]>
git.ipfire.org Git - thirdparty/hostap.git/blob - tests/hwsim/test_ieee8021x.py
2 # Copyright (c) 2013-2019, Jouni Malinen <j@w1.fi>
4 # This software may be distributed under the terms of the BSD license.
5 # See README for more details.
7 from remotehost
import remote_compatible
16 from utils
import skip_with_fips
17 from tshark
import run_tshark
19 logger
= logging
.getLogger()
21 def test_ieee8021x_wep104(dev
, apdev
):
22 """IEEE 802.1X connection using dynamic WEP104"""
23 skip_with_fips(dev
[0])
24 params
= hostapd
.radius_params()
25 params
["ssid"] = "ieee8021x-wep"
26 params
["ieee8021x"] = "1"
27 params
["wep_key_len_broadcast"] = "13"
28 params
["wep_key_len_unicast"] = "13"
29 hapd
= hostapd
.add_ap(apdev
[0], params
)
31 dev
[0].connect("ieee8021x-wep", key_mgmt
="IEEE8021X", eap
="PSK",
32 identity
="psk.user@example.com",
33 password_hex
="0123456789abcdef0123456789abcdef",
35 hwsim_utils
.test_connectivity(dev
[0], hapd
)
37 def test_ieee8021x_wep40(dev
, apdev
):
38 """IEEE 802.1X connection using dynamic WEP40"""
39 skip_with_fips(dev
[0])
40 params
= hostapd
.radius_params()
41 params
["ssid"] = "ieee8021x-wep"
42 params
["ieee8021x"] = "1"
43 params
["wep_key_len_broadcast"] = "5"
44 params
["wep_key_len_unicast"] = "5"
45 hapd
= hostapd
.add_ap(apdev
[0], params
)
47 dev
[0].connect("ieee8021x-wep", key_mgmt
="IEEE8021X", eap
="PSK",
48 identity
="psk.user@example.com",
49 password_hex
="0123456789abcdef0123456789abcdef",
51 hwsim_utils
.test_connectivity(dev
[0], hapd
)
53 def test_ieee8021x_wep_index_workaround(dev
, apdev
):
54 """IEEE 802.1X and EAPOL-Key index workaround"""
55 skip_with_fips(dev
[0])
56 params
= hostapd
.radius_params()
57 params
["ssid"] = "ieee8021x-wep"
58 params
["ieee8021x"] = "1"
59 params
["wep_key_len_broadcast"] = "5"
60 params
["eapol_key_index_workaround"] = "1"
61 hapd
= hostapd
.add_ap(apdev
[0], params
)
63 dev
[0].connect("ieee8021x-wep", key_mgmt
="IEEE8021X", eapol_flags
="1",
65 identity
="psk.user@example.com",
66 password_hex
="0123456789abcdef0123456789abcdef",
69 def test_ieee8021x_open(dev
, apdev
):
70 """IEEE 802.1X connection using open network"""
71 params
= hostapd
.radius_params()
72 params
["ssid"] = "ieee8021x-open"
73 params
["ieee8021x"] = "1"
74 hapd
= hostapd
.add_ap(apdev
[0], params
)
76 id = dev
[0].connect("ieee8021x-open", key_mgmt
="IEEE8021X", eapol_flags
="0",
77 eap
="PSK", identity
="psk.user@example.com",
78 password_hex
="0123456789abcdef0123456789abcdef",
80 hwsim_utils
.test_connectivity(dev
[0], hapd
)
82 logger
.info("Test EAPOL-Logoff")
83 dev
[0].request("LOGOFF")
84 ev
= dev
[0].wait_event(["CTRL-EVENT-DISCONNECTED"])
86 raise Exception("Did not get disconnected")
87 if "reason=23" not in ev
:
88 raise Exception("Unexpected disconnection reason")
90 dev
[0].request("LOGON")
91 dev
[0].connect_network(id)
92 hwsim_utils
.test_connectivity(dev
[0], hapd
)
94 def test_ieee8021x_static_wep40(dev
, apdev
):
95 """IEEE 802.1X connection using static WEP40"""
96 run_static_wep(dev
, apdev
, '"hello"')
98 def test_ieee8021x_static_wep104(dev
, apdev
):
99 """IEEE 802.1X connection using static WEP104"""
100 run_static_wep(dev
, apdev
, '"hello-there-/"')
102 def run_static_wep(dev
, apdev
, key
):
103 params
= hostapd
.radius_params()
104 params
["ssid"] = "ieee8021x-wep"
105 params
["ieee8021x"] = "1"
106 params
["wep_key0"] = key
107 hapd
= hostapd
.add_ap(apdev
[0], params
)
109 dev
[0].connect("ieee8021x-wep", key_mgmt
