9626962d JM |
1 | #!/usr/bin/python |
2 | # | |
3 | # WPA2-Enterprise tests | |
bce774ad | 4 | # Copyright (c) 2013-2014, Jouni Malinen <j@w1.fi> |
9626962d JM |
5 | # |
6 | # This software may be distributed under the terms of the BSD license. | |
7 | # See README for more details. | |
8 | ||
9 | import time | |
10 | import subprocess | |
11 | import logging | |
c9aa4308 | 12 | logger = logging.getLogger() |
0d4c5494 | 13 | import os.path |
9626962d JM |
14 | |
15 | import hwsim_utils | |
16 | import hostapd | |
17 | ||
cb33ee14 JM |
def eap_connect(dev, ap, method, identity, anonymous_identity=None,
                password=None,
                phase1=None, phase2=None, ca_cert=None,
                domain_suffix_match=None, password_hex=None,
                client_cert=None, private_key=None, sha256=False):
    """Associate dev with the "test-wpa2-eap" network and verify the result.

    The station is configured to accept both WPA-EAP and WPA-EAP-SHA256 with
    ieee80211w="1". Every credential and server-validation argument is
    forwarded to dev.connect() unchanged; ca_cert and domain_suffix_match
    default to None, so server certificate checks apply only when the caller
    supplies them.

    Returns the value returned by dev.connect(). Raises Exception when the
    station-side checks in eap_check_auth() fail or when hostapd does not
    report AP-STA-CONNECTED within 5 seconds.
    """
    # Created before connect() is issued; presumably so the AP-side event is
    # not missed -- confirm against hostapd.Hostapd.
    ap_ctrl = hostapd.Hostapd(ap['ifname'])
    network_id = dev.connect(
        "test-wpa2-eap",
        key_mgmt="WPA-EAP WPA-EAP-SHA256",
        eap=method,
        identity=identity,
        anonymous_identity=anonymous_identity,
        password=password,
        phase1=phase1,
        phase2=phase2,
        ca_cert=ca_cert,
        domain_suffix_match=domain_suffix_match,
        wait_connect=False,
        scan_freq="2412",
        password_hex=password_hex,
        client_cert=client_cert,
        private_key=private_key,
        ieee80211w="1")
    eap_check_auth(dev, method, True, sha256=sha256)
    # The station reporting success is not enough: the authenticator must
    # also report the station as connected.
    if ap_ctrl.wait_event(["AP-STA-CONNECTED"], timeout=5) is None:
        raise Exception("No connection event received from hostapd")
    return network_id
75b2b9cf | 38 | |
def eap_check_auth(dev, method, initial, rsn=True, sha256=False):
    """Wait for an EAP exchange on dev to complete and check the final state.

    dev      -- station object providing wait_event() and get_status()
    method   -- EAP method name expected in the method-selection event and in
                the selectedMethod status field
    initial  -- true for a first association (waits for CTRL-EVENT-CONNECTED),
                false for a reauthentication (waits for the key negotiation
                completion message instead)
    rsn      -- selects the expected key_mgmt string when sha256 is false
    sha256   -- expect the SHA256-based key management string

    Raises Exception on any timeout (10 seconds per step) or mismatch.
    """
    started = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if started is None:
        raise Exception("Association and EAP start timed out")

    selected = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if selected is None:
        raise Exception("EAP method selection timed out")
    # NOTE(review): this is a substring test. "TLS" is a substring of "TTLS"
    # and "AKA" of "AKA'", so a check for the shorter name would also pass on
    # an event naming the longer one. The same applies to the selectedMethod
    # check below. Confirm whether a stricter match is wanted.
    if method not in selected:
        raise Exception("Unexpected EAP method")

    if dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")

    completion_event = ("CTRL-EVENT-CONNECTED" if initial
                        else "WPA: Key negotiation completed")
    if dev.wait_event([completion_event], timeout=10) is None:
        raise Exception("Association with the AP timed out")

    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    # EAP success alone is not accepted: the controlled port must be
    # authorized and the negotiated key management must be the expected one.
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")

    if sha256:
        expected_key_mgmt = "WPA2-EAP-SHA256"
    elif rsn:
        expected_key_mgmt = "WPA2/IEEE 802.1X/EAP"
    else:
        expected_key_mgmt = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != expected_key_mgmt:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
9626962d | 74 | |
def eap_reauth(dev, method, rsn=True, sha256=False):
    """Request EAP reauthentication on dev and verify that it completes.

    Sends REAUTHENTICATE and then runs eap_check_auth() in its
    non-initial mode with the same rsn/sha256 expectations.
    """
    dev.request("REAUTHENTICATE")
    eap_check_auth(dev, method, initial=False, rsn=rsn, sha256=sha256)
75b2b9cf | 78 | |
9626962d JM |
def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM"""
    # The test is skipped unless the hlr_auc_gw socket exists at this path.
    gw_socket = "/tmp/hlr_auc_gw.sock"
    if not os.path.exists(gw_socket):
        logger.info("No hlr_auc_gw available")
        return "skip"
    sta, ap = dev[0], apdev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap['ifname'], ap_params)
    # Fixed test credential; presumably colon-separated Milenage key
    # material -- confirm against the authentication server configuration.
    sim_secret = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    eap_connect(sta, ap, "SIM", "1232010000000000", password=sim_secret)
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "SIM")
9626962d JM |
90 | |
def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA"""
    # The test is skipped unless the hlr_auc_gw socket exists at this path.
    gw_socket = "/tmp/hlr_auc_gw.sock"
    if not os.path.exists(gw_socket):
        logger.info("No hlr_auc_gw available")
        return "skip"
    sta, ap = dev[0], apdev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap['ifname'], ap_params)
    # Fixed test credential with three colon-separated fields.
    aka_secret = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(sta, ap, "AKA", "0232010000000000", password=aka_secret)
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "AKA")
9626962d JM |
102 | |
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'"""
    # The test is skipped unless the hlr_auc_gw socket exists at this path.
    gw_socket = "/tmp/hlr_auc_gw.sock"
    if not os.path.exists(gw_socket):
        logger.info("No hlr_auc_gw available")
        return "skip"
    sta, ap = dev[0], apdev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap['ifname'], ap_params)
    # Fixed test credential with three colon-separated fields.
    aka_prime_secret = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    eap_connect(sta, ap, "AKA'", "6555444333222111",
                password=aka_prime_secret)
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "AKA'")
9626962d JM |
114 | |
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    sta, ap = dev[0], apdev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap['ifname'], ap_params)
    # ca_cert is set but domain_suffix_match is not, so this test pins the
    # trust root only and places no constraint on the server name.
    eap_connect(sta, ap, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "TTLS")
9626962d JM |
124 | |
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    sta, ap = dev[0], apdev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap['ifname'], ap_params)
    # Trust root is pinned through ca_cert; no server-name constraint is set.
    eap_connect(sta, ap, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "TTLS")
9626962d JM |
134 | |
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    sta, ap = dev[0], apdev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap['ifname'], ap_params)
    # Positive case for server-name checking: both the trust root and a
    # domain suffix ("server.w1.fi") are required to match.
    eap_connect(sta, ap, "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "TTLS")
9626962d JM |
145 | |
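def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # The backslash is written as "\\": "\m" is not a valid escape sequence
    # and newer Python versions warn about it. The identity sent is unchanged.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])

    # Snapshot the authenticator's per-station counters before and after the
    # reauthentication so the AP-side view of the exchange is verified too.
    addr = dev[0].p2p_interface_addr()
    sta_before = hapd.get_sta(addr)
    eapol_before = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta_after = hapd.get_sta(addr)
    eapol_after = hapd.get_sta(addr, info="eapol")

    if int(sta_after['dot1xAuthEapolFramesRx']) <= int(sta_before['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    # Checked against an absolute minimum of 1, not against the earlier
    # snapshot.
    if int(eapol_after['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol_after['backendAuthSuccesses']) <= int(eapol_before['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")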
9626962d JM |
167 | |
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    sta, ap = dev[0], apdev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap['ifname'], ap_params)
    # "autheap=" selects an EAP method as the inner authentication.
    eap_connect(sta, ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "TTLS")
9626962d JM |
177 | |
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    sta, ap = dev[0], apdev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap['ifname'], ap_params)
    # EAP-MD5 is used here only as the inner method of the TTLS tunnel.
    eap_connect(sta, ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "TTLS")
9626962d JM |
187 | |
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    sta, ap = dev[0], apdev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap['ifname'], ap_params)
    # Trust root is pinned through ca_cert; no server-name constraint is set.
    eap_connect(sta, ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "TTLS")
9626962d JM |
197 | |
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    sta, ap = dev[0], apdev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap['ifname'], ap_params)
    # The anonymous identity "peap" is configured separately from the
    # identity "user".
    eap_connect(sta, ap, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "PEAP")
c7afc078 | 207 | |
698f8324 JM |
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    sta, ap = dev[0], apdev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap['ifname'], ap_params)
    # phase1 forces PEAP version 0 and sets crypto_binding=2; no anonymous
    # identity is configured in this test.
    eap_connect(sta, ap, "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peapver=0 crypto_binding=2",
                phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "PEAP")
698f8324 | 218 | |
e114c49c JM |
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    sta, ap = dev[0], apdev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap['ifname'], ap_params)
    # Client certificate and private key are test fixtures under auth_serv/.
    # No data connectivity check is run in this test.
    eap_connect(sta, ap, "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    eap_reauth(sta, "TLS")
e114c49c | 227 | |
c7afc078 JM |
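def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    # Despite the "tls" in the name, the connection uses EAP-TTLS/MSCHAPv2.
    # The station is given a CA file that should not validate the server
    # certificate; the test requires the attempt to be rejected.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The backslash is written as "\\": "\m" is not a valid escape sequence
    # and newer Python versions warn about it. The identity sent is unchanged.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca-incorrect.pem",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # Each wait below also listens for the outcomes that must NOT occur
    # (success, connected), so an accepted certificate fails the test at
    # once instead of appearing as a timeout.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # The failing network block must also be reported as temporarily
    # disabled.
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")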
72c052d5 JM |
277 | |
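def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    # Despite the "tls" in the name, the connection uses EAP-TTLS/MSCHAPv2.
    # The trust root is the normal one; only the required domain suffix is
    # wrong, so the rejection must come from the server-name check.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The backslash is written as "\\": "\m" is not a valid escape sequence
    # and newer Python versions warn about it. The identity sent is unchanged.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # Each wait below also listens for the outcomes that must NOT occur
    # (success, connected), so an accepted certificate fails the test at
    # once instead of appearing as a timeout.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    # The error must name the suffix mismatch specifically, not just any
    # certificate failure.
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # The failing network block must also be reported as temporarily
    # disabled.
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")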
22b99086 JM |
330 | |
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd"""
    sta, ap = dev[0], apdev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap['ifname'], ap_params)
    # Password-only method: no certificate arguments are passed.
    eap_connect(sta, ap, "PWD", "pwd user",
                password="secret password")
    eap_reauth(sta, "PWD")
22b99086 JM |
337 | |
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK"""
    sta, ap = dev[0], apdev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap['ifname'], ap_params)
    network_id = eap_connect(sta, ap, "GPSK", "gpsk user",
                             password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(sta, "GPSK")

    logger.info("Test forced algorithm selection")
    # Each forced cipher value must still end in EAP success and a
    # connection.
    for forced_cipher in ("cipher=1", "cipher=2"):
        sta.set_network_quoted(network_id, "phase1", forced_cipher)
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if sta.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10) is None:
            raise Exception("Association with the AP timed out")

    logger.info("Test failed algorithm negotiation")
    # cipher=9 is expected to be rejected: the test requires an explicit
    # EAP failure event.
    sta.set_network_quoted(network_id, "phase1", "cipher=9")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")
361 | ||
22b99086 JM |
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    sta, ap = dev[0], apdev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap['ifname'], ap_params)
    # Fixed test secret supplied through password_hex.
    sake_secret_hex = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(sta, ap, "SAKE", "sake user",
                password_hex=sake_secret_hex)
    eap_reauth(sta, "SAKE")
22b99086 JM |
369 | |
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE"""
    sta, ap = dev[0], apdev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap['ifname'], ap_params)
    network_id = eap_connect(sta, ap, "EKE", "eke user", password="hello")
    eap_reauth(sta, "EKE")

    logger.info("Test forced algorithm selection")
    # Each forced dhgroup/encr/prf/mac combination must still end in EAP
    # success and a connection.
    forced_proposals = ("dhgroup=5 encr=1 prf=2 mac=2",
                        "dhgroup=4 encr=1 prf=2 mac=2",
                        "dhgroup=3 encr=1 prf=2 mac=2",
                        "dhgroup=3 encr=1 prf=1 mac=1")
    for proposal in forced_proposals:
        sta.set_network_quoted(network_id, "phase1", proposal)
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if sta.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10) is None:
            raise Exception("Association with the AP timed out")

    logger.info("Test failed algorithm negotiation")
    # The all-9 proposal is expected to be rejected: the test requires an
    # explicit EAP failure event.
    sta.set_network_quoted(network_id, "phase1",
                           "dhgroup=9 encr=9 prf=9 mac=9")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")
395 | ||
22b99086 JM |
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    sta, ap = dev[0], apdev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap['ifname'], ap_params)
    # Password-only configuration: no certificate arguments are passed.
    eap_connect(sta, ap, "IKEV2", "ikev2 user", password="ike password")
    eap_reauth(sta, "IKEV2")
22b99086 JM |
403 | |
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    sta, ap = dev[0], apdev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap['ifname'], ap_params)
    # Fixed test secret supplied through password_hex.
    pax_secret_hex = "0123456789abcdef0123456789abcdef"
    eap_connect(sta, ap, "PAX", "pax.user@example.com",
                password_hex=pax_secret_hex)
    eap_reauth(sta, "PAX")
22b99086 JM |
411 | |
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    sta, ap = dev[0], apdev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # The AP is restricted to the SHA256 key management suite with
    # ieee80211w="2"; both the connection and the reauthentication must then
    # report the SHA256 key_mgmt status.
    ap_params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_params["ieee80211w"] = "2"
    hostapd.add_ap(ap['ifname'], ap_params)
    psk_secret_hex = "0123456789abcdef0123456789abcdef"
    eap_connect(sta, ap, "PSK", "psk.user@example.com",
                password_hex=psk_secret_hex, sha256=True)
    eap_reauth(sta, "PSK", sha256=True)
71390dc8 JM |
421 | |
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    sta, ap = dev[0], apdev[0]
    ap_params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hostapd.add_ap(ap['ifname'], ap_params)
    # Connects directly instead of through eap_connect(), which targets the
    # "test-wpa2-eap" network and sets ieee80211w.
    sta.connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                identity="user", password="password",
                phase2="auth=MSCHAPV2", ca_cert="auth_serv/ca.pem",
                wait_connect=False, scan_freq="2412")
    # rsn=False makes the checks expect the WPA (not WPA2) key_mgmt string.
    eap_check_auth(sta, "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "PEAP", rsn=False)
40759604 JM |
433 | |
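def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Not used below; kept in case constructing it has side effects.
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # Each entry: (description, EAP method, anonymous identity, configured
    # identity, phase2, identity to enter on request, password to enter on
    # request). Backslashes are written as "\\" because "\m" is not a valid
    # escape sequence; the identities sent are unchanged.
    tests = [("Connection with dynamic TTLS/MSCHAPv2 password entry",
              "TTLS", "ttls", "DOMAIN\\mschapv2 user", "auth=MSCHAPV2",
              None, "password"),
             ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
              "TTLS", "ttls", None, "auth=MSCHAPV2",
              "DOMAIN\\mschapv2 user", "password"),
             ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
              "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
             ("Connection with dynamic TTLS/EAP-MD5 password entry",
              "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
             ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
              "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
             ("Connection with dynamic PEAP/EAP-GTC password entry",
              "PEAP", None, "user", "auth=GTC", None, "password")]
    for desc, eap, anon, identity, phase2, req_id, req_pw in tests:
        logger.info(desc)
        # No password is configured, so the credential has to be requested
        # over the control interface.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        if req_id:
            # No explicit timeout: relies on wait_event()'s default.
            ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
            if ev is None:
                raise Exception("Request for identity timed out")
            # The network id is the last "-"-separated field before the
            # first ":" in the request event.
            net_id = ev.split(':')[0].split('-')[-1]
            dev[0].request("CTRL-RSP-IDENTITY-" + net_id + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD", "CTRL-REQ-OTP"])
        if ev is None:
            raise Exception("Request for password timed out")
        net_id = ev.split(':')[0].split('-')[-1]
        # Answer with the same field type that was requested.
        rsp_type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + rsp_type + "-" + net_id + ":" + req_pw)
        ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
        if ev is None:
            raise Exception("Connection timed out")
        # Clear the network before the next case so no credential carries
        # over.
        dev[0].request("REMOVE_NETWORK all")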