1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2019, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
13 logger
= logging
.getLogger()
20 import socketserver
as SocketServer
25 from hwsim
import HWSimRadio
27 from utils
import HwsimSkip
, alloc_fail
, fail_test
, skip_with_fips
, wait_fail_trigger
, require_under_vm
28 from wpasupplicant
import WpaSupplicant
29 from test_ap_psk
import check_mib
, find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
, set_test_assoc_ie
33 openssl_imported
= True
35 openssl_imported
= False
def check_hlr_auc_gw_support():
    """Skip the current test unless the hlr_auc_gw control socket exists.

    The EAP-SIM/EAP-AKA tests in this file call this first: the presence
    of /tmp/hlr_auc_gw.sock is taken as the signal that the external
    hlr_auc_gw helper is running, and its absence is reported as a test
    skip rather than a failure.

    Raises:
        HwsimSkip: if /tmp/hlr_auc_gw.sock is not present.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
41 def check_eap_capa(dev
, method
):
42 res
= dev
.get_capability("eap")
44 raise HwsimSkip("EAP method %s not supported in the build" % method
)
def check_subject_match_support(dev):
    """Skip unless *dev*'s TLS library supports the subject_match option.

    Only the OpenSSL and wolfSSL backends are accepted; any other answer
    to ``GET tls_library`` results in a skip.

    Args:
        dev: wpa_supplicant control interface wrapper (needs request()).

    Raises:
        HwsimSkip: when the TLS library is neither OpenSSL nor wolfSSL.
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith(("OpenSSL", "wolfSSL")):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + tls_lib)
def check_altsubject_match_support(dev):
    """Skip unless *dev*'s TLS library supports the altsubject_match option.

    Only the OpenSSL and wolfSSL backends are accepted; any other answer
    to ``GET tls_library`` results in a skip.

    Args:
        dev: wpa_supplicant control interface wrapper (needs request()).

    Raises:
        HwsimSkip: when the TLS library is neither OpenSSL nor wolfSSL.
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith(("OpenSSL", "wolfSSL")):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls_lib)
def check_domain_match(dev):
    """Skip when *dev*'s TLS library is the internal implementation.

    The domain_match option is exercised only against external TLS
    libraries; the built-in one is excluded.

    Args:
        dev: wpa_supplicant control interface wrapper (needs request()).

    Raises:
        HwsimSkip: when ``GET tls_library`` reports "internal".
    """
    tls_lib = dev.request("GET tls_library")
    if not tls_lib.startswith("internal"):
        return
    raise HwsimSkip("domain_match not supported with this TLS library: " + tls_lib)
def check_domain_suffix_match(dev):
    """Skip when *dev*'s TLS library is the internal implementation.

    The domain_suffix_match option is exercised only against external TLS
    libraries; the built-in one is excluded.

    Args:
        dev: wpa_supplicant control interface wrapper (needs request()).

    Raises:
        HwsimSkip: when ``GET tls_library`` reports "internal".
    """
    tls_lib = dev.request("GET tls_library")
    if not tls_lib.startswith("internal"):
        return
    raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + tls_lib)
def check_domain_match_full(dev):
    """Skip unless the TLS library does a full-match domain_suffix_match.

    Only the OpenSSL and wolfSSL backends are accepted for the tests that
    rely on domain_suffix_match requiring a complete match.

    Args:
        dev: wpa_supplicant control interface wrapper (needs request()).

    Raises:
        HwsimSkip: when the TLS library is neither OpenSSL nor wolfSSL.
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith(("OpenSSL", "wolfSSL")):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls_lib)
def check_cert_probe_support(dev):
    """Skip unless *dev*'s TLS library supports certificate probing.

    OpenSSL and the internal TLS implementation are accepted; every other
    ``GET tls_library`` answer results in a skip.

    Args:
        dev: wpa_supplicant control interface wrapper (needs request()).

    Raises:
        HwsimSkip: when the TLS library is neither OpenSSL nor internal.
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith(("OpenSSL", "internal")):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls_lib)
def check_ext_cert_check_support(dev):
    """Skip unless *dev*'s TLS library is OpenSSL.

    The ext_cert_check tests are only run against the OpenSSL backend.

    Args:
        dev: wpa_supplicant control interface wrapper (needs request()).

    Raises:
        HwsimSkip: when ``GET tls_library`` does not start with "OpenSSL".
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("ext_cert_check not supported with this TLS library: " + tls_lib)
def check_ocsp_support(dev):
    """Skip when *dev*'s TLS library cannot run the OCSP tests.

    Only wolfSSL is excluded at present; the internal TLS implementation
    and BoringSSL were previously excluded here as well, but those
    checks have been disabled.

    Args:
        dev: wpa_supplicant control interface wrapper (needs request()).

    Raises:
        HwsimSkip: when ``GET tls_library`` reports wolfSSL.
    """
    tls_lib = dev.request("GET tls_library")
    if not tls_lib.startswith("wolfSSL"):
        return
    raise HwsimSkip("OCSP not supported with this TLS library: " + tls_lib)
def check_pkcs5_v15_support(dev):
    """Skip when *dev*'s TLS library lacks PKCS#5 v1.5 support.

    BoringSSL and GnuTLS are excluded (substring match on the
    ``GET tls_library`` answer); everything else is accepted.

    Args:
        dev: wpa_supplicant control interface wrapper (needs request()).

    Raises:
        HwsimSkip: when the TLS library string mentions BoringSSL or GnuTLS.
    """
    tls_lib = dev.request("GET tls_library")
    unsupported = ("BoringSSL", "GnuTLS")
    if any(name in tls_lib for name in unsupported):
        raise HwsimSkip("PKCS#5 v1.5 not supported with this TLS library: " + tls_lib)
95 def check_ocsp_multi_support(dev
):
96 tls
= dev
.request("GET tls_library")
97 if not tls
.startswith("internal"):
98 raise HwsimSkip("OCSP-multi not supported with this TLS library: " + tls
)
99 as_hapd
= hostapd
.Hostapd("as")
100 res
= as_hapd
.request("GET tls_library")
102 if not res
.startswith("internal"):
103 raise HwsimSkip("Authentication server does not support ocsp_multi")
def check_pkcs12_support(dev):
    """Skip when *dev*'s TLS library cannot run the PKCS#12 tests.

    Only wolfSSL is excluded at present; the internal TLS implementation
    was previously excluded here as well, but that check has been disabled.

    Args:
        dev: wpa_supplicant control interface wrapper (needs request()).

    Raises:
        HwsimSkip: when ``GET tls_library`` reports wolfSSL.
    """
    tls_lib = dev.request("GET tls_library")
    if not tls_lib.startswith("wolfSSL"):
        return
    raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls_lib)
def check_dh_dsa_support(dev):
    """Skip when *dev*'s TLS library is the internal implementation.

    The DH/DSA tests are run only against external TLS libraries.

    Args:
        dev: wpa_supplicant control interface wrapper (needs request()).

    Raises:
        HwsimSkip: when ``GET tls_library`` reports "internal".
    """
    tls_lib = dev.request("GET tls_library")
    if not tls_lib.startswith("internal"):
        return
    raise HwsimSkip("DH DSA not supported with this TLS library: " + tls_lib)
118 with
open(fname
, "r") as f
:
119 lines
= f
.readlines()
127 if "-----BEGIN" in l
:
129 return base64
.b64decode(cert
)
131 def eap_connect(dev
, hapd
, method
, identity
,
132 sha256
=False, expect_failure
=False, local_error_report
=False,
133 maybe_local_error
=False, report_failure
=False, **kwargs
):
134 id = dev
.connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
135 eap
=method
, identity
=identity
,
136 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
138 eap_check_auth(dev
, method
, True, sha256
=sha256
,
139 expect_failure
=expect_failure
,
140 local_error_report
=local_error_report
,
141 maybe_local_error
=maybe_local_error
,
142 report_failure
=report_failure
)
145 ev
= hapd
.wait_event([ "AP-STA-CONNECTED" ], timeout
=5)
147 raise Exception("No connection event received from hostapd")
150 def eap_check_auth(dev
, method
, initial
, rsn
=True, sha256
=False,
151 expect_failure
=False, local_error_report
=False,
152 maybe_local_error
=False, report_failure
=False):
153 ev
= dev
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
155 raise Exception("Association and EAP start timed out")
156 ev
= dev
.wait_event(["CTRL-EVENT-EAP-METHOD",
157 "CTRL-EVENT-EAP-FAILURE"], timeout
=10)
159 raise Exception("EAP method selection timed out")
160 if "CTRL-EVENT-EAP-FAILURE" in ev
:
161 if maybe_local_error
:
163 raise Exception("Could not select EAP method")
165 raise Exception("Unexpected EAP method")
167 ev
= dev
.wait_event(["CTRL-EVENT-EAP-FAILURE"])
169 raise Exception("EAP failure timed out")
170 ev
= dev
.wait_disconnected(timeout
=10)
171 if maybe_local_error
and "locally_generated=1" in ev
:
173 if not local_error_report
:
174 if "reason=23" not in ev
:
175 raise Exception("Proper reason code for disconnection not reported")
178 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS",
179 "CTRL-EVENT-EAP-FAILURE"], timeout
=10)
181 raise Exception("EAP success timed out")
182 if "CTRL-EVENT-EAP-SUCCESS" not in ev
:
183 raise Exception("EAP failed")
185 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
187 raise Exception("EAP success timed out")
190 ev
= dev
.wait_event(["CTRL-EVENT-CONNECTED"], timeout
=10)
192 ev
= dev
.wait_event(["WPA: Key negotiation completed"], timeout
=10)
194 raise Exception("Association with the AP timed out")
195 status
= dev
.get_status()
196 if status
["wpa_state"] != "COMPLETED":
197 raise Exception("Connection not completed")
199 if status
["suppPortStatus"] != "Authorized":
200 raise Exception("Port not authorized")
201 if "selectedMethod" not in status
:
202 logger
.info("Status: " + str(status
))
203 raise Exception("No selectedMethod in status")
204 if method
not in status
["selectedMethod"]:
205 raise Exception("Incorrect EAP method status")
207 e
= "WPA2-EAP-SHA256"
209 e
= "WPA2/IEEE 802.1X/EAP"
211 e
= "WPA/IEEE 802.1X/EAP"
212 if status
["key_mgmt"] != e
:
213 raise Exception("Unexpected key_mgmt status: " + status
["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger EAP reauthentication on *dev* and validate the outcome.

    Issues the REAUTHENTICATE control command and then hands off to
    eap_check_auth() with initial=False, so the repeated EAP exchange is
    checked against the same expectations as the first authentication.

    Args:
        dev: wpa_supplicant control interface wrapper.
        method: EAP method name expected in the status output.
        rsn: passed through to eap_check_auth().
        sha256: passed through to eap_check_auth().
        expect_failure: passed through to eap_check_auth().

    Returns:
        Whatever eap_check_auth() returns.
    """
    dev.request("REAUTHENTICATE")
    checks = dict(rsn=rsn, sha256=sha256, expect_failure=expect_failure)
    return eap_check_auth(dev, method, False, **checks)
221 def test_ap_wpa2_eap_sim(dev
, apdev
):
222 """WPA2-Enterprise connection using EAP-SIM"""
223 check_hlr_auc_gw_support()
224 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
225 hapd
= hostapd
.add_ap(apdev
[0], params
)
226 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
227 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
228 hwsim_utils
.test_connectivity(dev
[0], hapd
)
229 eap_reauth(dev
[0], "SIM")
231 eap_connect(dev
[1], hapd
, "SIM", "1232010000000001",
232 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
233 eap_connect(dev
[2], hapd
, "SIM", "1232010000000002",
234 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
237 logger
.info("Negative test with incorrect key")
238 dev
[0].request("REMOVE_NETWORK all")
239 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
240 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
243 logger
.info("Invalid GSM-Milenage key")
244 dev
[0].request("REMOVE_NETWORK all")
245 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
246 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
249 logger
.info("Invalid GSM-Milenage key(2)")
250 dev
[0].request("REMOVE_NETWORK all")
251 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
252 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
255 logger
.info("Invalid GSM-Milenage key(3)")
256 dev
[0].request("REMOVE_NETWORK all")
257 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
258 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
261 logger
.info("Invalid GSM-Milenage key(4)")
262 dev
[0].request("REMOVE_NETWORK all")
263 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
264 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
267 logger
.info("Missing key configuration")
268 dev
[0].request("REMOVE_NETWORK all")
269 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
272 def test_ap_wpa2_eap_sim_sql(dev
, apdev
, params
):
273 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
274 check_hlr_auc_gw_support()
278 raise HwsimSkip("No sqlite3 module available")
279 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
280 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
281 params
['auth_server_port'] = "1814"
282 hapd
= hostapd
.add_ap(apdev
[0], params
)
283 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
284 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
286 logger
.info("SIM fast re-authentication")
287 eap_reauth(dev
[0], "SIM")
289 logger
.info("SIM full auth with pseudonym")
292 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
293 eap_reauth(dev
[0], "SIM")
295 logger
.info("SIM full auth with permanent identity")
298 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
299 cur
.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
300 eap_reauth(dev
[0], "SIM")
302 logger
.info("SIM reauth with mismatching MK")
305 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
306 eap_reauth(dev
[0], "SIM", expect_failure
=True)
307 dev
[0].request("REMOVE_NETWORK all")
309 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
310 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
313 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
314 eap_reauth(dev
[0], "SIM")
317 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
318 logger
.info("SIM reauth with mismatching counter")
319 eap_reauth(dev
[0], "SIM")
320 dev
[0].request("REMOVE_NETWORK all")
322 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
323 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
326 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
327 logger
.info("SIM reauth with max reauth count reached")
328 eap_reauth(dev
[0], "SIM")
330 def test_ap_wpa2_eap_sim_config(dev
, apdev
):
331 """EAP-SIM configuration options"""
332 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
333 hapd
= hostapd
.add_ap(apdev
[0], params
)
334 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
335 identity
="1232010000000000",
336 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
337 phase1
="sim_min_num_chal=1",
338 wait_connect
=False, scan_freq
="2412")
339 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
341 raise Exception("No EAP error message seen")
342 dev
[0].request("REMOVE_NETWORK all")
344 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
345 identity
="1232010000000000",
346 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
347 phase1
="sim_min_num_chal=4",
348 wait_connect
=False, scan_freq
="2412")
349 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
351 raise Exception("No EAP error message seen (2)")
352 dev
[0].request("REMOVE_NETWORK all")
354 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
355 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
356 phase1
="sim_min_num_chal=2")
357 eap_connect(dev
[1], hapd
, "SIM", "1232010000000000",
358 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
359 anonymous_identity
="345678")
361 def test_ap_wpa2_eap_sim_ext(dev
, apdev
):
362 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
364 _test_ap_wpa2_eap_sim_ext(dev
, apdev
)
366 dev
[0].request("SET external_sim 0")
368 def _test_ap_wpa2_eap_sim_ext(dev
, apdev
):
369 check_hlr_auc_gw_support()
370 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
371 hostapd
.add_ap(apdev
[0], params
)
372 dev
[0].request("SET external_sim 1")
373 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
374 identity
="1232010000000000",
375 wait_connect
=False, scan_freq
="2412")
376 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
378 raise Exception("Network connected timed out")
380 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
382 raise Exception("Wait for external SIM processing request timed out")
384 if p
[1] != "GSM-AUTH":
385 raise Exception("Unexpected CTRL-REQ-SIM type")
386 rid
= p
[0].split('-')[3]
389 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
390 # This will fail during processing, but the ctrl_iface command succeeds
391 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTH:" + resp
)
392 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
394 raise Exception("EAP failure not reported")
395 dev
[0].request("DISCONNECT")
396 dev
[0].wait_disconnected()
399 dev
[0].select_network(id, freq
="2412")
400 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
402 raise Exception("Wait for external SIM processing request timed out")
404 if p
[1] != "GSM-AUTH":
405 raise Exception("Unexpected CTRL-REQ-SIM type")
406 rid
= p
[0].split('-')[3]
407 # This will fail during GSM auth validation
408 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:q"):
409 raise Exception("CTRL-RSP-SIM failed")
410 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
412 raise Exception("EAP failure not reported")
413 dev
[0].request("DISCONNECT")
414 dev
[0].wait_disconnected()
417 dev
[0].select_network(id, freq
="2412")
418 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
420 raise Exception("Wait for external SIM processing request timed out")
422 if p
[1] != "GSM-AUTH":
423 raise Exception("Unexpected CTRL-REQ-SIM type")
424 rid
= p
[0].split('-')[3]
425 # This will fail during GSM auth validation
426 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:34"):
427 raise Exception("CTRL-RSP-SIM failed")
428 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
430 raise Exception("EAP failure not reported")
431 dev
[0].request("DISCONNECT")
432 dev
[0].wait_disconnected()
435 dev
[0].select_network(id, freq
="2412")
436 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
438 raise Exception("Wait for external SIM processing request timed out")
440 if p
[1] != "GSM-AUTH":
441 raise Exception("Unexpected CTRL-REQ-SIM type")
442 rid
= p
[0].split('-')[3]
443 # This will fail during GSM auth validation
444 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677"):
445 raise Exception("CTRL-RSP-SIM failed")
446 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
448 raise Exception("EAP failure not reported")
449 dev
[0].request("DISCONNECT")
450 dev
[0].wait_disconnected()
453 dev
[0].select_network(id, freq
="2412")
454 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
456 raise Exception("Wait for external SIM processing request timed out")
458 if p
[1] != "GSM-AUTH":
459 raise Exception("Unexpected CTRL-REQ-SIM type")
460 rid
= p
[0].split('-')[3]
461 # This will fail during GSM auth validation
462 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:q"):
463 raise Exception("CTRL-RSP-SIM failed")
464 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
466 raise Exception("EAP failure not reported")
467 dev
[0].request("DISCONNECT")
468 dev
[0].wait_disconnected()
471 dev
[0].select_network(id, freq
="2412")
472 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
474 raise Exception("Wait for external SIM processing request timed out")
476 if p
[1] != "GSM-AUTH":
477 raise Exception("Unexpected CTRL-REQ-SIM type")
478 rid
= p
[0].split('-')[3]
479 # This will fail during GSM auth validation
480 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233"):
481 raise Exception("CTRL-RSP-SIM failed")
482 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
484 raise Exception("EAP failure not reported")
485 dev
[0].request("DISCONNECT")
486 dev
[0].wait_disconnected()
489 dev
[0].select_network(id, freq
="2412")
490 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
492 raise Exception("Wait for external SIM processing request timed out")
494 if p
[1] != "GSM-AUTH":
495 raise Exception("Unexpected CTRL-REQ-SIM type")
496 rid
= p
[0].split('-')[3]
497 # This will fail during GSM auth validation
498 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233:q"):
499 raise Exception("CTRL-RSP-SIM failed")
500 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
502 raise Exception("EAP failure not reported")
504 def test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
):
505 """EAP-SIM with external GSM auth and replacing SIM without clearing pseudonym id"""
507 _test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
)
509 dev
[0].request("SET external_sim 0")
511 def _test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
):
512 check_hlr_auc_gw_support()
513 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
514 hostapd
.add_ap(apdev
[0], params
)
515 dev
[0].request("SET external_sim 1")
516 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
517 identity
="1232010000000000",
518 wait_connect
=False, scan_freq
="2412")
520 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
522 raise Exception("Wait for external SIM processing request timed out")
524 if p
[1] != "GSM-AUTH":
525 raise Exception("Unexpected CTRL-REQ-SIM type")
526 rid
= p
[0].split('-')[3]
527 rand
= p
[2].split(' ')[0]
529 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
531 "auth_serv/hlr_auc_gw.milenage_db",
532 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
533 if "GSM-AUTH-RESP" not in res
:
534 raise Exception("Unexpected hlr_auc_gw response")
535 resp
= res
.split(' ')[2].rstrip()
537 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
538 dev
[0].wait_connected(timeout
=15)
539 dev
[0].request("DISCONNECT")
540 dev
[0].wait_disconnected()
542 # Replace SIM, but forget to drop the previous pseudonym identity
543 dev
[0].set_network_quoted(id, "identity", "1232010000000009")
544 dev
[0].select_network(id, freq
="2412")
546 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
548 raise Exception("Wait for external SIM processing request timed out")
550 if p
[1] != "GSM-AUTH":
551 raise Exception("Unexpected CTRL-REQ-SIM type")
552 rid
= p
[0].split('-')[3]
553 rand
= p
[2].split(' ')[0]
555 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
557 "auth_serv/hlr_auc_gw.milenage_db",
558 "GSM-AUTH-REQ 232010000000009 " + rand
]).decode()
559 if "GSM-AUTH-RESP" not in res
:
560 raise Exception("Unexpected hlr_auc_gw response")
561 resp
= res
.split(' ')[2].rstrip()
563 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
564 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
566 raise Exception("EAP-Failure not reported")
567 dev
[0].request("DISCONNECT")
568 dev
[0].wait_disconnected()
570 def test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
):
571 """EAP-SIM with external GSM auth and replacing SIM and clearing pseudonym identity"""
573 _test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
)
575 dev
[0].request("SET external_sim 0")
577 def _test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
):
578 check_hlr_auc_gw_support()
579 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
580 hostapd
.add_ap(apdev
[0], params
)
581 dev
[0].request("SET external_sim 1")
582 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
583 identity
="1232010000000000",
584 wait_connect
=False, scan_freq
="2412")
586 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
588 raise Exception("Wait for external SIM processing request timed out")
590 if p
[1] != "GSM-AUTH":
591 raise Exception("Unexpected CTRL-REQ-SIM type")
592 rid
= p
[0].split('-')[3]
593 rand
= p
[2].split(' ')[0]
595 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
597 "auth_serv/hlr_auc_gw.milenage_db",
598 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
599 if "GSM-AUTH-RESP" not in res
:
600 raise Exception("Unexpected hlr_auc_gw response")
601 resp
= res
.split(' ')[2].rstrip()
603 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
604 dev
[0].wait_connected(timeout
=15)
605 dev
[0].request("DISCONNECT")
606 dev
[0].wait_disconnected()
608 # Replace SIM and drop the previous pseudonym identity
609 dev
[0].set_network_quoted(id, "identity", "1232010000000009")
610 dev
[0].set_network(id, "anonymous_identity", "NULL")
611 dev
[0].select_network(id, freq
="2412")
613 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
615 raise Exception("Wait for external SIM processing request timed out")
617 if p
[1] != "GSM-AUTH":
618 raise Exception("Unexpected CTRL-REQ-SIM type")
619 rid
= p
[0].split('-')[3]
620 rand
= p
[2].split(' ')[0]
622 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
624 "auth_serv/hlr_auc_gw.milenage_db",
625 "GSM-AUTH-REQ 232010000000009 " + rand
]).decode()
626 if "GSM-AUTH-RESP" not in res
:
627 raise Exception("Unexpected hlr_auc_gw response")
628 resp
= res
.split(' ')[2].rstrip()
630 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
631 dev
[0].wait_connected()
632 dev
[0].request("DISCONNECT")
633 dev
[0].wait_disconnected()
635 def test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
):
636 """EAP-SIM with external GSM auth, replacing SIM, and no identity in config"""
638 _test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
)
640 dev
[0].request("SET external_sim 0")
642 def _test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
):
643 check_hlr_auc_gw_support()
644 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
645 hostapd
.add_ap(apdev
[0], params
)
646 dev
[0].request("SET external_sim 1")
647 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
648 wait_connect
=False, scan_freq
="2412")
650 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
652 raise Exception("Request for identity timed out")
653 rid
= ev
.split(':')[0].split('-')[-1]
654 dev
[0].request("CTRL-RSP-IDENTITY-" + rid
+ ":1232010000000000")
656 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
658 raise Exception("Wait for external SIM processing request timed out")
660 if p
[1] != "GSM-AUTH":
661 raise Exception("Unexpected CTRL-REQ-SIM type")
662 rid
= p
[0].split('-')[3]
663 rand
= p
[2].split(' ')[0]
665 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
667 "auth_serv/hlr_auc_gw.milenage_db",
668 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
669 if "GSM-AUTH-RESP" not in res
:
670 raise Exception("Unexpected hlr_auc_gw response")
671 resp
= res
.split(' ')[2].rstrip()
673 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
674 dev
[0].wait_connected(timeout
=15)
675 dev
[0].request("DISCONNECT")
676 dev
[0].wait_disconnected()
678 # Replace SIM and drop the previous permanent and pseudonym identities
679 dev
[0].set_network(id, "identity", "NULL")
680 dev
[0].set_network(id, "anonymous_identity", "NULL")
681 dev
[0].select_network(id, freq
="2412")
683 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
685 raise Exception("Request for identity timed out")
686 rid
= ev
.split(':')[0].split('-')[-1]
687 dev
[0].request("CTRL-RSP-IDENTITY-" + rid
+ ":1232010000000009")
689 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
691 raise Exception("Wait for external SIM processing request timed out")
693 if p
[1] != "GSM-AUTH":
694 raise Exception("Unexpected CTRL-REQ-SIM type")
695 rid
= p
[0].split('-')[3]
696 rand
= p
[2].split(' ')[0]
698 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
700 "auth_serv/hlr_auc_gw.milenage_db",
701 "GSM-AUTH-REQ 232010000000009 " + rand
]).decode()
702 if "GSM-AUTH-RESP" not in res
:
703 raise Exception("Unexpected hlr_auc_gw response")
704 resp
= res
.split(' ')[2].rstrip()
706 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
707 dev
[0].wait_connected()
708 dev
[0].request("DISCONNECT")
709 dev
[0].wait_disconnected()
711 def test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
):
712 """EAP-SIM with external GSM auth and auth failing"""
714 _test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
)
716 dev
[0].request("SET external_sim 0")
718 def _test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
):
719 check_hlr_auc_gw_support()
720 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
721 hostapd
.add_ap(apdev
[0], params
)
722 dev
[0].request("SET external_sim 1")
723 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
724 identity
="1232010000000000",
725 wait_connect
=False, scan_freq
="2412")
727 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
729 raise Exception("Wait for external SIM processing request timed out")
731 rid
= p
[0].split('-')[3]
732 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-FAIL")
733 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
735 raise Exception("EAP failure not reported")
736 dev
[0].request("REMOVE_NETWORK all")
737 dev
[0].wait_disconnected()
739 def test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
):
740 """EAP-SIM and external GSM auth to check fast reauth with bssid change"""
742 _test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
)
744 dev
[0].request("SET external_sim 0")
746 def _test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
):
747 check_hlr_auc_gw_support()
748 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
749 hostapd
.add_ap(apdev
[0], params
)
750 dev
[0].request("SET external_sim 1")
751 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
752 identity
="1232010000000000",
753 wait_connect
=False, scan_freq
="2412")
755 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
757 raise Exception("Wait for external SIM processing request timed out")
759 if p
[1] != "GSM-AUTH":
760 raise Exception("Unexpected CTRL-REQ-SIM type")
761 rid
= p
[0].split('-')[3]
762 rand
= p
[2].split(' ')[0]
764 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
766 "auth_serv/hlr_auc_gw.milenage_db",
767 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
768 if "GSM-AUTH-RESP" not in res
:
769 raise Exception("Unexpected hlr_auc_gw response")
770 resp
= res
.split(' ')[2].rstrip()
772 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
773 dev
[0].wait_connected(timeout
=15)
775 # Verify that EAP-SIM Reauthentication can be used after a profile change
776 # that does not affect EAP parameters.
777 dev
[0].set_network(id, "bssid", "any")
778 eap_reauth(dev
[0], "SIM")
780 def test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
):
781 """EAP-SIM and external GSM auth to check fast reauth with no-change SET_NETWORK"""
783 _test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
)
785 dev
[0].request("SET external_sim 0")
787 def _test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
):
788 check_hlr_auc_gw_support()
789 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
790 hostapd
.add_ap(apdev
[0], params
)
791 dev
[0].request("SET external_sim 1")
792 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
793 identity
="1232010000000000",
794 wait_connect
=False, scan_freq
="2412")
796 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
798 raise Exception("Wait for external SIM processing request timed out")
800 if p
[1] != "GSM-AUTH":
801 raise Exception("Unexpected CTRL-REQ-SIM type")
802 rid
= p
[0].split('-')[3]
803 rand
= p
[2].split(' ')[0]
805 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
807 "auth_serv/hlr_auc_gw.milenage_db",
808 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
809 if "GSM-AUTH-RESP" not in res
:
810 raise Exception("Unexpected hlr_auc_gw response")
811 resp
= res
.split(' ')[2].rstrip()
813 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
814 dev
[0].wait_connected(timeout
=15)
816 # Verify that EAP-SIM Reauthentication can be used after network profile
817 # SET_NETWORK commands that do not actually change previously set
819 dev
[0].set_network(id, "key_mgmt", "WPA-EAP")
820 dev
[0].set_network(id, "eap", "SIM")
821 dev
[0].set_network_quoted(id, "identity", "1232010000000000")
822 dev
[0].set_network_quoted(id, "ssid", "test-wpa2-eap")
823 eap_reauth(dev
[0], "SIM")
825 def test_ap_wpa2_eap_sim_oom(dev
, apdev
):
826 """EAP-SIM and OOM"""
827 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
828 hostapd
.add_ap(apdev
[0], params
)
829 tests
= [ (1, "milenage_f2345"),
830 (2, "milenage_f2345"),
831 (3, "milenage_f2345"),
832 (4, "milenage_f2345"),
833 (5, "milenage_f2345"),
834 (6, "milenage_f2345"),
835 (7, "milenage_f2345"),
836 (8, "milenage_f2345"),
837 (9, "milenage_f2345"),
838 (10, "milenage_f2345"),
839 (11, "milenage_f2345"),
840 (12, "milenage_f2345") ]
841 for count
, func
in tests
:
842 with
fail_test(dev
[0], count
, func
):
843 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
844 identity
="1232010000000000",
845 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
846 wait_connect
=False, scan_freq
="2412")
847 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
849 raise Exception("EAP method not selected")
850 dev
[0].wait_disconnected()
851 dev
[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA

    Positive case (connect, data connectivity, re-authentication) followed by
    a series of negative cases with a wrong or malformed Milenage key and a
    missing key; every negative case must end in EAP failure.
    """
    check_hlr_auc_gw_support()
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    identity = "0232010000000000"
    # Colon-separated Milenage material understood by hlr_auc_gw (key:OPc:SQN
    # by position, per the other AKA tests in this file).
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"

    eap_connect(dev[0], hapd, "AKA", identity, password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA")

    # (log line, remove the previous network first?, password or None).
    # The REMOVE_NETWORK pattern deliberately mirrors the original sequence;
    # None means the password parameter is not passed at all.
    negative_cases = [
        ("Negative test with incorrect key", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a"),
        ("Invalid Milenage key(2)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key(3)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123"),
        ("Invalid Milenage key(4)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q"),
        ("Invalid Milenage key(5)", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123"),
        ("Invalid Milenage key(6)", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123"),
        ("Missing key configuration", True, None),
    ]
    for note, remove_first, bad_key in negative_cases:
        logger.info(note)
        if remove_first:
            dev[0].request("REMOVE_NETWORK all")
        extra = {} if bad_key is None else {"password": bad_key}
        eap_connect(dev[0], hapd, "AKA", identity, expect_failure=True, **extra)
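def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)

    Runs EAP-AKA against the SQLite-backed server state in
    <logdir>/hostapd.db and edits the stored reauth/pseudonym rows between
    attempts to exercise fast re-authentication, fallback to full
    authentication, and rejection of a tampered MK or counter.

    params: test framework parameters; only params['logdir'] is read.
    Raises HwsimSkip when hlr_auc_gw or the sqlite3 module is unavailable.
    """
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")

    identity = "0232010000000000"
    password = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"

    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def run_sql(*statements):
        # "with con:" commits on success, so the EAP server sees the edited
        # rows on its next lookup; the statements are fixed test constants.
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt)

    try:
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        ap_params['auth_server_port'] = "1814"
        hapd = hostapd.add_ap(apdev[0], ap_params)
        eap_connect(dev[0], hapd, "AKA", identity, password=password)

        logger.info("AKA fast re-authentication")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with pseudonym")
        run_sql("DELETE FROM reauth WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with permanent identity")
        run_sql("DELETE FROM reauth WHERE permanent='0232010000000000'",
                "DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA reauth with mismatching MK")
        run_sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "AKA", identity, password=password)
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        run_sql("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
        logger.info("AKA reauth with mismatching counter")
        eap_reauth(dev[0], "AKA")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "AKA", identity, password=password)
        run_sql("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
        logger.info("AKA reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA")
    finally:
        # Release the database file on every exit path (the connection was
        # previously left open until garbage collection).
        con.close()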
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options

    Connects with an explicit anonymous_identity in addition to the
    permanent identity; only a successful connection is checked.
    """
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    creds = {
        "password": "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
        "anonymous_identity": "2345678",
    }
    eap_connect(dev[0], hapd, "AKA", "0232010000000000", **creds)
def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
    try:
        _test_ap_wpa2_eap_aka_ext(dev, apdev)
    finally:
        # Restore the default even on failure so external SIM mode does not
        # leak into later test cases run on the same wpa_supplicant instance.
        dev[0].request("SET external_sim 0")
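def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_ext (leaves external_sim enabled).

    Drives the CTRL-REQ-SIM / CTRL-RSP-SIM control interface exchange by
    hand and answers UMTS-AUTH requests with a wrong response type, with
    malformed UMTS-AUTS values and with malformed UMTS-AUTH values. Each
    attempt is expected to end in CTRL-EVENT-EAP-FAILURE.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")

    def wait_umts_auth_req():
        # Wait for wpa_supplicant to hand a UMTS-AUTH computation to the
        # external SIM handler and return the request id from
        # "CTRL-REQ-SIM-<id>:UMTS-AUTH:..." so the reply can be correlated.
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':', 2)
        if p[1] != "UMTS-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return p[0].split('-')[3]

    def expect_failure_and_reset():
        # The attempt must fail; disconnect and clear pending events so the
        # next attempt starts from a clean monitor state.
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        if ev is None:
            raise Exception("EAP failure not reported")
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()

    netid = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                           identity="0232010000000000",
                           password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                           wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:
        raise Exception("Network connected timed out")

    # Case 1: answer a UMTS-AUTH request with a GSM-AUTH response.
    rid = wait_umts_auth_req()
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # This will fail during processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    expect_failure_and_reset()

    # Case 2: two resynchronization (UMTS-AUTS) replies of the wrong length,
    # each answering a fresh UMTS-AUTH request on the same attempt.
    dev[0].select_network(netid, freq="2412")
    for auts in [":UMTS-AUTS:112233445566778899aabbccddee", ":UMTS-AUTS:12"]:
        rid = wait_umts_auth_req()
        # This will fail during UMTS auth validation
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + auts):
            raise Exception("CTRL-RSP-SIM failed")
    expect_failure_and_reset()

    # Case 3: malformed UMTS-AUTH responses (wrong separators, wrong field
    # lengths, non-hex characters), one connection attempt each.
    # NOTE(review): the rendering reviewed here dropped one entry between the
    # first two list items; verify the list against the repository copy.
    tests = [":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q"]
    for t in tests:
        dev[0].select_network(netid, freq="2412")
        rid = wait_umts_auth_req()
        # This will fail during UMTS auth validation
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
            raise Exception("CTRL-RSP-SIM failed")
        expect_failure_and_reset()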
def test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    """EAP-AKA with external UMTS auth and auth failing"""
    try:
        _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev)
    finally:
        # Always switch external SIM processing back off for later tests.
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_ext_auth_fail (external_sim left on).

    The external SIM handler reports UMTS-FAIL for the authentication
    request; wpa_supplicant must then report EAP failure.
    """
    check_hlr_auc_gw_support()
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    # No password: the credential lives in the (simulated) external SIM.
    dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                   identity="0232010000000000",
                   wait_connect=False, scan_freq="2412")

    req = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    if req is None:
        raise Exception("Wait for external SIM processing request timed out")
    # Request id is the fourth '-'-separated field of "CTRL-REQ-SIM-<id>".
    rid = req.split(':', 2)[0].split('-')[3]
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5) is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'

    Positive case on dev[0], an AKA'/AKA bidding case on dev[1] and a
    negative case with an incorrect key on dev[0].
    """
    check_hlr_auc_gw_support()
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    identity = "6555444333222111"
    good_key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"

    eap_connect(dev[0], hapd, "AKA'", identity, password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA'")

    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    # Both methods are offered by the peer; the "@both" realm presumably
    # selects server-side configuration with both enabled (not verified
    # here). Only a successful connection is checked.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity=identity + "@both",
                   password=good_key,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    bad_key = "ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    eap_connect(dev[0], hapd, "AKA'", identity, password=bad_key,
                expect_failure=True)
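def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)

    Same structure as test_ap_wpa2_eap_aka_sql but for EAP-AKA': the stored
    reauth/pseudonym rows in <logdir>/hostapd.db are edited between attempts
    to exercise fast re-authentication, full-auth fallback and rejection of
    a tampered K_aut or counter.

    params: test framework parameters; only params['logdir'] is read.
    Raises HwsimSkip when hlr_auc_gw or the sqlite3 module is unavailable.
    """
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")

    identity = "6555444333222111"
    password = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"

    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def run_sql(*statements):
        # "with con:" commits on success so the server sees the edited rows;
        # all statements are fixed test constants.
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt)

    try:
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        ap_params['auth_server_port'] = "1814"
        hapd = hostapd.add_ap(apdev[0], ap_params)
        eap_connect(dev[0], hapd, "AKA'", identity, password=password)

        logger.info("AKA' fast re-authentication")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with pseudonym")
        run_sql("DELETE FROM reauth WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with permanent identity")
        run_sql("DELETE FROM reauth WHERE permanent='6555444333222111'",
                "DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' reauth with mismatching k_aut")
        run_sql("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "AKA'", identity, password=password)
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        run_sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
        logger.info("AKA' reauth with mismatching counter")
        eap_reauth(dev[0], "AKA'")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "AKA'", identity, password=password)
        run_sql("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
        logger.info("AKA' reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA'")
    finally:
        # Release the database file on every exit path (previously the
        # connection was left open until garbage collection).
        con.close()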
def test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    """EAP-AKA' with external UMTS auth and auth failing"""
    try:
        _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev)
    finally:
        # Always switch external SIM processing back off for later tests.
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_prime_ext_auth_fail (external_sim on).

    The external SIM handler answers the request with UMTS-FAIL and
    wpa_supplicant must report EAP failure.
    """
    check_hlr_auc_gw_support()
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    # No password: the credential lives in the (simulated) external SIM.
    dev[0].connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
                   identity="6555444333222111",
                   wait_connect=False, scan_freq="2412")

    req = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    if req is None:
        raise Exception("Wait for external SIM processing request timed out")
    # Request id is the fourth '-'-separated field of "CTRL-REQ-SIM-<id>".
    rid = req.split(':', 2)[0].split('-')[3]
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5) is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_aka_prime_ext(dev, apdev):
    """EAP-AKA' with external UMTS auth to hit Synchronization-Failure"""
    try:
        _test_ap_wpa2_eap_aka_prime_ext(dev, apdev)
    finally:
        # Always switch external SIM processing back off for later tests.
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_prime_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_prime_ext (external_sim left on).

    Answers the first UMTS-AUTH request with a UMTS-AUTS value (AKA
    resynchronization) and only checks that the server comes back with a
    second authentication request.
    """
    check_hlr_auc_gw_support()
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    dev[0].connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
                   identity="6555444333222111",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                   wait_connect=False, scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("Network connected timed out")

    def next_sim_request():
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        return ev

    fields = next_sim_request().split(':', 2)
    if fields[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = fields[0].split('-')[3]
    # This will fail during UMTS auth validation
    reply = "CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"
    if "OK" not in dev[0].request(reply):
        raise Exception("CTRL-RSP-SIM failed")
    # A second request is the observable effect of the synchronization
    # failure; its contents are not examined.
    next_sim_request()
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Sanity check of GET_CONFIG: the first listed AKM must be WPA-EAP.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the 802.1X AKM suite selector.
    expected_mib = [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")]
    check_mib(dev[0], expected_mib)
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Pin the expected server certificate subject and SAN entries on top of
    # the CA check; the values match auth_serv's server certificate.
    cert_checks = {
        "subject_match": "/C=FI/O=w1.fi/CN=server.w1.fi",
        "altsubject_match": "EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
    }
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                **cert_checks)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=PAP", expect_failure=True)
    # Wrong password for a PAP user, then a user not configured for PAP.
    eap_connect(dev[0], hapd, "TTLS", "pap user", password="wrong", **common)
    eap_connect(dev[1], hapd, "TTLS", "user", password="password", **common)
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # CHAP relies on MD5, which is unavailable in FIPS mode.
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # DER-encoded CA certificate variant is used here instead of PEM.
    eap_connect(dev[0], hapd, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP with altsubject_match"""
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same SAN entries as the PAP variant, listed in a different order.
    san = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], hapd, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=san)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=CHAP", expect_failure=True)
    # Wrong password for a CHAP user, then a user not configured for CHAP.
    eap_connect(dev[0], hapd, "TTLS", "chap user", password="wrong", **common)
    eap_connect(dev[1], hapd, "TTLS", "user", password="password", **common)
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP

    Three successful connections: with domain_suffix_match, with a small
    EAP fragment_size, and with the password supplied as an NT hash.
    """
    skip_with_fips(dev[0])
    check_domain_suffix_match(dev[0])
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    base = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAP")

    eap_connect(dev[0], hapd, "TTLS", "mschap user", password="password",
                domain_suffix_match="server.w1.fi", **base)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")

    dev[0].request("REMOVE_NETWORK all")
    # Small fragment_size forces EAP-TTLS fragmentation of the TLS handshake.
    eap_connect(dev[0], hapd, "TTLS", "mschap user", password="password",
                fragment_size="200", **base)

    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    # Same credential as an NT password hash instead of the cleartext.
    eap_connect(dev[0], hapd, "TTLS", "mschap user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **base)
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAP", expect_failure=True)
    # Wrong password, user not configured for MSCHAP, and unknown user.
    attempts = [(dev[0], "mschap user", "wrong"),
                (dev[1], "user", "password"),
                (dev[2], "no such user", "password")]
    for sta, user, pw in attempts:
        eap_connect(sta, hapd, "TTLS", user, password=pw, **common)
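def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2

    Checks the connection, that a re-authentication is reflected in the
    authenticator's EAPOL/MIB counters, and a connection with the password
    given as an NT hash.
    """
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # "\\m": "\m" is not a valid escape sequence and only kept its backslash
    # by accident (SyntaxWarning on current Python); the string is unchanged.
    identity = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], hapd, "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)

    addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(addr)
    eapol1 = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(addr)
    eapol2 = hapd.get_sta(addr, info="eapol")
    # The re-authentication must be visible on the authenticator side.
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")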
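def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
    """EAP-TTLS with invalid phase2 parameter values

    Each phase2 value must make EAP-TTLS fail at method initialization
    rather than connect: wrong case, auth= mixed with autheap=, repeated
    auth=, and an unknown inner method name.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    tests = ["auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
             "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
             "autheap=MD5 autheap=FOO autheap=MSCHAPV2"]
    for t in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       # "\\m": "\m" is not a valid escape; same string value.
                       identity="DOMAIN\\mschapv2 user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2=t,
                       wait_connect=False, scan_freq="2412")
        # method=21 is EAP-TTLS: make sure TTLS was actually proposed before
        # attributing the failure to it.
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
        if ev is None or "method=21" not in ev:
            raise Exception("EAP-TTLS not started")
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method",
                                "CTRL-EVENT-CONNECTED"], timeout=5)
        if ev is None or "CTRL-EVENT-CONNECTED" in ev:
            raise Exception("No EAP-TTLS failure reported for phase2=" + t)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()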
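def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_suffix_match)

    Uses a parent-domain suffix ("w1.fi") rather than the full server name.
    """
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # "\\m": "\m" is not a valid escape sequence; the string value is unchanged.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")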
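def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)

    domain_match is given with different letter case than the certificate
    name ("Server.w1.fi"), so the match must be case-insensitive.
    """
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # "\\m": "\m" is not a valid escape sequence; the string value is unchanged.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")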
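def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2", expect_failure=True)
    # Wrong password ("\\m": "\m" is not a valid escape; same string value),
    # then a user not configured for MSCHAPv2.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                password="password1", **common)
    eap_connect(dev[1], hapd, "TTLS", "user", password="password", **common)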
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password

    A non-ASCII password given as text and as an NT hash must both work;
    password_hex values that are not usable must be rejected promptly.
    """
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    base = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2")
    eap_connect(dev[0], hapd, "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **base)
    eap_connect(dev[1], hapd, "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf", **base)

    # Presumably: truncated/invalid UTF-8 byte sequences and an over-long
    # value; each attempt must report EAP failure within a second.
    bad_hex = ["80", "41c041e04141e041", 257*"41"]
    for p in bad_hex:
        dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="TTLS", identity="utf8-user-hash",
                       password_hex=p,
                       wait_connect=False, scan_freq="2412", **base)
        if dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1) is None:
            raise Exception("No failure reported")
        dev[2].request("REMOVE_NETWORK all")
        dev[2].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # autheap= selects an inner EAP method (GTC) rather than a plain
    # TTLS tunnelled protocol.
    eap_connect(dev[0], hapd, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" has no password configured on the server side, so
    # the attempt must fail even though the peer supplies one.
    eap_connect(dev[0], hapd, "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)
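def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM

    Injects allocation failures into the server-side inner EAP-GTC method
    (init and request building) and checks that authentication fails
    cleanly once the injected failure point has been reached.
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    with alloc_fail(hapd, 1, "eap_gtc_init"):
        eap_connect(dev[0], hapd, "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure. wait_fail_trigger() (as used by the
        # client-side OOM test in this file) polls GET_ALLOC_FAIL and raises
        # if the trigger is never hit, instead of a silent hand-rolled poll
        # loop. NOTE(review): assumes wait_fail_trigger accepts the hostapd
        # object like it does a wpa_supplicant one (both expose request()).
        wait_fail_trigger(hapd, "GET_ALLOC_FAIL")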
def test_ap_wpa2_eap_ttls_eap_gtc_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC (OOM)

    Client-side allocation failures in the inner GTC method; each attempt
    only needs to run until the injected failure point has been hit.
    """
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    for func in ["eap_gtc_init", "eap_msg_alloc;eap_gtc_process"]:
        with alloc_fail(dev[0], 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           scan_freq="2412",
                           eap="TTLS", identity="user",
                           anonymous_identity="ttls", password="password",
                           ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                           wait_connect=False)
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    check_eap_capa(dev[0], "MD5")
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" has no server-side password; the attempt must fail.
    eap_connect(dev[0], hapd, "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
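def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM

    Injects allocation failures into the server-side inner EAP-MD5 method
    (init and request building) and checks that authentication fails
    cleanly once the injected failure point has been reached.
    """
    check_eap_capa(dev[0], "MD5")
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    with alloc_fail(hapd, 1, "eap_md5_init"):
        eap_connect(dev[0], hapd, "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure. wait_fail_trigger() polls GET_ALLOC_FAIL and
        # raises if the trigger is never hit (same helper as the client-side
        # OOM test in this file). NOTE(review): assumes wait_fail_trigger
        # accepts the hostapd object as it does a wpa_supplicant one.
        wait_fail_trigger(hapd, "GET_ALLOC_FAIL")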
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2

    Successful connection and re-authentication, then a negative case with
    an incorrect password.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    base = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], hapd, "TTLS", "user", password="password", **base)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "TTLS", "user", password="password1",
                expect_failure=True, **base)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    # "user-no-passwd" is a server-side account without a configured
    # password; the client offers one anyway and the server must reject the
    # inner EAP-MSCHAPv2 exchange.
    check_eap_capa(dev[0], "MSCHAPV2")
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
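def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
    # Fault injection on hostapd's internal EAP server: one allocation in
    # each stage of the EAP-MSCHAPv2 server method is made to fail. The
    # client must see a failure (or at least never a success) in every case.
    import time

    def wait_alloc_fail_consumed():
        # The connection attempt would eventually time out on its own; stop
        # as soon as GET_ALLOC_FAIL reports the injected failure as consumed
        # (remaining count 0).
        # NOTE(review): this polling loop was dropped by the rendering this
        # block was taken from and is reconstructed here; the file imports
        # utils.wait_fail_trigger for this pattern -- confirm against the
        # repository.
        for _ in range(20):
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                break
            time.sleep(0.1)

    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)

    # Failure point 1: method initialization -> full EAP failure expected.
    with alloc_fail(hapd, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], hapd, "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # Failure point 2: building the MSCHAPv2 Challenge.
    with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        wait_alloc_fail_consumed()
    dev[0].request("REMOVE_NETWORK all")

    # Failure point 3: building the Success Request after a correct
    # response.
    with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        wait_alloc_fail_consumed()
    dev[0].request("REMOVE_NETWORK all")

    # Failure point 4: building the Failure Request; a wrong password is
    # used so the server actually reaches that code path.
    with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="wrong",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        wait_alloc_fail_consumed()
    dev[0].request("REMOVE_NETWORK all")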
def test_ap_wpa2_eap_ttls_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM"""
    # EAP-SIM run inside an EAP-TTLS tunnel. The identity is the test IMSI
    # with the EAP-SIM "1" prefix; the colon-separated hex pair in
    # "password" is the SIM secret material that wpa_supplicant's built-in
    # GSM algorithm uses (it has to match the server's test database --
    # presumably auth_serv/hlr_auc_gw.milenage_db).
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sim_profile = dict(
        anonymous_identity="1232010000000000@ttls",
        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
        ca_cert="auth_serv/ca.pem", phase2="autheap=SIM")
    eap_connect(sta, ap, "TTLS", "1232010000000000", **sim_profile)
    eap_reauth(sta, "TTLS")
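def run_ext_sim_auth(dev):
    # Answer wpa_supplicant's external-SIM request (external_sim=1 profiles)
    # by running the GSM algorithm through the test HLR/AuC gateway, then
    # verify that reauthentication still works.
    # NOTE(review): the "if ev is None" guards below were dropped by the
    # rendering this block was taken from (the raises were shown
    # unconditional); they are restored from the "timed out" messages.
    ev = dev.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    # Event shape handled here: "CTRL-REQ-SIM-<id>:GSM-AUTH:<rand> ...";
    # split on at most two ':' so the payload stays intact.
    p = ev.split(':', 2)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]

    # rand is passed as a single argv element (no shell), so it cannot be
    # interpreted as shell syntax; it is not validated as hex here.
    # NOTE(review): one argument line of this list (between the executable
    # and the database path) was dropped by the rendering this block was
    # taken from; the argv below is exactly what was visible -- confirm the
    # hlr_auc_gw command line against the repository.
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand]).decode()
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()

    dev.request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev.wait_connected(timeout=15)

    # Reauthentication: both EAP-Success and a completed key handshake are
    # required.
    dev.request("REAUTHENTICATE")
    ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=5)
    if ev is None:
        raise Exception("EAP reauthentication did not succeed")
    ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=5)
    if ev is None:
        raise Exception("Key negotiation did not complete")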
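def test_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    # The worker switches dev[0] to external_sim=1; that global setting must
    # be reset even when the worker raises, otherwise every later test on
    # this interface inherits it.
    try:
        run_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")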
def run_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev):
    # Worker for test_ap_wpa2_eap_ttls_eap_sim_ext: EAP-TTLS with inner
    # EAP-SIM where the GSM algorithm is run outside wpa_supplicant
    # (external_sim=1, answered by run_ext_sim_auth). The caller is
    # responsible for resetting external_sim afterwards.
    sta = dev[0]
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta.request("SET external_sim 1")
    sta.connect("test-wpa2-eap", eap="TTLS", key_mgmt="WPA-EAP",
                identity="1232010000000000",
                anonymous_identity="1232010000000000@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                ca_cert="auth_serv/ca.pem", phase2="autheap=SIM",
                wait_connect=False, scan_freq="2412")
    run_ext_sim_auth(sta)
def test_ap_wpa2_eap_peap_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM"""
    # EAP-SIM as the inner method of a PEAP tunnel; same test IMSI and SIM
    # secret material as the EAP-TTLS variant, only the outer method and
    # the realm of the anonymous identity differ.
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sim_profile = dict(
        anonymous_identity="1232010000000000@peap",
        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
        ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
    eap_connect(sta, ap, "PEAP", "1232010000000000", **sim_profile)
    eap_reauth(sta, "PEAP")
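def test_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    # The worker switches dev[0] to external_sim=1; reset it even when the
    # worker raises so later tests on this interface do not inherit it.
    try:
        run_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")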
def run_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev):
    # Worker for test_ap_wpa2_eap_peap_eap_sim_ext: PEAP with inner EAP-SIM,
    # GSM algorithm run externally (external_sim=1, answered by
    # run_ext_sim_auth). The caller resets external_sim afterwards.
    sta = dev[0]
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta.request("SET external_sim 1")
    sta.connect("test-wpa2-eap", eap="PEAP", key_mgmt="WPA-EAP",
                identity="1232010000000000",
                anonymous_identity="1232010000000000@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                ca_cert="auth_serv/ca.pem", phase2="auth=SIM",
                wait_connect=False, scan_freq="2412")
    run_ext_sim_auth(sta)
def test_ap_wpa2_eap_fast_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-SIM"""
    # EAP-SIM inside an EAP-FAST tunnel. fast_provisioning=2 allows
    # authenticated PAC provisioning and the PAC is kept in a named config
    # blob so the reauthentication can reuse it.
    check_eap_capa(dev[0], "FAST")
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    fast_profile = dict(
        anonymous_identity="1232010000000000@fast",
        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
        phase1="fast_provisioning=2",
        pac_file="blob://fast_pac_auth_sim",
        ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
    eap_connect(sta, ap, "FAST", "1232010000000000", **fast_profile)
    eap_reauth(sta, "FAST")
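def test_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    # The worker switches dev[0] to external_sim=1; reset it even when the
    # worker raises so later tests on this interface do not inherit it.
    # (No check_eap_capa(dev[0], "FAST") here: see the note in the worker,
    # which currently negotiates PEAP.)
    try:
        run_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")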
def run_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev):
    # Worker for test_ap_wpa2_eap_fast_eap_sim_ext (external GSM auth via
    # run_ext_sim_auth; the caller resets external_sim afterwards).
    # NOTE(review): despite the name, this profile negotiates eap="PEAP"
    # with a "@peap" anonymous identity, so the EAP-FAST specific
    # fast_provisioning/pac_file settings are carried along but not
    # exercised by the outer method. Compare test_ap_wpa2_eap_fast_eap_sim,
    # which uses "FAST"/"@fast"; confirm which was intended before changing
    # it, as the test passes in its current form.
    sta = dev[0]
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta.request("SET external_sim 1")
    sta.connect("test-wpa2-eap", eap="PEAP", key_mgmt="WPA-EAP",
                identity="1232010000000000",
                anonymous_identity="1232010000000000@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_sim",
                ca_cert="auth_serv/ca.pem", phase2="auth=SIM",
                wait_connect=False, scan_freq="2412")
    run_ext_sim_auth(sta)
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    # EAP-AKA inside an EAP-TTLS tunnel. The identity carries the EAP-AKA
    # "0" prefix; the password holds three colon-separated hex fields (the
    # third one, 000000000123, is presumably the sequence number) matching
    # the server's test database.
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    aka_profile = dict(
        anonymous_identity="0232010000000000@ttls",
        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
        ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
    eap_connect(sta, ap, "TTLS", "0232010000000000", **aka_profile)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    # Same EAP-AKA credentials as the TTLS variant, tunneled in PEAP.
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    aka_profile = dict(
        anonymous_identity="0232010000000000@peap",
        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
        ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_connect(sta, ap, "PEAP", "0232010000000000", **aka_profile)
    eap_reauth(sta, "PEAP")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    # Same EAP-AKA credentials tunneled in EAP-FAST with authenticated PAC
    # provisioning (fast_provisioning=2) and the PAC kept in a config blob.
    check_eap_capa(dev[0], "FAST")
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    aka_profile = dict(
        anonymous_identity="0232010000000000@fast",
        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
        phase1="fast_provisioning=2",
        pac_file="blob://fast_pac_auth_aka",
        ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_connect(sta, ap, "FAST", "0232010000000000", **aka_profile)
    eap_reauth(sta, "FAST")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    # PEAP/MSCHAPv2 in four variants: plain, with a small EAP fragment size
    # (exercises TLS fragmentation/reassembly), with the password supplied
    # as an NT hash instead of clear text, and with a wrong password.
    check_eap_capa(dev[0], "MSCHAPV2")
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel = dict(anonymous_identity="peap",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    def connect(**extra):
        sta.request("REMOVE_NETWORK all")
        eap_connect(sta, ap, "PEAP", "user", **extra)

    eap_connect(sta, ap, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "PEAP")

    connect(anonymous_identity="peap", password="password",
            ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
            fragment_size="200")

    # "hash:" prefix: the NT password hash is used directly, so the
    # clear-text password never has to be present on the client
    # (presumably the NT hash of "password").
    logger.info("Password as hash value")
    connect(anonymous_identity="peap",
            password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
            ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    logger.info("Negative test with incorrect password")
    connect(anonymous_identity="peap", password="password1",
            ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
            expect_failure=True)
def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    # Inner identity in Windows "DOMAIN\user" form (raw string: "\u" would
    # otherwise be taken as a unicode escape).
    check_eap_capa(dev[0], "MSCHAPV2")
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "PEAP", r"DOMAIN\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "PEAP")
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    # A wrong inner password must make the whole PEAP exchange fail.
    check_eap_capa(dev[0], "MSCHAPV2")
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "PEAP", "user",
                anonymous_identity="peap", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    # PEAPv0 with the three crypto_binding settings of wpa_supplicant
    # (2, 1 and 0, i.e. from required down to disabled -- presumably). Crypto
    # binding ties the inner MSCHAPv2 result to the TLS tunnel; all three
    # settings must still connect against this server.
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(sta, binding):
        eap_connect(sta, ap, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % binding,
                    phase2="auth=MSCHAPV2")

    connect(dev[0], 2)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    connect(dev[1], 1)
    connect(dev[2], 0)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    # Fault injection on hostapd's internal EAP server: the inner method's
    # key export (eap_mschapv2_getKey) fails once, so the server cannot
    # compute the crypto binding and the client (crypto_binding=2) must
    # fail; local_error_report is passed through to eap_connect.
    check_eap_capa(dev[0], "MSCHAPV2")
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0], int_eap_server_params())
    with alloc_fail(ap, 1, "eap_mschapv2_getKey"):
        eap_connect(sta, ap, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
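def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
    # NOTE(review): the rendering this block was taken from dropped several
    # lines: the identity="user" kwarg of two dev[0].connect() calls, the
    # closing scan_freq="2412") of the first loop's connect(), and the
    # guards after each wait_event() (the raises were shown unconditional).
    # They are restored here from the sibling calls in this block and the
    # wording of the error messages -- confirm against the repository.
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # peaplabel=1 with PEAPv0 must not connect against this server
    # (expect_failure): the client-side key derivation label disagrees with
    # the server's.
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # peap_outer_success=0: EAP-Success is seen, but no connection follows.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peap_outer_success=0",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    if ev is None:
        raise Exception("No EAP success seen")
    # This won't succeed to connect with peap_outer_success=0, so stop here.
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # peap_outer_success=1 and =2 both connect normally.
    eap_connect(dev[1], hapd, "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=1",
                phase2="auth=MSCHAPV2")
    eap_connect(dev[2], hapd, "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=2",
                phase2="auth=MSCHAPV2")

    # PEAPv1 with peaplabel=1: EAP-Success is reported, but the derived keys
    # do not match the server's, so the association must not complete.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    if ev is None:
        raise Exception("No EAP success seen")
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
    if ev is not None:
        raise Exception("Unexpected connection")

    # Version negotiation: the anonymous identity selects the PEAP version
    # the server insists on (presumably via its eap_user file); these
    # client settings agree with it and must connect.
    # NOTE(review): this list is reproduced as shown; the rendering may have
    # dropped an entry.
    tests = [("peap-ver0", ""),
             ("peap-ver0", "peapver=0"),
             ("peap-ver1", "peapver=1")]
    for anon, phase1 in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       scan_freq="2412")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Forced client version that the server refuses -> EAP-Failure.
    tests = [("peap-ver0", "peapver=1"),
             ("peap-ver1", "peapver=0")]
    for anon, phase1 in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        if ev is None:
            raise Exception("No EAP-Failure seen")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Test-only TLS knobs: MD5 signatures allowed, session tickets off, all
    # of TLS 1.0-1.2 explicitly enabled, extended certificate checks off.
    # This is deliberately permissive to exercise the option parsing; it is
    # not a recommended client configuration.
    eap_connect(dev[0], hapd, "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
                phase2="auth=MSCHAPV2")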
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    # EAP-TLS as the inner method of PEAP: the *2 parameters (ca_cert2,
    # client_cert2, private_key2) configure the inner TLS handshake
    # separately from the outer one.
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(sta, ap, "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(sta, "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    # Mutual TLS: client certificate and key from PEM files, server
    # validated against auth_serv/ca.pem.
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    client_tls = dict(ca_cert="auth_serv/ca.pem",
                      client_cert="auth_serv/user.pem",
                      private_key="auth_serv/user.key")
    eap_connect(sta, ap, "TLS", "tls user", **client_tls)
    eap_reauth(sta, "TLS")
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
    # Client key stored as encrypted PKCS #8 (PKCS #5 v2 PBES2 with 3DES);
    # the passphrase is supplied in the profile.
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    client_tls = dict(ca_cert="auth_serv/ca.pem",
                      client_cert="auth_serv/user.pem",
                      private_key="auth_serv/user.key.pkcs8",
                      private_key_passwd="whatever")
    eap_connect(sta, ap, "TLS", "tls user", **client_tls)
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
    # Legacy PKCS #5 v1.5 key encryption; skipped when the TLS library does
    # not support it (check_pkcs5_v15_support).
    check_pkcs5_v15_support(dev[0])
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    client_tls = dict(ca_cert="auth_serv/ca.pem",
                      client_cert="auth_serv/user.pem",
                      private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                      private_key_passwd="whatever")
    eap_connect(sta, ap, "TLS", "tls user", **client_tls)
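def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    # Same EAP-TLS profile as test_ap_wpa2_eap_tls, but the CA certificate,
    # client certificate and key are pushed into wpa_supplicant as named
    # config blobs (hex-encoded over the control interface) and referenced
    # with blob:// URIs instead of file paths.
    # NOTE(review): str.encode("hex") is a Python 2 codec; under Python 3 it
    # raises LookupError (read_pem()'s return type is not visible here).
    # binascii.hexlify(data).decode() is the portable spelling -- confirm
    # which interpreter the suite targets before changing it.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    cert = read_pem("auth_serv/ca.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")
    cert = read_pem("auth_serv/user.pem")
    if "OK" not in dev[0].request("SET blob usercert " + cert.encode("hex")):
        raise Exception("Could not set usercert blob")
    key = read_pem("auth_serv/user.rsa-key")
    if "OK" not in dev[0].request("SET blob userkey " + key.encode("hex")):
        # Fixed: this message previously said "cacert" (copy-paste), which
        # would point a failing run at the wrong blob.
        raise Exception("Could not set userkey blob")
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")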
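def test_ap_wpa2_eap_tls_blob_missing(dev, apdev):
    """EAP-TLS and config blob missing"""
    # All three blob:// references point at a blob that was never set; the
    # EAP method must fail to initialize rather than proceed without a CA
    # or client credential.
    # NOTE(review): the "if ev is None" guard was dropped by the rendering
    # this block was taken from (the raise was shown unconditional) and is
    # restored here.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="blob://testing-blob-does-not-exist",
                   client_cert="blob://testing-blob-does-not-exist",
                   private_key="blob://testing-blob-does-not-exist",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()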
def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
    """EAP-TLS and TLS Message Length in unfragmented packets"""
    # include_tls_length=1 makes the client add the TLS Message Length field
    # even to packets that are not fragmented; the server must accept it.
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    client_tls = dict(ca_cert="auth_serv/ca.pem",
                      phase1="include_tls_length=1",
                      client_cert="auth_serv/user.pem",
                      private_key="auth_serv/user.key")
    eap_connect(sta, ap, "TLS", "tls user", **client_tls)
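def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    # NOTE(review): the rendering this block was taken from dropped the
    # "if ev is None" guard after wait_event() and the private_key=pkcs12
    # argument of the loop at the end (its loop variable was otherwise
    # unused); both are restored here -- confirm against the repository.
    check_pkcs12_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # Client certificate and key both come from the PKCS#12 bundle; the
    # passphrase is part of the network profile.
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Same bundle without a configured passphrase: wpa_supplicant must ask
    # for it over the control interface (CTRL-REQ-PASSPHRASE) instead of
    # failing or trying an empty passphrase.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    if ev is None:
        raise Exception("Request for private key passphrase timed out")
    # Request id is the last '-' separated field of "CTRL-REQ-PASSPHRASE-<id>"
    # (renamed from "id" to avoid shadowing the builtin).
    req_id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + req_id + ":whatever")
    dev[0].wait_connected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Run this twice to verify certificate chain handling with OpenSSL. Use two
    # different files to cover both cases of the extra certificate being the
    # one that signed the client certificate and it being unrelated to the
    # client certificate.
    for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
        eap_connect(dev[0], hapd, "TLS", "tls user",
                    ca_cert="auth_serv/ca.pem",
                    private_key=pkcs12,
                    private_key_passwd="whatever")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()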
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    # CA certificate and PKCS#12 bundle delivered as hex-encoded config
    # blobs over the control interface and referenced via blob:// URIs.
    # NOTE(review): .encode("hex") is a Python 2 str codec; on Python 3
    # f.read() returns bytes, which has no .encode(), and read_pem()'s
    # return type is not visible here. binascii.hexlify(data).decode() is
    # the portable spelling -- confirm the target interpreter first.
    check_pkcs12_support(dev[0])
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def set_blob(name, data):
        if "OK" not in sta.request("SET blob " + name + " " + data.encode("hex")):
            raise Exception("Could not set " + name + " blob")

    set_blob("cacert", read_pem("auth_serv/ca.pem"))
    with open("auth_serv/user.pkcs12", "rb") as f:
        set_blob("pkcs12", f.read())
    eap_connect(sta, ap, "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
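def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    # The server certificate chains to auth_serv/ca.pem; both stations trust
    # a different CA instead (dev[0] via a config blob, dev[1] via a file).
    # The expected sequence is: TLS certificate error as the first outcome
    # event (so the tunnel is never established and the inner MSCHAPv2
    # credential cannot have been sent), then EAP failure, disconnection,
    # and the network block being temporarily disabled.
    # NOTE(review): the "if ev is None" guards were dropped by the rendering
    # this block was taken from (the raises were shown unconditional) and
    # are restored here from the "timed out"/"not reported" messages.
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")
    # Raw strings: "\m" is not a valid escape sequence (same value at
    # runtime; compare the r"DOMAIN\user3" identity used elsewhere here).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity=r"DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="blob://cacert",
                   wait_connect=False, scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity=r"DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca-incorrect.pem",
                   wait_connect=False, scan_freq="2412")

    # Loop variable renamed from "dev" so the parameter is not shadowed.
    for sta in (dev[0], dev[1]):
        ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        if ev is None:
            raise Exception("Association and EAP start timed out")

        ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if ev is None:
            raise Exception("EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        # The first outcome event must be the certificate error, not a
        # success/connection.
        ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                             "CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = sta.wait_event(["CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        ev = sta.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
        if ev is None:
            raise Exception("Network block disabling not reported")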
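def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    # Two network blocks for the same SSID, one trusting the correct CA and
    # one trusting auth_serv/ca-incorrect.pem. After a successful connection
    # with the first, switching to the second must run a fresh EAP-TTLS
    # exchange (no reuse of the earlier TLS trust decision) and be rejected
    # with an 802.1X authentication failure (reason code 23 is expected to
    # be IEEE 802.1X authentication failed).
    # NOTE(review): the "if ev is None" guard after wait_event() was dropped
    # by the rendering this block was taken from and is restored here.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   ca_cert="auth_serv/ca.pem",
                   wait_connect=True, scan_freq="2412")
    # Renamed from "id" to avoid shadowing the builtin.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    # method=21 is EAP-TTLS.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")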
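def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    # Variant of test_ap_wpa2_eap_tls_diff_ca_trust: the first network block
    # has no ca_cert at all, i.e. it connects without validating the server
    # certificate (an insecure profile, deliberately). Switching to a block
    # that trusts the wrong CA must still trigger a fresh EAP-TTLS exchange
    # and be rejected with reason code 23 (expected to be IEEE 802.1X
    # authentication failed).
    # NOTE(review): the "if ev is None" guard after wait_event() was dropped
    # by the rendering this block was taken from and is restored here.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   wait_connect=True, scan_freq="2412")
    # Renamed from "id" to avoid shadowing the builtin.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    # method=21 is EAP-TTLS.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")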
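def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    # Variant of test_ap_wpa2_eap_tls_diff_ca_trust using a single network
    # block: ca_cert is changed in place to the wrong CA after a successful
    # connection. Reconnecting must run a fresh EAP-TTLS exchange (no cached
    # trust) and be rejected with reason code 23 (expected to be IEEE 802.1X
    # authentication failed).
    # NOTE(review): the "if ev is None" guard after wait_event() was dropped
    # by the rendering this block was taken from and is restored here.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Renamed from "id" to avoid shadowing the builtin.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca.pem",
                            wait_connect=True, scan_freq="2412")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].set_network_quoted(net_id, "ca_cert", "auth_serv/ca-incorrect.pem")
    dev[0].select_network(net_id, freq="2412")

    # method=21 is EAP-TTLS.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")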
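def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    # The CA is correct but domain_suffix_match names a suffix the server
    # certificate does not carry; the client must reject the server at the
    # TLS stage (reporting "Domain suffix mismatch"), fail EAP, disconnect
    # and temporarily disable the network block -- without ever reaching
    # the inner MSCHAPv2 exchange.
    # NOTE(review): the "if ev is None" guards were dropped by the rendering
    # this block was taken from (the raises were shown unconditional) and
    # are restored here from the "timed out"/"not reported" messages.
    check_domain_suffix_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # Raw string: "\m" is not a valid escape sequence (same runtime value).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity=r"DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")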
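def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch"""
    # Like the suffix-match test, but with the exact-match constraint
    # domain_match="w1.fi": the server certificate does not match it, so the
    # client must report "Domain mismatch" at the TLS stage, fail EAP,
    # disconnect and temporarily disable the network block without reaching
    # the inner MSCHAPv2 exchange.
    # NOTE(review): the "if ev is None" guards were dropped by the rendering
    # this block was taken from (the raises were shown unconditional) and
    # are restored here from the "timed out"/"not reported" messages.
    check_domain_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # Raw string: "\m" is not a valid escape sequence (same runtime value).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity=r"DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")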
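def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch

    subject_match is set to a DN the test server's certificate is expected
    not to carry, so EAP-TTLS must end with a "Subject mismatch" certificate
    error, an EAP failure, a disconnection and a temporarily disabled
    network block. If the TLS library in use does not support
    subject_match at all, wpa_supplicant refuses to initialize the method;
    that is accepted as a pass except with OpenSSL, where support is
    expected.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the `if ev is None:` timeout guards and the early
    # `return` of the unsupported-library branch were lost from the listing
    # this block was recovered from and have been restored.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")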
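def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch

    Starts one AP and runs _test_ap_wpa2_eap_tls_neg_altsubject_match()
    for each altsubject_match value that must not match the test server's
    certificate, showing that every one of them is rejected.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    # NOTE(review): the tail of this list and the loop header were lost
    # from the listing this block was recovered from (its lines 2453-2455);
    # the loop is restored here, the remaining non-matching entries should
    # be restored from upstream.
    tests = ["incorrect.example.com",
             "DNS:incorrect.example.com"]
    for match in tests:
        _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)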
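def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one altsubject_match negative case against an already started AP.

    Args:
        dev: station list; dev[0] is used.
        apdev: AP device list (unused here, kept for a uniform signature).
        match: altsubject_match value that the server certificate must not
            satisfy.

    The expected sequence is: EAP start, TTLS selected, a certificate error
    carrying "AltSubject mismatch", EAP failure, disconnection and a
    temporarily disabled network block. A TLS library without
    altsubject_match support makes wpa_supplicant refuse to initialize the
    method; that counts as a pass except with OpenSSL. Note that the early
    return in that branch leaves the network block in place.
    """
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the `if ev is None:` timeout guards and the early
    # `return` of the unsupported-library branch were lost from the listing
    # this block was recovered from and have been restored.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")

    # Clean up so the next match value starts from an empty configuration.
    dev[0].request("REMOVE_NETWORK all")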
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS

    Brings up a WPA2-Enterprise AP, authenticates dev[0] with the
    UNAUTH-TLS method while validating the server against
    auth_serv/ca.pem, and then forces a reauthentication with the same
    method.
    """
    ssid = "test-wpa2-eap"
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid=ssid))
    sta = dev[0]
    eap_connect(sta, hapd, "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(sta, "UNAUTH-TLS")
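def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash

    Exercises pinning of the server certificate by its SHA-256 hash instead
    of CA validation, in three steps:
      1. ca_cert="probe://" makes the peer report the server certificate
         (CTRL-EVENT-EAP-PEER-CERT depth=0 with the hash) and then abort
         the exchange with a "Server certificate chain probe" error;
      2. a hash://server/sha256/ pin with a wrong value must be rejected
         with "Server certificate mismatch";
      3. the pin matching the probed hash must allow the full EAP-TTLS/
         MSCHAPv2 connection.

    A pin bypasses CA validation entirely, so in real deployments the
    pinned value has to come from a trusted source; the probe run here is
    a test aid, not a provisioning method.
    """
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    srv_cert_hash = "4704e62784f36cc5fd964c6410402f4938773bb471dce9d42939bf22fdbdb2dd"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # NOTE(review): the `if ev is None:` timeout guards were lost from the
    # listing this block was recovered from and have been restored.

    # Step 1: probe the server certificate.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 2: a pin that does not match the server certificate.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 3: the correct pin lets the connection complete.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")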
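def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)

    Three malformed hash://server/ pins are configured on three stations:
    an unsupported digest name (md5), a sha256 value that is too short, and
    a sha256 value containing a non-hex character. In each case the peer
    must refuse to initialize EAP-TTLS rather than run with a pin that can
    never be verified correctly.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    common = dict(key_mgmt="WPA-EAP", eap="TTLS",
                  identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                  password="password", phase2="auth=MSCHAPV2",
                  wait_connect=False, scan_freq="2412")
    bad_pins = [
        # unsupported digest
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        # too short for SHA-256
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        # non-hex character at the end
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    # Start all three attempts first, then collect the results.
    for i, pin in enumerate(bad_pins):
        dev[i].connect("test-wpa2-eap", ca_cert=pin, **common)

    # NOTE(review): the `if ev is None:` timeout guards were lost from the
    # listing this block was recovered from and have been restored.
    for i in range(len(bad_pins)):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")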
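def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd

    dev[0] authenticates as "pwd user" and reauthenticates; dev[1] and then
    dev[0] again use a very long NAI, which makes the EAP-pwd exchange
    larger than a single message; dev[2] must be rejected when it offers a
    wrong password (local_error_report=True).
    """
    check_eap_capa(dev[0], "PWD")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    long_identity = "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com"

    # NOTE(review): the final argument line of this call and of the last
    # call below (listing lines 2611 and 2620) was lost in extraction;
    # presumably each set a fragment_size so the long identity exercises
    # EAP-pwd fragmentation — restore them from upstream.
    eap_connect(dev[1], hapd, "PWD", long_identity,
                password="secret password")

    logger.info("Negative test with incorrect password")
    eap_connect(dev[2], hapd, "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

    eap_connect(dev[0], hapd, "PWD", long_identity,
                password="secret password")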
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash

    dev[0] authenticates the "pwd-hash" user with the clear-text password,
    dev[1] authenticates the same user with the NT hash supplied through
    password_hex, and dev[2] must be rejected when it offers that hash for
    the "pwd user" identity.
    """
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    nthash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    eap_connect(dev[0], hapd, "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], hapd, "PWD", "pwd-hash", password_hex=nthash)
    eap_connect(dev[2], hapd, "PWD", "pwd user", password_hex=nthash,
                expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_pwd_salt_sha1(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and salted password SHA-1

    Connects dev[0] as the "pwd-hash-sha1" user with the clear-text
    password; the server side holds that user's credential in salted
    SHA-1 form (per the user name and the docstring), so this checks the
    salted-password path of EAP-pwd.
    """
    check_eap_capa(dev[0], "PWD")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "PWD", "pwd-hash-sha1",
                password="secret password")
def test_ap_wpa2_eap_pwd_salt_sha256(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and salted password SHA256

    Same as the SHA-1 variant but for the "pwd-hash-sha256" user, whose
    server-side credential is a salted SHA-256 value.
    """
    check_eap_capa(dev[0], "PWD")
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_conf)
    sta = dev[0]
    eap_connect(sta, hapd, "PWD", "pwd-hash-sha256",
                password="secret password")
def test_ap_wpa2_eap_pwd_salt_sha512(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and salted password SHA512

    Same as the SHA-1 variant but for the "pwd-hash-sha512" user, whose
    server-side credential is a salted SHA-512 value.
    """
    check_eap_capa(dev[0], "PWD")
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_conf)
    sta = dev[0]
    eap_connect(sta, hapd, "PWD", "pwd-hash-sha512",
                password="secret password")
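def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups

    Restarts the AP once per pwd_group value and checks that dev[0] can
    authenticate with each. Groups 19, 20, 21, 25 and 26 are always tried;
    the Brainpool groups 27-30 are added when the build-time and run-time
    OpenSSL versions are both 1.0.2 or both 1.1. A connection failure with
    group 25 is ignored under BoringSSL; any other failure is a test
    failure.
    """
    # The listing this block was recovered from lost the loop header and the
    # try/except/continue/raise lines; they are restored here.
    import time  # module-level import not visible in this excerpt

    check_eap_capa(dev[0], "PWD")
    tls = dev[0].request("GET tls_library")
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf"}
    groups = [19, 20, 21, 25, 26]
    # The original repeated the same Brainpool block once per OpenSSL
    # version; the two checks are mutually exclusive, so they are merged.
    if tls.startswith("OpenSSL"):
        for ver in ("1.0.2", "1.1"):
            if "build=OpenSSL " + ver in tls and "run=OpenSSL " + ver in tls:
                logger.info("Add Brainpool EC groups since OpenSSL is new enough")
                groups += [27, 28, 29, 30]
                break

    for i in groups:
        logger.info("Group %d" % i)
        params['pwd_group'] = str(i)
        hapd = hostapd.add_ap(apdev[0], params)
        try:
            eap_connect(dev[0], hapd, "PWD", "pwd user",
                        password="secret password")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
            dev[0].dump_monitor()
        except Exception:
            if "BoringSSL" in tls and i in [25]:
                logger.info("Ignore connection failure with group %d with BoringSSL" % i)
                dev[0].request("DISCONNECT")
                time.sleep(0.1)
                dev[0].request("REMOVE_NETWORK all")
                dev[0].dump_monitor()
                continue
            raise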
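def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group

    The AP is configured with pwd_group "0", which is not a usable group,
    so the peer must report an EAP failure rather than complete the
    exchange.
    """
    check_eap_capa(dev[0], "PWD")
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf"}
    params['pwd_group'] = "0"
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    # NOTE(review): the `if ev is None:` guard was lost from the listing
    # this block was recovered from and has been restored.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")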
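def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    The AP is configured with fragment_size "40" so the server side has to
    split its EAP-pwd messages; dev[0] must still authenticate.

    The original first built a default parameter set with
    hostapd.wpa2_eap_params() and immediately overwrote it; that dead
    assignment is dropped.
    """
    check_eap_capa(dev[0], "PWD")
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "pwd_group": "19", "fragment_size": "40"}
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PWD", "pwd user", password="secret password")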
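def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK

    Connects with EAP-GPSK and reauthenticates, then forces each of the two
    cipher suites through phase1 ("cipher=1", "cipher=2") and expects EAP
    success for both, expects EAP failure for the unsupported "cipher=9",
    and finally expects a rejection when the password is wrong.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    netid = eap_connect(dev[0], hapd, "GPSK", "gpsk user",
                        password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    # NOTE(review): the `if ev is None:` timeout guards were lost from the
    # listing this block was recovered from and have been restored.
    logger.info("Test forced algorithm selection")
    for phase1 in ["cipher=1", "cipher=2"]:
        # Changing phase1 on the live network block triggers a fresh EAP run.
        dev[0].set_network_quoted(netid, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(netid, "phase1", "cipher=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)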
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    Authenticates dev[0] with EAP-SAKE using the hex-encoded shared key,
    reauthenticates, and then verifies that a key differing in its first
    byte is rejected.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    good_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

    eap_connect(sta, hapd, "SAKE", "sake user", password_hex=good_key)
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "SAKE", "sake user", password_hex=bad_key,
                expect_failure=True)
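def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE

    Connects with EAP-EKE and reauthenticates, then forces a series of
    DH-group/encryption/PRF/MAC combinations through phase1 and expects
    EAP success for each, expects EAP failure for an all-unsupported
    combination, and finally expects a rejection when the password is
    wrong.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    netid = eap_connect(dev[0], hapd, "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    # NOTE(review): the `if ev is None:` timeout guards were lost from the
    # listing this block was recovered from and have been restored.
    logger.info("Test forced algorithm selection")
    for phase1 in ["dhgroup=5 encr=1 prf=2 mac=2",
                   "dhgroup=4 encr=1 prf=2 mac=2",
                   "dhgroup=3 encr=1 prf=2 mac=2",
                   "dhgroup=3 encr=1 prf=1 mac=1"]:
        # Changing phase1 on the live network block triggers a fresh EAP run.
        dev[0].set_network_quoted(netid, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(netid, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "EKE", "eke user", password="hello1",
                expect_failure=True)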
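def test_ap_wpa2_eap_eke_many(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-EKE (many connections) [long]

    Runs 100 rounds in which three stations connect with EAP-EKE in
    parallel, and counts successes and failures. A round that ends in
    CTRL-EVENT-DISCONNECTED is logged and counted as a failure rather
    than aborting the test, because the RADIUS server's limit on active
    sessions can be hit under this load. Only the absence of any
    connected/disconnected event is fatal. Skipped unless the run was
    started with --long.

    Args:
        dev: station list; dev[0..2] are used.
        apdev: AP device list.
        params: test-run parameters; only params['long'] is read.
    """
    # The listing this block was recovered from lost the counters, the
    # inner loop headers, the timeout guard and the else branch; they are
    # restored here.
    import time  # module-level import not visible in this excerpt

    if not params['long']:
        raise HwsimSkip("Skip test case with long duration due to --long not specified")
    # Use a separate name for the AP configuration so the run parameters
    # are not shadowed.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], ap_params)

    success = 0
    fail = 0
    for i in range(100):
        for j in range(3):
            dev[j].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="EKE",
                           identity="eke user", password="hello",
                           phase1="dhgroup=3 encr=1 prf=1 mac=1",
                           scan_freq="2412", wait_connect=False)
        for j in range(3):
            ev = dev[j].wait_event(["CTRL-EVENT-CONNECTED",
                                    "CTRL-EVENT-DISCONNECTED"], timeout=15)
            if ev is None:
                raise Exception("No connected/disconnected event")
            if "CTRL-EVENT-DISCONNECTED" in ev:
                fail += 1
                # The RADIUS server limits on active sessions can be hit when
                # going through this test case, so try to give some more time
                # for the server to remove sessions.
                logger.info("Failed to connect i=%d j=%d" % (i, j))
                dev[j].request("REMOVE_NETWORK all")
                time.sleep(1)
            else:
                success += 1
                dev[j].request("REMOVE_NETWORK all")
                dev[j].wait_disconnected()
                dev[j].dump_monitor()
    logger.info("Total success=%d failure=%d" % (success, fail))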
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI

    Configures the integrated EAP server with an NAI-form server_id
    ('example.server@w1.fi') and checks that dev[0] can still complete
    EAP-EKE against it.
    """
    ap_conf = int_eap_server_params()
    ap_conf['server_id'] = 'example.server@w1.fi'
    hapd = hostapd.add_ap(apdev[0], ap_conf)
    sta = dev[0]
    eap_connect(sta, hapd, "EKE", "eke user", password="hello")
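def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with server OOM

    Injects allocation failures into the hostapd EAP-EKE server at the
    named functions and checks that authentication fails cleanly instead
    of crashing or completing. Three passes:
      1. message build/process functions, each driven through
         eap_connect() with expect_failure=True;
      2. init/session-id/key/message helpers, where the exchange is run
         only until hapd reports that the failure point was hit;
      3. a sweep over successive allocations in eap_server_sm_step that
         ends when alloc_fail reports the requested failure was never
         reached, i.e. the state machine needed fewer allocations.
    """
    # The listing this block was recovered from lost the polling loops,
    # the try: of the sweep and its break/raise lines; they are restored
    # here with the poll bounds reconstructed.
    import time  # module-level import not visible in this excerpt

    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)

    def wait_alloc_fail_hit():
        # The exchange would otherwise only end by timing out, so poll
        # briefly and stop as soon as hapd reports the injected failure.
        # NOTE(review): 20 x 0.1 s reconstructed — confirm against upstream.
        for _ in range(20):
            time.sleep(0.1)
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                break

    for count, func in [(1, "eap_eke_build_commit"),
                        (2, "eap_eke_build_commit"),
                        (3, "eap_eke_build_commit"),
                        (1, "eap_eke_build_confirm"),
                        (2, "eap_eke_build_confirm"),
                        (1, "eap_eke_process_commit"),
                        (2, "eap_eke_process_commit"),
                        (1, "eap_eke_process_confirm"),
                        (1, "eap_eke_process_identity"),
                        (2, "eap_eke_process_identity"),
                        (3, "eap_eke_process_identity"),
                        (4, "eap_eke_process_identity")]:
        with alloc_fail(hapd, count, func):
            eap_connect(dev[0], hapd, "EKE", "eke user", password="hello",
                        expect_failure=True)
            dev[0].request("REMOVE_NETWORK all")

    for count, func, pw in [(1, "eap_eke_init", "hello"),
                            (1, "eap_eke_get_session_id", "hello"),
                            (1, "eap_eke_getKey", "hello"),
                            (1, "eap_eke_build_msg", "hello"),
                            (1, "eap_eke_build_failure", "wrong"),
                            (1, "eap_eke_build_identity", "hello"),
                            (2, "eap_eke_build_identity", "hello")]:
        with alloc_fail(hapd, count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            wait_alloc_fail_hit()
            dev[0].request("REMOVE_NETWORK all")

    # The original reused the leaked loop variable `pw` below; its final
    # value is "hello", which is now spelled out.
    # NOTE(review): placeholder lower bound — the original threshold line
    # (listing line 2889) was lost; confirm the value against upstream.
    min_alloc_failures = 30
    for count in range(1, 1000):
        try:
            with alloc_fail(hapd, count, "eap_server_sm_step"):
                dev[0].connect("test-wpa2-eap",
                               key_mgmt="WPA-EAP WPA-EAP-SHA256",
                               eap="EKE", identity="eke user", password="hello",
                               wait_connect=False, scan_freq="2412")
                wait_alloc_fail_hit()
                dev[0].request("REMOVE_NETWORK all")
        except Exception as e:
            if str(e) == "Allocation failure did not trigger":
                # Hitting this on a very low count means the injection
                # never worked at all rather than that the sweep is done.
                if count < min_alloc_failures:
                    raise Exception("Too few allocation failures")
                logger.info("%d allocation failures tested" % (count - 1))
                break
            raise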
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Authenticates dev[0] with EAP-IKEv2 and reauthenticates, repeats the
    connection with a peer-side fragment_size of "50", checks that a
    wrong password is rejected, and finally connects with fragment_size
    "0" before tearing the network down.
    """
    check_eap_capa(dev[0], "IKEV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]

    def connect_ikev2(password, **extra):
        eap_connect(sta, hapd, "IKEV2", "ikev2 user",
                    password=password, **extra)

    connect_ikev2("ike password")
    eap_reauth(sta, "IKEV2")
    sta.request("REMOVE_NETWORK all")
    connect_ikev2("ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    connect_ikev2("ike-password", expect_failure=True)
    sta.request("REMOVE_NETWORK all")

    connect_ikev2("ike password", fragment_size="0")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
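def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    The AP is configured with fragment_size "50" so the server side has to
    split its EAP-IKEv2 messages; dev[0] must authenticate and
    reauthenticate.

    The original first built a default parameter set with
    hostapd.wpa2_eap_params() and immediately overwrote it; that dead
    assignment is dropped.
    """
    check_eap_capa(dev[0], "IKEV2")
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "fragment_size": "50"}
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")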
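def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 and OOM

    Injects failures into the peer-side DH code used by EAP-IKEv2 — first
    allocation failures (alloc_fail), then a forced failure (fail_test) of
    the random-number or DH-init helper, whose name depends on the TLS
    library — and checks that the EAP method is still selected and that
    the injected failure is actually reached, i.e. the peer gets that far
    and then backs out cleanly.

    The polling for the failure point now goes through
    wait_fail_trigger(), as test_ap_wpa2_eap_psk_oom() does, so a failure
    point that is never reached is reported with the count/function name
    instead of being left to alloc_fail's generic message.
    """
    check_eap_capa(dev[0], "IKEV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    # NOTE(review): one entry of this list (listing line 2938) was lost in
    # extraction — restore it from upstream.
    tests = [(1, "dh_init"),
             (1, "dh_derive_shared")]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            if ev is None:
                raise Exception("EAP method not selected")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL",
                              note="Failure not triggered: %d:%s" % (count, func))
            dev[0].request("REMOVE_NETWORK all")

    tls = dev[0].request("GET tls_library")
    if not tls.startswith("wolfSSL"):
        tests = [(1, "os_get_random;dh_init")]
    else:
        tests = [(1, "crypto_dh_init;dh_init")]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            if ev is None:
                raise Exception("EAP method not selected")
            wait_fail_trigger(dev[0], "GET_FAIL",
                              note="Failure not triggered: %d:%s" % (count, func))
            dev[0].request("REMOVE_NETWORK all")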
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    Authenticates dev[0] with EAP-PAX using the hex-encoded shared key,
    reauthenticates, and then verifies that a key differing in its first
    byte is rejected.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    good_key = "0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef"

    eap_connect(sta, hapd, "PAX", "pax.user@example.com",
                password_hex=good_key)
    eap_reauth(sta, "PAX")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "PAX", "pax.user@example.com",
                password_hex=bad_key, expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    The AP advertises the WPA-EAP-SHA256 AKM with PMF required
    (ieee80211w=2). dev[0] authenticates with EAP-PSK and reauthenticates
    using that AKM, the MIB must show 00-0f-ac-5 as both requested and
    selected suite, the BSS table entry must carry the
    [WPA2-EAP-SHA256-CCMP] flag, and a key differing in its first byte
    must be rejected.
    """
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_conf["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_conf["ieee80211w"] = "2"
    hapd = hostapd.add_ap(apdev[0], ap_conf)
    sta = dev[0]

    eap_connect(sta, hapd, "PSK", "psk.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(sta, "PSK", sha256=True)
    expected_suite = "00-0f-ac-5"
    check_mib(sta, [("dot11RSNAAuthenticationSuiteRequested", expected_suite),
                    ("dot11RSNAAuthenticationSuiteSelected", expected_suite)])

    bss = sta.get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "PSK", "psk.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
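def test_ap_wpa2_eap_psk_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK and OOM

    Injects failures into the peer-side AES-EAX/OMAC1 primitives that
    EAP-PSK relies on: allocation failures for the EAX encrypt/decrypt
    entry points, forced failures of the CTR/OMAC1 helpers beneath them,
    and finally a forced failure of aes_128_encrypt_block, which must
    surface as an EAP failure. For the injected cases the method must
    still be selected and the failure point must actually be reached
    (wait_fail_trigger raises otherwise), so the peer is shown to back
    out cleanly rather than continue with a broken crypto state.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    def connect_psk():
        # The same EAP-PSK network block is used for every injected failure.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                       identity="psk.user@example.com",
                       password_hex="0123456789abcdef0123456789abcdef",
                       wait_connect=False, scan_freq="2412")

    # NOTE(review): the `if ev is None:` timeout guards were lost from the
    # listing this block was recovered from and have been restored.
    tests = [(1, "=aes_128_eax_encrypt"),
             (1, "=aes_128_eax_decrypt")]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            connect_psk()
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            if ev is None:
                raise Exception("EAP method not selected")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL",
                              note="Failure not triggered: %d:%s" % (count, func))
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    tests = [(1, "aes_ctr_encrypt;aes_128_eax_encrypt"),
             (1, "omac1_aes_128;aes_128_eax_encrypt"),
             (2, "omac1_aes_128;aes_128_eax_encrypt"),
             (3, "omac1_aes_128;aes_128_eax_encrypt"),
             (1, "omac1_aes_vector"),
             (1, "omac1_aes_128;aes_128_eax_decrypt"),
             (2, "omac1_aes_128;aes_128_eax_decrypt"),
             (3, "omac1_aes_128;aes_128_eax_decrypt"),
             (1, "aes_ctr_encrypt;aes_128_eax_decrypt")]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            connect_psk()
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            if ev is None:
                raise Exception("EAP method not selected")
            wait_fail_trigger(dev[0], "GET_FAIL",
                              note="Failure not triggered: %d:%s" % (count, func))
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    with fail_test(dev[0], 1, "aes_128_encrypt_block"):
        connect_psk()
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        if ev is None:
            raise Exception("EAP method failure not reported")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()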
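def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    Uses a WPA (not WPA2/RSN) Enterprise AP. dev[0] authenticates with
    PEAP/MSCHAPv2 against auth_serv/ca.pem, connectivity through the AP
    is verified, a reauthentication is forced, the MIB must show the WPA
    vendor AKM 00-50-f2-1 as requested and selected, and STATUS-VERBOSE
    must report portControl=Auto and an eap_session_id starting with "19"
    (0x19 is the PEAP EAP type code).
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # NOTE(review): the final argument line of this call (listing line
    # 3074) was lost in extraction and is restored with the scan_freq used
    # by every other connect() in this file.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
                   scan_freq="2412")
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                       ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1")])
    status = dev[0].get_status(extra="VERBOSE")
    if 'portControl' not in status:
        raise Exception("portControl missing from STATUS-VERBOSE")
    if status['portControl'] != 'Auto':
        raise Exception("Unexpected portControl value: " + status['portControl'])
    if 'eap_session_id' not in status:
        raise Exception("eap_session_id missing from STATUS-VERBOSE")
    if not status['eap_session_id'].startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])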
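def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry

    Each test case starts a connection without the password (and, in one
    case, without the identity) in the network block, waits for the
    control-interface requests wpa_supplicant raises for the missing
    credential, answers them with CTRL-RSP-* and expects the connection
    to complete. Each case tuple is (description, eap, anonymous identity,
    identity, phase2, identity to supply on request, password to supply on
    request); an identity of None means one is requested interactively.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # NOTE(review): the first tuple's last line, the `if req_id:` guard and
    # the `if ev is None:` guards were lost from the listing this block was
    # recovered from and have been restored.
    tests = [("Connection with dynamic TTLS/MSCHAPv2 password entry",
              "TTLS", "ttls", "DOMAIN\\mschapv2 user", "auth=MSCHAPV2",
              None, "password"),
             ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
              "TTLS", "ttls", None, "auth=MSCHAPV2",
              "DOMAIN\\mschapv2 user", "password"),
             ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
              "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
             ("Connection with dynamic TTLS/EAP-MD5 password entry",
              "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
             ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
              "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
             ("Connection with dynamic PEAP/EAP-GTC password entry",
              "PEAP", None, "user", "auth=GTC", None, "password")]
    for desc, eap, anon, identity, phase2, req_id, req_pw in tests:
        logger.info(desc)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")

        if req_id:
            ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
            if ev is None:
                raise Exception("Request for identity timed out")
            # The request event names the network id the answer must target.
            req_num = ev.split(':')[0].split('-')[-1]
            dev[0].request("CTRL-RSP-IDENTITY-" + req_num + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD", "CTRL-REQ-OTP"])
        if ev is None:
            raise Exception("Request for password timed out")
        req_num = ev.split(':')[0].split('-')[-1]
        rsp_type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + rsp_type + "-" + req_num + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")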
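def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
    """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK

    Connects with an interactively supplied identity, then enables an
    unrelated network and checks that doing so does not start a new
    authentication on the already connected interface.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # Second network, only added (not enabled) for the ENABLE_NETWORK step.
    id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
                              only_add_network=True)

    req_id = "DOMAIN\\mschapv2 user"  # same string as the original "\m" literal
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   anonymous_identity="ttls", identity=None,
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    if ev is None:  # NOTE(review): guard (original line 3147) reconstructed
        raise Exception("Request for identity timed out")
    req_num = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + req_num + ":" + req_id)
    dev[0].wait_connected(timeout=10)

    if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
        raise Exception("Failed to enable network")
    ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
    # NOTE(review): condition (original line 3156) reconstructed: seeing the
    # event is the failure case.
    if ev is not None:
        raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
    dev[0].request("REMOVE_NETWORK all")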
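def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "VENDOR-TEST", "vendor-test")
    eap_reauth(dev[0], "VENDOR-TEST")
    # NOTE(review): original lines 3167-3168 (the remaining keyword
    # arguments of this call) are absent from the rendered page; the call
    # is closed without them here -- restore them from upstream.
    eap_connect(dev[1], hapd, "VENDOR-TEST", "vendor-test")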
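def test_ap_wpa2_eap_vendor_test_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test (OOM)

    Fails the first allocation in each listed function while the
    vendor-test method runs and checks that the failure point is reached.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    tests = ["eap_vendor_test_init",
             "eap_msg_alloc;eap_vendor_test_process",
             "eap_vendor_test_getKey"]
    # NOTE(review): the loop header (original line 3177) is absent from the
    # rendered page; `func` is otherwise unbound, so it is restored here.
    for func in tests:
        with alloc_fail(dev[0], 1, func):
            # NOTE(review): original lines 3180 and 3182 are absent from the
            # rendered page; scan_freq/wait_connect follow the pattern of
            # the neighbouring tests -- confirm against upstream.
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           scan_freq="2412",
                           eap="VENDOR-TEST", identity="vendor-test",
                           wait_connect=False)
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()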
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    Provisions a PAC (fast_provisioning=1) into the in-memory blob
    fast_pac, checks data connectivity and then requires the
    re-authentication to resume the TLS session from that PAC.
    """
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    fast_args = dict(anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                     phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    eap_connect(dev[0], hapd, "FAST", "user", **fast_args)
    hwsim_utils.test_connectivity(dev[0], hapd)
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
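def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file

    Provisions PACs into real files under the log directory (text format
    for dev[0], binary format for dev[1]) and reconnects using them.  The
    text file must carry the version header and a PAC-Key line.
    """
    check_eap_capa(dev[0], "FAST")
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    fast_args = dict(anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    eap_connect(dev[0], hapd, "FAST", "user",
                phase1="fast_provisioning=1", pac_file=pac_file, **fast_args)
    with open(pac_file, "r") as f:
        # NOTE(review): original line 3215 is absent from the rendered page;
        # `data` is checked below, so it is read here.
        data = f.read()
    if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
        raise Exception("PAC file header missing")
    if "PAC-Key=" not in data:
        raise Exception("PAC-Key missing from PAC file")
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): original line 3224 (closing keyword of this call) is
    # absent from the rendered page; pac_file=pac_file reconstructed.
    eap_connect(dev[0], hapd, "FAST", "user", pac_file=pac_file, **fast_args)

    # NOTE(review): original lines 3230 and 3236 (closing keyword of the two
    # calls below) are absent from the rendered page; pac_file=pac_file2
    # reconstructed.
    eap_connect(dev[1], hapd, "FAST", "user",
                phase1="fast_provisioning=1 fast_pac_format=binary",
                pac_file=pac_file2, **fast_args)
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[1], hapd, "FAST", "user",
                phase1="fast_pac_format=binary",
                pac_file=pac_file2, **fast_args)
    # NOTE(review): original lines 3237-3242 and 3244-3246 are absent from
    # the rendered page (presumably checks on the binary PAC file and
    # removal of pac_file); not reconstructed.  Both files hold PAC keys,
    # so they should not be left behind in the log directory.
    os.remove(pac_file2)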
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    Provisions a binary-format PAC with the stored list capped at one entry
    and requires the re-authentication to resume from it; then repeats the
    provisioning with fast_max_pac_list_len=0 to cover that special case.
    """
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="FAST", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                  pac_file="blob://fast_pac_bin")

    eap_connect(dev[0], hapd, "FAST", "user",
                phase1="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
                **common)
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")

    # Verify fast_max_pac_list_len=0 special case
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    eap_connect(dev[0], hapd, "FAST", "user",
                phase1="fast_provisioning=1 fast_max_pac_list_len=0 fast_pac_format=binary",
                **common)
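def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config

    EAP-FAST has to end in EAP failure both when pac_file points at an
    unused blob (no provisioning option set) and when pac_file is not
    configured at all.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    net = dict(key_mgmt="WPA-EAP", eap="FAST",
               identity="user", anonymous_identity="FAST",
               password="password",
               ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
               wait_connect=False, scan_freq="2412")

    dev[0].connect("test-wpa2-eap", pac_file="blob://fast_pac_not_in_use",
                   **net)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:  # NOTE(review): guard (original line 3283) reconstructed
        raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")

    dev[0].connect("test-wpa2-eap", **net)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:  # NOTE(review): guard (original line 3293) reconstructed
        raise Exception("Timeout on EAP failure report")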
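def test_ap_wpa2_eap_fast_binary_pac_errors(dev, apdev):
    """EAP-FAST and binary PAC errors

    Exercises allocation failures while saving and loading binary PACs and
    feeds deliberately malformed binary PAC blobs to the parser; each
    malformed blob must make EAP method initialization fail.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    pac_args = dict(anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1 fast_pac_format=binary",
                    pac_file="blob://fast_pac_bin_errors")
    net = dict(key_mgmt="WPA-EAP", eap="FAST",
               identity="user", anonymous_identity="FAST",
               password="password",
               ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
               phase1="fast_provisioning=1 fast_pac_format=binary",
               pac_file="blob://fast_pac_bin_errors",
               scan_freq="2412", wait_connect=False)

    tests = [(1, "=eap_fast_save_pac_bin"),
             (1, "eap_fast_write_pac"),
             (2, "eap_fast_write_pac")]
    for count, func in tests:
        if "OK" not in dev[0].request("SET blob fast_pac_bin_errors "):
            raise Exception("Could not set blob")

        with alloc_fail(dev[0], count, func):
            eap_connect(dev[0], hapd, "FAST", "user", **pac_args)
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Malformed blobs (all share the 6ae4920c prefix the parser expects,
    # presumably a magic value; the exact field each entry corrupts is not
    # documented here).
    # NOTE(review): original line 3319 (one more list entry) is absent from
    # the rendered page and is not reconstructed.
    tests = ["00", "000000000000", "6ae4920c0001",
             "6ae4920c0000" + "0000" + 32*"00" + "ffff" + "0000",
             "6ae4920c0000" + "0000" + 32*"00" + "0001" + "0000",
             "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0001",
             "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0008" + "00040000" + "0007000100"]
    # NOTE(review): loop header (original line 3324) reconstructed; `t` is
    # otherwise unbound.
    for t in tests:
        if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + t):
            raise Exception("Could not set blob")

        dev[0].connect("test-wpa2-eap", **net)
        # NOTE(review): original lines 3336-3337 (timeout argument and None
        # guard) are absent from the rendered page; timeout=5 follows the
        # text-PAC sibling test -- confirm against upstream.
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
                               timeout=5)
        if ev is None:
            raise Exception("Failure not reported")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0000"
    tests = [(1, "eap_fast_load_pac_bin"),
             (2, "eap_fast_load_pac_bin"),
             (3, "eap_fast_load_pac_bin")]
    for count, func in tests:
        if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
            raise Exception("Could not set blob")

        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", **net)
            # NOTE(review): original lines 3359-3360 reconstructed as above.
            ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
                                   timeout=5)
            if ev is None:
                raise Exception("Failure not reported")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0005" + "0011223344"
    if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
        raise Exception("Could not set blob")

    eap_connect(dev[0], hapd, "FAST", "user", **pac_args)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0009" + "00040000" + "0007000100"
    tests = [(1, "eap_fast_pac_get_a_id"),
             (2, "eap_fast_pac_get_a_id")]
    for count, func in tests:
        if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
            raise Exception("Could not set blob")
        with alloc_fail(dev[0], count, func):
            eap_connect(dev[0], hapd, "FAST", "user", **pac_args)
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()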
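def test_ap_wpa2_eap_fast_text_pac_errors(dev, apdev):
    """EAP-FAST and text PAC errors

    Exercises allocation failures in the text PAC parser/writer, a
    malformed text PAC blob, and an allocation failure while adding PAC
    data obtained from several differently keyed servers.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    net = dict(key_mgmt="WPA-EAP", eap="FAST",
               identity="user", anonymous_identity="FAST",
               password="password",
               ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
               phase1="fast_provisioning=1",
               pac_file="blob://fast_pac_text_errors",
               scan_freq="2412", wait_connect=False)

    tests = [(1, "eap_fast_parse_hex;eap_fast_parse_pac_key"),
             (1, "eap_fast_parse_hex;eap_fast_parse_pac_opaque"),
             (1, "eap_fast_parse_hex;eap_fast_parse_a_id"),
             (1, "eap_fast_parse_start"),
             (1, "eap_fast_save_pac")]
    for count, func in tests:
        dev[0].request("FLUSH")
        if "OK" not in dev[0].request("SET blob fast_pac_text_errors "):
            raise Exception("Could not set blob")

        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", **net)
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    pac = "wpa_supplicant EAP-FAST PAC file - version 1\n"
    # NOTE(review): original lines 3421-3423 (the rest of this malformed
    # text PAC) are absent from the rendered page and are not reconstructed.
    # str.encode("hex") exists only on Python 2; bytes.hex() yields the
    # same lowercase hex string on Python 3.
    pac_hex = pac.encode().hex()
    if "OK" not in dev[0].request("SET blob fast_pac_text_errors " + pac_hex):
        raise Exception("Could not set blob")

    dev[0].connect("test-wpa2-eap", **net)
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=5)
    if ev is None:  # NOTE(review): guard (original line 3435) reconstructed
        raise Exception("Failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    dev[0].request("FLUSH")
    if "OK" not in dev[0].request("SET blob fast_pac_text_errors "):
        raise Exception("Could not set blob")

    with alloc_fail(dev[0], 1, "eap_fast_add_pac_data"):
        # NOTE(review): the loop header (original line 3445) is absent from
        # the rendered page; `i` is otherwise unbound and the bound is not
        # on the page -- placeholder.
        for i in range(_PLACEHOLDER_SERVER_COUNT):
            params = int_eap_server_params()
            params['ssid'] = "test-wpa2-eap-2"
            # Distinct PAC-Opaque key and A-ID per iteration => distinct PACs.
            params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
            params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
            params['eap_fast_a_id_info'] = "test server %d" % i
            hapd2 = hostapd.add_ap(apdev[1], params)
            dev[0].connect("test-wpa2-eap-2", **net)
            dev[0].wait_connected()
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
            # NOTE(review): original lines 3464-3466 are absent from the
            # rendered page (presumably hapd2 teardown); not reconstructed.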
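def test_ap_wpa2_eap_fast_pac_truncate(dev, apdev):
    """EAP-FAST and PAC list truncation

    Provisions PACs from several differently keyed servers into one blob
    while fast_max_pac_list_len=2, so the stored PAC list has to be
    truncated.
    """
    check_eap_capa(dev[0], "FAST")
    if "OK" not in dev[0].request("SET blob fast_pac_truncate "):
        raise Exception("Could not set blob")

    # NOTE(review): the loop header (original line 3472) is absent from the
    # rendered page; `i` is otherwise unbound and the bound is not on the
    # page -- placeholder.
    for i in range(_PLACEHOLDER_SERVER_COUNT):
        params = int_eap_server_params()
        # Distinct PAC-Opaque key and A-ID per iteration => distinct PACs.
        params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
        params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
        params['eap_fast_a_id_info'] = "test server %d" % i
        hapd = hostapd.add_ap(apdev[0], params)

        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       phase1="fast_provisioning=1 fast_max_pac_list_len=2",
                       pac_file="blob://fast_pac_truncate",
                       scan_freq="2412", wait_connect=False)
        dev[0].wait_connected()
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        # NOTE(review): original lines 3489-3491 are absent from the
        # rendered page (presumably AP teardown between iterations); not
        # reconstructed.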
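def test_ap_wpa2_eap_fast_pac_refresh(dev, apdev):
    """EAP-FAST and PAC refresh

    Runs two provisioning rounds against servers whose pac_key_refresh_time
    is first shorter than, then equal to, pac_key_lifetime (presumably to
    cover both the refresh and the no-refresh path).
    """
    check_eap_capa(dev[0], "FAST")
    if "OK" not in dev[0].request("SET blob fast_pac_refresh "):
        raise Exception("Could not set blob")

    net = dict(key_mgmt="WPA-EAP", eap="FAST",
               identity="user", anonymous_identity="FAST",
               password="password",
               ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
               phase1="fast_provisioning=1",
               pac_file="blob://fast_pac_refresh",
               scan_freq="2412", wait_connect=False)

    def run_round(refresh_time, lifetime):
        """Provision against servers configured with the given timers."""
        # NOTE(review): the loop header of the first round (original line
        # 3497) and lines 3516-3519 before the second round are absent from
        # the rendered page, so whether the second round loops is not
        # visible; both rounds are treated alike here and the bound is a
        # placeholder -- confirm against upstream.
        for i in range(_PLACEHOLDER_SERVER_COUNT):
            params = int_eap_server_params()
            params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
            params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
            params['eap_fast_a_id_info'] = "test server %d" % i
            params['pac_key_refresh_time'] = refresh_time
            params['pac_key_lifetime'] = lifetime
            hapd = hostapd.add_ap(apdev[0], params)

            dev[0].connect("test-wpa2-eap", **net)
            dev[0].wait_connected()
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    run_round("1", "10")
    run_round("10", "10")
    # NOTE(review): original lines 3538-3540 are absent from the rendered
    # page; not reconstructed.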
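def test_ap_wpa2_eap_fast_pac_lifetime(dev, apdev):
    """EAP-FAST and PAC lifetime

    Provisions a PAC from a server with pac_key_lifetime=2 and no refresh,
    then requires a reconnection with the stale PAC to end in EAP failure
    and a subsequent network selection to succeed again.
    """
    check_eap_capa(dev[0], "FAST")
    if "OK" not in dev[0].request("SET blob fast_pac_refresh "):
        raise Exception("Could not set blob")

    # NOTE(review): original lines 3546-3547 are absent from the rendered
    # page; they bind `i`, used in the server parameters -- placeholder.
    i = _PLACEHOLDER_SERVER_INDEX
    params = int_eap_server_params()
    params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
    params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
    params['eap_fast_a_id_info'] = "test server %d" % i
    params['pac_key_refresh_time'] = "0"
    params['pac_key_lifetime'] = "2"
    hapd = hostapd.add_ap(apdev[0], params)

    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                            identity="user", anonymous_identity="FAST",
                            password="password",
                            ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                            phase1="fast_provisioning=2",
                            pac_file="blob://fast_pac_refresh",
                            scan_freq="2412", wait_connect=False)
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # NOTE(review): original lines 3566-3567 are absent from the rendered
    # page; with pac_key_lifetime="2" they presumably let the PAC expire
    # before the reconnect -- not reconstructed.
    # Flush cached PMKSAs so the reconnect presumably has to run EAP again.
    dev[0].request("PMKSA_FLUSH")
    dev[0].request("RECONNECT")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:  # NOTE(review): guard (original line 3571) reconstructed
        raise Exception("No EAP-Failure seen after expired PAC")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # NOTE(review): original line 3575 is absent from the rendered page;
    # not reconstructed.
    dev[0].select_network(net_id)
    dev[0].wait_connected()
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()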
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning

    Provisions a PAC with fast_provisioning=2 into the blob fast_pac_auth,
    checks data connectivity and requires the re-authentication to resume
    the TLS session from that PAC.
    """
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    fast_args = dict(anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                     phase1="fast_provisioning=2",
                     pac_file="blob://fast_pac_auth")
    eap_connect(dev[0], hapd, "FAST", "user", **fast_args)
    hwsim_utils.test_connectivity(dev[0], hapd)
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
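def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing

    After a successful connection the network's identity is changed to
    "user2" (presumably unknown to the server); that must disconnect the
    station, start a new EAP-FAST run and end in EAP failure.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    net_id = eap_connect(dev[0], hapd, "FAST", "user",
                         anonymous_identity="FAST", password="password",
                         ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                         phase1="fast_provisioning=2",
                         pac_file="blob://fast_pac_auth")
    dev[0].set_network_quoted(net_id, "identity", "user2")
    dev[0].wait_disconnected()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:  # NOTE(review): guard (original line 3608) reconstructed
        raise Exception("EAP-FAST not started")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:  # NOTE(review): guard (original line 3611) reconstructed
        raise Exception("EAP failure not reported")
    dev[0].wait_disconnected()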
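def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and OOM in PRF

    The function whose allocation is failed depends on the TLS library
    wpa_supplicant was built with; other libraries skip the test.
    """
    check_eap_capa(dev[0], "FAST")
    tls = dev[0].request("GET tls_library")
    # NOTE(review): original lines 3621, 3624 and 3625 are absent from the
    # rendered page; they bind `count` in each branch (values not on the
    # page -- placeholders) and supply the final else.
    if tls.startswith("OpenSSL"):
        func = "tls_connection_get_eap_fast_key"
        count = _PLACEHOLDER_OPENSSL_FAIL_COUNT
    elif tls.startswith("internal"):
        func = "tls_connection_prf"
        count = _PLACEHOLDER_INTERNAL_FAIL_COUNT
    else:
        raise HwsimSkip("Unsupported TLS library")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    with alloc_fail(dev[0], count, func):
        # NOTE(review): original line 3633 (one more keyword between
        # ca_cert and phase1) is absent from the rendered page; not
        # reconstructed.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password", ca_cert="auth_serv/ca.pem",
                       phase1="fast_provisioning=2",
                       pac_file="blob://fast_pac_auth",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        if ev is None:  # NOTE(review): guard (original line 3638) reconstructed
            raise Exception("EAP failure not reported")
        dev[0].request("DISCONNECT")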
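def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
    """EAP-FAST/MSCHAPv2 and server OOM

    Fails the first allocation in hostapd's session ticket callback during
    the initial connection (which must end in EAP failure) and then selects
    the network again outside the alloc_fail context.
    """
    check_eap_capa(dev[0], "FAST")

    params = int_eap_server_params()
    params['dh_file'] = 'auth_serv/dh.conf'
    params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
    params['eap_fast_a_id'] = '1011'
    params['eap_fast_a_id_info'] = 'another test server'
    hapd = hostapd.add_ap(apdev[0], params)

    with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
        net_id = eap_connect(dev[0], hapd, "FAST", "user",
                             anonymous_identity="FAST", password="password",
                             ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                             phase1="fast_provisioning=1",
                             pac_file="blob://fast_pac",
                             expect_failure=True)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        if ev is None:  # NOTE(review): guard (original line 3661) reconstructed
            raise Exception("No EAP failure reported")
        dev[0].wait_disconnected()
        dev[0].request("DISCONNECT")

    dev[0].select_network(net_id, freq="2412")
    # NOTE(review): original line 3667 is absent from the rendered page
    # (presumably the wait for the retried connection); not reconstructed.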
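def test_ap_wpa2_eap_fast_cipher_suites(dev, apdev):
    """EAP-FAST and different TLS cipher suites

    Provisions a PAC first (checking the suite used for provisioning) and
    then reconnects once per configured openssl_ciphers value, requiring
    the suite reported in the status to match the configured one.
    """
    check_eap_capa(dev[0], "FAST")
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL") and not tls.startswith("wolfSSL"):
        raise HwsimSkip("TLS library is not OpenSSL or wolfSSL: " + tls)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    dev[0].request("SET blob fast_pac_ciphers ")
    eap_connect(dev[0], hapd, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_ciphers")
    res = dev[0].get_status_field('EAP TLS cipher')
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    if res != "DHE-RSA-AES256-SHA":
        raise Exception("Unexpected cipher suite for provisioning: " + res)

    # NOTE(review): original lines 3691-3693 (three more cipher names; one
    # of them is "RC4-SHA" judging by the except branch below) are absent
    # from the rendered page and are not reconstructed.
    tests = ["DHE-RSA-AES128-SHA",
             "DHE-RSA-AES256-SHA"]
    for cipher in tests:
        dev[0].dump_monitor()
        logger.info("Testing " + cipher)
        # NOTE(review): `try:` (3698), `continue` (3713), `raise` (3714) and
        # the final comparison (3718) are absent from the rendered page;
        # reconstructed from the surrounding control flow.
        try:
            eap_connect(dev[0], hapd, "FAST", "user",
                        openssl_ciphers=cipher,
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                        pac_file="blob://fast_pac_ciphers",
                        report_failure=True)
        except Exception as e:
            # Only the RC4 suite may fail, and only on an OpenSSL 1.1 run
            # (see the log message); everything else is a real failure.
            if cipher == "RC4-SHA" and \
               ("Could not select EAP method" in str(e) or
                "EAP failed" in str(e)):
                if "run=OpenSSL 1.1" in tls:
                    logger.info("Allow failure due to missing TLS library support")
                    dev[0].request("REMOVE_NETWORK all")
                    dev[0].wait_disconnected()
                    continue
            raise
        res = dev[0].get_status_field('EAP TLS cipher')
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        if res != cipher:
            raise Exception("Unexpected TLS cipher info (configured %s): %s" % (cipher, res))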
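def test_ap_wpa2_eap_fast_prov(dev, apdev):
    """EAP-FAST and provisioning options

    Walks through the server-side eap_fast_prov settings: provisioning
    disabled (failure), authenticated provisioning (success), provisioning
    disabled with the provisioned PAC (success), PAC dropped (failure),
    anonymous provisioning (failure followed by success) and finally
    provisioning disabled again with that PAC (success).
    """
    check_eap_capa(dev[0], "FAST")
    if "OK" not in dev[0].request("SET blob fast_pac_prov "):
        raise Exception("Could not set blob")

    # NOTE(review): original lines 3726-3727 are absent from the rendered
    # page; they bind `i`, used in the server parameters -- placeholder.
    i = _PLACEHOLDER_SERVER_INDEX
    params = int_eap_server_params()
    params['disable_pmksa_caching'] = '1'
    params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
    params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
    params['eap_fast_a_id_info'] = "test server %d" % i
    params['eap_fast_prov'] = "0"
    hapd = hostapd.add_ap(apdev[0], params)

    def expect_eap_result(parameter):
        """Wait for the EAP completion status and require *parameter* in it."""
        # NOTE(review): the wait_event continuation (timeout) and the None
        # guard are absent from the rendered page at original lines
        # 3745-3746, 3761-3762, 3778-3779, 3794-3795, 3811-3812, 3819-3820
        # and 3836-3837; the timeout below is a placeholder.
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
                               timeout=_PLACEHOLDER_EAP_TIMEOUT)
        if ev is None:
            raise Exception("EAP result not reported")
        if parameter not in ev:
            raise Exception("Unexpected EAP result: " + ev)

    # NOTE(review): original lines 3753-3754, 3757-3758, 3770-3771,
    # 3774-3775, 3787, 3791, 3802-3803, 3806, 3828-3829 and 3832-3833 are
    # absent from the rendered page (between the steps below); not
    # reconstructed.

    logger.info("Provisioning attempt while server has provisioning disabled")
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                            identity="user", anonymous_identity="FAST",
                            password="password",
                            ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                            phase1="fast_provisioning=2",
                            pac_file="blob://fast_pac_prov",
                            scan_freq="2412", wait_connect=False)
    expect_eap_result("parameter='failure'")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")
    dev[0].dump_monitor()

    logger.info("Authenticated provisioning")
    hapd.set("eap_fast_prov", "2")
    dev[0].select_network(net_id, freq="2412")
    expect_eap_result("parameter='success'")
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()

    logger.info("Provisioning disabled - using previously provisioned PAC")
    hapd.set("eap_fast_prov", "0")
    dev[0].select_network(net_id, freq="2412")
    expect_eap_result("parameter='success'")
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()

    logger.info("Drop PAC and verify connection failure")
    if "OK" not in dev[0].request("SET blob fast_pac_prov "):
        raise Exception("Could not set blob")
    dev[0].select_network(net_id, freq="2412")
    expect_eap_result("parameter='failure'")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")
    dev[0].dump_monitor()

    logger.info("Anonymous provisioning")
    hapd.set("eap_fast_prov", "1")
    dev[0].set_network_quoted(net_id, "phase1", "fast_provisioning=1")
    dev[0].select_network(net_id, freq="2412")
    # Anonymous provisioning results in EAP-Failure first
    expect_eap_result("parameter='failure'")
    dev[0].wait_disconnected()
    # And then the actual data connection
    expect_eap_result("parameter='success'")
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()

    logger.info("Provisioning disabled - using previously provisioned PAC")
    hapd.set("eap_fast_prov", "0")
    dev[0].select_network(net_id, freq="2412")
    expect_eap_result("parameter='success'")
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()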
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP

    The connection must succeed with ocsp=2 (presumably the mode that
    requires a valid OCSP response -- confirm against wpa_supplicant.conf).
    """
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tls_args = dict(ca_cert="auth_serv/ca.pem",
                    private_key="auth_serv/user.pkcs12",
                    private_key_passwd="whatever", ocsp=2)
    eap_connect(dev[0], hapd, "TLS", "tls user", **tls_args)
def test_ap_wpa2_eap_tls_ocsp_multi(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP-multi

    Same client configuration as test_ap_wpa2_eap_tls_ocsp, gated on the
    OCSP-multi capability instead.
    """
    check_ocsp_multi_support(dev[0])
    check_pkcs12_support(dev[0])

    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tls_args = dict(ca_cert="auth_serv/ca.pem",
                    private_key="auth_serv/user.pkcs12",
                    private_key_passwd="whatever", ocsp=2)
    eap_connect(dev[0], hapd, "TLS", "tls user", **tls_args)
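def int_eap_server_params():
    """Return hostapd parameters for a WPA2-EAP AP with the integrated EAP server.

    A fresh dict is built on every call, so callers may mutate the result
    (ssid, PAC keys, OCSP response, ...) without affecting each other.
    """
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "ca_cert": "auth_serv/ca.pem",
              "server_cert": "auth_serv/server.pem",
              "private_key": "auth_serv/server.key",
              "dh_file": "auth_serv/dh.conf"}
    # NOTE(review): original line 3875 is absent from the rendered page;
    # every caller in this file uses the return value, so it is restored.
    return params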
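def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
    """EAP-TLS and OCSP certificate signed OCSP response using key ID

    Skips unless the pre-generated OCSP response exists in the log
    directory; hostapd serves it as its stapled response.
    """
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-key-id.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], params)
    # NOTE(review): original line 3891 (the last connect keyword) is absent
    # from the rendered page; the sibling OCSP tests end this call with
    # scan_freq="2412", reused here -- confirm against upstream.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   scan_freq="2412")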
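def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (good)

    Skips unless the pre-generated OCSP response exists in the log
    directory; hostapd serves it as its stapled response.
    """
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], params)
    # NOTE(review): original line 3907 (the last connect keyword) is absent
    # from the rendered page; the sibling OCSP tests end this call with
    # scan_freq="2412", reused here -- confirm against upstream.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   scan_freq="2412")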
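def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (revoked)

    With a stapled response marking the server certificate revoked, the
    client must report the bad certificate status and the EAP exchange
    must end in EAP failure rather than a connection.
    """
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): original lines 3924-3925, 3927, 3930, 3932-3934 and
    # 3936 are absent from the rendered page.  The visible lines suggest a
    # loop that reads CTRL-EVENT-EAP-STATUS events until one mentions
    # 'bad certificate status response' or 'certificate revoked' and gives
    # up after too many other status messages; that shape is restored
    # here with a placeholder budget -- confirm against upstream.
    count = 0
    while True:
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
        if 'certificate revoked' in ev:
            break
        count += 1
        if count > _PLACEHOLDER_MAX_STATUS_EVENTS:
            raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:  # NOTE(review): guard (original line 3938) reconstructed
        raise Exception("Timeout on EAP failure report")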
3941 def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev
, apdev
, params
):
3942 """EAP-TLS and CA signed OCSP response (unknown)"""
3943 check_ocsp_support(dev
[0])
3944 check_pkcs12_support(dev
[0])
3945 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-unknown.der")
3946 if not os
.path
.exists(ocsp
):
3947 raise HwsimSkip("No OCSP response available")
3948 params
= int_eap_server_params()
3949 params
["ocsp_stapling_response"] = ocsp
3950 hostapd
.add_ap(apdev
[0], params
)
3951 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3952 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3953 private_key
="auth_serv/user.pkcs12",
3954 private_key_passwd
="whatever", ocsp
=2,
3955 wait_connect
=False, scan_freq
="2412")
3958 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3960 raise Exception("Timeout on EAP status")
3961 if 'bad certificate status response' in ev
:
3965 raise Exception("Unexpected number of EAP status messages")
3967 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3969 raise Exception("Timeout on EAP failure report")
3971 def test_ap_wpa2_eap_tls_ocsp_server_signed(dev
, apdev
, params
):
3972 """EAP-TLS and server signed OCSP response"""
3973 check_ocsp_support(dev
[0])
3974 check_pkcs12_support(dev
[0])
3975 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-server-signed.der")
3976 if not os
.path
.exists(ocsp
):
3977 raise HwsimSkip("No OCSP response available")
3978 params
= int_eap_server_params()
3979 params
["ocsp_stapling_response"] = ocsp
3980 hostapd
.add_ap(apdev
[0], params
)
3981 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3982 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3983 private_key
="auth_serv/user.pkcs12",
3984 private_key_passwd
="whatever", ocsp
=2,
3985 wait_connect
=False, scan_freq
="2412")
3988 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3990 raise Exception("Timeout on EAP status")
3991 if 'bad certificate status response' in ev
:
3995 raise Exception("Unexpected number of EAP status messages")
3997 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3999 raise Exception("Timeout on EAP failure report")
4001 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev
, apdev
):
4002 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
4003 check_ocsp_support(dev
[0])
4004 check_pkcs12_support(dev
[0])
4005 params
= int_eap_server_params()
4006 params
["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
4007 hostapd
.add_ap(apdev
[0], params
)
4008 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4009 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4010 private_key
="auth_serv/user.pkcs12",
4011 private_key_passwd
="whatever", ocsp
=2,
4012 wait_connect
=False, scan_freq
="2412")
4015 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4017 raise Exception("Timeout on EAP status")
4018 if 'bad certificate status response' in ev
:
4022 raise Exception("Unexpected number of EAP status messages")
4024 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4026 raise Exception("Timeout on EAP failure report")
4028 def test_ap_wpa2_eap_tls_ocsp_invalid(dev
, apdev
):
4029 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
4030 check_ocsp_support(dev
[0])
4031 check_pkcs12_support(dev
[0])
4032 params
= int_eap_server_params()
4033 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
4034 hostapd
.add_ap(apdev
[0], params
)
4035 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4036 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4037 private_key
="auth_serv/user.pkcs12",
4038 private_key_passwd
="whatever", ocsp
=2,
4039 wait_connect
=False, scan_freq
="2412")
4042 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4044 raise Exception("Timeout on EAP status")
4045 if 'bad certificate status response' in ev
:
4049 raise Exception("Unexpected number of EAP status messages")
4051 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4053 raise Exception("Timeout on EAP failure report")
4055 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev
, apdev
):
4056 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
4057 check_ocsp_support(dev
[0])
4058 check_pkcs12_support(dev
[0])
4059 params
= int_eap_server_params()
4060 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
4061 hostapd
.add_ap(apdev
[0], params
)
4062 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4063 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4064 private_key
="auth_serv/user.pkcs12",
4065 private_key_passwd
="whatever", ocsp
=2,
4066 wait_connect
=False, scan_freq
="2412")
4069 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4071 raise Exception("Timeout on EAP status")
4072 if 'bad certificate status response' in ev
:
4076 raise Exception("Unexpected number of EAP status messages")
4078 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4080 raise Exception("Timeout on EAP failure report")
4082 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev
, apdev
, params
):
4083 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
4084 check_ocsp_support(dev
[0])
4085 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-revoked.der")
4086 if not os
.path
.exists(ocsp
):
4087 raise HwsimSkip("No OCSP response available")
4088 params
= int_eap_server_params()
4089 params
["ocsp_stapling_response"] = ocsp
4090 hostapd
.add_ap(apdev
[0], params
)
4091 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4092 identity
="pap user", ca_cert
="auth_serv/ca.pem",
4093 anonymous_identity
="ttls", password
="password",
4094 phase2
="auth=PAP", ocsp
=2,
4095 wait_connect
=False, scan_freq
="2412")
4098 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4100 raise Exception("Timeout on EAP status")
4101 if 'bad certificate status response' in ev
:
4103 if 'certificate revoked' in ev
:
4107 raise Exception("Unexpected number of EAP status messages")
4109 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4111 raise Exception("Timeout on EAP failure report")
4113 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev
, apdev
, params
):
4114 """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown"""
# The stapled response (ocsp-server-cache-unknown.der) reports the server
# certificate status as 'unknown'. With ocsp=2 the client is expected to
# reject it: the test waits for a 'bad certificate status response' EAP
# status and then for EAP failure. Compare
# test_ap_wpa2_eap_ttls_optional_ocsp_unknown, which feeds the same response
# with ocsp=1 and expects the connection to complete.
4115 check_ocsp_support(dev
[0])
4116 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-unknown.der")
4117 if not os
.path
.exists(ocsp
):
4118 raise HwsimSkip("No OCSP response available")
# NOTE: the `params` argument (test parameters, used above for 'logdir') is
# rebound here to the AP configuration dict.
4119 params
= int_eap_server_params()
4120 params
["ocsp_stapling_response"] = ocsp
4121 hostapd
.add_ap(apdev
[0], params
)
# wait_connect=False: this is a negative test, the association is expected
# to fail rather than complete.
4122 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4123 identity
="pap user", ca_cert
="auth_serv/ca.pem",
4124 anonymous_identity
="ttls", password
="password",
4125 phase2
="auth=PAP", ocsp
=2,
4126 wait_connect
=False, scan_freq
="2412")
4129 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4131 raise Exception("Timeout on EAP status")
4132 if 'bad certificate status response' in ev
:
4136 raise Exception("Unexpected number of EAP status messages")
4138 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4140 raise Exception("Timeout on EAP failure report")
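def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS with optional OCSP and OCSP status unknown"""
    check_ocsp_support(dev[0])
    # Pre-generated stapled response whose status for the server certificate
    # is 'unknown'; skip rather than fail when the fixture was not produced.
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # NOTE: the `params` argument (test parameters, used above for 'logdir')
    # is rebound here to the AP configuration dict.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], params)
    # Same response as test_ap_wpa2_eap_ttls_ocsp_unknown, but with ocsp=1
    # (try OCSP stapling, do not require a usable response) the connection is
    # expected to complete: connect() is left with its default behaviour of
    # waiting for the association instead of wait_connect=False.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")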
4156 def test_ap_wpa2_eap_tls_intermediate_ca(dev
, apdev
, params
):
4157 """EAP-TLS with intermediate server/user CA"""
4158 params
= int_eap_server_params()
4159 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4160 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4161 params
["private_key"] = "auth_serv/iCA-server/server.key"
4162 hostapd
.add_ap(apdev
[0], params
)
4163 tls
= dev
[0].request("GET tls_library")
4164 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4165 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4166 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4168 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4169 client_cert
= "auth_serv/iCA-user/user.pem"
4170 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4171 identity
="tls user",
4173 client_cert
=client_cert
,
4174 private_key
="auth_serv/iCA-user/user.key",
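def root_ocsp(cert):
    """Build an OCSP response for *cert* signed directly by the root CA.

    Two ``openssl ocsp`` invocations are used. The first writes an OCSP
    request for *cert* (issuer auth_serv/ca.pem, SHA-256 CertID hash, no
    nonce) to a temporary file. The second answers that request from the root
    CA's index file, signs the response with the root CA key, leaves the
    signer certificate out of the response (``-resp_no_certs``) and sets a
    7-day validity window (``-ndays 7``).

    Returns the path of a temporary file holding the response (``-respout``
    writes DER). The caller is responsible for that file; the temporary
    request file is always removed here. Raises Exception when either openssl
    run exits non-zero, with the captured stdout/stderr in the message.
    """
    ca = "auth_serv/ca.pem"

    def run_openssl(arg):
        """Run one openssl command and return its stdout+stderr as text."""
        cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE)
        # communicate() drains both pipes concurrently and reaps the child.
        # Reading stdout to EOF before stderr can deadlock when openssl fills
        # the stderr pipe first, and returncode is only valid after the child
        # has been waited for.
        out, err = cmd.communicate()
        # The pipes yield bytes on Python 3 (the previous version concatenated
        # them with str and would raise TypeError there). The text is only
        # logged / put into the exception, so tolerate undecodable bytes.
        res = out.decode(errors="replace") + "\n" + err.decode(errors="replace")
        if cmd.returncode != 0:
            raise Exception("bad return code from openssl ocsp\n\n" + res)
        return res

    # mkstemp() hands back an open descriptor; close it so openssl owns the
    # file and nothing is leaked if an exception follows.
    fd2, fn2 = tempfile.mkstemp()
    os.close(fd2)
    try:
        # No nonce: the response is pre-generated and stapled by hostapd for
        # any client, so it cannot be bound to a per-request nonce.
        arg = ["openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-sha256",
               "-cert", cert, "-no_nonce", "-text"]
        logger.info(' '.join(arg))
        res = run_openssl(arg)
        logger.info("OCSP request:\n" + res)

        fd, fn = tempfile.mkstemp()
        os.close(fd)
        try:
            # Responder: status comes from the root CA index, the response is
            # signed with the root CA key and verified against the same CA.
            arg = ["openssl", "ocsp", "-index", "auth_serv/rootCA/index.txt",
                   "-rsigner", ca, "-rkey", "auth_serv/ca-key.pem",
                   "-CA", ca, "-issuer", ca, "-verify_other", ca,
                   "-trust_other", "-ndays", "7", "-reqin", fn2,
                   "-resp_no_certs", "-respout", fn, "-text"]
            logger.info(' '.join(arg))
            res = run_openssl(arg)
            logger.info("OCSP response:\n" + res)
        except Exception:
            # Do not leave a partial response file behind on failure.
            os.unlink(fn)
            raise
    finally:
        os.unlink(fn2)
    return fn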
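def ica_ocsp(cert, md="-sha256"):
    """Build an OCSP response for *cert* signed by the intermediate CA.

    *cert* is a file name relative to auth_serv/iCA-server/ (for example
    "server.pem" or "server-revoked.pem"). *md* is the openssl digest option
    used for the CertID in the OCSP request ("-sha256" by default, "-sha1" in
    the legacy-hash tests); it is not passed to the responder command, so it
    does not select the response signature algorithm.

    As in root_ocsp(): one ``openssl ocsp`` run writes the request (no nonce),
    a second answers it from the intermediate CA's index file, signed with
    the intermediate CA key, with the signer certificate left out of the
    response (``-resp_no_certs``) and a 7-day validity window.

    Returns the path of a temporary file holding the response (``-respout``
    writes DER). The caller is responsible for that file; the temporary
    request file is always removed here. Raises Exception when either openssl
    run exits non-zero, with the captured stdout/stderr in the message.
    """
    prefix = "auth_serv/iCA-server/"
    ca = prefix + "cacert.pem"
    cert = prefix + cert

    def run_openssl(arg):
        """Run one openssl command and return its stdout+stderr as text."""
        cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE)
        # communicate() drains both pipes concurrently and reaps the child;
        # reading stdout to EOF before stderr can deadlock when openssl fills
        # the stderr pipe first.
        out, err = cmd.communicate()
        # Output is only logged / put into the exception text, so tolerate
        # undecodable bytes instead of failing on them.
        res = out.decode(errors="replace") + "\n" + err.decode(errors="replace")
        if cmd.returncode != 0:
            raise Exception("bad return code from openssl ocsp\n\n" + res)
        return res

    # mkstemp() hands back an open descriptor; close it so openssl owns the
    # file and nothing is leaked if an exception follows.
    fd2, fn2 = tempfile.mkstemp()
    os.close(fd2)
    try:
        # No nonce: the response is pre-generated and stapled by hostapd for
        # any client, so it cannot be bound to a per-request nonce.
        arg = ["openssl", "ocsp", "-reqout", fn2, "-issuer", ca, md,
               "-cert", cert, "-no_nonce", "-text"]
        logger.info(' '.join(arg))
        res = run_openssl(arg)
        logger.info("OCSP request:\n" + res)

        fd, fn = tempfile.mkstemp()
        os.close(fd)
        try:
            # Responder: status comes from the intermediate CA index, the
            # response is signed with the intermediate CA key and verified
            # against the same CA.
            arg = ["openssl", "ocsp", "-index", prefix + "index.txt",
                   "-rsigner", ca, "-rkey", prefix + "private/cakey.pem",
                   "-CA", ca, "-issuer", ca, "-verify_other", ca,
                   "-trust_other", "-ndays", "7", "-reqin", fn2,
                   "-resp_no_certs", "-respout", fn, "-text"]
            logger.info(' '.join(arg))
            res = run_openssl(arg)
            logger.info("OCSP response:\n" + res)
        except Exception:
            # Do not leave a partial response file behind on failure.
            os.unlink(fn)
            raise
    finally:
        os.unlink(fn2)
    return fn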
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on server certificate"""
    # Digest option handed to ica_ocsp() for the OCSP CertID; the SHA-1
    # variant of this scenario is
    # test_ap_wpa2_eap_tls_intermediate_ca_ocsp_sha1.
    digest = "-sha256"
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, digest)
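def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_sha1(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on server certificate (SHA1)"""
    # Same scenario as test_ap_wpa2_eap_tls_intermediate_ca_ocsp, but the
    # OCSP request identifies the certificate with a SHA-1 CertID. Only the
    # request digest changes (ica_ocsp() passes md to the request command,
    # not to the responder), so this checks that the client still matches a
    # stapled response that uses the legacy hash for the CertID.
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, "-sha1")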
4262 def run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev
, apdev
, params
, md
):
4263 params
= int_eap_server_params()
4264 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4265 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4266 params
["private_key"] = "auth_serv/iCA-server/server.key"
4267 fn
= ica_ocsp("server.pem", md
)
4268 params
["ocsp_stapling_response"] = fn
4270 hostapd
.add_ap(apdev
[0], params
)
4271 tls
= dev
[0].request("GET tls_library")
4272 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4273 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4274 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4276 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4277 client_cert
= "auth_serv/iCA-user/user.pem"
4278 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4279 identity
="tls user",
4281 client_cert
=client_cert
,
4282 private_key
="auth_serv/iCA-user/user.key",
4283 scan_freq
="2412", ocsp
=2)
4287 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
):
4288 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate"""
4289 run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
,
4292 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked_sha1(dev
, apdev
, params
):
4293 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate (SHA1)"""
4294 run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
,
4297 def run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
, md
):
4298 check_ocsp_support(dev
[0])
4299 params
= int_eap_server_params()
4300 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4301 params
["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
4302 params
["private_key"] = "auth_serv/iCA-server/server-revoked.key"
4303 fn
= ica_ocsp("server-revoked.pem", md
)
4304 params
["ocsp_stapling_response"] = fn
4306 hostapd
.add_ap(apdev
[0], params
)
4307 tls
= dev
[0].request("GET tls_library")
4308 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4309 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4310 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4312 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4313 client_cert
= "auth_serv/iCA-user/user.pem"
4314 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4315 identity
="tls user",
4317 client_cert
=client_cert
,
4318 private_key
="auth_serv/iCA-user/user.key",
4319 scan_freq
="2412", ocsp
=1, wait_connect
=False)
4322 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4323 "CTRL-EVENT-EAP-SUCCESS"])
4325 raise Exception("Timeout on EAP status")
4326 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4327 raise Exception("Unexpected EAP-Success")
4328 if 'bad certificate status response' in ev
:
4330 if 'certificate revoked' in ev
:
4334 raise Exception("Unexpected number of EAP status messages")
4336 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4338 raise Exception("Timeout on EAP failure report")
4339 dev
[0].request("REMOVE_NETWORK all")
4340 dev
[0].wait_disconnected()
4344 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev
, apdev
, params
):
4345 """EAP-TLS with intermediate server/user CA and OCSP multi missing response"""
4346 check_ocsp_support(dev
[0])
4347 check_ocsp_multi_support(dev
[0])
4349 params
= int_eap_server_params()
4350 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4351 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4352 params
["private_key"] = "auth_serv/iCA-server/server.key"
4353 fn
= ica_ocsp("server.pem")
4354 params
["ocsp_stapling_response"] = fn
4356 hostapd
.add_ap(apdev
[0], params
)
4357 tls
= dev
[0].request("GET tls_library")
4358 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4359 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4360 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4362 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4363 client_cert
= "auth_serv/iCA-user/user.pem"
4364 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4365 identity
="tls user",
4367 client_cert
=client_cert
,
4368 private_key
="auth_serv/iCA-user/user.key",
4369 scan_freq
="2412", ocsp
=3, wait_connect
=False)
4372 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4373 "CTRL-EVENT-EAP-SUCCESS"])
4375 raise Exception("Timeout on EAP status")
4376 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4377 raise Exception("Unexpected EAP-Success")
4378 if 'bad certificate status response' in ev
:
4380 if 'certificate revoked' in ev
:
4384 raise Exception("Unexpected number of EAP status messages")
4386 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4388 raise Exception("Timeout on EAP failure report")
4389 dev
[0].request("REMOVE_NETWORK all")
4390 dev
[0].wait_disconnected()
4394 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev
, apdev
, params
):
4395 """EAP-TLS with intermediate server/user CA and OCSP multi OK"""
4396 check_ocsp_support(dev
[0])
4397 check_ocsp_multi_support(dev
[0])
4399 params
= int_eap_server_params()
4400 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4401 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4402 params
["private_key"] = "auth_serv/iCA-server/server.key"
4403 fn
= ica_ocsp("server.pem")
4404 fn2
= root_ocsp("auth_serv/iCA-server/cacert.pem")
4405 params
["ocsp_stapling_response"] = fn
4407 with
open(fn
, "r") as f
:
4408 resp_server
= f
.read()
4409 with
open(fn2
, "r") as f
:
4412 fd3
, fn3
= tempfile
.mkstemp()
4414 f
= os
.fdopen(fd3
, 'w')
4415 f
.write(struct
.pack(">L", len(resp_server
))[1:4])
4416 f
.write(resp_server
)
4417 f
.write(struct
.pack(">L", len(resp_ica
))[1:4])
4421 params
["ocsp_stapling_response_multi"] = fn3
4423 hostapd
.add_ap(apdev
[0], params
)
4424 tls
= dev
[0].request("GET tls_library")
4425 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4426 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4427 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4429 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4430 client_cert
= "auth_serv/iCA-user/user.pem"
4431 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4432 identity
="tls user",
4434 client_cert
=client_cert
,
4435 private_key
="auth_serv/iCA-user/user.key",
4436 scan_freq
="2412", ocsp
=3)
4437 dev
[0].request("REMOVE_NETWORK all")
4438 dev
[0].wait_disconnected()
4444 def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev
, apdev
, params
):
4445 """EAP-TLS and CA signed OCSP multi response (revoked)"""
4446 check_ocsp_support(dev
[0])
4447 check_ocsp_multi_support(dev
[0])
4448 check_pkcs12_support(dev
[0])
# Both pre-generated responses are CA signed; one reports the server
# certificate as revoked, the other as unknown. Skip when either fixture is
# missing.
4450 ocsp_revoked
= os
.path
.join(params
['logdir'],
4451 "ocsp-resp-ca-signed-revoked.der")
4452 if not os
.path
.exists(ocsp_revoked
):
4453 raise HwsimSkip("No OCSP response (revoked) available")
4454 ocsp_unknown
= os
.path
.join(params
['logdir'],
4455 "ocsp-resp-ca-signed-unknown.der")
4456 if not os
.path
.exists(ocsp_unknown
):
4457 raise HwsimSkip("No OCSP response(unknown) available")
# NOTE(review): the .der files are binary but are opened in text mode ("r")
# and the combined file below is opened with 'w'. That works on Python 2
# (str is bytes), but on Python 3 reading DER as text can raise
# UnicodeDecodeError and writing the struct.pack() bytes to a text-mode file
# raises TypeError. These should be "rb" / "wb".
4459 with
open(ocsp_revoked
, "r") as f
:
4460 resp_revoked
= f
.read()
4461 with
open(ocsp_unknown
, "r") as f
:
4462 resp_unknown
= f
.read()
# Temporary file for the hand-built multi-response; the descriptor from
# mkstemp() is reused via os.fdopen() below.
4464 fd
, fn
= tempfile
.mkstemp()
4466 # This is not really a valid order of the OCSPResponse items in the
4467 # list, but this works for now to verify parsing and processing of
4468 # multiple responses.
# Wire format written here: each item is a 3-byte big-endian length
# (struct.pack(">L", n)[1:4]) followed by that many bytes of DER response.
# The sequence is unknown, revoked, a zero-length item, unknown again.
4469 f
= os
.fdopen(fd
, 'w')
4470 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
4471 f
.write(resp_unknown
)
4472 f
.write(struct
.pack(">L", len(resp_revoked
))[1:4])
4473 f
.write(resp_revoked
)
4474 f
.write(struct
.pack(">L", 0)[1:4])
4475 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
4476 f
.write(resp_unknown
)
4479 params
= int_eap_server_params()
4480 params
["ocsp_stapling_response_multi"] = fn
4481 hostapd
.add_ap(apdev
[0], params
)
# ocsp=1 makes stapling optional, yet a stapled response that says the
# server certificate is revoked must still abort authentication: the
# EAP-Success check below catches a client that ignores the revoked status
# just because OCSP was not required.
4482 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4483 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4484 private_key
="auth_serv/user.pkcs12",
4485 private_key_passwd
="whatever", ocsp
=1,
4486 wait_connect
=False, scan_freq
="2412")
4489 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4490 "CTRL-EVENT-EAP-SUCCESS"])
4492 raise Exception("Timeout on EAP status")
4493 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4494 raise Exception("Unexpected EAP-Success")
4495 if 'bad certificate status response' in ev
:
4497 if 'certificate revoked' in ev
:
4501 raise Exception("Unexpected number of EAP status messages")
4505 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev
, apdev
):
4506 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
4507 check_domain_match_full(dev
[0])
4508 check_pkcs12_support(dev
[0])
4509 params
= int_eap_server_params()
4510 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4511 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4512 hostapd
.add_ap(apdev
[0], params
)
4513 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4514 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4515 private_key
="auth_serv/user.pkcs12",
4516 private_key_passwd
="whatever",
4517 domain_suffix_match
="server3.w1.fi",
4520 def test_ap_wpa2_eap_tls_domain_match_cn(dev
, apdev
):
4521 """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
4522 check_domain_match(dev
[0])
4523 check_pkcs12_support(dev
[0])
4524 params
= int_eap_server_params()
4525 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4526 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4527 hostapd
.add_ap(apdev
[0], params
)
4528 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4529 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4530 private_key
="auth_serv/user.pkcs12",
4531 private_key_passwd
="whatever",
4532 domain_match
="server3.w1.fi",
4535 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev
, apdev
):
4536 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
4537 check_domain_match_full(dev
[0])
4538 check_pkcs12_support(dev
[0])
4539 params
= int_eap_server_params()
4540 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4541 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4542 hostapd
.add_ap(apdev
[0], params
)
4543 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4544 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4545 private_key
="auth_serv/user.pkcs12",
4546 private_key_passwd
="whatever",
4547 domain_suffix_match
="w1.fi",
4550 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev
, apdev
):
4551 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
4552 check_domain_suffix_match(dev
[0])
4553 check_pkcs12_support(dev
[0])
4554 params
= int_eap_server_params()
4555 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4556 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4557 hostapd
.add_ap(apdev
[0], params
)
4558 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4559 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4560 private_key
="auth_serv/user.pkcs12",
4561 private_key_passwd
="whatever",
4562 domain_suffix_match
="example.com",
4565 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4566 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4567 private_key
="auth_serv/user.pkcs12",
4568 private_key_passwd
="whatever",
4569 domain_suffix_match
="erver3.w1.fi",
4572 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4574 raise Exception("Timeout on EAP failure report")
4575 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4577 raise Exception("Timeout on EAP failure report (2)")
4579 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev
, apdev
):
4580 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
4581 check_domain_match(dev
[0])
4582 check_pkcs12_support(dev
[0])
4583 params
= int_eap_server_params()
4584 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4585 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4586 hostapd
.add_ap(apdev
[0], params
)
4587 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4588 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4589 private_key
="auth_serv/user.pkcs12",
4590 private_key_passwd
="whatever",
4591 domain_match
="example.com",
4594 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4595 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4596 private_key
="auth_serv/user.pkcs12",
4597 private_key_passwd
="whatever",
4598 domain_match
="w1.fi",
4601 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4603 raise Exception("Timeout on EAP failure report")
4604 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4606 raise Exception("Timeout on EAP failure report (2)")
4608 def test_ap_wpa2_eap_ttls_expired_cert(dev
, apdev
):
4609 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
4610 skip_with_fips(dev
[0])
4611 params
= int_eap_server_params()
4612 params
["server_cert"] = "auth_serv/server-expired.pem"
4613 params
["private_key"] = "auth_serv/server-expired.key"
4614 hostapd
.add_ap(apdev
[0], params
)
4615 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4616 identity
="mschap user", password
="password",
4617 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4620 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
4622 raise Exception("Timeout on EAP certificate error report")
4623 if "reason=4" not in ev
or "certificate has expired" not in ev
:
4624 raise Exception("Unexpected failure reason: " + ev
)
4625 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4627 raise Exception("Timeout on EAP failure report")
4629 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev
, apdev
):
4630 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
4631 skip_with_fips(dev
[0])
4632 params
= int_eap_server_params()
4633 params
["server_cert"] = "auth_serv/server-expired.pem"
4634 params
["private_key"] = "auth_serv/server-expired.key"
4635 hostapd
.add_ap(apdev
[0], params
)
4636 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4637 identity
="mschap user", password
="password",
4638 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4639 phase1
="tls_disable_time_checks=1",
4642 def test_ap_wpa2_eap_ttls_long_duration(dev
, apdev
):
4643 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
4644 skip_with_fips(dev
[0])
4645 params
= int_eap_server_params()
4646 params
["server_cert"] = "auth_serv/server-long-duration.pem"
4647 params
["private_key"] = "auth_serv/server-long-duration.key"
4648 hostapd
.add_ap(apdev
[0], params
)
4649 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4650 identity
="mschap user", password
="password",
4651 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4654 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev
, apdev
):
4655 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
4656 skip_with_fips(dev
[0])
4657 params
= int_eap_server_params()
4658 params
["server_cert"] = "auth_serv/server-eku-client.pem"
4659 params
["private_key"] = "auth_serv/server-eku-client.key"
4660 hostapd
.add_ap(apdev
[0], params
)
4661 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4662 identity
="mschap user", password
="password",
4663 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4666 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4668 raise Exception("Timeout on EAP failure report")
4670 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev
, apdev
):
4671 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
4672 skip_with_fips(dev
[0])
4673 params
= int_eap_server_params()
4674 params
["server_cert"] = "auth_serv/server-eku-client-server.pem"
4675 params
["private_key"] = "auth_serv/server-eku-client-server.key"
4676 hostapd
.add_ap(apdev
[0], params
)
4677 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4678 identity
="mschap user", password
="password",
4679 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4682 def test_ap_wpa2_eap_ttls_server_pkcs12(dev
, apdev
):
4683 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
4684 skip_with_fips(dev
[0])
4685 params
= int_eap_server_params()
4686 del params
["server_cert"]
4687 params
["private_key"] = "auth_serv/server.pkcs12"
4688 hostapd
.add_ap(apdev
[0], params
)
4689 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4690 identity
="mschap user", password
="password",
4691 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4694 def test_ap_wpa2_eap_ttls_server_pkcs12_extra(dev
, apdev
):
4695 """EAP-TTLS and server PKCS#12 file with extra certs"""
4696 skip_with_fips(dev
[0])
4697 params
= int_eap_server_params()
4698 del params
["server_cert"]
4699 params
["private_key"] = "auth_serv/server-extra.pkcs12"
4700 params
["private_key_passwd"] = "whatever"
4701 hostapd
.add_ap(apdev
[0], params
)
4702 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4703 identity
="mschap user", password
="password",
4704 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
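def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Client-side dh_file points the supplicant's TLS library at a DH
    # parameter file; the inner method is PAP (the docstring previously said
    # CHAP, which did not match phase2="auth=PAP").
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="auth_serv/dh.conf")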
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
    # check_dh_dsa_support() presumably skips the test when the client's TLS
    # library cannot use DSA parameters as DH input — its body is not shown
    # here.
    check_dh_dsa_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same TTLS/PAP profile as test_ap_wpa2_eap_ttls_dh_params, but the
    # client dh_file is a DSA parameter file.
    ttls_opts = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                     dh_file="auth_serv/dsaparam.pem")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **ttls_opts)
4726 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev
, apdev
):
4727 """EAP-TTLS and DH params file not found"""
4728 skip_with_fips(dev
[0])
4729 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4730 hostapd
.add_ap(apdev
[0], params
)
4731 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4732 identity
="mschap user", password
="password",
4733 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4734 dh_file
="auth_serv/dh-no-such-file.conf",
4735 scan_freq
="2412", wait_connect
=False)
4736 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4738 raise Exception("EAP failure timed out")
4739 dev
[0].request("REMOVE_NETWORK all")
4740 dev
[0].wait_disconnected()
4742 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev
, apdev
):
4743 """EAP-TTLS and invalid DH params file"""
4744 skip_with_fips(dev
[0])
4745 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4746 hostapd
.add_ap(apdev
[0], params
)
4747 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4748 identity
="mschap user", password
="password",
4749 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4750 dh_file
="auth_serv/ca.pem",
4751 scan_freq
="2412", wait_connect
=False)
4752 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4754 raise Exception("EAP failure timed out")
4755 dev
[0].request("REMOVE_NETWORK all")
4756 dev
[0].wait_disconnected()
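def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params from blob"""
    import binascii

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    dh = read_pem("auth_serv/dh2.conf")
    # The blob is handed to wpa_supplicant as a hex string. str.encode("hex")
    # only exists on Python 2 (it raises LookupError on Python 3), so use
    # binascii.hexlify() on the raw bytes instead. read_pem()'s return type is
    # not visible here; a text value is encoded first so both bytes and str
    # work.
    if not isinstance(dh, bytes):
        dh = dh.encode()
    dh_hex = binascii.hexlify(dh).decode()
    if "OK" not in dev[0].request("SET blob dhparams " + dh_hex):
        raise Exception("Could not set dhparams blob")
    # blob:// makes the client load the DH parameters from the blob set
    # above rather than from a file.
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="blob://dhparams")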
4770 def test_ap_wpa2_eap_ttls_dh_params_server(dev
, apdev
):
4771 """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
4772 params
= int_eap_server_params()
4773 params
["dh_file"] = "auth_serv/dh2.conf"
4774 hapd
= hostapd
.add_ap(apdev
[0], params
)
4775 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
4776 anonymous_identity
="ttls", password
="password",
4777 ca_cert
="auth_serv/ca.der", phase2
="auth=PAP")
4779 def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev
, apdev
):
4780 """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
4781 params
= int_eap_server_params()
4782 params
["dh_file"] = "auth_serv/dsaparam.pem"
4783 hapd
= hostapd
.add_ap(apdev
[0], params
)
4784 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
4785 anonymous_identity
="ttls", password
="password",
4786 ca_cert
="auth_serv/ca.der", phase2
="auth=PAP")
4788 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev
, apdev
):
4789 """EAP-TLS server and dhparams file not found"""
4790 params
= int_eap_server_params()
4791 params
["dh_file"] = "auth_serv/dh-no-such-file.conf"
4792 hapd
= hostapd
.add_ap(apdev
[0], params
, no_enable
=True)
4793 if "FAIL" not in hapd
.request("ENABLE"):
4794 raise Exception("Invalid configuration accepted")
4796 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev
, apdev
):
4797 """EAP-TLS server and invalid dhparams file"""
4798 params
= int_eap_server_params()
4799 params
["dh_file"] = "auth_serv/ca.pem"
4800 hapd
= hostapd
.add_ap(apdev
[0], params
, no_enable
=True)
4801 if "FAIL" not in hapd
.request("ENABLE"):
4802 raise Exception("Invalid configuration accepted")
4804 def test_ap_wpa2_eap_reauth(dev
, apdev
):
4805 """WPA2-Enterprise and Authenticator forcing reauthentication"""
4806 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4807 params
['eap_reauth_period'] = '2'
4808 hapd
= hostapd
.add_ap(apdev
[0], params
)
4809 eap_connect(dev
[0], hapd
, "PAX", "pax.user@example.com",
4810 password_hex
="0123456789abcdef0123456789abcdef")
4811 logger
.info("Wait for reauthentication")
4812 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
4814 raise Exception("Timeout on reauthentication")
4815 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
4817 raise Exception("Timeout on reauthentication")
4818 for i
in range(0, 20):
4819 state
= dev
[0].get_status_field("wpa_state")
4820 if state
== "COMPLETED":
4823 if state
!= "COMPLETED":
4824 raise Exception("Reauthentication did not complete")
4826 def test_ap_wpa2_eap_request_identity_message(dev
, apdev
):
4827 """Optional displayable message in EAP Request-Identity"""
4828 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4829 params
['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
4830 hapd
= hostapd
.add_ap(apdev
[0], params
)
4831 eap_connect(dev
[0], hapd
, "PAX", "pax.user@example.com",
4832 password_hex
="0123456789abcdef0123456789abcdef")
4834 def test_ap_wpa2_eap_sim_aka_result_ind(dev
, apdev
):
4835 """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
4836 check_hlr_auc_gw_support()
4837 params
= int_eap_server_params()
4838 params
['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
4839 params
['eap_sim_aka_result_ind'] = "1"
4840 hapd
= hostapd
.add_ap(apdev
[0], params
)
4842 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
4843 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4844 phase1
="result_ind=1")
4845 eap_reauth(dev
[0], "SIM")
4846 eap_connect(dev
[1], hapd
, "SIM", "1232010000000000",
4847 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
4849 dev
[0].request("REMOVE_NETWORK all")
4850 dev
[1].request("REMOVE_NETWORK all")
4852 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
4853 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
4854 phase1
="result_ind=1")
4855 eap_reauth(dev
[0], "AKA")
4856 eap_connect(dev
[1], hapd
, "AKA", "0232010000000000",
4857 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
4859 dev
[0].request("REMOVE_NETWORK all")
4860 dev
[1].request("REMOVE_NETWORK all")
4862 eap_connect(dev
[0], hapd
, "AKA'", "6555444333222111",
4863 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
4864 phase1
="result_ind=1")
4865 eap_reauth(dev
[0], "AKA'")
4866 eap_connect(dev
[1], hapd
, "AKA'", "6555444333222111",
4867 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
4869 def test_ap_wpa2_eap_sim_zero_db_timeout(dev
, apdev
):
4870 """WPA2-Enterprise using EAP-SIM with zero database timeout"""
4871 check_hlr_auc_gw_support()
4872 params
= int_eap_server_params()
4873 params
['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
4874 params
['eap_sim_db_timeout'] = "0"
4875 params
['disable_pmksa_caching'] = '1'
4876 hapd
= hostapd
.add_ap(apdev
[0], params
)
4878 # Run multiple iterations to make it more likely to hit the case where the
4879 # DB request times out and response is lost.
4881 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
4882 identity
="1232010000000000",
4883 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4884 wait_connect
=False, scan_freq
="2412")
4885 ev
= dev
[0].wait_event([ "CTRL-EVENT-CONNECTED",
4886 "CTRL-EVENT-DISCONNECTED" ],
4889 raise Exception("No connection result")
4890 dev
[0].request("REMOVE_NETWORK all")
4891 if "CTRL-EVENT-DISCONNECTED" in ev
:
4893 dev
[0].wait_disconnected()
4896 def test_ap_wpa2_eap_too_many_roundtrips(dev
, apdev
):
4897 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
4898 skip_with_fips(dev
[0])
4899 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4900 hostapd
.add_ap(apdev
[0], params
)
4901 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
4902 eap
="TTLS", identity
="mschap user",
4903 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
4904 anonymous_identity
="ttls", password
="password",
4905 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4907 ev
= dev
[0].wait_event(["EAP: more than",
4908 "CTRL-EVENT-EAP-SUCCESS"], timeout
=20)
4909 if ev
is None or "EAP: more than" not in ev
:
4910 raise Exception("EAP roundtrip limit not reached")
4912 def test_ap_wpa2_eap_expanded_nak(dev
, apdev
):
4913 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
4914 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4915 hostapd
.add_ap(apdev
[0], params
)
4916 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
4917 eap
="PSK", identity
="vendor-test",
4918 password_hex
="ff23456789abcdef0123456789abcdef",
4922 for i
in range(0, 5):
4923 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout
=16)
4925 raise Exception("Association and EAP start timed out")
4926 if "refuse proposed method" in ev
:
4930 raise Exception("Unexpected EAP status: " + ev
)
4932 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4934 raise Exception("EAP failure timed out")
4936 def test_ap_wpa2_eap_sql(dev
, apdev
, params
):
4937 """WPA2-Enterprise connection using SQLite for user DB"""
4938 skip_with_fips(dev
[0])
4942 raise HwsimSkip("No sqlite3 module available")
4943 dbfile
= os
.path
.join(params
['logdir'], "eap-user.db")
4948 con
= sqlite3
.connect(dbfile
)
4951 cur
.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
4952 cur
.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
4953 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
4954 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
4955 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
4956 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
4957 cur
.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
4958 cur
.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
4961 params
= int_eap_server_params()
4962 params
["eap_user_file"] = "sqlite:" + dbfile
4963 hapd
= hostapd
.add_ap(apdev
[0], params
)
4964 eap_connect(dev
[0], hapd
, "TTLS", "user-mschapv2",
4965 anonymous_identity
="ttls", password
="password",
4966 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
4967 dev
[0].request("REMOVE_NETWORK all")
4968 eap_connect(dev
[1], hapd
, "TTLS", "user-mschap",
4969 anonymous_identity
="ttls", password
="password",
4970 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP")
4971 dev
[1].request("REMOVE_NETWORK all")
4972 eap_connect(dev
[0], hapd
, "TTLS", "user-chap",
4973 anonymous_identity
="ttls", password
="password",
4974 ca_cert
="auth_serv/ca.pem", phase2
="auth=CHAP")
4975 eap_connect(dev
[1], hapd
, "TTLS", "user-pap",
4976 anonymous_identity
="ttls", password
="password",
4977 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
4981 def test_ap_wpa2_eap_non_ascii_identity(dev
, apdev
):
4982 """WPA2-Enterprise connection attempt using non-ASCII identity"""
4983 params
= int_eap_server_params()
4984 hostapd
.add_ap(apdev
[0], params
)
4985 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4986 identity
="\x80", password
="password", wait_connect
=False)
4987 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4988 identity
="a\x80", password
="password", wait_connect
=False)
4989 for i
in range(0, 2):
4990 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
4992 raise Exception("Association and EAP start timed out")
4993 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
4995 raise Exception("EAP method selection timed out")
4997 def test_ap_wpa2_eap_non_ascii_identity2(dev
, apdev
):
4998 """WPA2-Enterprise connection attempt using non-ASCII identity"""
4999 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5000 hostapd
.add_ap(apdev
[0], params
)
5001 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
5002 identity
="\x80", password
="password", wait_connect
=False)
5003 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
5004 identity
="a\x80", password
="password", wait_connect
=False)
5005 for i
in range(0, 2):
5006 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
5008 raise Exception("Association and EAP start timed out")
5009 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
5011 raise Exception("EAP method selection timed out")
5013 def test_openssl_cipher_suite_config_wpas(dev
, apdev
):
5014 """OpenSSL cipher suite configuration on wpa_supplicant"""
5015 tls
= dev
[0].request("GET tls_library")
5016 if not tls
.startswith("OpenSSL"):
5017 raise HwsimSkip("TLS library is not OpenSSL: " + tls
)
5018 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5019 hapd
= hostapd
.add_ap(apdev
[0], params
)
5020 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5021 anonymous_identity
="ttls", password
="password",
5022 openssl_ciphers
="AES128",
5023 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5024 eap_connect(dev
[1], hapd
, "TTLS", "pap user",
5025 anonymous_identity
="ttls", password
="password",
5026 openssl_ciphers
="EXPORT",
5027 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
5028 expect_failure
=True, maybe_local_error
=True)
5029 dev
[2].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
5030 identity
="pap user", anonymous_identity
="ttls",
5031 password
="password",
5032 openssl_ciphers
="FOO",
5033 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
5035 ev
= dev
[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
5037 raise Exception("EAP failure after invalid openssl_ciphers not reported")
5038 dev
[2].request("DISCONNECT")
5040 def test_openssl_cipher_suite_config_hapd(dev
, apdev
):
5041 """OpenSSL cipher suite configuration on hostapd"""
5042 tls
= dev
[0].request("GET tls_library")
5043 if not tls
.startswith("OpenSSL"):
5044 raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls
)
5045 params
= int_eap_server_params()
5046 params
['openssl_ciphers'] = "AES256"
5047 hapd
= hostapd
.add_ap(apdev
[0], params
)
5048 tls
= hapd
.request("GET tls_library")
5049 if not tls
.startswith("OpenSSL"):
5050 raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls
)
5051 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5052 anonymous_identity
="ttls", password
="password",
5053 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5054 eap_connect(dev
[1], hapd
, "TTLS", "pap user",
5055 anonymous_identity
="ttls", password
="password",
5056 openssl_ciphers
="AES128",
5057 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
5058 expect_failure
=True)
5059 eap_connect(dev
[2], hapd
, "TTLS", "pap user",
5060 anonymous_identity
="ttls", password
="password",
5061 openssl_ciphers
="HIGH:!ADH",
5062 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5064 params
['openssl_ciphers'] = "FOO"
5065 hapd2
= hostapd
.add_ap(apdev
[1], params
, no_enable
=True)
5066 if "FAIL" not in hapd2
.request("ENABLE"):
5067 if "run=OpenSSL 1.1.1" in tls
:
5068 logger
.info("Ignore acceptance of an invalid openssl_ciphers value with OpenSSL 1.1.1")
5070 raise Exception("Invalid openssl_ciphers value accepted")
5072 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev
, apdev
, params
):
5073 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
5074 p
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5075 hapd
= hostapd
.add_ap(apdev
[0], p
)
5076 password
= "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
5077 pid
= find_wpas_process(dev
[0])
5078 id = eap_connect(dev
[0], hapd
, "TTLS", "pap-secret",
5079 anonymous_identity
="ttls", password
=password
,
5080 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5081 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
5082 # event has been delivered, so verify that wpa_supplicant has returned to
5083 # eloop before reading process memory.
5086 buf
= read_process_memory(pid
, password
)
5088 dev
[0].request("DISCONNECT")
5089 dev
[0].wait_disconnected()
5097 with
open(os
.path
.join(params
['logdir'], 'log0'), 'r') as f
:
5098 for l
in f
.readlines():
5099 if "EAP-TTLS: Derived key - hexdump" in l
:
5100 val
= l
.strip().split(':')[3].replace(' ', '')
5101 msk
= binascii
.unhexlify(val
)
5102 if "EAP-TTLS: Derived EMSK - hexdump" in l
:
5103 val
= l
.strip().split(':')[3].replace(' ', '')
5104 emsk
= binascii
.unhexlify(val
)
5105 if "WPA: PMK - hexdump" in l
:
5106 val
= l
.strip().split(':')[3].replace(' ', '')
5107 pmk
= binascii
.unhexlify(val
)
5108 if "WPA: PTK - hexdump" in l
:
5109 val
= l
.strip().split(':')[3].replace(' ', '')
5110 ptk
= binascii
.unhexlify(val
)
5111 if "WPA: Group Key - hexdump" in l
:
5112 val
= l
.strip().split(':')[3].replace(' ', '')
5113 gtk
= binascii
.unhexlify(val
)
5114 if not msk
or not emsk
or not pmk
or not ptk
or not gtk
:
5115 raise Exception("Could not find keys from debug log")
5117 raise Exception("Unexpected GTK length")
5123 fname
= os
.path
.join(params
['logdir'],
5124 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
5126 logger
.info("Checking keys in memory while associated")
5127 get_key_locations(buf
, password
, "Password")
5128 get_key_locations(buf
, pmk
, "PMK")
5129 get_key_locations(buf
, msk
, "MSK")
5130 get_key_locations(buf
, emsk
, "EMSK")
5131 if password
not in buf
:
5132 raise HwsimSkip("Password not found while associated")
5134 raise HwsimSkip("PMK not found while associated")
5136 raise Exception("KCK not found while associated")
5138 raise Exception("KEK not found while associated")
5140 # raise Exception("TK found from memory")
5142 logger
.info("Checking keys in memory after disassociation")
5143 buf
= read_process_memory(pid
, password
)
5145 # Note: Password is still present in network configuration
5146 # Note: PMK is in PMKSA cache and EAP fast re-auth data
5148 get_key_locations(buf
, password
, "Password")
5149 get_key_locations(buf
, pmk
, "PMK")
5150 get_key_locations(buf
, msk
, "MSK")
5151 get_key_locations(buf
, emsk
, "EMSK")
5152 verify_not_present(buf
, kck
, fname
, "KCK")
5153 verify_not_present(buf
, kek
, fname
, "KEK")
5154 verify_not_present(buf
, tk
, fname
, "TK")
5156 get_key_locations(buf
, gtk
, "GTK")
5157 verify_not_present(buf
, gtk
, fname
, "GTK")
5159 dev
[0].request("PMKSA_FLUSH")
5160 dev
[0].set_network_quoted(id, "identity", "foo")
5161 logger
.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
5162 buf
= read_process_memory(pid
, password
)
5163 get_key_locations(buf
, password
, "Password")
5164 get_key_locations(buf
, pmk
, "PMK")
5165 get_key_locations(buf
, msk
, "MSK")
5166 get_key_locations(buf
, emsk
, "EMSK")
5167 verify_not_present(buf
, pmk
, fname
, "PMK")
5169 dev
[0].request("REMOVE_NETWORK all")
5171 logger
.info("Checking keys in memory after network profile removal")
5172 buf
= read_process_memory(pid
, password
)
5174 get_key_locations(buf
, password
, "Password")
5175 get_key_locations(buf
, pmk
, "PMK")
5176 get_key_locations(buf
, msk
, "MSK")
5177 get_key_locations(buf
, emsk
, "EMSK")
5178 verify_not_present(buf
, password
, fname
, "password")
5179 verify_not_present(buf
, pmk
, fname
, "PMK")
5180 verify_not_present(buf
, kck
, fname
, "KCK")
5181 verify_not_present(buf
, kek
, fname
, "KEK")
5182 verify_not_present(buf
, tk
, fname
, "TK")
5183 verify_not_present(buf
, gtk
, fname
, "GTK")
5184 verify_not_present(buf
, msk
, fname
, "MSK")
5185 verify_not_present(buf
, emsk
, fname
, "EMSK")
5187 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev
, apdev
):
5188 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
5189 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5190 hapd
= hostapd
.add_ap(apdev
[0], params
)
5191 bssid
= apdev
[0]['bssid']
5192 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5193 anonymous_identity
="ttls", password
="password",
5194 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5196 # Send unexpected WEP EAPOL-Key; this gets dropped
5197 res
= dev
[0].request("EAPOL_RX " + bssid
+ " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
5199 raise Exception("EAPOL_RX to wpa_supplicant failed")
5201 def test_ap_wpa2_eap_in_bridge(dev
, apdev
):
5202 """WPA2-EAP and wpas interface in a bridge"""
5206 _test_ap_wpa2_eap_in_bridge(dev
, apdev
)
5208 subprocess
.call(['ip', 'link', 'set', 'dev', br_ifname
, 'down'])
5209 subprocess
.call(['brctl', 'delif', br_ifname
, ifname
])
5210 subprocess
.call(['brctl', 'delbr', br_ifname
])
5211 subprocess
.call(['iw', ifname
, 'set', '4addr', 'off'])
5213 def _test_ap_wpa2_eap_in_bridge(dev
, apdev
):
5214 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5215 hapd
= hostapd
.add_ap(apdev
[0], params
)
5219 wpas
= WpaSupplicant(global_iface
='/tmp/wpas-wlan5')
5220 subprocess
.call(['brctl', 'addbr', br_ifname
])
5221 subprocess
.call(['brctl', 'setfd', br_ifname
, '0'])
5222 subprocess
.call(['ip', 'link', 'set', 'dev', br_ifname
, 'up'])
5223 subprocess
.call(['iw', ifname
, 'set', '4addr', 'on'])
5224 subprocess
.check_call(['brctl', 'addif', br_ifname
, ifname
])
5225 wpas
.interface_add(ifname
, br_ifname
=br_ifname
)
5228 id = eap_connect(wpas
, hapd
, "PAX", "pax.user@example.com",
5229 password_hex
="0123456789abcdef0123456789abcdef")
5231 eap_reauth(wpas
, "PAX")
5233 # Try again as a regression test for packet socket workaround
5234 eap_reauth(wpas
, "PAX")
5236 wpas
.request("DISCONNECT")
5237 wpas
.wait_disconnected()
5239 wpas
.request("RECONNECT")
5240 wpas
.wait_connected()
5243 def test_ap_wpa2_eap_session_ticket(dev
, apdev
):
5244 """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
5245 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5246 hapd
= hostapd
.add_ap(apdev
[0], params
)
5247 key_mgmt
= hapd
.get_config()['key_mgmt']
5248 if key_mgmt
.split(' ')[0] != "WPA-EAP":
5249 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt
)
5250 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5251 anonymous_identity
="ttls", password
="password",
5252 ca_cert
="auth_serv/ca.pem",
5253 phase1
="tls_disable_session_ticket=0", phase2
="auth=PAP")
5254 eap_reauth(dev
[0], "TTLS")
5256 def test_ap_wpa2_eap_no_workaround(dev
, apdev
):
5257 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
5258 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5259 hapd
= hostapd
.add_ap(apdev
[0], params
)
5260 key_mgmt
= hapd
.get_config()['key_mgmt']
5261 if key_mgmt
.split(' ')[0] != "WPA-EAP":
5262 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt
)
5263 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5264 anonymous_identity
="ttls", password
="password",
5265 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5267 eap_reauth(dev
[0], "TTLS")
5269 def test_ap_wpa2_eap_tls_check_crl(dev
, apdev
):
5270 """EAP-TLS and server checking CRL"""
5271 params
= int_eap_server_params()
5272 params
['check_crl'] = '1'
5273 hapd
= hostapd
.add_ap(apdev
[0], params
)
5275 # check_crl=1 and no CRL available --> reject connection
5276 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5277 client_cert
="auth_serv/user.pem",
5278 private_key
="auth_serv/user.key", expect_failure
=True)
5279 dev
[0].request("REMOVE_NETWORK all")
5282 hapd
.set("ca_cert", "auth_serv/ca-and-crl.pem")
5285 # check_crl=1 and valid CRL --> accept
5286 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5287 client_cert
="auth_serv/user.pem",
5288 private_key
="auth_serv/user.key")
5289 dev
[0].request("REMOVE_NETWORK all")
5292 hapd
.set("check_crl", "2")
5295 # check_crl=2 and valid CRL --> accept
5296 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5297 client_cert
="auth_serv/user.pem",
5298 private_key
="auth_serv/user.key")
5299 dev
[0].request("REMOVE_NETWORK all")
5301 def test_ap_wpa2_eap_tls_crl_reload(dev
, apdev
, params
):
5302 """EAP-TLS and server reloading CRL from ca_cert"""
5303 ca_cert
= os
.path
.join(params
['logdir'],
5304 "ap_wpa2_eap_tls_crl_reload.ca_cert")
5305 with
open('auth_serv/ca.pem', 'r') as f
:
5306 only_cert
= f
.read()
5307 with
open('auth_serv/ca-and-crl.pem', 'r') as f
:
5308 cert_and_crl
= f
.read()
5309 with
open(ca_cert
, 'w') as f
:
5311 params
= int_eap_server_params()
5312 params
['ca_cert'] = ca_cert
5313 params
['check_crl'] = '1'
5314 params
['crl_reload_interval'] = '1'
5315 hapd
= hostapd
.add_ap(apdev
[0], params
)
5317 # check_crl=1 and no CRL available --> reject connection
5318 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5319 client_cert
="auth_serv/user.pem",
5320 private_key
="auth_serv/user.key", expect_failure
=True)
5321 dev
[0].request("REMOVE_NETWORK all")
5322 dev
[0].dump_monitor()
5324 with
open(ca_cert
, 'w') as f
:
5325 f
.write(cert_and_crl
)
5328 # check_crl=1 and valid CRL --> accept
5329 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5330 client_cert
="auth_serv/user.pem",
5331 private_key
="auth_serv/user.key")
5332 dev
[0].request("REMOVE_NETWORK all")
5333 dev
[0].wait_disconnected()
5335 def test_ap_wpa2_eap_tls_oom(dev
, apdev
):
5336 """EAP-TLS and OOM"""
5337 check_subject_match_support(dev
[0])
5338 check_altsubject_match_support(dev
[0])
5339 check_domain_match(dev
[0])
5340 check_domain_match_full(dev
[0])
5342 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5343 hostapd
.add_ap(apdev
[0], params
)
5345 tests
= [ (1, "tls_connection_set_subject_match"),
5346 (2, "tls_connection_set_subject_match"),
5347 (3, "tls_connection_set_subject_match"),
5348 (4, "tls_connection_set_subject_match") ]
5349 for count
, func
in tests
:
5350 with
alloc_fail(dev
[0], count
, func
):
5351 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5352 identity
="tls user", ca_cert
="auth_serv/ca.pem",
5353 client_cert
="auth_serv/user.pem",
5354 private_key
="auth_serv/user.key",
5355 subject_match
="/C=FI/O=w1.fi/CN=server.w1.fi",
5356 altsubject_match
="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
5357 domain_suffix_match
="server.w1.fi",
5358 domain_match
="server.w1.fi",
5359 wait_connect
=False, scan_freq
="2412")
5360 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
5361 ev
= dev
[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout
=5)
5363 raise Exception("No passphrase request")
5364 dev
[0].request("REMOVE_NETWORK all")
5365 dev
[0].wait_disconnected()
5367 def test_ap_wpa2_eap_tls_macacl(dev
, apdev
):
5368 """WPA2-Enterprise connection using MAC ACL"""
5369 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5370 params
["macaddr_acl"] = "2"
5371 hapd
= hostapd
.add_ap(apdev
[0], params
)
5372 eap_connect(dev
[1], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5373 client_cert
="auth_serv/user.pem",
5374 private_key
="auth_serv/user.key")
5376 def test_ap_wpa2_eap_oom(dev
, apdev
):
5377 """EAP server and OOM"""
5378 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5379 hapd
= hostapd
.add_ap(apdev
[0], params
)
5380 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
5382 with
alloc_fail(hapd
, 1, "eapol_auth_alloc"):
5383 # The first attempt fails, but STA will send EAPOL-Start to retry and
5385 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5386 identity
="tls user", ca_cert
="auth_serv/ca.pem",
5387 client_cert
="auth_serv/user.pem",
5388 private_key
="auth_serv/user.key",
5391 def check_tls_ver(dev
, hapd
, phase1
, expected
):
5392 eap_connect(dev
, hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5393 client_cert
="auth_serv/user.pem",
5394 private_key
="auth_serv/user.key",
5396 ver
= dev
.get_status_field("eap_tls_version")
5398 raise Exception("Unexpected TLS version (expected %s): %s" % (expected
, ver
))
5400 def test_ap_wpa2_eap_tls_versions(dev
, apdev
):
5401 """EAP-TLS and TLS version configuration"""
5402 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5403 hapd
= hostapd
.add_ap(apdev
[0], params
)
5405 tls
= dev
[0].request("GET tls_library")
5406 if tls
.startswith("OpenSSL"):
5407 if "build=OpenSSL 1.0.1" not in tls
and "run=OpenSSL 1.0.1" not in tls
:
5408 check_tls_ver(dev
[0], hapd
,
5409 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
5411 if tls
.startswith("wolfSSL"):
5412 if ("build=3.10.0" in tls
and "run=3.10.0" in tls
) or \
5413 ("build=3.13.0" in tls
and "run=3.13.0" in tls
):
5414 check_tls_ver(dev
[0], hapd
,
5415 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
5417 elif tls
.startswith("internal"):
5418 check_tls_ver(dev
[0], hapd
,
5419 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
5420 check_tls_ver(dev
[1], hapd
,
5421 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
5422 check_tls_ver(dev
[2], hapd
,
5423 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
5424 if "run=OpenSSL 1.1.1" in tls
:
5425 check_tls_ver(dev
[0], hapd
,
5426 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0", "TLSv1.3")
5428 def test_rsn_ie_proto_eap_sta(dev
, apdev
):
5429 """RSN element protocol testing for EAP cases on STA side"""
5430 bssid
= apdev
[0]['bssid']
5431 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5432 # This is the RSN element used normally by hostapd
5433 params
['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
5434 hapd
= hostapd
.add_ap(apdev
[0], params
)
5435 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
5436 identity
="gpsk user",
5437 password
="abcdefghijklmnop0123456789abcdef",
5440 tests
= [ ('No RSN Capabilities field',
5441 '30120100000fac040100000fac040100000fac01'),
5442 ('No AKM Suite fields',
5443 '300c0100000fac040100000fac04'),
5444 ('No Pairwise Cipher Suite fields',
5445 '30060100000fac04'),
5446 ('No Group Data Cipher Suite field',
5448 for txt
,ie
in tests
:
5449 dev
[0].request("DISCONNECT")
5450 dev
[0].wait_disconnected()
5453 hapd
.set('own_ie_override', ie
)
5455 dev
[0].request("BSS_FLUSH 0")
5456 dev
[0].scan_for_bss(bssid
, 2412, force_scan
=True, only_new
=True)
5457 dev
[0].select_network(id, freq
=2412)
5458 dev
[0].wait_connected()
5460 dev
[0].request("DISCONNECT")
5461 dev
[0].wait_disconnected()
5462 dev
[0].flush_scan_cache()
5464 def check_tls_session_resumption_capa(dev
, hapd
):
5465 tls
= hapd
.request("GET tls_library")
5466 if not tls
.startswith("OpenSSL"):
5467 raise HwsimSkip("hostapd TLS library is not OpenSSL or wolfSSL: " + tls
)
5469 tls
= dev
.request("GET tls_library")
5470 if not tls
.startswith("OpenSSL"):
5471 raise HwsimSkip("Session resumption not supported with this TLS library: " + tls
)
5473 def test_eap_ttls_pap_session_resumption(dev
, apdev
):
5474 """EAP-TTLS/PAP session resumption"""
5475 params
= int_eap_server_params()
5476 params
['tls_session_lifetime'] = '60'
5477 hapd
= hostapd
.add_ap(apdev
[0], params
)
5478 check_tls_session_resumption_capa(dev
[0], hapd
)
5479 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5480 anonymous_identity
="ttls", password
="password",
5481 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5483 if dev
[0].get_status_field("tls_session_reused") != '0':
5484 raise Exception("Unexpected session resumption on the first connection")
5486 dev
[0].request("REAUTHENTICATE")
5487 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5489 raise Exception("EAP success timed out")
5490 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5492 raise Exception("Key handshake with the AP timed out")
5493 if dev
[0].get_status_field("tls_session_reused") != '1':
5494 raise Exception("Session resumption not used on the second connection")
5495 hwsim_utils
.test_connectivity(dev
[0], hapd
)
5497 def test_eap_ttls_chap_session_resumption(dev
, apdev
):
5498 """EAP-TTLS/CHAP session resumption"""
5499 params
= int_eap_server_params()
5500 params
['tls_session_lifetime'] = '60'
5501 hapd
= hostapd
.add_ap(apdev
[0], params
)
5502 check_tls_session_resumption_capa(dev
[0], hapd
)
5503 eap_connect(dev
[0], hapd
, "TTLS", "chap user",
5504 anonymous_identity
="ttls", password
="password",
5505 ca_cert
="auth_serv/ca.der", phase2
="auth=CHAP")
5506 if dev
[0].get_status_field("tls_session_reused") != '0':
5507 raise Exception("Unexpected session resumption on the first connection")
5509 dev
[0].request("REAUTHENTICATE")
5510 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5512 raise Exception("EAP success timed out")
5513 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5515 raise Exception("Key handshake with the AP timed out")
5516 if dev
[0].get_status_field("tls_session_reused") != '1':
5517 raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_mschap_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAP session resumption"""
    # domain_suffix_match below needs a TLS library that supports it.
    check_domain_suffix_match(dev[0])
    params = int_eap_server_params()
    # Non-zero lifetime: server keeps the TLS session for resumption.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    # Besides the CA, the client pins the server name; a cached session
    # must only ever be resumed with that same server.
    eap_connect(dev[0], hapd, "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")

    def expect(event, failure):
        # Raise with the given message if the control event never arrives.
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(failure)

    first = dev[0].get_status_field("tls_session_reused")
    if first != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    expect("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out")
    expect("WPA: Key negotiation completed",
           "Key handshake with the AP timed out")
    second = dev[0].get_status_field("tls_session_reused")
    if second != '1':
        raise Exception("Session resumption not used on the second connection")
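def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAPv2 session resumption

    The identity is deliberately given in DOMAIN\\user form; the backslash
    is escaped so the literal does not rely on an invalid escape sequence
    (`\\m`), which newer Python versions warn about. The runtime value is
    unchanged.
    """
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    # Non-zero lifetime enables the server-side TLS session cache.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Second EAP exchange; both EAP and the key handshake must complete.
    dev[0].request("REAUTHENTICATE")
    for event, failure in (("CTRL-EVENT-EAP-SUCCESS",
                            "EAP success timed out"),
                           ("WPA: Key negotiation completed",
                            "Key handshake with the AP timed out")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(failure)
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")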
def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
    """EAP-TTLS/EAP-GTC session resumption"""
    params = int_eap_server_params()
    # Non-zero lifetime enables the server-side TLS session cache.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    # autheap= selects an inner EAP method (GTC) rather than a plain
    # password protocol for the TTLS phase 2.
    eap_connect(dev[0], hapd, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")

    def reused():
        return dev[0].get_status_field("tls_session_reused")

    if reused() != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if dev[0].wait_event(["WPA: Key negotiation completed"],
                         timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if reused() != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_no_session_resumption(dev, apdev):
    """EAP-TTLS session resumption disabled on server"""
    params = int_eap_server_params()
    # Lifetime 0 disables the TLS session cache entirely, so every
    # authentication must be a full handshake with inner authentication.
    params['tls_session_lifetime'] = '0'
    hapd = hostapd.add_ap(apdev[0], params)
    # NOTE(review): the phase2 argument pairs "pap user" with auth=PAP the
    # same way the other TTLS/PAP tests in this file do.
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")

    def reused():
        return dev[0].get_status_field("tls_session_reused")

    if reused() != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Re-authenticate; the second exchange must again be a full handshake.
    dev[0].request("REAUTHENTICATE")
    for event, failure in (("CTRL-EVENT-EAP-SUCCESS",
                            "EAP success timed out"),
                           ("WPA: Key negotiation completed",
                            "Key handshake with the AP timed out")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(failure)
    if reused() != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_peap_session_resumption(dev, apdev):
    """EAP-PEAP session resumption"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    # Non-zero lifetime enables the server-side TLS session cache.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    def expect(event, failure):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(failure)

    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    expect("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out")
    expect("WPA: Key negotiation completed",
           "Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
    """EAP-PEAP session resumption with crypto binding"""
    params = int_eap_server_params()
    # Non-zero lifetime enables the server-side TLS session cache.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    # crypto_binding=2 makes the PEAPv0 cryptobinding TLV mandatory on the
    # peer; the point of the test is that resumption still works with it.
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                phase1="peapver=0 crypto_binding=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    def reused():
        return dev[0].get_status_field("tls_session_reused")

    if reused() != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    for event, failure in (("CTRL-EVENT-EAP-SUCCESS",
                            "EAP success timed out"),
                           ("WPA: Key negotiation completed",
                            "Key handshake with the AP timed out")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(failure)
    if reused() != '1':
        raise Exception("Session resumption not used on the second connection")
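def test_eap_peap_no_session_resumption(dev, apdev):
    """EAP-PEAP session resumption disabled on server

    The cache lifetime is now set to '0' explicitly (as the matching TTLS
    test does) instead of relying on the server default, so the test keeps
    checking the intended configuration even if that default changes.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '0'
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    def reused():
        return dev[0].get_status_field("tls_session_reused")

    if reused() != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # With caching disabled the re-authentication must be a full handshake.
    dev[0].request("REAUTHENTICATE")
    for event, failure in (("CTRL-EVENT-EAP-SUCCESS",
                            "EAP success timed out"),
                           ("WPA: Key negotiation completed",
                            "Key handshake with the AP timed out")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(failure)
    if reused() != '0':
        raise Exception("Unexpected session resumption on the second connection")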
def test_eap_tls_session_resumption(dev, apdev):
    """EAP-TLS session resumption"""
    params = int_eap_server_params()
    # Non-zero lifetime enables the server-side TLS session cache.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Two further re-authentications; both must resume the cached session
    # (the cache entry survives being used once).
    for ordinal in ("second", "third"):
        dev[0].request("REAUTHENTICATE")
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if dev[0].wait_event(["WPA: Key negotiation completed"],
                             timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")
        if dev[0].get_status_field("tls_session_reused") != '1':
            raise Exception("Session resumption not used on the %s connection"
                            % ordinal)
5710 def test_eap_tls_session_resumption_expiration(dev
, apdev
):
5711 """EAP-TLS session resumption"""
5712 params
= int_eap_server_params()
5713 params
['tls_session_lifetime'] = '1'
5714 hapd
= hostapd
.add_ap(apdev
[0], params
)
5715 check_tls_session_resumption_capa(dev
[0], hapd
)
5716 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5717 client_cert
="auth_serv/user.pem",
5718 private_key
="auth_serv/user.key")
5719 if dev
[0].get_status_field("tls_session_reused") != '0':
5720 raise Exception("Unexpected session resumption on the first connection")
5722 # Allow multiple attempts since OpenSSL may not expire the cached entry
5727 dev
[0].request("REAUTHENTICATE")
5728 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5730 raise Exception("EAP success timed out")
5731 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5733 raise Exception("Key handshake with the AP timed out")
5734 if dev
[0].get_status_field("tls_session_reused") == '0':
5736 if dev
[0].get_status_field("tls_session_reused") != '0':
5737 raise Exception("Session resumption used after lifetime expiration")
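def test_eap_tls_no_session_resumption(dev, apdev):
    """EAP-TLS session resumption disabled on server

    tls_session_lifetime is set to '0' explicitly, matching the TTLS
    variant of this test, rather than relying on the server default.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '0'
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")

    def expect(event, failure):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(failure)

    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # With caching disabled the re-authentication must be a full handshake.
    dev[0].request("REAUTHENTICATE")
    expect("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out")
    expect("WPA: Key negotiation completed",
           "Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")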
5759 def test_eap_tls_session_resumption_radius(dev
, apdev
):
5760 """EAP-TLS session resumption (RADIUS)"""
5761 params
= { "ssid": "as", "beacon_int": "2000",
5762 "radius_server_clients": "auth_serv/radius_clients.conf",
5763 "radius_server_auth_port": '18128',
5765 "eap_user_file": "auth_serv/eap_user.conf",
5766 "ca_cert": "auth_serv/ca.pem",
5767 "server_cert": "auth_serv/server.pem",
5768 "private_key": "auth_serv/server.key",
5769 "tls_session_lifetime": "60" }
5770 authsrv
= hostapd
.add_ap(apdev
[1], params
)
5771 check_tls_session_resumption_capa(dev
[0], authsrv
)
5773 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5774 params
['auth_server_port'] = "18128"
5775 hapd
= hostapd
.add_ap(apdev
[0], params
)
5776 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5777 client_cert
="auth_serv/user.pem",
5778 private_key
="auth_serv/user.key")
5779 if dev
[0].get_status_field("tls_session_reused") != '0':
5780 raise Exception("Unexpected session resumption on the first connection")
5782 dev
[0].request("REAUTHENTICATE")
5783 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5785 raise Exception("EAP success timed out")
5786 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5788 raise Exception("Key handshake with the AP timed out")
5789 if dev
[0].get_status_field("tls_session_reused") != '1':
5790 raise Exception("Session resumption not used on the second connection")
5792 def test_eap_tls_no_session_resumption_radius(dev
, apdev
):
5793 """EAP-TLS session resumption disabled (RADIUS)"""
5794 params
= { "ssid": "as", "beacon_int": "2000",
5795 "radius_server_clients": "auth_serv/radius_clients.conf",
5796 "radius_server_auth_port": '18128',
5798 "eap_user_file": "auth_serv/eap_user.conf",
5799 "ca_cert": "auth_serv/ca.pem",
5800 "server_cert": "auth_serv/server.pem",
5801 "private_key": "auth_serv/server.key",
5802 "tls_session_lifetime": "0" }
5803 hostapd
.add_ap(apdev
[1], params
)
5805 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5806 params
['auth_server_port'] = "18128"
5807 hapd
= hostapd
.add_ap(apdev
[0], params
)
5808 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5809 client_cert
="auth_serv/user.pem",
5810 private_key
="auth_serv/user.key")
5811 if dev
[0].get_status_field("tls_session_reused") != '0':
5812 raise Exception("Unexpected session resumption on the first connection")
5814 dev
[0].request("REAUTHENTICATE")
5815 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5817 raise Exception("EAP success timed out")
5818 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5820 raise Exception("Key handshake with the AP timed out")
5821 if dev
[0].get_status_field("tls_session_reused") != '0':
5822 raise Exception("Unexpected session resumption on the second connection")
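def test_eap_mschapv2_errors(dev, apdev):
    """EAP-MSCHAPv2 error cases

    Each round injects exactly one fault (a failing primitive via fail_test,
    or a failing allocation via alloc_fail) into the peer, starts a
    connection attempt, and waits until the injected fault has fired.
    The duplicated "nt_password_hash;=mschapv2_derive_response" vector of
    the original list is dropped - it ran the same fault twice.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    check_eap_capa(dev[0], "FAST")

    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Sanity check that the credentials work before injecting faults.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                   identity="phase1-user", password="password",
                   scan_freq="2412")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    def run_fault(inject, trigger, count, func, **creds):
        """Attempt a connection under one injected fault and verify it fired.

        inject is fail_test or alloc_fail; trigger is the matching
        GET_FAIL / GET_ALLOC_FAIL counter that wait_fail_trigger polls.
        """
        with inject(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP",
                           wait_connect=False, scan_freq="2412", **creds)
            wait_fail_trigger(dev[0], trigger)
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    plain = dict(eap="MSCHAPV2", identity="phase1-user", password="password")
    tests = [(1, "hash_nt_password_hash;mschapv2_derive_response"),
             (1, "nt_password_hash;mschapv2_derive_response"),
             (1, "nt_password_hash;=mschapv2_derive_response"),
             (1, "generate_nt_response;mschapv2_derive_response"),
             (1, "generate_authenticator_response;mschapv2_derive_response"),
             (1, "get_master_key;mschapv2_derive_response"),
             (1, "os_get_random;eap_mschapv2_challenge_reply")]
    for count, func in tests:
        run_fault(fail_test, "GET_FAIL", count, func, **plain)

    # Same credential supplied as an NT password hash (the NT hash of
    # "password"), which routes through the *_pwhash derivation paths.
    # The hash is credential-equivalent for MSCHAPv2, so stored hashes
    # need the same protection as the clear-text password.
    hashed = dict(eap="MSCHAPV2", identity="phase1-user",
                  password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c")
    tests = [(1, "hash_nt_password_hash;mschapv2_derive_response"),
             (1, "hash_nt_password_hash;=mschapv2_derive_response"),
             (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
             (1, "generate_authenticator_response_pwhash;mschapv2_derive_response")]
    for count, func in tests:
        run_fault(fail_test, "GET_FAIL", count, func, **hashed)

    tests = [(1, "eap_mschapv2_init"),
             (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
             (1, "eap_msg_alloc;eap_mschapv2_success"),
             (1, "eap_mschapv2_getKey")]
    for count, func in tests:
        run_fault(alloc_fail, "GET_ALLOC_FAIL", count, func, **plain)

    # A wrong password drives the peer into the failure-message path.
    tests = [(1, "eap_msg_alloc;eap_mschapv2_failure")]
    for count, func in tests:
        run_fault(alloc_fail, "GET_ALLOC_FAIL", count, func,
                  eap="MSCHAPV2", identity="phase1-user",
                  password="wrong password")

    # Later eap_mschapv2_init allocations are reached via EAP-FAST's
    # inner MSCHAPv2 during provisioning.
    tests = [(2, "eap_mschapv2_init"),
             (3, "eap_mschapv2_init")]
    for count, func in tests:
        run_fault(alloc_fail, "GET_ALLOC_FAIL", count, func,
                  eap="FAST", anonymous_identity="FAST", identity="user",
                  password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                  phase1="fast_provisioning=1",
                  pac_file="blob://fast_pac")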
5906 def test_eap_gpsk_errors(dev
, apdev
):
5907 """EAP-GPSK error cases"""
5908 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa-eap")
5909 hapd
= hostapd
.add_ap(apdev
[0], params
)
5910 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
5911 identity
="gpsk user",
5912 password
="abcdefghijklmnop0123456789abcdef",
5914 dev
[0].request("REMOVE_NETWORK all")
5915 dev
[0].wait_disconnected()
5917 tests
= [ (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
5918 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
5920 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
5922 (1, "eap_gpsk_derive_keys_helper", None),
5923 (2, "eap_gpsk_derive_keys_helper", None),
5924 (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
5926 (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
5928 (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
5929 (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
5930 (1, "eap_gpsk_derive_mid_helper", None) ]
5931 for count
, func
, phase1
in tests
:
5932 with
fail_test(dev
[0], count
, func
):
5933 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
5934 identity
="gpsk user",
5935 password
="abcdefghijklmnop0123456789abcdef",
5937 wait_connect
=False, scan_freq
="2412")
5938 wait_fail_trigger(dev
[0], "GET_FAIL")
5939 dev
[0].request("REMOVE_NETWORK all")
5940 dev
[0].wait_disconnected()
5942 tests
= [ (1, "eap_gpsk_init"),
5943 (2, "eap_gpsk_init"),
5944 (3, "eap_gpsk_init"),
5945 (1, "eap_gpsk_process_id_server"),
5946 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
5947 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
5948 (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
5949 (1, "eap_gpsk_derive_keys"),
5950 (1, "eap_gpsk_derive_keys_helper"),
5951 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
5952 (1, "eap_gpsk_getKey"),
5953 (1, "eap_gpsk_get_emsk"),
5954 (1, "eap_gpsk_get_session_id") ]
5955 for count
, func
in tests
:
5956 with
alloc_fail(dev
[0], count
, func
):
5957 dev
[0].request("ERP_FLUSH")
5958 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
5959 identity
="gpsk user@domain", erp
="1",
5960 password
="abcdefghijklmnop0123456789abcdef",
5961 wait_connect
=False, scan_freq
="2412")
5962 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
5963 dev
[0].request("REMOVE_NETWORK all")
5964 dev
[0].wait_disconnected()
5966 def test_ap_wpa2_eap_sim_db(dev
, apdev
, params
):
5967 """EAP-SIM DB error cases"""
5968 sockpath
= '/tmp/hlr_auc_gw.sock-test'
5973 hparams
= int_eap_server_params()
5974 hparams
['eap_sim_db'] = 'unix:' + sockpath
5975 hapd
= hostapd
.add_ap(apdev
[0], hparams
)
5977 # Initial test with hlr_auc_gw socket not available
5978 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
5979 eap
="SIM", identity
="1232010000000000",
5980 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
5981 scan_freq
="2412", wait_connect
=False)
5982 ev
= dev
[0].wait_event(["EAP-ERROR-CODE"], timeout
=10)
5984 raise Exception("EAP method specific error code not reported")
5985 if int(ev
.split()[1]) != 16384:
5986 raise Exception("Unexpected EAP method specific error code: " + ev
)
5987 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
5989 raise Exception("EAP-Failure not reported")
5990 dev
[0].wait_disconnected()
5991 dev
[0].request("DISCONNECT")
5993 # Test with invalid responses and response timeout
5995 class test_handler(SocketServer
.DatagramRequestHandler
):
5997 data
= self
.request
[0].decode().strip()
5998 socket
= self
.request
[1]
5999 logger
.debug("Received hlr_auc_gw request: " + data
)
6000 # EAP-SIM DB: Failed to parse response string
6001 socket
.sendto(b
"FOO", self
.client_address
)
6002 # EAP-SIM DB: Failed to parse response string
6003 socket
.sendto(b
"FOO 1", self
.client_address
)
6004 # EAP-SIM DB: Unknown external response
6005 socket
.sendto(b
"FOO 1 2", self
.client_address
)
6006 logger
.info("No proper response - wait for pending eap_sim_db request timeout")
6008 server
= SocketServer
.UnixDatagramServer(sockpath
, test_handler
)
6011 dev
[0].select_network(id)
6012 server
.handle_request()
6013 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
6015 raise Exception("EAP-Failure not reported")
6016 dev
[0].wait_disconnected()
6017 dev
[0].request("DISCONNECT")
6019 # Test with a valid response
6021 class test_handler2(SocketServer
.DatagramRequestHandler
):
6023 data
= self
.request
[0].decode().strip()
6024 socket
= self
.request
[1]
6025 logger
.debug("Received hlr_auc_gw request: " + data
)
6026 fname
= os
.path
.join(params
['logdir'],
6027 'hlr_auc_gw.milenage_db')
6028 cmd
= subprocess
.Popen(['../../hostapd/hlr_auc_gw',
6030 stdout
=subprocess
.PIPE
)
6031 res
= cmd
.stdout
.read().decode().strip()
6033 logger
.debug("hlr_auc_gw response: " + res
)
6034 socket
.sendto(res
.encode(), self
.client_address
)
6036 server
.RequestHandlerClass
= test_handler2
6038 dev
[0].select_network(id)
6039 server
.handle_request()
6040 dev
[0].wait_connected()
6041 dev
[0].request("DISCONNECT")
6042 dev
[0].wait_disconnected()
def test_eap_tls_sha512(dev, apdev, params):
    """EAP-TLS with SHA512 signature"""
    # Local AP config kept separate from the test-runner `params` argument.
    ap_params = int_eap_server_params()
    ap_params["ca_cert"] = "auth_serv/sha512-ca.pem"
    ap_params["server_cert"] = "auth_serv/sha512-server.pem"
    ap_params["private_key"] = "auth_serv/sha512-server.key"
    hostapd.add_ap(apdev[0], ap_params)

    # Both stations trust the SHA-512 signed CA; they differ only in the
    # client certificate signature algorithm they present.
    common = dict(key_mgmt="WPA-EAP", eap="TLS",
                  identity="tls user sha512",
                  ca_cert="auth_serv/sha512-ca.pem",
                  scan_freq="2412")
    dev[0].connect("test-wpa2-eap",
                   client_cert="auth_serv/sha512-user.pem",
                   private_key="auth_serv/sha512-user.key",
                   **common)
    dev[1].connect("test-wpa2-eap",
                   client_cert="auth_serv/sha384-user.pem",
                   private_key="auth_serv/sha384-user.key",
                   **common)
def test_eap_tls_sha384(dev, apdev, params):
    """EAP-TLS with SHA384 signature"""
    # Local AP config kept separate from the test-runner `params` argument.
    ap_params = int_eap_server_params()
    ap_params["ca_cert"] = "auth_serv/sha512-ca.pem"
    ap_params["server_cert"] = "auth_serv/sha384-server.pem"
    ap_params["private_key"] = "auth_serv/sha384-server.key"
    hostapd.add_ap(apdev[0], ap_params)

    # Server uses a SHA-384 signed certificate under the SHA-512 signed CA;
    # the two stations present SHA-512 and SHA-384 signed client certs.
    common = dict(key_mgmt="WPA-EAP", eap="TLS",
                  identity="tls user sha512",
                  ca_cert="auth_serv/sha512-ca.pem",
                  scan_freq="2412")
    dev[0].connect("test-wpa2-eap",
                   client_cert="auth_serv/sha512-user.pem",
                   private_key="auth_serv/sha512-user.key",
                   **common)
    dev[1].connect("test-wpa2-eap",
                   client_cert="auth_serv/sha384-user.pem",
                   private_key="auth_serv/sha384-user.key",
                   **common)
def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
    """WPA2-Enterprise AP and association request RSN IE differences"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
    params["ieee80211w"] = "2"  # MFP required
    hostapd.add_ap(apdev[1], params)

    gpsk = dict(eap="GPSK", identity="gpsk user",
                password="abcdefghijklmnop0123456789abcdef")

    def expect_reject(ssid, ie, status, **extra):
        # Associate with a hand-crafted RSN IE and require the AP to
        # reject with the given 802.11 status code.
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect(ssid, key_mgmt="WPA-EAP", scan_freq="2412",
                       wait_connect=False, **dict(gpsk, **extra))
        ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
        if ev is None:
            raise Exception("Association rejection not reported")
        if "status_code=" + str(status) not in ev:
            raise Exception("Unexpected status code: " + ev)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].dump_monitor()

    # Success cases with optional RSN IE fields removed one by one.
    # The baseline IE decodes as: version 1, group CCMP (00-0f-ac-04),
    # one pairwise CCMP, one AKM IEEE 802.1X (00-0f-ac-01), caps 0000.
    # Truncated IEs are accepted, i.e. the AP fills in defaults for the
    # missing fields rather than rejecting the frame.
    tests = [("Normal wpa_supplicant assoc req RSN IE",
              "30140100000fac040100000fac040100000fac010000"),
             ("Extra PMKIDCount field in RSN IE",
              "30160100000fac040100000fac040100000fac0100000000"),
             ("Extra Group Management Cipher Suite in RSN IE",
              "301a0100000fac040100000fac040100000fac0100000000000fac06"),
             ("Extra undefined extension field in RSN IE",
              "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
             ("RSN IE without RSN Capabilities",
              "30120100000fac040100000fac040100000fac01"),
             ("RSN IE without AKM", "300c0100000fac040100000fac04"),
             ("RSN IE without pairwise", "30060100000fac04"),
             ("RSN IE without group", "30020100")]
    for title, ie in tests:
        logger.info(title)
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       scan_freq="2412", **gpsk)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Same against the MFP-required AP; RSN Capabilities 0xcc00 carry the
    # MFPC and MFPR bits.
    tests = [("Normal wpa_supplicant assoc req RSN IE",
              "30140100000fac040100000fac040100000fac01cc00"),
             ("Group management cipher included in assoc req RSN IE",
              "301a0100000fac040100000fac040100000fac01cc000000000fac06")]
    for title, ie in tests:
        logger.info(title)
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP",
                       ieee80211w="1", scan_freq="2412", **gpsk)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Rejection cases: a cipher the AP does not allow (TKIP, 00-0f-ac-02)
    # must be refused with the matching status code.
    tests = [("Invalid group cipher", "30060100000fac02", 41),
             ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42)]
    for title, ie, status in tests:
        logger.info(title)
        expect_reject("test-wpa2-eap", ie, status)

    # Against the MFP-required AP: no MFP bits, or an unsupported group
    # management cipher, must be refused.
    tests = [("Management frame protection not enabled",
              "30140100000fac040100000fac040100000fac010000", 31),
             ("Unsupported management group cipher",
              "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 46)]
    for title, ie, status in tests:
        logger.info(title)
        expect_reject("test-wpa2-eap-11w", ie, status, ieee80211w="1")
def test_eap_tls_ext_cert_check(dev, apdev):
    """EAP-TLS and external server certification validation"""
    # ca_cert is configured, so wpa_supplicant still validates the chain
    # itself; the external check (tls_ext_cert_check=1) runs on top of it.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                            identity="tls user",
                            ca_cert="auth_serv/ca.pem",
                            client_cert="auth_serv/user.pem",
                            private_key="auth_serv/user.key",
                            phase1="tls_ext_cert_check=1", scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_ttls_ext_cert_check(dev, apdev):
    """EAP-TTLS and external server certification validation"""
    # No ca_cert here: wpa_supplicant does not validate the server chain
    # itself, so the external checker is the only thing deciding whether
    # the server is trusted before the PAP password is sent in phase 2.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            phase1="tls_ext_cert_check=1", scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_peap_ext_cert_check(dev, apdev):
    """EAP-PEAP and external server certification validation"""
    # ca_cert is configured, so the internal chain validation stays on and
    # the external check is an additional gate.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                            identity="user", anonymous_identity="peap",
                            ca_cert="auth_serv/ca.pem",
                            password="password", phase2="auth=MSCHAPV2",
                            phase1="tls_ext_cert_check=1", scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_fast_ext_cert_check(dev, apdev):
    """EAP-FAST and external server certification validation"""
    check_eap_capa(dev[0], "FAST")
    # Start from an empty PAC blob so provisioning (fast_provisioning=2,
    # authenticated) has to run a full TLS handshake, which is what
    # exposes the server certificate to the external check. Internal
    # chain validation stays on via ca_cert.
    dev[0].request("SET blob fast_pac_auth_ext ")
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                            identity="user", anonymous_identity="FAST",
                            ca_cert="auth_serv/ca.pem",
                            password="password", phase2="auth=GTC",
                            phase1="tls_ext_cert_check=1 fast_provisioning=2",
                            pac_file="blob://fast_pac_auth_ext",
                            scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
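def run_ext_cert_check(dev, apdev, net_id):
    """Exercise wpa_supplicant's external server certificate check.

    Brings up the AP, selects the pre-added network net_id, collects the
    server certificate chain that wpa_supplicant exposes through
    CTRL-EVENT-EAP-PEER-CERT events, answers the CTRL-REQ-EXT_CERT_CHECK
    request with "good" and expects the connection to complete, then
    re-runs the exchange and answers "bad", expecting EAP-Failure.

    Local names no longer shadow the builtin `id`, and the hex string of
    a certificate is kept separate from the parsed X509 object.
    """
    check_ext_cert_check_support(dev[0])
    if not openssl_imported:
        raise HwsimSkip("OpenSSL python method not available")

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    dev[0].select_network(net_id)

    # depth -> DER certificate, as reported by the peer-cert events
    # (depth 0 is the server certificate, depth 1 its issuer).
    certs = {}
    while True:
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
                                "CTRL-REQ-EXT_CERT_CHECK",
                                "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("No peer server certificate event seen")
        if "CTRL-EVENT-EAP-PEER-CERT" in ev:
            depth = None
            cert_hex = None
            for field in ev.split(' '):
                if field.startswith("depth="):
                    depth = int(field.split('=')[1])
                elif field.startswith("cert="):
                    cert_hex = field.split('=')[1]
            if depth is not None and cert_hex:
                certs[depth] = binascii.unhexlify(cert_hex)
        elif "CTRL-EVENT-EAP-SUCCESS" in ev:
            # Success must not be reported before the external verdict.
            raise Exception("Unexpected EAP-Success")
        elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
            # The request id is the trailing component of "CTRL-REQ-...-<id>".
            req_id = ev.split(':')[0].split('-')[-1]
            break

    if 0 not in certs:
        raise Exception("Server certificate not received")
    if 1 not in certs:
        raise Exception("Server certificate issuer not received")

    # This harness only inspects subject CNs. A real external checker must
    # verify the chain (signatures, validity, name constraints), not just
    # compare names, since the TTLS variant runs with no ca_cert at all.
    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
                                           certs[0])
    cn = cert.get_subject().commonName
    logger.info("Server certificate CN=" + cn)

    issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
                                             certs[1])
    icn = issuer.get_subject().commonName
    logger.info("Issuer certificate CN=" + icn)

    if cn != "server.w1.fi":
        raise Exception("Unexpected server certificate CN: " + cn)
    if icn != "Root CA":
        raise Exception("Unexpected server certificate issuer CN: " + icn)

    # wpa_supplicant must stay blocked on the verdict.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
    if ev is not None:
        raise Exception("Unexpected EAP-Success before external check result indication")

    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + req_id + ":good")
    dev[0].wait_connected()

    # Second round: flush the PMKSA cache (and the EAP-FAST PAC blob) so
    # RECONNECT performs a full EAP exchange and asks for a verdict again.
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    if "FAIL" in dev[0].request("PMKSA_FLUSH"):
        raise Exception("PMKSA_FLUSH failed")
    dev[0].request("SET blob fast_pac_auth_ext ")
    dev[0].request("RECONNECT")

    ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen (2)")
    req_id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + req_id + ":bad")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()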
6294 def test_eap_tls_errors(dev
, apdev
):
6295 """EAP-TLS error cases"""
6296 params
= int_eap_server_params()
6297 params
['fragment_size'] = '100'
6298 hostapd
.add_ap(apdev
[0], params
)
6299 with
alloc_fail(dev
[0], 1,
6300 "eap_peer_tls_reassemble_fragment"):
6301 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6302 identity
="tls user", ca_cert
="auth_serv/ca.pem",
6303 client_cert
="auth_serv/user.pem",
6304 private_key
="auth_serv/user.key",
6305 wait_connect
=False, scan_freq
="2412")
6306 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6307 dev
[0].request("REMOVE_NETWORK all")
6308 dev
[0].wait_disconnected()
6310 with
alloc_fail(dev
[0], 1, "eap_tls_init"):
6311 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6312 identity
="tls user", ca_cert
="auth_serv/ca.pem",
6313 client_cert
="auth_serv/user.pem",
6314 private_key
="auth_serv/user.key",
6315 wait_connect
=False, scan_freq
="2412")
6316 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6317 dev
[0].request("REMOVE_NETWORK all")
6318 dev
[0].wait_disconnected()
6320 with
alloc_fail(dev
[0], 1, "eap_peer_tls_ssl_init"):
6321 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6322 identity
="tls user", ca_cert
="auth_serv/ca.pem",
6323 client_cert
="auth_serv/user.pem",
6324 private_key
="auth_serv/user.key",
6326 wait_connect
=False, scan_freq
="2412")
6327 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6328 ev
= dev
[0].wait_event(["CTRL-REQ-PIN"], timeout
=5)
6330 raise Exception("No CTRL-REQ-PIN seen")
6331 dev
[0].request("REMOVE_NETWORK all")
6332 dev
[0].wait_disconnected()
6334 tests
= [ "eap_peer_tls_derive_key;eap_tls_success",
6335 "eap_peer_tls_derive_session_id;eap_tls_success",
6338 "eap_tls_get_session_id" ]
6340 with
alloc_fail(dev
[0], 1, func
):
6341 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6342 identity
="tls user@domain",
6343 ca_cert
="auth_serv/ca.pem",
6344 client_cert
="auth_serv/user.pem",
6345 private_key
="auth_serv/user.key",
6347 wait_connect
=False, scan_freq
="2412")
6348 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6349 dev
[0].request("REMOVE_NETWORK all")
6350 dev
[0].wait_disconnected()
6352 with
alloc_fail(dev
[0], 1, "eap_unauth_tls_init"):
6353 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="UNAUTH-TLS",
6354 identity
="unauth-tls", ca_cert
="auth_serv/ca.pem",
6355 wait_connect
=False, scan_freq
="2412")
6356 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6357 dev
[0].request("REMOVE_NETWORK all")
6358 dev
[0].wait_disconnected()
6360 with
alloc_fail(dev
[0], 1, "eap_peer_tls_ssl_init;eap_unauth_tls_init"):
6361 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="UNAUTH-TLS",
6362 identity
="unauth-tls", ca_cert
="auth_serv/ca.pem",
6363 wait_connect
=False, scan_freq
="2412")
6364 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6365 dev
[0].request("REMOVE_NETWORK all")
6366 dev
[0].wait_disconnected()
6368 with
alloc_fail(dev
[0], 1, "eap_wfa_unauth_tls_init"):
6369 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
6370 eap
="WFA-UNAUTH-TLS",
6371 identity
="osen@example.com", ca_cert
="auth_serv/ca.pem",
6372 wait_connect
=False, scan_freq
="2412")
6373 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6374 dev
[0].request("REMOVE_NETWORK all")
6375 dev
[0].wait_disconnected()
6377 with
alloc_fail(dev
[0], 1, "eap_peer_tls_ssl_init;eap_wfa_unauth_tls_init"):
6378 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
6379 eap
="WFA-UNAUTH-TLS",
6380 identity
="osen@example.com", ca_cert
="auth_serv/ca.pem",
6381 wait_connect
=False, scan_freq
="2412")
6382 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6383 dev
[0].request("REMOVE_NETWORK all")
6384 dev
[0].wait_disconnected()
6386 def test_ap_wpa2_eap_status(dev
, apdev
):
6387 """EAP state machine status information"""
6388 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6389 hostapd
.add_ap(apdev
[0], params
)
6390 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
6391 identity
="cert user",
6392 ca_cert
="auth_serv/ca.pem", phase2
="auth=TLS",
6393 ca_cert2
="auth_serv/ca.pem",
6394 client_cert2
="auth_serv/user.pem",
6395 private_key2
="auth_serv/user.key",
6396 scan_freq
="2412", wait_connect
=False)
6402 selected_methods
= []
6403 for i
in range(100000):
6404 s
= dev
[0].get_status(extra
="VERBOSE")
6405 if 'EAP state' in s
:
6406 state
= s
['EAP state']
6408 if state
not in states
:
6409 states
.append(state
)
6410 if state
== "SUCCESS":
6413 if 'methodState' in s
:
6414 val
= s
['methodState']
6415 if val
not in method_states
:
6416 method_states
.append(val
)
6419 if val
not in decisions
:
6420 decisions
.append(val
)
6421 if 'reqMethod' in s
:
6422 val
= s
['reqMethod']
6423 if val
not in req_methods
:
6424 req_methods
.append(val
)
6425 if 'selectedMethod' in s
:
6426 val
= s
['selectedMethod']
6427 if val
not in selected_methods
:
6428 selected_methods
.append(val
)
6429 logger
.info("Iterations: %d" % i
)
6430 logger
.info("EAP states: " + str(states
))
6431 logger
.info("methodStates: " + str(method_states
))
6432 logger
.info("decisions: " + str(decisions
))
6433 logger
.info("reqMethods: " + str(req_methods
))
6434 logger
.info("selectedMethods: " + str(selected_methods
))
6436 raise Exception("EAP did not succeed")
6437 dev
[0].wait_connected()
6438 dev
[0].request("REMOVE_NETWORK all")
6439 dev
[0].wait_disconnected()
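def test_ap_wpa2_eap_gpsk_ptk_rekey_ap(dev, apdev):
    """WPA2-Enterprise with EAP-GPSK and PTK rekey enforced by AP

    The AP is configured with a very short wpa_ptk_rekey interval so that it
    initiates a PTK rekey soon after the initial connection. The test waits
    for that second key negotiation to complete and then verifies that data
    connectivity still works over the rekeyed link.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Short rekey interval (presumably seconds) so the AP-driven rekey happens
    # well within the test's event timeout.
    params['wpa_ptk_rekey'] = '2'
    hapd = hostapd.add_ap(apdev[0], params)
    # The network id returned by eap_connect() is not needed here, so it is
    # deliberately not bound (avoids shadowing the builtin id()).
    eap_connect(dev[0], hapd, "GPSK", "gpsk user",
                password="abcdefghijklmnop0123456789abcdef")
    # eap_connect() already waited for the first handshake; this event is the
    # AP-enforced rekey.
    ev = dev[0].wait_event(["WPA: Key negotiation completed"])
    if ev is None:
        raise Exception("PTK rekey timed out")
    hwsim_utils.test_connectivity(dev[0], hapd)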
6453 def test_ap_wpa2_eap_wildcard_ssid(dev
, apdev
):
6454 """WPA2-Enterprise connection using EAP-GPSK and wildcard SSID"""
6455 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6456 hapd
= hostapd
.add_ap(apdev
[0], params
)
6457 dev
[0].connect(bssid
=apdev
[0]['bssid'], key_mgmt
="WPA-EAP", eap
="GPSK",
6458 identity
="gpsk user",
6459 password
="abcdefghijklmnop0123456789abcdef",
6462 def test_ap_wpa2_eap_psk_mac_addr_change(dev
, apdev
):
6463 """WPA2-Enterprise connection using EAP-PSK after MAC address change"""
6464 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6465 hapd
= hostapd
.add_ap(apdev
[0], params
)
6467 cmd
= subprocess
.Popen(['ps', '-eo', 'pid,command'], stdout
=subprocess
.PIPE
)
6468 res
= cmd
.stdout
.read().decode()
6471 for p
in res
.splitlines():
6472 if "wpa_supplicant" not in p
:
6474 if dev
[0].ifname
not in p
:
6476 pid
= int(p
.strip().split(' ')[0])
6478 logger
.info("Could not find wpa_supplicant PID")
6480 logger
.info("wpa_supplicant PID %d" % pid
)
6482 addr
= dev
[0].get_status_field("address")
6483 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'down'])
6484 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'address',
6485 '02:11:22:33:44:55'])
6486 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'up'])
6487 addr1
= dev
[0].get_status_field("address")
6488 if addr1
!= '02:11:22:33:44:55':
6489 raise Exception("Failed to change MAC address")
6491 # Scan using the externally set MAC address, stop the wpa_supplicant
6492 # process to avoid it from processing the ifdown event before the interface
6493 # is already UP, change the MAC address back, allow the wpa_supplicant
6494 # process to continue. This will result in the ifdown + ifup sequence of
6495 # RTM_NEWLINK events to be processed while the interface is already UP.
6497 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
6498 os
.kill(pid
, signal
.SIGSTOP
)
6501 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'down'])
6502 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'address',
6504 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'up'])
6506 os
.kill(pid
, signal
.SIGCONT
)
6508 eap_connect(dev
[0], hapd
, "PSK", "psk.user@example.com",
6509 password_hex
="0123456789abcdef0123456789abcdef")
6511 addr2
= dev
[0].get_status_field("address")
6513 raise Exception("Failed to restore MAC address")
def test_ap_wpa2_eap_server_get_id(dev, apdev):
    """Internal EAP server and dot1xAuthSessionUserName

    Authenticate with EAP-TLS against hostapd's built-in EAP server and check
    that the AP's per-station information reports the authenticated identity
    in dot1xAuthSessionUserName.
    """
    hapd = hostapd.add_ap(apdev[0], int_eap_server_params())
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    sta_info = hapd.get_sta(dev[0].own_addr())
    try:
        user = sta_info['dot1xAuthSessionUserName']
    except KeyError:
        raise Exception("No dot1xAuthSessionUserName included") from None
    # With the internal EAP server the reported name must be the EAP identity
    # that was used for the TLS authentication.
    if user != "tls user":
        raise Exception("Unexpected dot1xAuthSessionUserName value: " + user)
def test_ap_wpa2_radius_server_get_id(dev, apdev):
    """External RADIUS server and dot1xAuthSessionUserName

    Authenticate with EAP-TTLS/PAP through an external RADIUS server and check
    that the AP's per-station information carries the user name the server
    associated with the session ("real-user"), not the identity the station
    sent ("test-user").
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "TTLS", "test-user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    sta_info = hapd.get_sta(dev[0].own_addr())
    try:
        user = sta_info['dot1xAuthSessionUserName']
    except KeyError:
        raise Exception("No dot1xAuthSessionUserName included") from None
    # The expected value differs from the EAP identity; presumably the RADIUS
    # server returns it for the session and the AP must report that value.
    if user != "real-user":
        raise Exception("Unexpected dot1xAuthSessionUserName value: " + user)
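def test_openssl_systemwide_policy(dev, apdev, test_params):
    """OpenSSL systemwide policy and overrides

    Runs run_openssl_systemwide_policy() on a dedicated hwsim radio. That
    helper starts a separate wpa_supplicant process (with its pidfile in
    test_params['logdir']) under a custom OPENSSL_CONF; this wrapper is
    responsible for terminating that process afterwards.
    """
    prefix = "openssl_systemwide_policy"
    pidfile = os.path.join(test_params['logdir'], prefix + '.pid-wpas')

    try:
        with HWSimRadio() as (radio, iface):
            run_openssl_systemwide_policy(iface, apdev, test_params)
    finally:
        # Clean up on every exit path: the helper can raise (e.g. HwsimSkip
        # when the TLS library is not OpenSSL or the systemwide policy is not
        # supported) after the extra wpa_supplicant has already been started,
        # and without this the orphaned process would survive into later
        # tests. The pid is trusted from the test's own logdir; a process that
        # has already exited is the desired end state, so that case is only
        # logged.
        if os.path.exists(pidfile):
            with open(pidfile, 'r') as f:
                pid = int(f.read().strip())
            try:
                os.kill(pid, signal.SIGTERM)
            except ProcessLookupError:
                logger.info("wpa_supplicant PID %d already gone" % pid)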
6556 def write_openssl_cnf(cnf
, MinProtocol
=None, CipherString
=None):
6557 with
open(cnf
, "w") as f
:
6558 f
.write("""openssl_conf = default_conf
6562 system_default = system_default_sect
6563 [system_default_sect]
6566 f
.write("MinProtocol = %s\n" % MinProtocol
)
6568 f
.write("CipherString = %s\n" % CipherString
)
6570 def run_openssl_systemwide_policy(iface
, apdev
, test_params
):
6571 prefix
= "openssl_systemwide_policy"
6572 logfile
= os
.path
.join(test_params
['logdir'], prefix
+ '.log-wpas')
6573 pidfile
= os
.path
.join(test_params
['logdir'], prefix
+ '.pid-wpas')
6574 conffile
= os
.path
.join(test_params
['logdir'], prefix
+ '.conf')
6575 openssl_cnf
= os
.path
.join(test_params
['logdir'], prefix
+ '.openssl.cnf')
6577 write_openssl_cnf(openssl_cnf
, "TLSv1.2", "DEFAULT@SECLEVEL=2")
6579 with
open(conffile
, 'w') as f
:
6580 f
.write("ctrl_interface=DIR=/var/run/wpa_supplicant\n")
6582 params
= int_eap_server_params()
6583 params
['tls_flags'] = "[DISABLE-TLSv1.1][DISABLE-TLSv1.2][DISABLE-TLSv1.3]"
6585 hapd
= hostapd
.add_ap(apdev
[0], params
)
6587 prg
= os
.path
.join(test_params
['logdir'],
6588 'alt-wpa_supplicant/wpa_supplicant/wpa_supplicant')
6589 if not os
.path
.exists(prg
):
6590 prg
= '../../wpa_supplicant/wpa_supplicant'
6591 arg
= [ prg
, '-BddtK', '-P', pidfile
, '-f', logfile
,
6592 '-Dnl80211', '-c', conffile
, '-i', iface
]
6593 logger
.info("Start wpa_supplicant: " + str(arg
))
6594 subprocess
.call(arg
, env
={'OPENSSL_CONF': openssl_cnf
})
6595 wpas
= WpaSupplicant(ifname
=iface
)
6596 if "PONG" not in wpas
.request("PING"):
6597 raise Exception("Could not PING wpa_supplicant")
6598 tls
= wpas
.request("GET tls_library")
6599 if not tls
.startswith("OpenSSL"):
6600 raise HwsimSkip("Not using OpenSSL")
6602 # Use default configuration without any TLS version overrides. This should
6603 # end up using OpenSSL systemwide policy and result in failure to find a
6604 # compatible protocol version.
6605 ca_file
= os
.path
.join(os
.getcwd(), "auth_serv/ca.pem")
6606 id = wpas
.connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
6607 identity
="pap user", anonymous_identity
="ttls",
6608 password
="password", phase2
="auth=PAP",
6610 scan_freq
="2412", wait_connect
=False)
6611 ev
= wpas
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
6613 raise Exception("EAP not started")
6614 ev
= wpas
.wait_event(["CTRL-EVENT-EAP-STATUS status='local TLS alert'"],
6617 raise HwsimSkip("OpenSSL systemwide policy not supported")
6618 wpas
.request("DISCONNECT")
6619 wpas
.wait_disconnected()
6622 # Explicitly allow TLSv1.0 to be used to override OpenSSL systemwide policy
6623 wpas
.set_network_quoted(id, "openssl_ciphers", "DEFAULT@SECLEVEL=1")
6624 wpas
.set_network_quoted(id, "phase1", "tls_disable_tlsv1_0=0")
6625 wpas
.select_network(id, freq
="2412")
6626 wpas
.wait_connected()
6628 wpas
.request("TERMINATE")