="IEEE8021X", eap
="PSK",
110 identity
="psk.user@example.com",
111 password_hex
="0123456789abcdef0123456789abcdef",
112 wep_key0
=key
, eapol_flags
="0",
114 hwsim_utils
.test_connectivity(dev
[0], hapd
)
116 def test_ieee8021x_proto(dev
, apdev
):
117 """IEEE 802.1X and EAPOL supplicant protocol testing"""
118 params
= hostapd
.radius_params()
119 params
["ssid"] = "ieee8021x-open"
120 params
["ieee8021x"] = "1"
121 hapd
= hostapd
.add_ap(apdev
[0], params
)
122 bssid
= apdev
[0]['bssid']
124 dev
[1].request("SET ext_eapol_frame_io 1")
125 dev
[1].connect("ieee8021x-open", key_mgmt
="IEEE8021X", eapol_flags
="0",
126 eap
="PSK", identity
="psk.user@example.com",
127 password_hex
="0123456789abcdef0123456789abcdef",
128 scan_freq
="2412", wait_connect
=False)
129 id = dev
[0].connect("ieee8021x-open", key_mgmt
="IEEE8021X", eapol_flags
="0",
130 eap
="PSK", identity
="psk.user@example.com",
131 password_hex
="0123456789abcdef0123456789abcdef",
133 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=5)
135 start
= dev
[0].get_mib()
139 "020000050a93000501",
140 "020300050a93000501",
141 "0203002c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
142 "0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
143 "0203002c0100050000000000000000000000000000000000000000000000000000000000000000000000000000000000",
144 "02aa00050a93000501"]
146 res
= dev
[0].request("EAPOL_RX " + bssid
+ " " + frame
)
148 raise Exception("EAPOL_RX to wpa_supplicant failed")
149 dev
[1].request("EAPOL_RX " + bssid
+ " " + frame
)
151 stop
= dev
[0].get_mib()
153 logger
.info("MIB before test frames: " + str(start
))
154 logger
.info("MIB after test frames: " + str(stop
))
156 vals
= ['dot1xSuppInvalidEapolFramesRx',
157 'dot1xSuppEapLengthErrorFramesRx']
159 if int(stop
[val
]) <= int(start
[val
]):
160 raise Exception(val
+ " did not increase")
163 def test_ieee8021x_eapol_start(dev
, apdev
):
164 """IEEE 802.1X and EAPOL-Start retransmissions"""
165 params
= hostapd
.radius_params()
166 params
["ssid"] = "ieee8021x-open"
167 params
["ieee8021x"] = "1"
168 hapd
= hostapd
.add_ap(apdev
[0], params
)
169 bssid
= apdev
[0]['bssid']
170 addr0
= dev
[0].own_addr()
172 hapd
.set("ext_eapol_frame_io", "1")
174 dev
[0].request("SET EAPOL::startPeriod 1")
175 dev
[0].request("SET EAPOL::maxStart 1")
176 dev
[0].connect("ieee8021x-open", key_mgmt
="IEEE8021X", eapol_flags
="0",
177 eap
="PSK", identity
="psk.user@example.com",
178 password_hex
="0123456789abcdef0123456789abcdef",
179 scan_freq
="2412", wait_connect
=False)
182 pae
= dev
[0].get_status_field('Supplicant PAE state')
184 mib
= hapd
.get_sta(addr0
, info
="eapol")
185 if mib
['auth_pae_state'] != 'AUTHENTICATING':
186 raise Exception("Unexpected Auth PAE state: " + mib
['auth_pae_state'])
191 raise Exception("PAE state HELD not reached")
192 dev
[0].wait_disconnected()
194 dev
[0].request("SET EAPOL::startPeriod 30")
195 dev
[0].request("SET EAPOL::maxStart 3")
197 def test_ieee8021x_held(dev
, apdev
):
198 """IEEE 802.1X and HELD state"""
199 params
= hostapd
.radius_params()
200 params
["ssid"] = "ieee8021x-open"
201 params
["ieee8021x"] = "1"
202 hapd
= hostapd
.add_ap(apdev
[0], params
)
203 bssid
= apdev
[0]['bssid']
205 hapd
.set("ext_eapol_frame_io", "1")
207 dev
[0].request("SET EAPOL::startPeriod 1")
208 dev
[0].request("SET EAPOL::maxStart 0")
209 dev
[0].request("SET EAPOL::heldPeriod 1")
210 dev
[0].connect("ieee8021x-open", key_mgmt
="IEEE8021X", eapol_flags
="0",
211 eap
