X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=tests%2Fhwsim%2Ftest_ap_eap.py;h=da1d2e3c407d259bdd4124d2850a5c00950de988;hb=8eb45bde3814504e3242e2c6c24bd6440312fae6;hp=2c7295daf82384b815040fcf55f9ba6c1ec4edaf;hpb=f9dd43eac2b287260a100330bf93a9f70a50e97b;p=thirdparty%2Fhostap.git diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py index 2c7295daf..da1d2e3c4 100644 --- a/tests/hwsim/test_ap_eap.py +++ b/tests/hwsim/test_ap_eap.py @@ -12,10 +12,12 @@ import subprocess import logging logger = logging.getLogger() import os +import socket +import SocketServer import hwsim_utils import hostapd -from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips +from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips, wait_fail_trigger from wpasupplicant import WpaSupplicant from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations @@ -38,6 +40,16 @@ def check_altsubject_match_support(dev): if not tls.startswith("OpenSSL"): raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls) +def check_domain_match(dev): + tls = dev.request("GET tls_library") + if tls.startswith("internal"): + raise HwsimSkip("domain_match not supported with this TLS library: " + tls) + +def check_domain_suffix_match(dev): + tls = dev.request("GET tls_library") + if tls.startswith("internal"): + raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + tls) + def check_domain_match_full(dev): tls = dev.request("GET tls_library") if not tls.startswith("OpenSSL"): 
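Review bot: `import socket` is added at module level in the first hunk, but as far as this diff shows no added code uses the module; the only `socket` names introduced are the locals `socket = self.request[1]` in the two request handlers of `test_ap_wpa2_eap_sim_db` (last hunk), which shadow the import inside those handlers. Either drop the import or rename the handler locals, e.g. `sock = self.request[1]`, so a later reader does not assume the module is in use. `SocketServer` is the Python 2 spelling of the module (`socketserver` on Python 3); a one-line comment on the import noting that dependency would save a future port some searching.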
@@ -45,13 +57,25 @@ def check_domain_match_full(dev): def check_cert_probe_support(dev): tls = dev.request("GET tls_library") - if not tls.startswith("OpenSSL"): + if not tls.startswith("OpenSSL") and not tls.startswith("internal"): raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls) def check_ocsp_support(dev): tls = dev.request("GET tls_library") - if "BoringSSL" in tls: + if tls.startswith("internal"): raise HwsimSkip("OCSP not supported with this TLS library: " + tls) + #if "BoringSSL" in tls: + # raise HwsimSkip("OCSP not supported with this TLS library: " + tls) + +def check_pkcs12_support(dev): + tls = dev.request("GET tls_library") + if tls.startswith("internal"): + raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls) + +def check_dh_dsa_support(dev): + tls = dev.request("GET tls_library") + if tls.startswith("internal"): + raise HwsimSkip("DH DSA not supported with this TLS library: " + tls) def read_pem(fname): with open(fname, "r") as f: @@ -615,6 +639,7 @@ def _test_ap_wpa2_eap_aka_ext(dev, apdev): dev[0].request("DISCONNECT") dev[0].wait_disconnected() time.sleep(0.1) + dev[0].dump_monitor() dev[0].select_network(id, freq="2412") ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15) @@ -643,6 +668,7 @@ def _test_ap_wpa2_eap_aka_ext(dev, apdev): dev[0].request("DISCONNECT") dev[0].wait_disconnected() time.sleep(0.1) + dev[0].dump_monitor() tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344", ":UMTS-AUTH:34", @@ -669,6 +695,7 @@ def _test_ap_wpa2_eap_aka_ext(dev, apdev): dev[0].request("DISCONNECT") dev[0].wait_disconnected() time.sleep(0.1) + dev[0].dump_monitor() def test_ap_wpa2_eap_aka_prime(dev, apdev): """WPA2-Enterprise connection using EAP-AKA'""" 
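Review bot: `check_ocsp_support` keeps the old BoringSSL skip as commented-out code (`#if "BoringSSL" in tls:` / `# raise HwsimSkip(...)`) directly after the new internal-TLS check; parked code in a capability probe tends to outlive the reason it was parked and leaves the next reader unsure whether BoringSSL is expected to pass or merely untested. Either delete the two lines or replace them with a one-line statement of intent, e.g. `# Only the internal TLS library lacks OCSP support; BoringSSL is expected to pass` if that is indeed the reason for the change. The same hunk relaxes `check_cert_probe_support` to accept the internal library, so the two probes are now consistent in what they skip, which is worth a word in the commit message.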
@@ -832,6 +859,7 @@ def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev): def test_ap_wpa2_eap_ttls_mschap(dev, apdev): """WPA2-Enterprise connection using EAP-TTLS/MSCHAP""" skip_with_fips(dev[0]) + check_domain_suffix_match(dev[0]) params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") hapd = hostapd.add_ap(apdev[0]['ifname'], params) eap_connect(dev[0], apdev[0], "TTLS", "mschap user", @@ -866,6 +894,7 @@ def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev): def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev): """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2""" + check_domain_suffix_match(dev[0]) check_eap_capa(dev[0], "MSCHAPV2") params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") hostapd.add_ap(apdev[0]['ifname'], params) @@ -910,6 +939,7 @@ def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev): def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev): """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)""" + check_domain_match(dev[0]) skip_with_fips(dev[0]) params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") hostapd.add_ap(apdev[0]['ifname'], params) @@ -948,6 +978,17 @@ def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev): anonymous_identity="ttls", password_hex="hash:bd5844fad2489992da7fe8c5a01559cf", ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2") + for p in [ "80", "41c041e04141e041", 257*"41" ]: + dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", + eap="TTLS", identity="utf8-user-hash", + anonymous_identity="ttls", password_hex=p, + ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2", + wait_connect=False, scan_freq="2412") + ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1) + if ev is None: + raise Exception("No failure reported") + dev[2].request("REMOVE_NETWORK all") + dev[2].wait_disconnected() def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev): """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC""" 
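Review bot: The new `password_hex` loop in `test_ap_wpa2_eap_ttls_mschapv2_utf8` waits only `timeout=1` for `CTRL-EVENT-EAP-FAILURE`, while comparable waits elsewhere in this diff use 10 to 15 seconds, so a slow hwsim run will report "No failure reported" for a case that merely had not finished. Nothing records why `"80"`, `"41c041e04141e041"` and `257*"41"` are expected to be rejected; they look like malformed UTF-8 byte sequences plus an over-long password, but that is inferred rather than visible here. Raise the timeout to match the rest of the file and add a comment on the list, e.g. `# invalid UTF-8 password bytes and an over-long password must be rejected by MSCHAPv2 — confirm against the conversion code`.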
@@ -1305,6 +1346,24 @@ def test_ap_wpa2_eap_tls(dev, apdev): private_key="auth_serv/user.key") eap_reauth(dev[0], "TLS") +def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev): + """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key""" + params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") + hostapd.add_ap(apdev[0]['ifname'], params) + eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem", + client_cert="auth_serv/user.pem", + private_key="auth_serv/user.key.pkcs8", + private_key_passwd="whatever") + +def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev): + """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key""" + params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") + hostapd.add_ap(apdev[0]['ifname'], params) + eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem", + client_cert="auth_serv/user.pem", + private_key="auth_serv/user.key.pkcs8.pkcs5v15", + private_key_passwd="whatever") + def test_ap_wpa2_eap_tls_blob(dev, apdev): """WPA2-Enterprise connection using EAP-TLS and config blobs""" params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") @@ -1324,6 +1383,7 @@ def test_ap_wpa2_eap_tls_blob(dev, apdev): def test_ap_wpa2_eap_tls_pkcs12(dev, apdev): """WPA2-Enterprise connection using EAP-TLS and PKCS#12""" + check_pkcs12_support(dev[0]) params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") hostapd.add_ap(apdev[0]['ifname'], params) eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem", @@ -1361,6 +1421,7 @@ def test_ap_wpa2_eap_tls_pkcs12(dev, apdev): def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev): """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob""" + check_pkcs12_support(dev[0]) params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") hostapd.add_ap(apdev[0]['ifname'], params) cert = read_pem("auth_serv/ca.pem") 
@@ -1513,6 +1574,7 @@ def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev): def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev): """WPA2-Enterprise negative test - domain suffix mismatch""" + check_domain_suffix_match(dev[0]) params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") hostapd.add_ap(apdev[0]['ifname'], params) dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS", @@ -1566,6 +1628,7 @@ def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev): def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev): """WPA2-Enterprise negative test - domain mismatch""" + check_domain_match(dev[0]) params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") hostapd.add_ap(apdev[0]['ifname'], params) dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS", @@ -1760,7 +1823,7 @@ def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev): """WPA2-Enterprise connection using EAP-TTLS and server certificate hash""" check_cert_probe_support(dev[0]) skip_with_fips(dev[0]) - srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd" + srv_cert_hash = "e75bd454c7b02d312e5006d75067c28ffa5baea422effeb2bbd572179cd000ca" params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") hostapd.add_ap(apdev[0]['ifname'], params) dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS", 
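Review bot: The replacement `srv_cert_hash` in `test_ap_wpa2_eap_ttls_server_cert_hash` is a bare 64-hex literal with nothing saying which certificate it is the SHA-256 of or how it was produced, so the next time the test server certificate is regenerated the failure will look like a product regression rather than a fixture rotation. Add a provenance comment above the assignment, e.g. `# SHA-256 of <server certificate used by hostapd.wpa2_eap_params>; regenerate whenever the auth_serv certificates are rotated`, with the real path filled in. The enclosing function continues past the hunk.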
@@ -1873,18 +1936,27 @@ def test_ap_wpa2_eap_pwd_groups(dev, apdev): params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP", "rsn_pairwise": "CCMP", "ieee8021x": "1", "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" } - for i in [ 19, 20, 21, 25, 26 ]: + groups = [ 19, 20, 21, 25, 26 ] + if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls: + logger.info("Add Brainpool EC groups since OpenSSL is new enough") + groups += [ 27, 28, 29, 30 ] + for i in groups: + logger.info("Group %d" % i) params['pwd_group'] = str(i) hostapd.add_ap(apdev[0]['ifname'], params) - dev[0].request("REMOVE_NETWORK all") try: eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password") + dev[0].request("REMOVE_NETWORK all") + dev[0].wait_disconnected() + dev[0].dump_monitor() except: if "BoringSSL" in tls and i in [ 25 ]: logger.info("Ignore connection failure with group %d with BoringSSL" % i) dev[0].request("DISCONNECT") time.sleep(0.1) + dev[0].request("REMOVE_NETWORK all") + dev[0].dump_monitor() continue raise 
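Review bot: The Brainpool guard in `test_ap_wpa2_eap_pwd_groups` matches the literal substring `OpenSSL 1.0.2` in both the build and run strings, so any later OpenSSL (1.0.3, 1.1.x, 3.x) silently drops groups 27–30 from the run even though the log line says the groups are added because OpenSSL is "new enough". If a minimum version is intended, compare a parsed version instead of a substring; otherwise document the exact-match behaviour, e.g. `# Brainpool groups are enabled only for the exact OpenSSL 1.0.2 build/run pair`. The pre-existing bare `except:` now also covers the new `REMOVE_NETWORK`/`wait_disconnected`/`dump_monitor` calls moved inside the `try`, so a failure there is misreported as a connection failure for the group; `except Exception:` would at least keep KeyboardInterrupt working. `tls` is presumably assigned earlier in the function, outside the hunk.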
@@ -2269,6 +2341,36 @@ def test_ap_wpa2_eap_interactive(dev, apdev): dev[0].wait_connected(timeout=10) dev[0].request("REMOVE_NETWORK all") +def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev): + """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK""" + check_eap_capa(dev[0], "MSCHAPV2") + params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") + hostapd.add_ap(apdev[0]['ifname'], params) + hapd = hostapd.Hostapd(apdev[0]['ifname']) + + id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412", + only_add_network=True) + + req_id = "DOMAIN\mschapv2 user" + dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS", + anonymous_identity="ttls", identity=None, + password="password", + ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2", + wait_connect=False, scan_freq="2412") + ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"]) + if ev is None: + raise Exception("Request for identity timed out") + id = ev.split(':')[0].split('-')[-1] + dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id) + dev[0].wait_connected(timeout=10) + + if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)): + raise Exception("Failed to enable network") + ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1) + if ev is not None: + raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK") + dev[0].request("REMOVE_NETWORK all") + def test_ap_wpa2_eap_vendor_test(dev, apdev): """WPA2-Enterprise connection using EAP vendor test""" params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") 
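Review bot: `req_id = "DOMAIN\mschapv2 user"` in the new `test_ap_wpa2_eap_ext_enable_network_while_connected` relies on `\m` being an unrecognised escape that Python leaves as a literal backslash; newer interpreters warn on this and it is easy to misread as an intended escape. Make it a raw string: `req_id = r"DOMAIN\mschapv2 user"`. `hapd = hostapd.Hostapd(apdev[0]['ifname'])` is assigned but never used in the function and can be dropped, and `dev[0].wait_event(["CTRL-REQ-IDENTITY"])` is the only wait in the test without an explicit timeout, unlike the other waits in this diff.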
@@ -2415,9 +2517,18 @@ def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev): def test_ap_wpa2_eap_fast_prf_oom(dev, apdev): """WPA2-Enterprise connection using EAP-FAST and OOM in PRF""" check_eap_capa(dev[0], "FAST") + tls = dev[0].request("GET tls_library") + if tls.startswith("OpenSSL"): + func = "openssl_tls_prf" + count = 2 + elif tls.startswith("internal"): + func = "tls_connection_prf" + count = 1 + else: + raise HwsimSkip("Unsupported TLS library") params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") hapd = hostapd.add_ap(apdev[0]['ifname'], params) - with alloc_fail(dev[0], 2, "openssl_tls_prf"): + with alloc_fail(dev[0], count, func): dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST", identity="user", anonymous_identity="FAST", password="password", ca_cert="auth_serv/ca.pem", 
@@ -2474,6 +2585,110 @@ def int_eap_server_params(): "private_key": "auth_serv/server.key" } return params +def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params): + """EAP-TLS and CA signed OCSP response (good)""" + check_ocsp_support(dev[0]) + ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der") + if not os.path.exists(ocsp): + raise HwsimSkip("No OCSP response available") + params = int_eap_server_params() + params["ocsp_stapling_response"] = ocsp + hostapd.add_ap(apdev[0]['ifname'], params) + dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS", + identity="tls user", ca_cert="auth_serv/ca.pem", + private_key="auth_serv/user.pkcs12", + private_key_passwd="whatever", ocsp=2, + scan_freq="2412") + +def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params): + """EAP-TLS and CA signed OCSP response (revoked)""" + check_ocsp_support(dev[0]) + ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der") + if not os.path.exists(ocsp): + raise HwsimSkip("No OCSP response available") + params = int_eap_server_params() + params["ocsp_stapling_response"] = ocsp + hostapd.add_ap(apdev[0]['ifname'], params) + dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS", + identity="tls user", ca_cert="auth_serv/ca.pem", + private_key="auth_serv/user.pkcs12", + private_key_passwd="whatever", ocsp=2, + wait_connect=False, scan_freq="2412") + count = 0 + while True: + ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"]) + if ev is None: + raise Exception("Timeout on EAP status") + if 'bad certificate status response' in ev: + break + if 'certificate revoked' in ev: + break + count = count + 1 + if count > 10: + raise Exception("Unexpected number of EAP status messages") + + ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) + if ev is None: + raise Exception("Timeout on EAP failure report") + +def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params): + """EAP-TLS and CA signed OCSP response (unknown)""" + 
check_ocsp_support(dev[0])
+ ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
+ if not os.path.exists(ocsp):
+ raise HwsimSkip("No OCSP response available")
+ params = int_eap_server_params()
+ params["ocsp_stapling_response"] = ocsp
+ hostapd.add_ap(apdev[0]['ifname'], params)
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
+ identity="tls user", ca_cert="auth_serv/ca.pem",
+ private_key="auth_serv/user.pkcs12",
+ private_key_passwd="whatever", ocsp=2,
+ wait_connect=False, scan_freq="2412")
+ count = 0
+ while True:
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
+ if ev is None:
+ raise Exception("Timeout on EAP status")
+ if 'bad certificate status response' in ev:
+ break
+ count = count + 1
+ if count > 10:
+ raise Exception("Unexpected number of EAP status messages")
+
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
+ if ev is None:
+ raise Exception("Timeout on EAP failure report")
+
+def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
+ """EAP-TLS and server signed OCSP response"""
+ check_ocsp_support(dev[0])
+ ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
+ if not os.path.exists(ocsp):
+ raise HwsimSkip("No OCSP response available")
+ params = int_eap_server_params()
+ params["ocsp_stapling_response"] = ocsp
+ hostapd.add_ap(apdev[0]['ifname'], params)
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
+ identity="tls user", ca_cert="auth_serv/ca.pem",
+ private_key="auth_serv/user.pkcs12",
+ private_key_passwd="whatever", ocsp=2,
+ wait_connect=False, scan_freq="2412")
+ count = 0
+ while True:
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
+ if ev is None:
+ raise Exception("Timeout on EAP status")
+ if 'bad certificate status response' in ev:
+ break
+ count = count + 1
+ if count > 10:
+ raise Exception("Unexpected number of EAP status messages")
+
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
+ if ev is None:
+ raise Exception("Timeout on 
EAP failure report") + def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev): """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data""" check_ocsp_support(dev[0]) @@ -2627,6 +2842,7 @@ def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params): def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev): """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)""" + check_domain_match_full(dev[0]) params = int_eap_server_params() params["server_cert"] = "auth_serv/server-no-dnsname.pem" params["private_key"] = "auth_serv/server-no-dnsname.key" @@ -2640,6 +2856,7 @@ def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev): def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev): """WPA2-Enterprise using EAP-TLS and domainmatch (CN)""" + check_domain_match(dev[0]) params = int_eap_server_params() params["server_cert"] = "auth_serv/server-no-dnsname.pem" params["private_key"] = "auth_serv/server-no-dnsname.key" @@ -2667,6 +2884,7 @@ def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev): def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev): """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)""" + check_domain_suffix_match(dev[0]) params = int_eap_server_params() params["server_cert"] = "auth_serv/server-no-dnsname.pem" params["private_key"] = "auth_serv/server-no-dnsname.key" @@ -2694,6 +2912,7 @@ def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev): def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev): """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)""" + check_domain_match(dev[0]) params = int_eap_server_params() params["server_cert"] = "auth_serv/server-no-dnsname.pem" params["private_key"] = "auth_serv/server-no-dnsname.key" 
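Review bot: The three negative OCSP tests added in this hunk (`..._ca_signed_revoked`, `..._ca_signed_unknown`, `..._server_signed`) each carry an identical copy of the `while True` status-polling loop with the `count > 10` bound and the trailing `CTRL-EVENT-EAP-FAILURE` wait, differing only in which status substrings end the loop. Pull that into one helper taking the accepted substrings so the bound and the error messages live in a single place; each test then ends with a one-line call such as `wait_ocsp_failure(dev[0], ["bad certificate status response", "certificate revoked"])`. The `good` variant is unaffected since it connects with the default `wait_connect`.
```python
def wait_ocsp_failure(dev, accepted):
    """Wait for an EAP status containing one of *accepted*, then for EAP failure."""
    for _ in range(11):
        ev = dev.wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if any(s in ev for s in accepted):
            break
    else:
        raise Exception("Unexpected number of EAP status messages")
    ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")

def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
    # … unchanged: skip checks, AP setup, dev[0].connect(..., wait_connect=False) …
    wait_ocsp_failure(dev[0], ["bad certificate status response",
                               "certificate revoked"])
```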
@@ -2816,6 +3035,7 @@ def test_ap_wpa2_eap_ttls_dh_params(dev, apdev): def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev): """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)""" + check_dh_dsa_support(dev[0]) params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") hostapd.add_ap(apdev[0]['ifname'], params) eap_connect(dev[0], apdev[0], "TTLS", "pap user", @@ -3204,6 +3424,7 @@ def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params): if tk in buf: raise Exception("TK found from memory") if gtk in buf: + get_key_locations(buf, gtk, "GTK") raise Exception("GTK found from memory") logger.info("Checking keys in memory after disassociation") @@ -3288,16 +3509,22 @@ def _test_ap_wpa2_eap_in_bridge(dev, apdev): subprocess.call(['iw', ifname, 'set', '4addr', 'on']) subprocess.check_call(['brctl', 'addif', br_ifname, ifname]) wpas.interface_add(ifname, br_ifname=br_ifname) + wpas.dump_monitor() id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com", password_hex="0123456789abcdef0123456789abcdef") + wpas.dump_monitor() eap_reauth(wpas, "PAX") + wpas.dump_monitor() # Try again as a regression test for packet socket workaround eap_reauth(wpas, "PAX") + wpas.dump_monitor() wpas.request("DISCONNECT") wpas.wait_disconnected() + wpas.dump_monitor() wpas.request("RECONNECT") wpas.wait_connected() + wpas.dump_monitor() def test_ap_wpa2_eap_session_ticket(dev, apdev): """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled""" @@ -3361,6 +3588,7 @@ def test_ap_wpa2_eap_tls_oom(dev, apdev): """EAP-TLS and OOM""" check_subject_match_support(dev[0]) check_altsubject_match_support(dev[0]) + check_domain_match(dev[0]) check_domain_match_full(dev[0]) params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") 
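Review bot: In `test_wpa2_eap_ttls_pap_key_lifetime_in_memory` the GTK branch now calls `get_key_locations(buf, gtk, "GTK")` before raising, but the TK branch two lines above it (`if tk in buf: raise Exception("TK found from memory")`) still raises without that detail, so a TK leak would be reported with less diagnostic information than a GTK leak. Add the matching call `get_key_locations(buf, tk, "TK")` before that raise; the function starts and ends outside the hunk, so other key checks in it may already follow whichever pattern is intended.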
@@ -3432,6 +3660,9 @@ def test_ap_wpa2_eap_tls_versions(dev, apdev): check_tls_ver(dev[0], apdev[0], "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2") + elif tls.startswith("internal"): + check_tls_ver(dev[0], apdev[0], + "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2") check_tls_ver(dev[1], apdev[0], "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1") check_tls_ver(dev[2], apdev[0], @@ -3525,6 +3756,7 @@ def test_eap_ttls_chap_session_resumption(dev, apdev): def test_eap_ttls_mschap_session_resumption(dev, apdev): """EAP-TTLS/MSCHAP session resumption""" + check_domain_suffix_match(dev[0]) params = int_eap_server_params() params['tls_session_lifetime'] = '60' hapd = hostapd.add_ap(apdev[0]['ifname'], params) @@ -3548,6 +3780,7 @@ def test_eap_ttls_mschap_session_resumption(dev, apdev): def test_eap_ttls_mschapv2_session_resumption(dev, apdev): """EAP-TTLS/MSCHAPv2 session resumption""" + check_domain_suffix_match(dev[0]) check_eap_capa(dev[0], "MSCHAPV2") params = int_eap_server_params() params['tls_session_lifetime'] = '60' 
@@ -3801,3 +4034,260 @@ def test_eap_tls_no_session_resumption_radius(dev, apdev): raise Exception("Key handshake with the AP timed out") if dev[0].get_status_field("tls_session_reused") != '0': raise Exception("Unexpected session resumption on the second connection") + +def test_eap_mschapv2_errors(dev, apdev): + """EAP-MSCHAPv2 error cases""" + check_eap_capa(dev[0], "MSCHAPV2") + check_eap_capa(dev[0], "FAST") + + params = hostapd.wpa2_eap_params(ssid="test-wpa-eap") + hapd = hostapd.add_ap(apdev[0]['ifname'], params) + dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2", + identity="phase1-user", password="password", + scan_freq="2412") + dev[0].request("REMOVE_NETWORK all") + dev[0].wait_disconnected() + + tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"), + (1, "nt_password_hash;mschapv2_derive_response"), + (1, "nt_password_hash;=mschapv2_derive_response"), + (1, "generate_nt_response;mschapv2_derive_response"), + (1, "generate_authenticator_response;mschapv2_derive_response"), + (1, "nt_password_hash;=mschapv2_derive_response"), + (1, "get_master_key;mschapv2_derive_response"), + (1, "os_get_random;eap_mschapv2_challenge_reply") ] + for count, func in tests: + with fail_test(dev[0], count, func): + dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2", + identity="phase1-user", password="password", + wait_connect=False, scan_freq="2412") + wait_fail_trigger(dev[0], "GET_FAIL") + dev[0].request("REMOVE_NETWORK all") + dev[0].wait_disconnected() + + tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"), + (1, "hash_nt_password_hash;=mschapv2_derive_response"), + (1, "generate_nt_response_pwhash;mschapv2_derive_response"), + (1, "generate_authenticator_response_pwhash;mschapv2_derive_response") ] + for count, func in tests: + with fail_test(dev[0], count, func): + dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2", + identity="phase1-user", + password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", 
+ wait_connect=False, scan_freq="2412")
+ wait_fail_trigger(dev[0], "GET_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ tests = [ (1, "eap_mschapv2_init"),
+ (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
+ (1, "eap_msg_alloc;eap_mschapv2_success"),
+ (1, "eap_mschapv2_getKey") ]
+ for count, func in tests:
+ with alloc_fail(dev[0], count, func):
+ dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
+ identity="phase1-user", password="password",
+ wait_connect=False, scan_freq="2412")
+ wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ tests = [ (1, "eap_msg_alloc;eap_mschapv2_failure") ]
+ for count, func in tests:
+ with alloc_fail(dev[0], count, func):
+ dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
+ identity="phase1-user", password="wrong password",
+ wait_connect=False, scan_freq="2412")
+ wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ tests = [ (2, "eap_mschapv2_init"),
+ (3, "eap_mschapv2_init") ]
+ for count, func in tests:
+ with alloc_fail(dev[0], count, func):
+ dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="FAST",
+ anonymous_identity="FAST", identity="user",
+ password="password",
+ ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
+ phase1="fast_provisioning=1",
+ pac_file="blob://fast_pac",
+ wait_connect=False, scan_freq="2412")
+ wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+def test_eap_gpsk_errors(dev, apdev):
+ """EAP-GPSK error cases"""
+ params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
+ hapd = hostapd.add_ap(apdev[0]['ifname'], params)
+ dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
+ identity="gpsk user",
+ password="abcdefghijklmnop0123456789abcdef",
+ scan_freq="2412")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ tests = [ (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
+ (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
+ "cipher=1"),
+ (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
+ "cipher=2"),
+ (1, "eap_gpsk_derive_keys_helper", None),
+ (2, "eap_gpsk_derive_keys_helper", None),
+ (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
+ "cipher=1"),
+ (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
+ "cipher=2"),
+ (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
+ (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
+ (1, "eap_gpsk_derive_mid_helper", None) ]
+ for count, func, phase1 in tests:
+ with fail_test(dev[0], count, func):
+ dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
+ identity="gpsk user",
+ password="abcdefghijklmnop0123456789abcdef",
+ phase1=phase1,
+ wait_connect=False, scan_freq="2412")
+ wait_fail_trigger(dev[0], "GET_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ tests = [ (1, "eap_gpsk_init"),
+ (2, "eap_gpsk_init"),
+ (3, "eap_gpsk_init"),
+ (1, "eap_gpsk_process_id_server"),
+ (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
+ (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
+ (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
+ (1, "eap_gpsk_derive_keys"),
+ (1, "eap_gpsk_derive_keys_helper"),
+ (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
+ (1, "eap_gpsk_getKey"),
+ (1, "eap_gpsk_get_emsk"),
+ (1, "eap_gpsk_get_session_id") ]
+ for count, func in tests:
+ with alloc_fail(dev[0], count, func):
+ dev[0].request("ERP_FLUSH")
+ dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
+ identity="gpsk user", erp="1",
+ password="abcdefghijklmnop0123456789abcdef",
+ wait_connect=False, scan_freq="2412")
+ wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+def test_ap_wpa2_eap_sim_db(dev, apdev, params):
+ """EAP-SIM DB error cases"""
+ sockpath = '/tmp/hlr_auc_gw.sock-test'
+ try:
+ os.remove(sockpath)
+ except:
+ pass
+ hparams = int_eap_server_params()
+ hparams['eap_sim_db'] = 'unix:' + sockpath
+ hapd = hostapd.add_ap(apdev[0]['ifname'], hparams)
+
+ # Initial test with hlr_auc_gw socket not available
+ id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
+ eap="SIM", identity="1232010000000000",
+ password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
+ scan_freq="2412", wait_connect=False)
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
+ if ev is None:
+ raise Exception("EAP-Failure not reported")
+ dev[0].wait_disconnected()
+ dev[0].request("DISCONNECT")
+
+ # Test with invalid responses and response timeout
+
+ class test_handler(SocketServer.DatagramRequestHandler):
+ def handle(self):
+ data = self.request[0].strip()
+ socket = self.request[1]
+ logger.debug("Received hlr_auc_gw request: " + data)
+ # EAP-SIM DB: Failed to parse response string
+ socket.sendto("FOO", self.client_address)
+ # EAP-SIM DB: Failed to parse response string
+ socket.sendto("FOO 1", self.client_address)
+ # EAP-SIM DB: Unknown external response
+ socket.sendto("FOO 1 2", self.client_address)
+ logger.info("No proper response - wait for pending eap_sim_db request timeout")
+
+ server = SocketServer.UnixDatagramServer(sockpath, test_handler)
+ server.timeout = 1
+
+ dev[0].select_network(id)
+ server.handle_request()
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
+ if ev is None:
+ raise Exception("EAP-Failure not reported")
+ dev[0].wait_disconnected()
+ dev[0].request("DISCONNECT")
+
+ # Test with a valid response
+
+ class test_handler2(SocketServer.DatagramRequestHandler):
+ def handle(self):
+ data = self.request[0].strip()
+ socket = self.request[1]
+ logger.debug("Received hlr_auc_gw request: " + data)
+ fname = os.path.join(params['logdir'],
+ 'hlr_auc_gw.milenage_db')
+ cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
+ 
'-m', fname, data],
+ stdout=subprocess.PIPE)
+ res = cmd.stdout.read().strip()
+ cmd.stdout.close()
+ logger.debug("hlr_auc_gw response: " + res)
+ socket.sendto(res, self.client_address)
+
+ server.RequestHandlerClass = test_handler2
+
+ dev[0].select_network(id)
+ server.handle_request()
+ dev[0].wait_connected()
+ dev[0].request("DISCONNECT")
+ dev[0].wait_disconnected()
+
+def test_eap_tls_sha512(dev, apdev, params):
+ """EAP-TLS with SHA512 signature"""
+ params = int_eap_server_params()
+ params["ca_cert"] = "auth_serv/sha512-ca.pem"
+ params["server_cert"] = "auth_serv/sha512-server.pem"
+ params["private_key"] = "auth_serv/sha512-server.key"
+ hostapd.add_ap(apdev[0]['ifname'], params)
+
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
+ identity="tls user sha512",
+ ca_cert="auth_serv/sha512-ca.pem",
+ client_cert="auth_serv/sha512-user.pem",
+ private_key="auth_serv/sha512-user.key",
+ scan_freq="2412")
+ dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
+ identity="tls user sha512",
+ ca_cert="auth_serv/sha512-ca.pem",
+ client_cert="auth_serv/sha384-user.pem",
+ private_key="auth_serv/sha384-user.key",
+ scan_freq="2412")
+
+def test_eap_tls_sha384(dev, apdev, params):
+ """EAP-TLS with SHA384 signature"""
+ params = int_eap_server_params()
+ params["ca_cert"] = "auth_serv/sha512-ca.pem"
+ params["server_cert"] = "auth_serv/sha384-server.pem"
+ params["private_key"] = "auth_serv/sha384-server.key"
+ hostapd.add_ap(apdev[0]['ifname'], params)
+
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
+ identity="tls user sha512",
+ ca_cert="auth_serv/sha512-ca.pem",
+ client_cert="auth_serv/sha512-user.pem",
+ private_key="auth_serv/sha512-user.key",
+ scan_freq="2412")
+ dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
+ identity="tls user sha512",
+ ca_cert="auth_serv/sha512-ca.pem",
+ client_cert="auth_serv/sha384-user.pem",
+ private_key="auth_serv/sha384-user.key",
+ scan_freq="2412")
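Review bot: `test_ap_wpa2_eap_sim_db` binds the hlr_auc_gw stand-in to the fixed path `/tmp/hlr_auc_gw.sock-test`, clears whatever is there first with a bare `except: pass`, and never calls `server.server_close()` or removes the socket afterwards; a predictable name in a shared /tmp can be pre-created or replaced by another local user or left behind by a run that died mid-test, and the bare except also hides a permission error on that stale entry. Put the socket under the per-run `params['logdir']` (already used for the milenage db in the same test) or a `tempfile.mkdtemp()` directory, narrow the cleanup to `except OSError: pass`, and close the server in a `finally:` so the path is released even when an assertion fails. Separately, the first `tests` list in `test_eap_mschapv2_errors` contains `(1, "nt_password_hash;=mschapv2_derive_response")` twice (third and sixth entries), so that case runs twice while whatever the duplicate was meant to cover is never exercised; `hapd` is assigned but unused in both `test_eap_mschapv2_errors` and `test_eap_gpsk_errors`.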