]> git.ipfire.org Git - thirdparty/hostap.git/blame - tests/hwsim/test_ap_eap.py
projects / thirdparty / hostap.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
tests: Use a valid key exchange value in eap_proto_ikev2
[thirdparty/hostap.git] / tests / hwsim / test_ap_eap.py
CommitLineData
eac67440 1# -*- coding: utf-8 -*-
9626962d 2# WPA2-Enterprise tests
3b51cc63 3# Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
9626962d
JM		 4#
5# This software may be distributed under the terms of the BSD license.
6# See README for more details.
7
6ea231e6 8import base64
5b3c40a6 9import binascii
9626962d
JM		 10import time
11import subprocess
12import logging
c9aa4308 13logger = logging.getLogger()
873e7c29 14import os
c9aba19b 15import signal
d4c3c055
JM		 16import socket
17import SocketServer
98d125ca
JM		 18import struct
19import tempfile
9626962d
JM		 20
21import hwsim_utils
22import hostapd
7c0d66cf 23from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips, wait_fail_trigger
52352802 24from wpasupplicant import WpaSupplicant
0ceff76e 25from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations, set_test_assoc_ie
9626962d 26
ca27ee09
JM		 27try:
28 import OpenSSL
29 openssl_imported = True
30except ImportError:
31 openssl_imported = False
32
81e787b7
JM		 33def check_hlr_auc_gw_support():
34 if not os.path.exists("/tmp/hlr_auc_gw.sock"):
35 raise HwsimSkip("No hlr_auc_gw available")
36
3b51cc63
JM		 37def check_eap_capa(dev, method):
38 res = dev.get_capability("eap")
39 if method not in res:
40 raise HwsimSkip("EAP method %s not supported in the build" % method)
41
506b2f05
JM		 42def check_subject_match_support(dev):
43 tls = dev.request("GET tls_library")
d8003dcb 44 if not tls.startswith("OpenSSL") and not tls.startswith("wolfSSL"):
506b2f05
JM		 45 raise HwsimSkip("subject_match not supported with this TLS library: " + tls)
46
47def check_altsubject_match_support(dev):
48 tls = dev.request("GET tls_library")
d8003dcb 49 if not tls.startswith("OpenSSL") and not tls.startswith("wolfSSL"):
506b2f05
JM		 50 raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls)
51
e78eb404
JM		 52def check_domain_match(dev):
53 tls = dev.request("GET tls_library")
54 if tls.startswith("internal"):
55 raise HwsimSkip("domain_match not supported with this TLS library: " + tls)
56
57def check_domain_suffix_match(dev):
58 tls = dev.request("GET tls_library")
59 if tls.startswith("internal"):
60 raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + tls)
61
24579e70
JM		 62def check_domain_match_full(dev):
63 tls = dev.request("GET tls_library")
d8003dcb 64 if not tls.startswith("OpenSSL") and not tls.startswith("wolfSSL"):
24579e70
JM		 65 raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls)
66
4bf4e9db
JM		 67def check_cert_probe_support(dev):
68 tls = dev.request("GET tls_library")
0fc1b583 69 if not tls.startswith("OpenSSL") and not tls.startswith("internal"):
4bf4e9db
JM		 70 raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls)
71
ca27ee09
JM		 72def check_ext_cert_check_support(dev):
73 tls = dev.request("GET tls_library")
74 if not tls.startswith("OpenSSL"):
75 raise HwsimSkip("ext_cert_check not supported with this TLS library: " + tls)
76
0dae8c99
JM		 77def check_ocsp_support(dev):
78 tls = dev.request("GET tls_library")
138903f9
JM		 79 #if tls.startswith("internal"):
80 # raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
0c6185fc
JM		 81 #if "BoringSSL" in tls:
82 # raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
0dae8c99 83
969e5250
JM		 84def check_pkcs5_v15_support(dev):
85 tls = dev.request("GET tls_library")
2d9ad634 86 if "BoringSSL" in tls or "GnuTLS" in tls:
969e5250
JM		 87 raise HwsimSkip("PKCS#5 v1.5 not supported with this TLS library: " + tls)
88
98d125ca
JM		 89def check_ocsp_multi_support(dev):
90 tls = dev.request("GET tls_library")
91 if not tls.startswith("internal"):
92 raise HwsimSkip("OCSP-multi not supported with this TLS library: " + tls)
93 as_hapd = hostapd.Hostapd("as")
94 res = as_hapd.request("GET tls_library")
95 del as_hapd
96 if not res.startswith("internal"):
97 raise HwsimSkip("Authentication server does not support ocsp_multi")
98
686eee77
JM		 99def check_pkcs12_support(dev):