="PSK", identity
="psk.user@example.com",
212 password_hex
="0123456789abcdef0123456789abcdef",
213 scan_freq
="2412", wait_connect
=False)
216 pae
= dev
[0].get_status_field('Supplicant PAE state')
222 raise Exception("PAE state HELD not reached")
224 hapd
.set("ext_eapol_frame_io", "0")
226 pae
= dev
[0].get_status_field('Supplicant PAE state')
232 raise Exception("PAE state HELD not left")
233 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
234 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
236 raise Exception("Connection timed out")
237 if "CTRL-EVENT-DISCONNECTED" in ev
:
238 raise Exception("Unexpected disconnection")
240 dev
[0].request("SET EAPOL::startPeriod 30")
241 dev
[0].request("SET EAPOL::maxStart 3")
242 dev
[0].request("SET EAPOL::heldPeriod 60")
244 def send_eapol_key(dev
, bssid
, signkey
, frame_start
, frame_end
):
245 zero_sign
= "00000000000000000000000000000000"
246 frame
= frame_start
+ zero_sign
+ frame_end
247 hmac_obj
= hmac
.new(binascii
.unhexlify(signkey
))
248 hmac_obj
.update(binascii
.unhexlify(frame
))
249 sign
= hmac_obj
.digest()
250 frame
= frame_start
+ binascii
.hexlify(sign
).decode() + frame_end
251 dev
.request("EAPOL_RX " + bssid
+ " " + frame
)
253 def test_ieee8021x_eapol_key(dev
, apdev
):
254 """IEEE 802.1X connection and EAPOL-Key protocol tests"""
255 skip_with_fips(dev
[0])
256 params
= hostapd
.radius_params()
257 params
["ssid"] = "ieee8021x-wep"
258 params
["ieee8021x"] = "1"
259 params
["wep_key_len_broadcast"] = "5"
260 params
["wep_key_len_unicast"] = "5"
261 hapd
= hostapd
.add_ap(apdev
[0], params
)
262 bssid
= apdev
[0]['bssid']
264 dev
[0].connect("ieee8021x-wep", key_mgmt
="IEEE8021X", eap
="VENDOR-TEST",
265 identity
="vendor-test", scan_freq
="2412")
267 # Hardcoded MSK from VENDOR-TEST
268 encrkey
= "1111111111111111111111111111111111111111111111111111111111111111"
269 signkey
= "2222222222222222222222222222222222222222222222222222222222222222"
271 # EAPOL-Key replay counter does not increase
272 send_eapol_key(dev
[0], bssid
, signkey
,
273 "02030031" + "010005" + "0000000000000000" + "056c22d109f29d4d9fb9b9ccbad33283" + "02",
276 # EAPOL-Key too large Key Length field value
277 send_eapol_key(dev
[0], bssid
, signkey
,
278 "02030031" + "010021" + "ffffffffffffffff" + "056c22d109f29d4d9fb9b9ccbad33283" + "02",
281 # EAPOL-Key too much key data
282 send_eapol_key(dev
[0], bssid
, signkey
,
283 "0203004d" + "010005" + "ffffffffffffffff" + "056c22d109f29d4d9fb9b9ccbad33283" + "02",
286 # EAPOL-Key too little key data
287 send_eapol_key(dev
[0], bssid
, signkey
,
288 "02030030" + "010005" + "ffffffffffffffff" + "056c22d109f29d4d9fb9b9ccbad33283" + "02",
291 # EAPOL-Key with no key data and too long WEP key length
292 send_eapol_key(dev
[0], bssid
, signkey
,
293 "0203002c" + "010020" + "ffffffffffffffff" + "056c22d109f29d4d9fb9b9ccbad33283" + "02",
296 def test_ieee8021x_reauth(dev
, apdev
):
297 """IEEE 802.1X and EAPOL_REAUTH request"""
298 params
= hostapd
.radius_params()
299 params
["ssid"] = "ieee8021x-open"
300 params
["ieee8021x"] = "1"
301 hapd
= hostapd
.add_ap(apdev
[0], params
)
303 dev
[0].connect("ieee8021x-open", key_mgmt
="IEEE8021X", eapol_flags
="0",
304 eap
="PSK", identity
="psk.user@example.com",
305 password_hex
="0123456789abcdef0123456789abcdef",
308 hapd
.request("EAPOL_REAUTH " + dev
[0].own_addr())
309 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=5)
311 raise Exception("EAP authentication did not start")
