conf.
    message = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['eap_message'] = message
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
    check_hlr_auc_gw_support()
    params = int_eap_server_params()
    params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    params['eap_sim_aka_result_ind'] = "1"
    hapd = hostapd.add_ap(apdev[0], params)

    # (method, identity, password) for each method under test; the same test
    # credentials serve both the result_ind=1 run and the plain run.
    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, identity, password) in enumerate(cases):
        if idx:
            # Clear the previous method's networks on both stations before
            # moving on; nothing is cleared after the last method.
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        # dev[0] asks for the protected result indication and then forces a
        # reauthentication; dev[1] runs the same method without result_ind.
        eap_connect(dev[0], hapd, method, identity, password=password,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], hapd, method, identity, password=password)
4766 def test_ap_wpa2_eap_sim_zero_db_timeout(dev
, apdev
):
4767 """WPA2-Enterprise using EAP-SIM with zero database timeout"""
4768 check_hlr_auc_gw_support()
4769 params
= int_eap_server_params()
4770 params
['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
4771 params
['eap_sim_db_timeout'] = "0"
4772 params
['disable_pmksa_caching'] = '1'
4773 hapd
= hostapd
.add_ap(apdev
[0], params
)
4775 # Run multiple iterations to make it more likely to hit the case where the
4776 # DB request times out and response is lost.
4778 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
4779 identity
="1232010000000000",
4780 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4781 wait_connect
=False, scan_freq
="2412")
4782 ev
= dev
[0].wait_event([ "CTRL-EVENT-CONNECTED",
4783 "CTRL-EVENT-DISCONNECTED" ],
4786 raise Exception("No connection result")
4787 dev
[0].request("REMOVE_NETWORK all")
4788 if "CTRL-EVENT-DISCONNECTED" in ev
:
4790 dev
[0].wait_disconnected()
4793 def test_ap_wpa2_eap_too_many_roundtrips(dev
, apdev
):
4794 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
4795 skip_with_fips(dev
[0])
4796 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4797 hostapd
.add_ap(apdev
[0], params
)
4798 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
4799 eap
="TTLS", identity
="mschap user",
4800 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
4801 anonymous_identity
="ttls", password
="password",
4802 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4804 ev
= dev
[0].wait_event(["EAP: more than",
4805 "CTRL-EVENT-EAP-SUCCESS"], timeout
=20)
4806 if ev
is None or "EAP: more than" not in ev
:
4807 raise Exception("EAP roundtrip limit not reached")
4809 def test_ap_wpa2_eap_expanded_nak(dev
, apdev
):
4810 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
4811 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4812 hostapd
.add_ap(apdev
[0], params
)
4813 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
4814 eap
="PSK", identity
="vendor-test",
4815 password_hex
="ff23456789abcdef0123456789abcdef",
4819 for i
in range(0, 5):
4820 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout
=16)
4822 raise Exception("Association and EAP start timed out")
4823 if "refuse proposed method" in ev
:
4827 raise Exception("Unexpected EAP status: " + ev
)
4829 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4831 raise Exception("EAP failure timed out")
4833 def test_ap_wpa2_eap_sql(dev
, apdev
, params
):
4834 """WPA2-Enterprise connection using SQLite for user DB"""
4835 skip_with_fips(dev
[0])
4839 raise HwsimSkip("No sqlite3 module available")
4840 dbfile
= os
.path
.join(params
['logdir'], "eap-user.db")
4845 con
= sqlite3
.connect(dbfile
)
4848 cur
.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
4849 cur
.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
4850 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
4851 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
4852 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
4853 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
4854 cur
.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
4855 cur
.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
4858 params
= int_eap_server_params()
4859 params
["eap_user_file"] = "sqlite:" + dbfile
4860 hapd
= hostapd
.add_ap(apdev
[0], params
)
4861 eap_connect(dev
[0], hapd
, "TTLS", "user-mschapv2",
4862 anonymous_identity
="ttls", password
="password",
4863 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
4864 dev
[0].request("REMOVE_NETWORK all")
4865 eap_connect(dev
[1], hapd
, "TTLS", "user-mschap",
4866 anonymous_identity
="ttls", password
="password",
4867 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP")
4868 dev
[1].request("REMOVE_NETWORK all")
4869 eap_connect(dev
[0], hapd
, "TTLS", "user-chap",
4870 anonymous_identity
="ttls", password
="password",
4871 ca_cert
="auth_serv/ca.pem", phase2
="auth=CHAP")
4872 eap_connect(dev
[1], hapd
, "TTLS", "user-pap",
4873 anonymous_identity
="ttls", password
="password",
4874 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
4878 def test_ap_wpa2_eap_non_ascii_identity(dev
, apdev
):
4879 """WPA2-Enterprise connection attempt using non-ASCII identity"""
4880 params
= int_eap_server_params()
4881 hostapd
.add_ap(apdev
[0], params
)
4882 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4883 identity
="\x80", password
="password", wait_connect
=False)
4884 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4885 identity
="a\x80", password
="password", wait_connect
=False)
4886 for i
in range(0, 2):
4887 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
4889 raise Exception("Association and EAP start timed out")
4890 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
4892 raise Exception("EAP method selection timed out")
4894 def test_ap_wpa2_eap_non_ascii_identity2(dev
, apdev
):
4895 """WPA2-Enterprise connection attempt using non-ASCII identity"""
4896 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4897 hostapd
.add_ap(apdev
[0], params
)
4898 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4899 identity
="\x80", password
="password", wait_connect
=False)
4900 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4901 identity
="a\x80", password
="password", wait_connect
=False)
4902 for i
in range(0, 2):
4903 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
4905 raise Exception("Association and EAP start timed out")
4906 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
4908 raise Exception("EAP method selection timed out")
4910 def test_openssl_cipher_suite_config_wpas(dev
, apdev
):
4911 """OpenSSL cipher suite configuration on wpa_supplicant"""
4912 tls
= dev
[0].request("GET tls_library")
4913 if not tls
.startswith("OpenSSL"):
4914 raise HwsimSkip("TLS library is not OpenSSL: " + tls
)
4915 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4916 hapd
= hostapd
.add_ap(apdev
[0], params
)
4917 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
4918 anonymous_identity
="ttls", password
="password",
4919 openssl_ciphers
="AES128",
4920 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
4921 eap_connect(dev
[1], hapd
, "TTLS", "pap user",
4922 anonymous_identity
="ttls", password
="password",
4923 openssl_ciphers
="EXPORT",
4924 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
4925 expect_failure
=True, maybe_local_error
=True)
4926 dev
[2].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4927 identity
="pap user", anonymous_identity
="ttls",
4928 password
="password",
4929 openssl_ciphers
="FOO",
4930 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
4932 ev
= dev
[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
4934 raise Exception("EAP failure after invalid openssl_ciphers not reported")
4935 dev
[2].request("DISCONNECT")
4937 def test_openssl_cipher_suite_config_hapd(dev
, apdev
):
4938 """OpenSSL cipher suite configuration on hostapd"""
4939 tls
= dev
[0].request("GET tls_library")
4940 if not tls
.startswith("OpenSSL"):
4941 raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls
)
4942 params
= int_eap_server_params()
4943 params
['openssl_ciphers'] = "AES256"
4944 hapd
= hostapd
.add_ap(apdev
[0], params
)
4945 tls
= hapd
.request("GET tls_library")
4946 if not tls
.startswith("OpenSSL"):
4947 raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls
)
4948 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
4949 anonymous_identity
="ttls", password
="password",
4950 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
4951 eap_connect(dev
[1], hapd
, "TTLS", "pap user",
4952 anonymous_identity
="ttls", password
="password",
4953 openssl_ciphers
="AES128",
4954 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
4955 expect_failure
=True)
4956 eap_connect(dev
[2], hapd
, "TTLS", "pap user",
4957 anonymous_identity
="ttls", password
="password",
4958 openssl_ciphers
="HIGH:!ADH",
4959 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
4961 params
['openssl_ciphers'] = "FOO"
4962 hapd2
= hostapd
.add_ap(apdev
[1], params
, no_enable
=True)
4963 if "FAIL" not in hapd2
.request("ENABLE"):
4964 raise Exception("Invalid openssl_ciphers value accepted")
4966 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev
, apdev
, params
):
4967 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
4968 p
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4969 hapd
= hostapd
.add_ap(apdev
[0], p
)
4970 password
= "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
4971 pid
= find_wpas_process(dev
[0])
4972 id = eap_connect(dev
[0], hapd
, "TTLS", "pap-secret",
4973 anonymous_identity
="ttls", password
=password
,
4974 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
4975 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
4976 # event has been delivered, so verify that wpa_supplicant has returned to
4977 # eloop before reading process memory.
4980 buf
= read_process_memory(pid
, password
)
4982 dev
[0].request("DISCONNECT")
4983 dev
[0].wait_disconnected()
4991 with
open(os
.path
.join(params
['logdir'], 'log0'), 'r') as f
:
4992 for l
in f
.readlines():
4993 if "EAP-TTLS: Derived key - hexdump" in l
:
4994 val
= l
.strip().split(':')[3].replace(' ', '')
4995 msk
= binascii
.unhexlify(val
)
4996 if "EAP-TTLS: Derived EMSK - hexdump" in l
:
4997 val
= l
.strip().split(':')[3].replace(' ', '')
4998 emsk
= binascii
.unhexlify(val
)
4999 if "WPA: PMK - hexdump" in l
:
5000 val
= l
.strip().split(':')[3].replace(' ', '')
5001 pmk
= binascii
.unhexlify(val
)
5002 if "WPA: PTK - hexdump" in l
:
5003 val
= l
.strip().split(':')[3].replace(' ', '')
5004 ptk
= binascii
.unhexlify(val
)
5005 if "WPA: Group Key - hexdump" in l
:
5006 val
= l
.strip().split(':')[3].replace(' ', '')
5007 gtk
= binascii
.unhexlify(val
)
5008 if not msk
or not emsk
or not pmk
or not ptk
or not gtk
:
5009 raise Exception("Could not find keys from debug log")
5011 raise Exception("Unexpected GTK length")
5017 fname
= os
.path
.join(params
['logdir'],
5018 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
5020 logger
.info("Checking keys in memory while associated")
5021 get_key_locations(buf
, password
, "Password")
5022 get_key_locations(buf
, pmk
, "PMK")
5023 get_key_locations(buf
, msk
, "MSK")
5024 get_key_locations(buf
, emsk
, "EMSK")
5025 if password
not in buf
:
5026 raise HwsimSkip("Password not found while associated")
5028 raise HwsimSkip("PMK not found while associated")
5030 raise Exception("KCK not found while associated")
5032 raise Exception("KEK not found while associated")
5034 # raise Exception("TK found from memory")
5036 logger
.info("Checking keys in memory after disassociation")
5037 buf
= read_process_memory(pid
, password
)
5039 # Note: Password is still present in network configuration
5040 # Note: PMK is in PMKSA cache and EAP fast re-auth data
5042 get_key_locations(buf
, password
, "Password")
5043 get_key_locations(buf
, pmk
, "PMK")
5044 get_key_locations(buf
, msk
, "MSK")
5045 get_key_locations(buf
, emsk
, "EMSK")
5046 verify_not_present(buf
, kck
, fname
, "KCK")
5047 verify_not_present(buf
, kek
, fname
, "KEK")
5048 verify_not_present(buf
, tk
, fname
, "TK")
5050 get_key_locations(buf
, gtk
, "GTK")
5051 verify_not_present(buf
, gtk
, fname
, "GTK")
5053 dev
[0].request("PMKSA_FLUSH")
5054 dev
[0].set_network_quoted(id, "identity", "foo")
5055 logger
.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
5056 buf
= read_process_memory(pid
, password
)
5057 get_key_locations(buf
, password
, "Password")
5058 get_key_locations(buf
, pmk
, "PMK")
5059 get_key_locations(buf
, msk
, "MSK")
5060 get_key_locations(buf
, emsk
, "EMSK")
5061 verify_not_present(buf
, pmk
, fname
, "PMK")
5063 dev
[0].request("REMOVE_NETWORK all")
5065 logger
.info("Checking keys in memory after network profile removal")
5066 buf
= read_process_memory(pid
, password
)
5068 get_key_locations(buf
, password
, "Password")
5069 get_key_locations(buf
, pmk
, "PMK")
5070 get_key_locations(buf
, msk
, "MSK")
5071 get_key_locations(buf
, emsk
, "EMSK")
5072 verify_not_present(buf
, password
, fname
, "password")
5073 verify_not_present(buf
, pmk
, fname
, "PMK")
5074 verify_not_present(buf
, kck
, fname
, "KCK")
5075 verify_not_present(buf
, kek
, fname
, "KEK")
5076 verify_not_present(buf
, tk
, fname
, "TK")
5077 verify_not_present(buf
, gtk
, fname
, "GTK")
5078 verify_not_present(buf
, msk
, fname
, "MSK")
5079 verify_not_present(buf
, emsk
, fname
, "EMSK")
5081 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev
, apdev
):
5082 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
5083 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5084 hapd
= hostapd
.add_ap(apdev
[0], params
)
5085 bssid
= apdev
[0]['bssid']
5086 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5087 anonymous_identity
="ttls", password
="password",
5088 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5090 # Send unexpected WEP EAPOL-Key; this gets dropped
5091 res
= dev
[0].request("EAPOL_RX " + bssid
+ " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
5093 raise Exception("EAPOL_RX to wpa_supplicant failed")
5095 def test_ap_wpa2_eap_in_bridge(dev
, apdev
):
5096 """WPA2-EAP and wpas interface in a bridge"""
5100 _test_ap_wpa2_eap_in_bridge(dev
, apdev
)
5102 subprocess
.call(['ip', 'link', 'set', 'dev', br_ifname
, 'down'])
5103 subprocess
.call(['brctl', 'delif', br_ifname
, ifname
])
5104 subprocess
.call(['brctl', 'delbr', br_ifname
])
5105 subprocess
.call(['iw', ifname
, 'set', '4addr', 'off'])
5107 def _test_ap_wpa2_eap_in_bridge(dev
, apdev
):
5108 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5109 hapd
= hostapd
.add_ap(apdev
[0], params
)
5113 wpas
= WpaSupplicant(global_iface
='/tmp/wpas-wlan5')
5114 subprocess
.call(['brctl', 'addbr', br_ifname
])
5115 subprocess
.call(['brctl', 'setfd', br_ifname
, '0'])
5116 subprocess
.call(['ip', 'link', 'set', 'dev', br_ifname
, 'up'])
5117 subprocess
.call(['iw', ifname
, 'set', '4addr', 'on'])
5118 subprocess
.check_call(['brctl', 'addif', br_ifname
, ifname
])
5119 wpas
.interface_add(ifname
, br_ifname
=br_ifname
)
5122 id = eap_connect(wpas
, hapd
, "PAX", "pax.user@example.com",
5123 password_hex
="0123456789abcdef0123456789abcdef")
5125 eap_reauth(wpas
, "PAX")
5127 # Try again as a regression test for packet socket workaround
5128 eap_reauth(wpas
, "PAX")
5130 wpas
.request("DISCONNECT")
5131 wpas
.wait_disconnected()
5133 wpas
.request("RECONNECT")
5134 wpas
.wait_connected()
5137 def test_ap_wpa2_eap_session_ticket(dev
, apdev
):
5138 """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
5139 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5140 hapd
= hostapd
.add_ap(apdev
[0], params
)
5141 key_mgmt
= hapd
.get_config()['key_mgmt']
5142 if key_mgmt
.split(' ')[0] != "WPA-EAP":
5143 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt
)
5144 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5145 anonymous_identity
="ttls", password
="password",
5146 ca_cert
="auth_serv/ca.pem",
5147 phase1
="tls_disable_session_ticket=0", phase2
="auth=PAP")
5148 eap_reauth(dev
[0], "TTLS")
5150 def test_ap_wpa2_eap_no_workaround(dev
, apdev
):
5151 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
5152 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5153 hapd
= hostapd
.add_ap(apdev
[0], params
)
5154 key_mgmt
= hapd
.get_config()['key_mgmt']
5155 if key_mgmt
.split(' ')[0] != "WPA-EAP":
5156 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt
)
5157 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5158 anonymous_identity
="ttls", password
="password",
5159 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5161 eap_reauth(dev
[0], "TTLS")
5163 def test_ap_wpa2_eap_tls_check_crl(dev
, apdev
):
5164 """EAP-TLS and server checking CRL"""
5165 params
= int_eap_server_params()
5166 params
['check_crl'] = '1'
5167 hapd
= hostapd
.add_ap(apdev
[0], params
)
5169 # check_crl=1 and no CRL available --> reject connection
5170 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5171 client_cert
="auth_serv/user.pem",
5172 private_key
="auth_serv/user.key", expect_failure
=True)
5173 dev
[0].request("REMOVE_NETWORK all")
5176 hapd
.set("ca_cert", "auth_serv/ca-and-crl.pem")
5179 # check_crl=1 and valid CRL --> accept
5180 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5181 client_cert
="auth_serv/user.pem",
5182 private_key
="auth_serv/user.key")
5183 dev
[0].request("REMOVE_NETWORK all")
5186 hapd
.set("check_crl", "2")
5189 # check_crl=2 and valid CRL --> accept
5190 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5191 client_cert
="auth_serv/user.pem",
5192 private_key
="auth_serv/user.key")
5193 dev
[0].request("REMOVE_NETWORK all")
5195 def test_ap_wpa2_eap_tls_oom(dev
, apdev
):
5196 """EAP-TLS and OOM"""
5197 check_subject_match_support(dev
[0])
5198 check_altsubject_match_support(dev
[0])
5199 check_domain_match(dev
[0])
5200 check_domain_match_full(dev
[0])
5202 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5203 hostapd
.add_ap(apdev
[0], params
)
5205 tests
= [ (1, "tls_connection_set_subject_match"),
5206 (2, "tls_connection_set_subject_match"),
5207 (3, "tls_connection_set_subject_match"),
5208 (4, "tls_connection_set_subject_match") ]
5209 for count
, func
in tests
:
5210 with
alloc_fail(dev
[0], count
, func
):
5211 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5212 identity
="tls user", ca_cert
="auth_serv/ca.pem",
5213 client_cert
="auth_serv/user.pem",
5214 private_key
="auth_serv/user.key",
5215 subject_match
="/C=FI/O=w1.fi/CN=server.w1.fi",
5216 altsubject_match
="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
5217 domain_suffix_match
="server.w1.fi",
5218 domain_match
="server.w1.fi",
5219 wait_connect
=False, scan_freq
="2412")
5220 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
5221 ev
= dev
[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout
=5)
5223 raise Exception("No passphrase request")
5224 dev
[0].request("REMOVE_NETWORK all")
5225 dev
[0].wait_disconnected()
5227 def test_ap_wpa2_eap_tls_macacl(dev
, apdev
):
5228 """WPA2-Enterprise connection using MAC ACL"""
5229 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5230 params
["macaddr_acl"] = "2"
5231 hapd
= hostapd
.add_ap(apdev
[0], params
)
5232 eap_connect(dev
[1], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5233 client_cert
="auth_serv/user.pem",
5234 private_key
="auth_serv/user.key")
5236 def test_ap_wpa2_eap_oom(dev
, apdev
):
5237 """EAP server and OOM"""
5238 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5239 hapd
= hostapd
.add_ap(apdev
[0], params
)
5240 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
5242 with
alloc_fail(hapd
, 1, "eapol_auth_alloc"):
5243 # The first attempt fails, but STA will send EAPOL-Start to retry and
5245 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5246 identity
="tls user", ca_cert
="auth_serv/ca.pem",
5247 client_cert
="auth_serv/user.pem",
5248 private_key
="auth_serv/user.key",
5251 def check_tls_ver(dev
, hapd
, phase1
, expected
):
5252 eap_connect(dev
, hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5253 client_cert
="auth_serv/user.pem",
5254 private_key
="auth_serv/user.key",
5256 ver
= dev
.get_status_field("eap_tls_version")
5258 raise Exception("Unexpected TLS version (expected %s): %s" % (expected
, ver
))
5260 def test_ap_wpa2_eap_tls_versions(dev
, apdev
):
5261 """EAP-TLS and TLS version configuration"""
5262 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5263 hapd
= hostapd
.add_ap(apdev
[0], params
)
5265 tls
= dev
[0].request("GET tls_library")
5266 if tls
.startswith("OpenSSL"):
5267 if "build=OpenSSL 1.0.2" in tls
and "run=OpenSSL 1.0.2" in tls
:
5268 check_tls_ver(dev
[0], hapd
,
5269 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
5271 elif tls
.startswith("internal"):
5272 check_tls_ver(dev
[0], hapd
,
5273 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
5274 check_tls_ver(dev
[1], hapd
,
5275 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
5276 check_tls_ver(dev
[2], hapd
,
5277 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
5279 def test_rsn_ie_proto_eap_sta(dev
, apdev
):
5280 """RSN element protocol testing for EAP cases on STA side"""
5281 bssid
= apdev
[0]['bssid']
5282 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5283 # This is the RSN element used normally by hostapd
5284 params
['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
5285 hapd
= hostapd
.add_ap(apdev
[0], params
)
5286 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
5287 identity
="gpsk user",
5288 password
="abcdefghijklmnop0123456789abcdef",
5291 tests
= [ ('No RSN Capabilities field',
5292 '30120100000fac040100000fac040100000fac01'),
5293 ('No AKM Suite fields',
5294 '300c0100000fac040100000fac04'),
5295 ('No Pairwise Cipher Suite fields',
5296 '30060100000fac04'),
5297 ('No Group Data Cipher Suite field',
5299 for txt
,ie
in tests
:
5300 dev
[0].request("DISCONNECT")
5301 dev
[0].wait_disconnected()
5304 hapd
.set('own_ie_override', ie
)
5306 dev
[0].request("BSS_FLUSH 0")
5307 dev
[0].scan_for_bss(bssid
, 2412, force_scan
=True, only_new
=True)
5308 dev
[0].select_network(id, freq
=2412)
5309 dev
[0].wait_connected()
5311 dev
[0].request("DISCONNECT")
5312 dev
[0].wait_disconnected()
5313 dev
[0].flush_scan_cache()
5315 def check_tls_session_resumption_capa(dev
, hapd
):
5316 tls
= hapd
.request("GET tls_library")
5317 if not tls
.startswith("OpenSSL"):
5318 raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls
)
5320 tls
= dev
.request("GET tls_library")
5321 if not tls
.startswith("OpenSSL"):
5322 raise HwsimSkip("Session resumption not supported with this TLS library: " + tls
)
5324 def test_eap_ttls_pap_session_resumption(dev
, apdev
):
5325 """EAP-TTLS/PAP session resumption"""
5326 params
= int_eap_server_params()
5327 params
['tls_session_lifetime'] = '60'
5328 hapd
= hostapd
.add_ap(apdev
[0], params
)
5329 check_tls_session_resumption_capa(dev
[0], hapd
)
5330 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5331 anonymous_identity
="ttls", password
="password",
5332 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5334 if dev
[0].get_status_field("tls_session_reused") != '0':
5335 raise Exception("Unexpected session resumption on the first connection")
5337 dev
[0].request("REAUTHENTICATE")
5338 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5340 raise Exception("EAP success timed out")
5341 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5343 raise Exception("Key handshake with the AP timed out")
5344 if dev
[0].get_status_field("tls_session_reused") != '1':
5345 raise Exception("Session resumption not used on the second connection")
5347 def test_eap_ttls_chap_session_resumption(dev
, apdev
):
5348 """EAP-TTLS/CHAP session resumption"""
5349 params
= int_eap_server_params()
5350 params
['tls_session_lifetime'] = '60'
5351 hapd
= hostapd
.add_ap(apdev
[0], params
)
5352 check_tls_session_resumption_capa(dev
[0], hapd
)
5353 eap_connect(dev
[0], hapd
, "TTLS", "chap user",
5354 anonymous_identity
="ttls", password
="password",
5355 ca_cert
="auth_serv/ca.der", phase2
="auth=CHAP")
5356 if dev
[0].get_status_field("tls_session_reused") != '0':
5357 raise Exception("Unexpected session resumption on the first connection")
5359 dev
[0].request("REAUTHENTICATE")
5360 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5362 raise Exception("EAP success timed out")
5363 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5365 raise Exception("Key handshake with the AP timed out")
5366 if dev
[0].get_status_field("tls_session_reused") != '1':
5367 raise Exception("Session resumption not used on the second connection")
5369 def test_eap_ttls_mschap_session_resumption(dev
, apdev
):
5370 """EAP-TTLS/MSCHAP session resumption"""
5371 check_domain_suffix_match(dev
[0])
5372 params
= int_eap_server_params()
5373 params
['tls_session_lifetime'] = '60'
5374 hapd
= hostapd
.add_ap(apdev
[0], params
)
5375 check_tls_session_resumption_capa(dev
[0], hapd
)
5376 eap_connect(dev
[0], hapd
, "TTLS", "mschap user",
5377 anonymous_identity
="ttls", password
="password",
5378 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
5379 domain_suffix_match
="server.w1.fi")
5380 if dev
[0].get_status_field("tls_session_reused") != '0':
5381 raise Exception("Unexpected session resumption on the first connection")
5383 dev
[0].request("REAUTHENTICATE")
5384 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5386 raise Exception("EAP success timed out")
5387 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5389 raise Exception("Key handshake with the AP timed out")
5390 if dev
[0].get_status_field("tls_session_reused") != '1':
5391 raise Exception("Session resumption not used on the second connection")
5393 def test_eap_ttls_mschapv2_session_resumption(dev
, apdev
):
5394 """EAP-TTLS/MSCHAPv2 session resumption"""
5395 check_domain_suffix_match(dev
[0])
5396 check_eap_capa(dev
[0], "MSCHAPV2")
5397 params
= int_eap_server_params()
5398 params
['tls_session_lifetime'] = '60'
5399 hapd
= hostapd
.add_ap(apdev
[0], params
)
5400 check_tls_session_resumption_capa(dev
[0], hapd
)
5401 eap_connect(dev
[0], hapd
, "TTLS", "DOMAIN\mschapv2 user",
5402 anonymous_identity
="ttls", password
="password",
5403 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
5404 domain_suffix_match
="server.w1.fi")
5405 if dev
[0].get_status_field("tls_session_reused") != '0':
5406 raise Exception("Unexpected session resumption on the first connection")
5408 dev
[0].request("REAUTHENTICATE")
5409 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5411 raise Exception("EAP success timed out")
5412 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5414 raise Exception("Key handshake with the AP timed out")
5415 if dev
[0].get_status_field("tls_session_reused") != '1':
5416 raise Exception("Session resumption not used on the second connection")
5418 def test_eap_ttls_eap_gtc_session_resumption(dev
, apdev
):
5419 """EAP-TTLS/EAP-GTC session resumption"""
5420 params
= int_eap_server_params()
5421 params
['tls_session_lifetime'] = '60'
5422 hapd
= hostapd
.add_ap(apdev
[0], params
)
5423 check_tls_session_resumption_capa(dev
[0], hapd
)
5424 eap_connect(dev
[0], hapd
, "TTLS", "user",
5425 anonymous_identity
="ttls", password
="password",
5426 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC")
5427 if dev
[0].get_status_field("tls_session_reused") != '0':
5428 raise Exception("Unexpected session resumption on the first connection")
5430 dev
[0].request("REAUTHENTICATE")
5431 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5433 raise Exception("EAP success timed out")
5434 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5436 raise Exception("Key handshake with the AP timed out")
5437 if dev
[0].get_status_field("tls_session_reused") != '1':
5438 raise Exception("Session resumption not used on the second connection")
5440 def test_eap_ttls_no_session_resumption(dev
, apdev
):
5441 """EAP-TTLS session resumption disabled on server"""
5442 params
= int_eap_server_params()
5443 params
['tls_session_lifetime'] = '0'
5444 hapd
= hostapd
.add_ap(apdev
[0], params
)
5445 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5446 anonymous_identity
="ttls", password
="password",
5447 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5449 if dev
[0].get_status_field("tls_session_reused") != '0':
5450 raise Exception("Unexpected session resumption on the first connection")
5452 dev
[0].request("REAUTHENTICATE")
5453 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5455 raise Exception("EAP success timed out")
5456 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5458 raise Exception("Key handshake with the AP timed out")
5459 if dev
[0].get_status_field("tls_session_reused") != '0':
5460 raise Exception("Unexpected session resumption on the second connection")
5462 def test_eap_peap_session_resumption(dev
, apdev
):
5463 """EAP-PEAP session resumption"""
5464 params
= int_eap_server_params()
5465 params
['tls_session_lifetime'] = '60'
5466 hapd
= hostapd
.add_ap(apdev
[0], params
)
5467 check_tls_session_resumption_capa(dev
[0], hapd
)
5468 eap_connect(dev
[0], hapd
, "PEAP", "user",
5469 anonymous_identity
="peap", password
="password",
5470 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
5471 if dev
[0].get_status_field("tls_session_reused") != '0':
5472 raise Exception("Unexpected session resumption on the first connection")
5474 dev
[0].request("REAUTHENTICATE")
5475 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5477 raise Exception("EAP success timed out")
5478 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5480 raise Exception("Key handshake with the AP timed out")
5481 if dev
[0].get_status_field("tls_session_reused") != '1':
5482 raise Exception("Session resumption not used on the second connection")
5484 def test_eap_peap_session_resumption_crypto_binding(dev
, apdev
):
5485 """EAP-PEAP session resumption with crypto binding"""
5486 params
= int_eap_server_params()
5487 params
['tls_session_lifetime'] = '60'
5488 hapd
= hostapd
.add_ap(apdev
[0], params
)
5489 check_tls_session_resumption_capa(dev
[0], hapd
)
5490 eap_connect(dev
[0], hapd
, "PEAP", "user",
5491 anonymous_identity
="peap", password
="password",
5492 phase1
="peapver=0 crypto_binding=2",
5493 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
5494 if dev
[0].get_status_field("tls_session_reused") != '0':
5495 raise Exception("Unexpected session resumption on the first connection")
5497 dev
[0].request("REAUTHENTICATE")
5498 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5500 raise Exception("EAP success timed out")
5501 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5503 raise Exception("Key handshake with the AP timed out")
5504 if dev
[0].get_status_field("tls_session_reused") != '1':
5505 raise Exception("Session resumption not used on the second connection")
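def test_eap_peap_no_session_resumption(dev, apdev):
    """EAP-PEAP session resumption disabled on server"""
    # Default server parameters: no tls_session_lifetime, so the server must
    # not offer resumption at all.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Reauthenticate and verify that a full handshake was used again.
    # NOTE(review): the `if ev is None:` guards below were dropped by the
    # rendered listing and are restored here.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")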
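def test_eap_tls_session_resumption(dev, apdev):
    """EAP-TLS session resumption"""
    # Server-side TLS session cache with a 60 s lifetime.
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Two further EAP runs on the same association; both must resume the
    # cached session (i.e., the resumed session itself stays resumable).
    # NOTE(review): the `if ev is None:` guards below were dropped by the
    # rendered listing and are restored here.
    for attempt in ("second", "third"):
        dev[0].request("REAUTHENTICATE")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
        if ev is None:
            raise Exception("Key handshake with the AP timed out")
        if dev[0].get_status_field("tls_session_reused") != '1':
            raise Exception("Session resumption not used on the %s connection" % attempt)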
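def test_eap_tls_session_resumption_expiration(dev, apdev):
    """EAP-TLS session resumption with lifetime expiration"""
    import time

    # A 1 s cache lifetime: once the cached entry has expired, a
    # reauthentication must fall back to a full handshake.
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '1'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Allow multiple attempts since OpenSSL may not expire the cached entry
    # exactly at the configured lifetime.
    # NOTE(review): the retry loop header, the sleep and the `if ev is None:`
    # guards were dropped by the rendered listing; the loop bound and the
    # sleep length here are reconstructed values.
    for _ in range(10):
        time.sleep(1.2)

        dev[0].request("REAUTHENTICATE")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
        if ev is None:
            raise Exception("Key handshake with the AP timed out")
        # A full handshake means the entry has expired; stop retrying.
        if dev[0].get_status_field("tls_session_reused") == '0':
            break
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Session resumption used after lifetime expiration")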
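def test_eap_tls_no_session_resumption(dev, apdev):
    """EAP-TLS session resumption disabled on server"""
    # Default server parameters: no tls_session_lifetime configured.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Reauthenticate and verify that a full handshake was used again.
    # NOTE(review): the `if ev is None:` guards below were dropped by the
    # rendered listing and are restored here.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")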
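def test_eap_tls_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption (RADIUS)"""
    # apdev[1] runs as a standalone RADIUS/EAP server ("as") with session
    # caching enabled; apdev[0] is a plain AP that forwards EAP to it.
    # NOTE(review): the `"eap_server": "1"` entry was dropped by the rendered
    # listing and is restored here.
    params = {"ssid": "as", "beacon_int": "2000",
              "radius_server_clients": "auth_serv/radius_clients.conf",
              "radius_server_auth_port": '18128',
              "eap_server": "1",
              "eap_user_file": "auth_serv/eap_user.conf",
              "ca_cert": "auth_serv/ca.pem",
              "server_cert": "auth_serv/server.pem",
              "private_key": "auth_serv/server.key",
              "tls_session_lifetime": "60"}
    authsrv = hostapd.add_ap(apdev[1], params)
    check_tls_session_resumption_capa(dev[0], authsrv)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Reauthenticate through the RADIUS path; the session must be resumed.
    # NOTE(review): the `if ev is None:` guards below were dropped by the
    # rendered listing and are restored here.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")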
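def test_eap_tls_no_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption disabled (RADIUS)"""
    # Standalone RADIUS/EAP server on apdev[1] with session caching
    # explicitly disabled (tls_session_lifetime=0).
    # NOTE(review): the `"eap_server": "1"` entry was dropped by the rendered
    # listing and is restored here.
    params = {"ssid": "as", "beacon_int": "2000",
              "radius_server_clients": "auth_serv/radius_clients.conf",
              "radius_server_auth_port": '18128',
              "eap_server": "1",
              "eap_user_file": "auth_serv/eap_user.conf",
              "ca_cert": "auth_serv/ca.pem",
              "server_cert": "auth_serv/server.pem",
              "private_key": "auth_serv/server.key",
              "tls_session_lifetime": "0"}
    hostapd.add_ap(apdev[1], params)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Reauthenticate; a full handshake must be used again.
    # NOTE(review): the `if ev is None:` guards below were dropped by the
    # rendered listing and are restored here.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")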
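def test_eap_mschapv2_errors(dev, apdev):
    """EAP-MSCHAPv2 error cases"""
    check_eap_capa(dev[0], "MSCHAPV2")
    check_eap_capa(dev[0], "FAST")

    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hostapd.add_ap(apdev[0], params)
    # Baseline: a plain successful EAP-MSCHAPv2 authentication.
    # NOTE(review): the closing `scan_freq="2412")` argument of this call
    # was dropped by the rendered listing and is restored here.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                   identity="phase1-user", password="password",
                   scan_freq="2412")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    def attempt(trigger, **net_args):
        # One failure-injected connection attempt: start the EAP exchange,
        # block until the injected failure point has fired (`trigger` is
        # the control interface query that reports it), then tear the
        # network down. Call inside a fail_test()/alloc_fail() context.
        dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP",
                       wait_connect=False, scan_freq="2412", **net_args)
        wait_fail_trigger(dev[0], trigger)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Forced crypto failures in the MSCHAPv2 response derivation with a
    # cleartext password (one injection point is listed twice in the original
    # table; kept as-is).
    tests = [(1, "hash_nt_password_hash;mschapv2_derive_response"),
             (1, "nt_password_hash;mschapv2_derive_response"),
             (1, "nt_password_hash;=mschapv2_derive_response"),
             (1, "generate_nt_response;mschapv2_derive_response"),
             (1, "generate_authenticator_response;mschapv2_derive_response"),
             (1, "nt_password_hash;=mschapv2_derive_response"),
             (1, "get_master_key;mschapv2_derive_response"),
             (1, "os_get_random;eap_mschapv2_challenge_reply")]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            attempt("GET_FAIL", eap="MSCHAPV2",
                    identity="phase1-user", password="password")

    # Same injection points on the pre-hashed (NT hash) password path.
    tests = [(1, "hash_nt_password_hash;mschapv2_derive_response"),
             (1, "hash_nt_password_hash;=mschapv2_derive_response"),
             (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
             (1, "generate_authenticator_response_pwhash;mschapv2_derive_response")]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            attempt("GET_FAIL", eap="MSCHAPV2",
                    identity="phase1-user",
                    password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c")

    # Memory allocation failures in the EAP-MSCHAPv2 peer method.
    tests = [(1, "eap_mschapv2_init"),
             (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
             (1, "eap_msg_alloc;eap_mschapv2_success"),
             (1, "eap_mschapv2_getKey")]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            attempt("GET_ALLOC_FAIL", eap="MSCHAPV2",
                    identity="phase1-user", password="password")

    # Allocation failure while building the failure response (reached only
    # with a wrong password).
    with alloc_fail(dev[0], 1, "eap_msg_alloc;eap_mschapv2_failure"):
        attempt("GET_ALLOC_FAIL", eap="MSCHAPV2",
                identity="phase1-user", password="wrong password")

    # EAP-MSCHAPv2 as the EAP-FAST inner method: later allocations inside
    # eap_mschapv2_init().
    for count in (2, 3):
        with alloc_fail(dev[0], count, "eap_mschapv2_init"):
            attempt("GET_ALLOC_FAIL", eap="FAST",
                    anonymous_identity="FAST", identity="user",
                    password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1",
                    pac_file="blob://fast_pac")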
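def test_eap_gpsk_errors(dev, apdev):
    """EAP-GPSK error cases"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hostapd.add_ap(apdev[0], params)
    # Baseline: a plain successful EAP-GPSK authentication.
    # NOTE(review): the closing `scan_freq="2412")` argument of this call
    # was dropped by the rendered listing and is restored here.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                   identity="gpsk user",
                   password="abcdefghijklmnop0123456789abcdef",
                   scan_freq="2412")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    def attempt(trigger, **net_args):
        # One failure-injected connection attempt: start the EAP exchange,
        # block until the injected failure point has fired (`trigger` is
        # the control interface query that reports it), then tear the
        # network down. Call inside a fail_test()/alloc_fail() context.
        dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP",
                       wait_connect=False, scan_freq="2412", **net_args)
        wait_fail_trigger(dev[0], trigger)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Forced failures in the EAP-GPSK peer crypto paths. The phase1 value
    # selects the cipher suite so that the suite-specific MIC code is hit
    # (cipher=1 for the AES-based suite, cipher=2 for the SHA256-based one);
    # None leaves the default.
    # NOTE(review): the "cipher=1"/"cipher=2" continuation lines and the
    # `phase1=phase1` argument were dropped by the rendered listing and are
    # restored here; each pairing follows the function named in the entry.
    tests = [(1, "os_get_random;eap_gpsk_send_gpsk_2", None),
             (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
              "cipher=1"),
             (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
              "cipher=2"),
             (1, "eap_gpsk_derive_keys_helper", None),
             (2, "eap_gpsk_derive_keys_helper", None),
             (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
              "cipher=1"),
             (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
              "cipher=2"),
             (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
             (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
             (1, "eap_gpsk_derive_mid_helper", None)]
    for count, func, phase1 in tests:
        with fail_test(dev[0], count, func):
            attempt("GET_FAIL", eap="GPSK", identity="gpsk user",
                    password="abcdefghijklmnop0123456789abcdef",
                    phase1=phase1)

    # Memory allocation failures in the EAP-GPSK peer method, including the
    # EMSK/session-id paths that ERP (erp=1, realm in the identity) needs.
    tests = [(1, "eap_gpsk_init"),
             (2, "eap_gpsk_init"),
             (3, "eap_gpsk_init"),
             (1, "eap_gpsk_process_id_server"),
             (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
             (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
             (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
             (1, "eap_gpsk_derive_keys"),
             (1, "eap_gpsk_derive_keys_helper"),
             (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
             (1, "eap_gpsk_getKey"),
             (1, "eap_gpsk_get_emsk"),
             (1, "eap_gpsk_get_session_id")]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            # Drop any cached ERP keys so that each round derives fresh ones.
            dev[0].request("ERP_FLUSH")
            attempt("GET_ALLOC_FAIL", eap="GPSK",
                    identity="gpsk user@domain", erp="1",
                    password="abcdefghijklmnop0123456789abcdef")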
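def test_ap_wpa2_eap_sim_db(dev, apdev, params):
    """EAP-SIM DB error cases"""
    # The test itself plays the hlr_auc_gw role on a private Unix datagram
    # socket so that malformed and missing responses can be injected.
    # NOTE(review): the socket cleanup below was dropped by the rendered
    # listing; it is restored here with a narrowed exception type.
    sockpath = '/tmp/hlr_auc_gw.sock-test'
    try:
        os.remove(sockpath)
    except OSError:
        pass
    hparams = int_eap_server_params()
    hparams['eap_sim_db'] = 'unix:' + sockpath
    hapd = hostapd.add_ap(apdev[0], hparams)

    # Initial test with hlr_auc_gw socket not available: the server has no
    # backend to query, so EAP must fail.
    # NOTE(review): the `if ev is None:` guards in this function were dropped
    # by the rendered listing and are restored here.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                            eap="SIM", identity="1232010000000000",
                            password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                            scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    # Test with invalid responses and response timeout

    class test_handler(SocketServer.DatagramRequestHandler):
        # Answer every request with three malformed replies and then stay
        # silent so that the server's pending-request timeout fires.
        def handle(self):
            data = self.request[0].strip()
            socket = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            # EAP-SIM DB: Failed to parse response string
            socket.sendto("FOO", self.client_address)
            # EAP-SIM DB: Failed to parse response string
            socket.sendto("FOO 1", self.client_address)
            # EAP-SIM DB: Unknown external response
            socket.sendto("FOO 1 2", self.client_address)
            logger.info("No proper response - wait for pending eap_sim_db request timeout")

    server = SocketServer.UnixDatagramServer(sockpath, test_handler)
    # NOTE(review): a per-request timeout was dropped by the rendered
    # listing; the value here is reconstructed so that handle_request()
    # cannot block the test forever.
    server.timeout = 1

    dev[0].select_network(net_id)
    server.handle_request()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    # Test with a valid response

    class test_handler2(SocketServer.DatagramRequestHandler):
        # Delegate the request to the real hlr_auc_gw binary in one-shot
        # mode and relay its answer.
        def handle(self):
            data = self.request[0].strip()
            socket = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            fname = os.path.join(params['logdir'],
                                 'hlr_auc_gw.milenage_db')
            # The request text is passed as a single argv element (no shell),
            # so socket content is never subject to shell interpretation.
            # NOTE(review): the argument line was dropped by the rendered
            # listing; '-m <db>' and '-c <request>' are restored here.
            cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
                                    '-m', fname, '-c', data],
                                   stdout=subprocess.PIPE)
            # communicate() reads stdout and reaps the child, avoiding a
            # zombie per request.
            res, _ = cmd.communicate()
            res = res.strip()
            logger.debug("hlr_auc_gw response: " + res)
            socket.sendto(res, self.client_address)

    server.RequestHandlerClass = test_handler2

    dev[0].select_network(net_id)
    server.handle_request()
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()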
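def test_eap_tls_sha512(dev, apdev, params):
    """EAP-TLS with SHA512 signature"""
    # The test-runner `params` argument is shadowed by the AP configuration
    # below (kept for signature compatibility; the runner values are unused).
    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/sha512-ca.pem"
    params["server_cert"] = "auth_serv/sha512-server.pem"
    params["private_key"] = "auth_serv/sha512-server.key"
    hostapd.add_ap(apdev[0], params)

    # Two clients against the SHA512-signed server certificate: one with a
    # SHA512-signed client certificate, one with a SHA384-signed one.
    # NOTE(review): the closing `scan_freq="2412")` arguments were dropped by
    # the rendered listing and are restored here.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha512-user.pem",
                   private_key="auth_serv/sha512-user.key",
                   scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha384-user.pem",
                   private_key="auth_serv/sha384-user.key",
                   scan_freq="2412")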
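def test_eap_tls_sha384(dev, apdev, params):
    """EAP-TLS with SHA384 signature"""
    # The test-runner `params` argument is shadowed by the AP configuration
    # below (kept for signature compatibility; the runner values are unused).
    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/sha512-ca.pem"
    params["server_cert"] = "auth_serv/sha384-server.pem"
    params["private_key"] = "auth_serv/sha384-server.key"
    hostapd.add_ap(apdev[0], params)

    # Two clients against the SHA384-signed server certificate: one with a
    # SHA512-signed client certificate, one with a SHA384-signed one.
    # NOTE(review): the closing `scan_freq="2412")` arguments were dropped by
    # the rendered listing and are restored here.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha512-user.pem",
                   private_key="auth_serv/sha512-user.key",
                   scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha384-user.pem",
                   private_key="auth_serv/sha384-user.key",
                   scan_freq="2412")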
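def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
    """WPA2-Enterprise AP and association request RSN IE differences"""
    # Two APs: one without PMF and one with PMF required (ieee80211w=2).
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
    params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[1], params)

    # NOTE(review): the per-case `logger.info("Testing: " + title)` lines,
    # the closing `scan_freq="2412")` arguments and the `if ev is None:`
    # guards were dropped by the rendered listing and are restored here.

    # Success cases with optional RSN IE fields removed one by one
    tests = [("Normal wpa_supplicant assoc req RSN IE",
              "30140100000fac040100000fac040100000fac010000"),
             ("Extra PMKIDCount field in RSN IE",
              "30160100000fac040100000fac040100000fac0100000000"),
             ("Extra Group Management Cipher Suite in RSN IE",
              "301a0100000fac040100000fac040100000fac0100000000000fac06"),
             ("Extra undefined extension field in RSN IE",
              "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
             ("RSN IE without RSN Capabilities",
              "30120100000fac040100000fac040100000fac01"),
             ("RSN IE without AKM", "300c0100000fac040100000fac04"),
             ("RSN IE without pairwise", "30060100000fac04"),
             ("RSN IE without group", "30020100")]
    for title, ie in tests:
        logger.info("Testing: " + title)
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                       identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
                       scan_freq="2412")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Success cases against the PMF-required AP (MFPC/MFPR bits set in the
    # RSN Capabilities field).
    tests = [("Normal wpa_supplicant assoc req RSN IE",
              "30140100000fac040100000fac040100000fac01cc00"),
             ("Group management cipher included in assoc req RSN IE",
              "301a0100000fac040100000fac040100000fac01cc000000000fac06")]
    for title, ie in tests:
        logger.info("Testing: " + title)
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
                       eap="GPSK", identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
                       scan_freq="2412")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    def expect_assoc_reject(ssid, ie, status, **net_args):
        # Associate with a deliberately unacceptable RSN IE and verify that
        # the AP rejects the request with the given status code.
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect(ssid, key_mgmt="WPA-EAP", eap="GPSK",
                       identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
                       scan_freq="2412", wait_connect=False, **net_args)
        ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
        if ev is None:
            raise Exception("Association rejection not reported")
        if "status_code=" + str(status) not in ev:
            raise Exception("Unexpected status code: " + ev)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].dump_monitor()

    # Rejections: cipher suites the AP does not allow (status 41/42).
    tests = [("Invalid group cipher", "30060100000fac02", 41),
             ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42)]
    for title, ie, status in tests:
        logger.info("Testing: " + title)
        expect_assoc_reject("test-wpa2-eap", ie, status)

    # Rejections by the PMF-required AP (status 31: robust management frame
    # policy violation).
    tests = [("Management frame protection not enabled",
              "30140100000fac040100000fac040100000fac010000", 31),
             ("Unsupported management group cipher",
              "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 31)]
    for title, ie, status in tests:
        logger.info("Testing: " + title)
        expect_assoc_reject("test-wpa2-eap-11w", ie, status, ieee80211w="1")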
def test_eap_tls_ext_cert_check(dev, apdev):
    """EAP-TLS and external server certification validation"""
    # With internal server certificate chain validation (ca_cert set) in
    # addition to the external check; the network is only added here and
    # selected by run_ext_cert_check().
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                            identity="tls user",
                            ca_cert="auth_serv/ca.pem",
                            client_cert="auth_serv/user.pem",
                            private_key="auth_serv/user.key",
                            phase1="tls_ext_cert_check=1", scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_ttls_ext_cert_check(dev, apdev):
    """EAP-TTLS and external server certification validation"""
    # Without internal server certificate chain validation (no ca_cert): the
    # external check is the only validation of the server certificate here.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            phase1="tls_ext_cert_check=1", scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_peap_ext_cert_check(dev, apdev):
    """EAP-PEAP and external server certification validation"""
    # With internal server certificate chain validation (ca_cert set) in
    # addition to the external check.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                            identity="user", anonymous_identity="peap",
                            ca_cert="auth_serv/ca.pem",
                            password="password", phase2="auth=MSCHAPV2",
                            phase1="tls_ext_cert_check=1", scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
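def test_eap_fast_ext_cert_check(dev, apdev):
    """EAP-FAST and external server certification validation"""
    check_eap_capa(dev[0], "FAST")
    # With internal server certificate chain validation (ca_cert set).
    # Start from an empty PAC blob so that authenticated provisioning
    # (fast_provisioning=2) runs and the server certificate is seen.
    dev[0].request("SET blob fast_pac_auth_ext ")
    # NOTE(review): the `scan_freq="2412",` argument was dropped by the
    # rendered listing and is restored here.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                            identity="user", anonymous_identity="FAST",
                            ca_cert="auth_serv/ca.pem",
                            password="password", phase2="auth=GTC",
                            phase1="tls_ext_cert_check=1 fast_provisioning=2",
                            pac_file="blob://fast_pac_auth_ext",
                            scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)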
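def run_ext_cert_check(dev, apdev, net_id):
    # Drive the external server certificate check flow for the network
    # `net_id` that the caller has already added with
    # phase1="tls_ext_cert_check=1": collect the certificates the supplicant
    # reports, verify the supplicant withholds EAP-Success until the external
    # verdict, then exercise both the "good" and the "bad" verdict.
    # NOTE(review): the `certs` bookkeeping, the event loop header, the
    # `break`, the presence checks on certs[0]/certs[1], the second argument
    # of the load_certificate() calls and the `if ev is None:` guards were
    # dropped by the rendered listing and are restored here.
    check_ext_cert_check_support(dev[0])
    if not openssl_imported:
        raise HwsimSkip("OpenSSL python method not available")

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    dev[0].select_network(net_id)
    # Certificates keyed by chain depth (0 = server, 1 = its issuer), as DER.
    certs = {}
    while True:
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
                                "CTRL-REQ-EXT_CERT_CHECK",
                                "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("No peer server certificate event seen")
        if "CTRL-EVENT-EAP-PEER-CERT" in ev:
            depth = None
            cert = None
            for v in ev.split(' '):
                if v.startswith("depth="):
                    depth = int(v.split('=')[1])
                elif v.startswith("cert="):
                    cert = v.split('=')[1]
            if depth is not None and cert:
                certs[depth] = binascii.unhexlify(cert)
        elif "CTRL-EVENT-EAP-SUCCESS" in ev:
            # Success before the external verdict would defeat the check.
            raise Exception("Unexpected EAP-Success")
        elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
            # Request id is the trailing token of "CTRL-REQ-EXT_CERT_CHECK-<id>:".
            req_id = ev.split(':')[0].split('-')[-1]
            break
    if 0 not in certs:
        raise Exception("Server certificate not received")
    if 1 not in certs:
        raise Exception("Server certificate issuer not received")

    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
                                           certs[0])
    cn = cert.get_subject().commonName
    logger.info("Server certificate CN=" + cn)

    issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
                                             certs[1])
    icn = issuer.get_subject().commonName
    logger.info("Issuer certificate CN=" + icn)

    if cn != "server.w1.fi":
        raise Exception("Unexpected server certificate CN: " + cn)
    if icn != "Root CA":
        raise Exception("Unexpected server certificate issuer CN: " + icn)

    # The supplicant must stay blocked until the verdict is delivered.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
    if ev:
        raise Exception("Unexpected EAP-Success before external check result indication")

    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + req_id + ":good")
    dev[0].wait_connected()

    # Second round: flush cached state (PMKSA, provisioned PAC) so that a
    # full EAP exchange with a new external check happens on reconnect.
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    if "FAIL" in dev[0].request("PMKSA_FLUSH"):
        raise Exception("PMKSA_FLUSH failed")
    dev[0].request("SET blob fast_pac_auth_ext ")
    dev[0].request("RECONNECT")

    ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen (2)")
    req_id = ev.split(':')[0].split('-')[-1]
    # A "bad" verdict must abort the authentication.
    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + req_id + ":bad")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()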
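def test_eap_tls_errors(dev, apdev):
    """EAP-TLS error cases"""
    # Small fragment_size forces EAP-TLS fragmentation so the reassembly
    # allocation path is exercised.
    params = int_eap_server_params()
    params['fragment_size'] = '100'
    hostapd.add_ap(apdev[0], params)

    def attempt(trigger, **net_args):
        # One failure-injected connection attempt: start the EAP exchange,
        # block until the injected failure point has fired (`trigger` is
        # the control interface query that reports it), then tear the
        # network down. Call inside an alloc_fail() context.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       wait_connect=False, scan_freq="2412", **net_args)
        wait_fail_trigger(dev[0], trigger)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    tls_user = dict(eap="TLS", identity="tls user",
                    ca_cert="auth_serv/ca.pem",
                    client_cert="auth_serv/user.pem",
                    private_key="auth_serv/user.key")

    with alloc_fail(dev[0], 1, "eap_peer_tls_reassemble_fragment"):
        attempt("GET_ALLOC_FAIL", **tls_user)

    with alloc_fail(dev[0], 1, "eap_tls_init"):
        attempt("GET_ALLOC_FAIL", **tls_user)

    # SSL init failure while an engine-backed key is configured; the
    # supplicant must still have issued its PIN request.
    # NOTE(review): the `engine="1",` argument and the `if ev is None:`
    # guard were dropped by the rendered listing and are restored here.
    with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       engine="1",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        ev = dev[0].wait_event(["CTRL-REQ-PIN"], timeout=5)
        if ev is None:
            raise Exception("No CTRL-REQ-PIN seen")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Allocation failures in key/session-id export after a successful
    # handshake; ERP (erp=1 with a realm in the identity) pulls in the EMSK
    # and session-id paths.
    # NOTE(review): the "eap_tls_getKey"/"eap_tls_get_emsk" entries, the
    # `for func in tests:` header and the `erp="1",` argument were dropped by
    # the rendered listing and are restored here.
    tests = ["eap_peer_tls_derive_key;eap_tls_success",
             "eap_peer_tls_derive_session_id;eap_tls_success",
             "eap_tls_getKey",
             "eap_tls_get_emsk",
             "eap_tls_get_session_id"]
    for func in tests:
        with alloc_fail(dev[0], 1, func):
            attempt("GET_ALLOC_FAIL", eap="TLS",
                    identity="tls user@domain",
                    ca_cert="auth_serv/ca.pem",
                    client_cert="auth_serv/user.pem",
                    private_key="auth_serv/user.key",
                    erp="1")

    # Server-only TLS variants (no client certificate).
    for func in ("eap_unauth_tls_init",
                 "eap_peer_tls_ssl_init;eap_unauth_tls_init"):
        with alloc_fail(dev[0], 1, func):
            attempt("GET_ALLOC_FAIL", eap="UNAUTH-TLS",
                    identity="unauth-tls", ca_cert="auth_serv/ca.pem")

    for func in ("eap_wfa_unauth_tls_init",
                 "eap_peer_tls_ssl_init;eap_wfa_unauth_tls_init"):
        with alloc_fail(dev[0], 1, func):
            attempt("GET_ALLOC_FAIL", eap="WFA-UNAUTH-TLS",
                    identity="osen@example.com", ca_cert="auth_serv/ca.pem")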
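def test_ap_wpa2_eap_status(dev, apdev):
    """EAP state machine status information"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # PEAP with an inner EAP-TLS so that both outer and inner method state is
    # visible in the verbose status output.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="cert user",
                   ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                   ca_cert2="auth_serv/ca.pem",
                   client_cert2="auth_serv/user.pem",
                   private_key2="auth_serv/user.key",
                   scan_freq="2412", wait_connect=False)

    # Poll the verbose status while the EAP exchange runs and record every
    # distinct value seen for each state-machine field, in order of first
    # appearance.
    # NOTE(review): the `success` flag, the list initialisations, the
    # `if state:` guard, the `break`, the 'decision' field handling and the
    # final `if not success:` check were dropped by the rendered listing and
    # are restored here.
    success = False
    states = []
    method_states = []
    decisions = []
    req_methods = []
    selected_methods = []

    def record(seen, val):
        # Append val to seen unless it is already there (order preserved).
        if val not in seen:
            seen.append(val)

    for i in range(100000):
        s = dev[0].get_status(extra="VERBOSE")
        if 'EAP state' in s:
            state = s['EAP state']
            if state:
                record(states, state)
                if state == "SUCCESS":
                    success = True
                    break
        if 'methodState' in s:
            record(method_states, s['methodState'])
        if 'decision' in s:
            record(decisions, s['decision'])
        if 'reqMethod' in s:
            record(req_methods, s['reqMethod'])
        if 'selectedMethod' in s:
            record(selected_methods, s['selectedMethod'])
    logger.info("Iterations: %d" % i)
    logger.info("EAP states: " + str(states))
    logger.info("methodStates: " + str(method_states))
    logger.info("decisions: " + str(decisions))
    logger.info("reqMethods: " + str(req_methods))
    logger.info("selectedMethods: " + str(selected_methods))
    if not success:
        raise Exception("EAP did not succeed")
    dev[0].wait_connected()
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()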
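def test_ap_wpa2_eap_gpsk_ptk_rekey_ap(dev, apdev):
    """WPA2-Enterprise with EAP-GPSK and PTK rekey enforced by AP"""
    # wpa_ptk_rekey=2: the AP re-runs the 4-way handshake every 2 s.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['wpa_ptk_rekey'] = '2'
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "GPSK", "gpsk user",
                password="abcdefghijklmnop0123456789abcdef")
    # eap_connect() already consumed the first handshake completion, so the
    # next one is the AP-initiated rekey.
    # NOTE(review): the `if ev is None:` guard was dropped by the rendered
    # listing and is restored here.
    ev = dev[0].wait_event(["WPA: Key negotiation completed"])
    if ev is None:
        raise Exception("PTK rekey timed out")
    # Data must still flow with the new PTK.
    hwsim_utils.test_connectivity(dev[0], hapd)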
6297 def test_ap_wpa2_eap_wildcard_ssid(dev
, apdev
):
6298 """WPA2-Enterprise connection using EAP-GPSK and wildcard SSID"""
6299 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6300 hapd
= hostapd
.add_ap(apdev
[0], params
)
6301 dev
[0].connect(bssid
=apdev
[0]['bssid'], key_mgmt
="WPA-EAP", eap
="GPSK",
6302 identity
="gpsk user",
6303 password
="abcdefghijklmnop0123456789abcdef",