100 tls = dev.request("GET tls_library")
16c43d2a
JM		 101 #if tls.startswith("internal"):
102 # raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls)
d8003dcb
SP		 103 if tls.startswith("wolfSSL"):
104 raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls)
686eee77 105
404597e6
JM		 106def check_dh_dsa_support(dev):
107 tls = dev.request("GET tls_library")
108 if tls.startswith("internal"):
109 raise HwsimSkip("DH DSA not supported with this TLS library: " + tls)
110
6ea231e6
JM		 111def read_pem(fname):
112 with open(fname, "r") as f:
113 lines = f.readlines()
114 copy = False
115 cert = ""
116 for l in lines:
117 if "-----END" in l:
118 break
119 if copy:
120 cert = cert + l
121 if "-----BEGIN" in l:
122 copy = True
123 return base64.b64decode(cert)
124
3b3e2687 125def eap_connect(dev, hapd, method, identity,
6f939e59 126 sha256=False, expect_failure=False, local_error_report=False,
a61ee84d 127 maybe_local_error=False, report_failure=False, **kwargs):
2bb9e283
JM		 128 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
129 eap=method, identity=identity,
6f939e59
JM		 130 wait_connect=False, scan_freq="2412", ieee80211w="1",
131 **kwargs)
f10ba3b2
JM		 132 eap_check_auth(dev, method, True, sha256=sha256,
133 expect_failure=expect_failure,
9dd21d51 134 local_error_report=local_error_report,
a61ee84d
JM		 135 maybe_local_error=maybe_local_error,
136 report_failure=report_failure)
f10ba3b2
JM		 137 if expect_failure:
138 return id
cb33ee14
JM		 139 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
140 if ev is None:
141 raise Exception("No connection event received from hostapd")
2bb9e283 142 return id
75b2b9cf 143
f10ba3b2 144def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
9dd21d51 145 expect_failure=False, local_error_report=False,
a61ee84d 146 maybe_local_error=False, report_failure=False):
412c6030 147 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
9626962d
JM		 148 if ev is None:
149 raise Exception("Association and EAP start timed out")
06cdd1cd
JM		 150 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD",
151 "CTRL-EVENT-EAP-FAILURE"], timeout=10)
9626962d
JM		 152 if ev is None:
153 raise Exception("EAP method selection timed out")
06cdd1cd
JM		 154 if "CTRL-EVENT-EAP-FAILURE" in ev:
155 if maybe_local_error:
156 return
157 raise Exception("Could not select EAP method")
9626962d
JM		 158 if method not in ev:
159 raise Exception("Unexpected EAP method")
f10ba3b2
JM		 160 if expect_failure:
161 ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
162 if ev is None:
163 raise Exception("EAP failure timed out")
5f35a5e2 164 ev = dev.wait_disconnected(timeout=10)
9dd21d51
JM		 165 if maybe_local_error and "locally_generated=1" in ev:
166 return
f10ba3b2
JM		 167 if not local_error_report:
168 if "reason=23" not in ev:
169 raise Exception("Proper reason code for disconnection not reported")
170 return
a61ee84d
JM		 171 if report_failure:
172 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
173 "CTRL-EVENT-EAP-FAILURE"], timeout=10)
174 if ev is None:
175 raise Exception("EAP success timed out")
176 if "CTRL-EVENT-EAP-SUCCESS" not in ev:
177 raise Exception("EAP failed")
178 else:
179 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
180 if ev is None:
181 raise Exception("EAP success timed out")
9626962d 182
75b2b9cf
JM		 183 if initial:
184 ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
75b2b9cf 185 else:
bce774ad
JM		 186 ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
187 if ev is None:
188 raise Exception("Association with the AP timed out")
189 status = dev.get_status()
190 if status["wpa_state"] != "COMPLETED":
191 raise Exception("Connection not completed")
75b2b9cf 192
9626962d
JM		 193 if status["suppPortStatus"] != "Authorized":
194 raise Exception("Port not authorized")
447fb0b0
JM		 195 if "selectedMethod" not in status:
196 logger.info("Status: " + str(status))
197 raise Exception("No selectedMethod in status")
9626962d
JM		 198 if method not in status["selectedMethod"]:
199 raise Exception("Incorrect EAP method status")
2b005194
JM		 200 if sha256:
201 e = "WPA2-EAP-SHA256"
202 elif rsn:
71390dc8
JM		 203 e = "WPA2/IEEE 802.1X/EAP"
204 else:
205 e = "WPA/IEEE 802.1X/EAP"
206 if status["key_mgmt"] != e:
207 raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
2fc4749c 208 return status
9626962d 209
5b1aaf6c 210def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
75b2b9cf 211 dev.request("REAUTHENTICATE")
2fc4749c
JM		 212 return eap_check_auth(dev, method, False, rsn=rsn, sha256=sha256,
213 expect_failure=expect_failure)
75b2b9cf 214
9626962d
JM		 215def test_ap_wpa2_eap_sim(dev, apdev):
216 """WPA2-Enterprise connection using EAP-SIM"""
81e787b7 217 check_hlr_auc_gw_support()
9626962d 218 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 219 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 220 eap_connect(dev[0], hapd, "SIM", "1232010000000000",
9626962d 221 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
a8375c94 222 hwsim_utils.test_connectivity(dev[0], hapd)
75b2b9cf 223 eap_reauth(dev[0], "SIM")
9626962d 224
3b3e2687 225 eap_connect(dev[1], hapd, "SIM", "1232010000000001",
a0f350fd 226 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
3b3e2687 227 eap_connect(dev[2], hapd, "SIM", "1232010000000002",
a0f350fd
JM		 228 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
229 expect_failure=True)
230
f10ba3b2
JM		 231 logger.info("Negative test with incorrect key")
232 dev[0].request("REMOVE_NETWORK all")
3b3e2687 233 eap_connect(dev[0], hapd, "SIM", "1232010000000000",
f10ba3b2
JM		 234 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
235 expect_failure=True)
236
32747a3e
JM		 237 logger.info("Invalid GSM-Milenage key")
238 dev[0].request("REMOVE_NETWORK all")
3b3e2687 239 eap_connect(dev[0], hapd, "SIM", "1232010000000000",
32747a3e
JM		 240 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
241 expect_failure=True)
242
243 logger.info("Invalid GSM-Milenage key(2)")
244 dev[0].request("REMOVE_NETWORK all")
3b3e2687 245 eap_connect(dev[0], hapd, "SIM", "1232010000000000",
32747a3e
JM		 246 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
247 expect_failure=True)
248
249 logger.info("Invalid GSM-Milenage key(3)")
250 dev[0].request("REMOVE_NETWORK all")
3b3e2687 251 eap_connect(dev[0], hapd, "SIM", "1232010000000000",
32747a3e
JM		 252 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
253 expect_failure=True)
254
255 logger.info("Invalid GSM-Milenage key(4)")
256 dev[0].request("REMOVE_NETWORK all")
3b3e2687 257 eap_connect(dev[0], hapd, "SIM", "1232010000000000",
32747a3e
JM		 258 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
259 expect_failure=True)
260
261 logger.info("Missing key configuration")
262 dev[0].request("REMOVE_NETWORK all")
3b3e2687 263 eap_connect(dev[0], hapd, "SIM", "1232010000000000",
32747a3e
JM		 264 expect_failure=True)
265
5b1aaf6c
JM		 266def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
267 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
81e787b7 268 check_hlr_auc_gw_support()
5b1aaf6c
JM		 269 try:
270 import sqlite3
271 except ImportError:
81e787b7 272 raise HwsimSkip("No sqlite3 module available")
5b1aaf6c
JM		 273 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
274 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
275 params['auth_server_port'] = "1814"
3b3e2687
JD		 276 hapd = hostapd.add_ap(apdev[0], params)
277 eap_connect(dev[0], hapd, "SIM", "1232010000000000",
5b1aaf6c
JM		 278 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
279
280 logger.info("SIM fast re-authentication")
281 eap_reauth(dev[0], "SIM")
282
283 logger.info("SIM full auth with pseudonym")
284 with con:
285 cur = con.cursor()
286 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
287 eap_reauth(dev[0], "SIM")
288
289 logger.info("SIM full auth with permanent identity")
290 with con:
291 cur = con.cursor()
292 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
293 cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
294 eap_reauth(dev[0], "SIM")
295
296 logger.info("SIM reauth with mismatching MK")
297 with con:
298 cur = con.cursor()
299 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
300 eap_reauth(dev[0], "SIM", expect_failure=True)
301 dev[0].request("REMOVE_NETWORK all")
302
3b3e2687 303 eap_connect(dev[0], hapd, "SIM", "1232010000000000",
5b1aaf6c
JM		 304 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
305 with con:
306 cur = con.cursor()