312 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=5)
314 raise Exception("EAP authentication did not succeed")
316 hwsim_utils
.test_connectivity(dev
[0], hapd
)
318 def test_ieee8021x_reauth_wep(dev
, apdev
, params
):
319 """IEEE 802.1X and EAPOL_REAUTH request with WEP"""
320 logdir
= params
['logdir']
322 params
= hostapd
.radius_params()
323 params
["ssid"] = "ieee8021x-open"
324 params
["ieee8021x"] = "1"
325 params
["wep_key_len_broadcast"] = "13"
326 params
["wep_key_len_unicast"] = "13"
327 hapd
= hostapd
.add_ap(apdev
[0], params
)
329 dev
[0].connect("ieee8021x-open", key_mgmt
="IEEE8021X",
330 eap
="PSK", identity
="psk.user@example.com",
331 password_hex
="0123456789abcdef0123456789abcdef",
333 hwsim_utils
.test_connectivity(dev
[0], hapd
)
335 hapd
.request("EAPOL_REAUTH " + dev
[0].own_addr())
336 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=5)
338 raise Exception("EAP authentication did not start")
339 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=5)
341 raise Exception("EAP authentication did not succeed")
343 hwsim_utils
.test_connectivity(dev
[0], hapd
)
345 out
= run_tshark(os
.path
.join(logdir
, "hwsim0.pcapng"),
346 "llc.type == 0x888e", ["eapol.type", "eap.code"])
348 raise Exception("Could not find EAPOL frames in capture")
352 for line
in out
.splitlines():
356 if vals
[0] == '0' and len(vals
) == 2:
361 logger
.info("num_eapol_key: %d" % num_eapol_key
)
362 logger
.info("num_eap_req: %d" % num_eap_req
)
363 logger
.info("num_eap_resp: %d" % num_eap_resp
)
364 if num_eapol_key
< 4:
365 raise Exception("Did not see four unencrypted EAPOL-Key frames")
367 raise Exception("Did not see six unencrypted EAP-Request frames")
369 raise Exception("Did not see six unencrypted EAP-Response frames")
371 def test_ieee8021x_set_conf(dev
, apdev
):
372 """IEEE 802.1X and EAPOL_SET command"""
373 params
= hostapd
.radius_params()
374 params
["ssid"] = "ieee8021x-open"
375 params
["ieee8021x"] = "1"
376 hapd
= hostapd
.add_ap(apdev
[0], params
)
378 dev
[0].connect("ieee8021x-open", key_mgmt
="IEEE8021X", eapol_flags
="0",
379 eap
="PSK", identity
="psk.user@example.com",
380 password_hex
="0123456789abcdef0123456789abcdef",
383 addr0
= dev
[0].own_addr()
384 tests
= ["EAPOL_SET 1",
385 "EAPOL_SET %sfoo bar" % addr0
,
386 "EAPOL_SET %s foo" % addr0
,
387 "EAPOL_SET %s foo bar" % addr0
,
388 "EAPOL_SET %s AdminControlledDirections bar" % addr0
,
389 "EAPOL_SET %s AdminControlledPortControl bar" % addr0
,
390 "EAPOL_SET %s reAuthEnabled bar" % addr0
,
391 "EAPOL_SET %s KeyTransmissionEnabled bar" % addr0
,
392 "EAPOL_SET 11:22:33:44:55:66 AdminControlledDirections Both"]
394 if "FAIL" not in hapd
.request(t
):
395 raise Exception("Invalid EAPOL_SET command accepted: " + t
)
397 tests
= [("AdminControlledDirections", "adminControlledDirections", "In"),
398 ("AdminControlledDirections", "adminControlledDirections",
400 ("quietPeriod", "quietPeriod", "13"),
401 ("serverTimeout", "serverTimeout", "7"),
402 ("reAuthPeriod", "reAuthPeriod", "1234"),
403 ("reAuthEnabled", "reAuthEnabled", "FALSE"),
404 ("reAuthEnabled", "reAuthEnabled", "TRUE"),
405 ("KeyTransmissionEnabled", "keyTxEnabled", "TRUE"),
406 ("KeyTransmissionEnabled", "keyTxEnabled", "FALSE"),
407 ("AdminControlledPortControl", "portControl", "ForceAuthorized"),
408 ("AdminControlledPortControl", "portControl",
409 "ForceUnauthorized"),
410 ("AdminControlledPortControl", "portControl", "Auto")]
411 for param
, mibparam
, val
in tests