307 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
308 eap_reauth(dev[0], "SIM")
309 with con:
310 cur = con.cursor()
311 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
312 logger.info("SIM reauth with mismatching counter")
313 eap_reauth(dev[0], "SIM")
314 dev[0].request("REMOVE_NETWORK all")
315
3b3e2687 316 eap_connect(dev[0], hapd, "SIM", "1232010000000000",
5b1aaf6c
JM		 317 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
318 with con:
319 cur = con.cursor()
320 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
321 logger.info("SIM reauth with max reauth count reached")
322 eap_reauth(dev[0], "SIM")
323
e2a90a4c
JM		 324def test_ap_wpa2_eap_sim_config(dev, apdev):
325 """EAP-SIM configuration options"""
326 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687 327 hapd = hostapd.add_ap(apdev[0], params)
e2a90a4c
JM		 328 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
329 identity="1232010000000000",
330 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
331 phase1="sim_min_num_chal=1",
332 wait_connect=False, scan_freq="2412")
333 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
334 if ev is None:
335 raise Exception("No EAP error message seen")
336 dev[0].request("REMOVE_NETWORK all")
337
338 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
339 identity="1232010000000000",
340 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
341 phase1="sim_min_num_chal=4",
342 wait_connect=False, scan_freq="2412")
343 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
344 if ev is None:
345 raise Exception("No EAP error message seen (2)")
346 dev[0].request("REMOVE_NETWORK all")
347
3b3e2687 348 eap_connect(dev[0], hapd, "SIM", "1232010000000000",
e2a90a4c
JM		 349 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
350 phase1="sim_min_num_chal=2")
3b3e2687 351 eap_connect(dev[1], hapd, "SIM", "1232010000000000",
e2a90a4c
JM		 352 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
353 anonymous_identity="345678")
354
72cbc684
JM		 355def test_ap_wpa2_eap_sim_ext(dev, apdev):
356 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
47dcb118 357 try:
81e787b7 358 _test_ap_wpa2_eap_sim_ext(dev, apdev)
47dcb118
JM		 359 finally:
360 dev[0].request("SET external_sim 0")
361
362def _test_ap_wpa2_eap_sim_ext(dev, apdev):
81e787b7 363 check_hlr_auc_gw_support()
72cbc684 364 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 365 hostapd.add_ap(apdev[0], params)
72cbc684
JM		 366 dev[0].request("SET external_sim 1")
367 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
368 identity="1232010000000000",
369 wait_connect=False, scan_freq="2412")
370 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
371 if ev is None:
372 raise Exception("Network connected timed out")
373
374 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
375 if ev is None:
376 raise Exception("Wait for external SIM processing request timed out")
377 p = ev.split(':', 2)
378 if p[1] != "GSM-AUTH":
379 raise Exception("Unexpected CTRL-REQ-SIM type")
380 rid = p[0].split('-')[3]
381
382 # IK:CK:RES
383 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
384 # This will fail during processing, but the ctrl_iface command succeeds
385 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
386 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
387 if ev is None:
388 raise Exception("EAP failure not reported")
389 dev[0].request("DISCONNECT")
90ad11e6
JM		 390 dev[0].wait_disconnected()
391 time.sleep(0.1)
72cbc684
JM		 392
393 dev[0].select_network(id, freq="2412")
394 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
395 if ev is None:
396 raise Exception("Wait for external SIM processing request timed out")
397 p = ev.split(':', 2)
398 if p[1] != "GSM-AUTH":
399 raise Exception("Unexpected CTRL-REQ-SIM type")
400 rid = p[0].split('-')[3]
401 # This will fail during GSM auth validation
402 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
403 raise Exception("CTRL-RSP-SIM failed")
404 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
405 if ev is None:
406 raise Exception("EAP failure not reported")
407 dev[0].request("DISCONNECT")
90ad11e6
JM		 408 dev[0].wait_disconnected()
409 time.sleep(0.1)
72cbc684
JM		 410
411 dev[0].select_network(id, freq="2412")
412 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
413 if ev is None:
414 raise Exception("Wait for external SIM processing request timed out")
415 p = ev.split(':', 2)
416 if p[1] != "GSM-AUTH":
417 raise Exception("Unexpected CTRL-REQ-SIM type")
418 rid = p[0].split('-')[3]
419 # This will fail during GSM auth validation
420 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
421 raise Exception("CTRL-RSP-SIM failed")
422 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
423 if ev is None:
424 raise Exception("EAP failure not reported")
425 dev[0].request("DISCONNECT")
90ad11e6
JM		 426 dev[0].wait_disconnected()
427 time.sleep(0.1)
72cbc684
JM		 428
429 dev[0].select_network(id, freq="2412")
430 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
431 if ev is None:
432 raise Exception("Wait for external SIM processing request timed out")
433 p = ev.split(':', 2)
434 if p[1] != "GSM-AUTH":
435 raise Exception("Unexpected CTRL-REQ-SIM type")
436 rid = p[0].split('-')[3]
437 # This will fail during GSM auth validation
438 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
439 raise Exception("CTRL-RSP-SIM failed")
440 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
441 if ev is None:
442 raise Exception("EAP failure not reported")
443 dev[0].request("DISCONNECT")
90ad11e6
JM		 444 dev[0].wait_disconnected()
445 time.sleep(0.1)
72cbc684
JM		 446
447 dev[0].select_network(id, freq="2412")
448 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
449 if ev is None:
450 raise Exception("Wait for external SIM processing request timed out")
451 p = ev.split(':', 2)
452 if p[1] != "GSM-AUTH":
453 raise Exception("Unexpected CTRL-REQ-SIM type")
454 rid = p[0].split('-')[3]
455 # This will fail during GSM auth validation
456 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
457 raise Exception("CTRL-RSP-SIM failed")
458 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
459 if ev is None:
460 raise Exception("EAP failure not reported")
461 dev[0].request("DISCONNECT")
90ad11e6
JM		 462 dev[0].wait_disconnected()
463 time.sleep(0.1)
72cbc684
JM		 464
465 dev[0].select_network(id, freq="2412")
466 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
467 if ev is None:
468 raise Exception("Wait for external SIM processing request timed out")
469 p = ev.split(':', 2)
470 if p[1] != "GSM-AUTH":
471 raise Exception("Unexpected CTRL-REQ-SIM type")
472 rid = p[0].split('-')[3]
473 # This will fail during GSM auth validation
474 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
475 raise Exception("CTRL-RSP-SIM failed")
476 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
477 if ev is None:
478 raise Exception("EAP failure not reported")
479 dev[0].request("DISCONNECT")
90ad11e6
JM		 480 dev[0].wait_disconnected()
481 time.sleep(0.1)
72cbc684
JM		 482
483 dev[0].select_network(id, freq="2412")
484 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
485 if ev is None:
486 raise Exception("Wait for external SIM processing request timed out")
487 p = ev.split(':', 2)
488 if p[1] != "GSM-AUTH":
489 raise Exception("Unexpected CTRL-REQ-SIM type")
490 rid = p[0].split('-')[3]
491 # This will fail during GSM auth validation
492 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
493 raise Exception("CTRL-RSP-SIM failed")
494 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
495 if ev is None:
496 raise Exception("EAP failure not reported")
497
40c654cc
JM		 498def test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
499 """EAP-SIM with external GSM auth and replacing SIM without clearing pseudonym id"""
500 try:
501 _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev)
502 finally:
503 dev[0].request("SET external_sim 0")
504
505def _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
506 check_hlr_auc_gw_support()
507 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 508 hostapd.add_ap(apdev[0], params)
40c654cc
JM		 509 dev[0].request("SET external_sim 1")
510 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
511 identity="1232010000000000",
512 wait_connect=False, scan_freq="2412")
513
514 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
515 if ev is None:
516 raise Exception("Wait for external SIM processing request timed out")