:
412 if "OK" not in hapd
.request("EAPOL_SET %s %s %s" % (addr0
, param
, val
)):
413 raise Exception("Failed to set %s %s" % (param
, val
))
414 mib
= hapd
.get_sta(addr0
, info
="eapol")
415 if mib
[mibparam
] != val
:
416 raise Exception("Unexpected %s value: %s (expected %s)" % (param
, mib
[mibparam
], val
))
417 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=5)
419 raise Exception("EAP authentication did not succeed")
421 hwsim_utils
.test_connectivity(dev
[0], hapd
)
423 def test_ieee8021x_auth_awhile(dev
, apdev
):
424 """IEEE 802.1X and EAPOL Authenticator aWhile handling"""
425 params
= hostapd
.radius_params()
426 params
["ssid"] = "ieee8021x-open"
427 params
["ieee8021x"] = "1"
428 params
['auth_server_port'] = "18129"
429 hapd
= hostapd
.add_ap(apdev
[0], params
)
430 bssid
= apdev
[0]['bssid']
431 addr0
= dev
[0].own_addr()
434 params
['ssid'] = 'as'
435 params
['beacon_int'] = '2000'
436 params
['radius_server_clients'] = 'auth_serv/radius_clients.conf'
437 params
['radius_server_auth_port'] = '18129'
438 params
['eap_server'] = '1'
439 params
['eap_user_file'] = 'auth_serv/eap_user.conf'
440 params
['ca_cert'] = 'auth_serv/ca.pem'
441 params
['server_cert'] = 'auth_serv/server.pem'
442 params
['private_key'] = 'auth_serv/server.key'
443 hapd1
= hostapd
.add_ap(apdev
[1], params
)
445 dev
[0].connect("ieee8021x-open", key_mgmt
="IEEE8021X", eapol_flags
="0",
446 eap
="PSK", identity
="psk.user@example.com",
447 password_hex
="0123456789abcdef0123456789abcdef",
450 if "OK" not in hapd
.request("EAPOL_SET %s serverTimeout 1" % addr0
):
451 raise Exception("Failed to set serverTimeout")
452 hapd
.request("EAPOL_REAUTH " + dev
[0].own_addr())
453 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=5)
456 mib
= hapd
.get_sta(addr0
, info
="eapol")
457 val
= int(mib
['aWhile'])
462 raise Exception("aWhile did not increase")
466 mib
= hapd
.get_sta(addr0
, info
="eapol")
467 val
= int(mib
['aWhile'])
471 ev
= hapd
.wait_event(["CTRL-EVENT-EAP-PROPOSED"], timeout
=10)
473 raise Exception("Authentication restart not seen")
475 def test_ieee8021x_open_leap(dev
, apdev
):
476 """IEEE 802.1X connection with LEAP included in configuration"""
477 params
= hostapd
.radius_params()
478 params
["ssid"] = "ieee8021x-open"
479 params
["ieee8021x"] = "1"
480 hapd
= hostapd
.add_ap(apdev
[0], params
)
482 dev
[1].connect("ieee8021x-open", key_mgmt
="IEEE8021X", eapol_flags
="0",
483 eap
="LEAP", identity
="psk.user@example.com",
484 password_hex
="0123456789abcdef0123456789abcdef",
485 scan_freq
="2412", wait_connect
=False)
486 dev
[0].connect("ieee8021x-open", key_mgmt
="IEEE8021X", eapol_flags
="0",
487 eap
="PSK LEAP", identity
="psk.user@example.com",
488 password_hex
="0123456789abcdef0123456789abcdef",
490 ev
= dev
[1].wait_event(["CTRL-EVENT-AUTH-REJECT"], timeout
=5)
491 dev
[1].request("DISCONNECT")
493 def test_ieee8021x_and_wpa_enabled(dev
, apdev
):
494 """IEEE 802.1X connection using dynamic WEP104 when WPA enabled"""
495 skip_with_fips(dev
[0])
496 params
= hostapd
.radius_params()
497 params
["ssid"] = "ieee8021x-wep"
498 params
["ieee8021x"] = "1"
499 params
["wep_key_len_broadcast"] = "13"
500 params
["wep_key_len_unicast"] = "13"
501 hapd
= hostapd
.add_ap(apdev
[0], params
)
503 dev
[0].connect("ieee8021x-wep", key_mgmt
="IEEE8021X WPA-EAP", eap
="PSK",
504 identity
="psk.user@example.com",
505 password_hex
="0123456789abcdef0123456789abcdef",
507 hwsim_utils
.test_connectivity(dev
[0], hapd
)