517 p = ev.split(':', 2)
518 if p[1] != "GSM-AUTH":
519 raise Exception("Unexpected CTRL-REQ-SIM type")
520 rid = p[0].split('-')[3]
521 rand = p[2].split(' ')[0]
522
523 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
524 "-m",
525 "auth_serv/hlr_auc_gw.milenage_db",
526 "GSM-AUTH-REQ 232010000000000 " + rand])
527 if "GSM-AUTH-RESP" not in res:
528 raise Exception("Unexpected hlr_auc_gw response")
529 resp = res.split(' ')[2].rstrip()
530
531 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
532 dev[0].wait_connected(timeout=15)
533 dev[0].request("DISCONNECT")
534 dev[0].wait_disconnected()
535
536 # Replace SIM, but forget to drop the previous pseudonym identity
537 dev[0].set_network_quoted(id, "identity", "1232010000000009")
538 dev[0].select_network(id, freq="2412")
539
540 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
541 if ev is None:
542 raise Exception("Wait for external SIM processing request timed out")
543 p = ev.split(':', 2)
544 if p[1] != "GSM-AUTH":
545 raise Exception("Unexpected CTRL-REQ-SIM type")
546 rid = p[0].split('-')[3]
547 rand = p[2].split(' ')[0]
548
549 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
550 "-m",
551 "auth_serv/hlr_auc_gw.milenage_db",
552 "GSM-AUTH-REQ 232010000000009 " + rand])
553 if "GSM-AUTH-RESP" not in res:
554 raise Exception("Unexpected hlr_auc_gw response")
555 resp = res.split(' ')[2].rstrip()
556
557 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
558 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
559 if ev is None:
560 raise Exception("EAP-Failure not reported")
561 dev[0].request("DISCONNECT")
562 dev[0].wait_disconnected()
563
564def test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
565 """EAP-SIM with external GSM auth and replacing SIM and clearing pseudonym identity"""
566 try:
567 _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev)
568 finally:
569 dev[0].request("SET external_sim 0")
570
571def _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
572 check_hlr_auc_gw_support()
573 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 574 hostapd.add_ap(apdev[0], params)
40c654cc
JM		 575 dev[0].request("SET external_sim 1")
576 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
577 identity="1232010000000000",
578 wait_connect=False, scan_freq="2412")
579
580 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
581 if ev is None:
582 raise Exception("Wait for external SIM processing request timed out")
583 p = ev.split(':', 2)
584 if p[1] != "GSM-AUTH":
585 raise Exception("Unexpected CTRL-REQ-SIM type")
586 rid = p[0].split('-')[3]
587 rand = p[2].split(' ')[0]
588
589 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
590 "-m",
591 "auth_serv/hlr_auc_gw.milenage_db",
592 "GSM-AUTH-REQ 232010000000000 " + rand])
593 if "GSM-AUTH-RESP" not in res:
594 raise Exception("Unexpected hlr_auc_gw response")
595 resp = res.split(' ')[2].rstrip()
596
597 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
598 dev[0].wait_connected(timeout=15)
599 dev[0].request("DISCONNECT")
600 dev[0].wait_disconnected()
601
602 # Replace SIM and drop the previous pseudonym identity
603 dev[0].set_network_quoted(id, "identity", "1232010000000009")
604 dev[0].set_network(id, "anonymous_identity", "NULL")
605 dev[0].select_network(id, freq="2412")
606
607 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
608 if ev is None:
609 raise Exception("Wait for external SIM processing request timed out")
610 p = ev.split(':', 2)
611 if p[1] != "GSM-AUTH":
612 raise Exception("Unexpected CTRL-REQ-SIM type")
613 rid = p[0].split('-')[3]
614 rand = p[2].split(' ')[0]
615
616 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
617 "-m",
618 "auth_serv/hlr_auc_gw.milenage_db",
619 "GSM-AUTH-REQ 232010000000009 " + rand])
620 if "GSM-AUTH-RESP" not in res:
621 raise Exception("Unexpected hlr_auc_gw response")
622 resp = res.split(' ')[2].rstrip()
623
624 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
625 dev[0].wait_connected()
626 dev[0].request("DISCONNECT")
627 dev[0].wait_disconnected()
628
629def test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
630 """EAP-SIM with external GSM auth, replacing SIM, and no identity in config"""
631 try:
632 _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev)
633 finally:
634 dev[0].request("SET external_sim 0")
635
636def _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
637 check_hlr_auc_gw_support()
638 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 639 hostapd.add_ap(apdev[0], params)
40c654cc
JM		 640 dev[0].request("SET external_sim 1")
641 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
642 wait_connect=False, scan_freq="2412")
643
644 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
645 if ev is None:
646 raise Exception("Request for identity timed out")
647 rid = ev.split(':')[0].split('-')[-1]
648 dev[0].request("CTRL-RSP-IDENTITY-" + rid + ":1232010000000000")
649
650 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
651 if ev is None:
652 raise Exception("Wait for external SIM processing request timed out")
653 p = ev.split(':', 2)
654 if p[1] != "GSM-AUTH":
655 raise Exception("Unexpected CTRL-REQ-SIM type")
656 rid = p[0].split('-')[3]
657 rand = p[2].split(' ')[0]
658
659 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
660 "-m",
661 "auth_serv/hlr_auc_gw.milenage_db",
662 "GSM-AUTH-REQ 232010000000000 " + rand])
663 if "GSM-AUTH-RESP" not in res:
664 raise Exception("Unexpected hlr_auc_gw response")
665 resp = res.split(' ')[2].rstrip()
666
667 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
668 dev[0].wait_connected(timeout=15)
669 dev[0].request("DISCONNECT")
670 dev[0].wait_disconnected()
671
672 # Replace SIM and drop the previous permanent and pseudonym identities
673 dev[0].set_network(id, "identity", "NULL")
674 dev[0].set_network(id, "anonymous_identity", "NULL")
675 dev[0].select_network(id, freq="2412")
676
677 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
678 if ev is None:
679 raise Exception("Request for identity timed out")
680 rid = ev.split(':')[0].split('-')[-1]
681 dev[0].request("CTRL-RSP-IDENTITY-" + rid + ":1232010000000009")
682
683 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
684 if ev is None:
685 raise Exception("Wait for external SIM processing request timed out")
686 p = ev.split(':', 2)
687 if p[1] != "GSM-AUTH":
688 raise Exception("Unexpected CTRL-REQ-SIM type")
689 rid = p[0].split('-')[3]
690 rand = p[2].split(' ')[0]
691
692 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
693 "-m",
694 "auth_serv/hlr_auc_gw.milenage_db",
695 "GSM-AUTH-REQ 232010000000009 " + rand])
696 if "GSM-AUTH-RESP" not in res:
697 raise Exception("Unexpected hlr_auc_gw response")
698 resp = res.split(' ')[2].rstrip()
699
700 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
701 dev[0].wait_connected()
702 dev[0].request("DISCONNECT")
703 dev[0].wait_disconnected()
704
c397edf2
JM		 705def test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
706 """EAP-SIM with external GSM auth and auth failing"""
707 try:
708 _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev)
709 finally:
710 dev[0].request("SET external_sim 0")
711
712def _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
713 check_hlr_auc_gw_support()
714 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 715 hostapd.add_ap(apdev[0], params)
c397edf2
JM		 716 dev[0].request("SET external_sim 1")
717 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
718 identity="1232010000000000",
719 wait_connect=False, scan_freq="2412")
720
721 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
722 if ev is None:
723 raise Exception("Wait for external SIM processing request timed out")
724 p = ev.split(':', 2)
725 rid = p[0].split('-')[3]
726 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-FAIL")
727 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
728 if ev is None:
729 raise Exception("EAP failure not reported")
730 dev[0].request("REMOVE_NETWORK all")
731 dev[0].wait_disconnected()
732
6c7fed46
JM		 733def test_ap_wpa2_eap_sim_change_bssid(dev, apdev):
734 """EAP-SIM and external GSM auth to check fast reauth with bssid change"""
735 try:
736 _test_ap_wpa2_eap_sim_change_bssid(dev, apdev)
737 finally:
738 dev[0].request("SET external_sim 0")
739
740def _test_ap_wpa2_eap_sim_change_bssid(dev, apdev):
741 check_hlr_auc_gw_support()
742 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 743 hostapd.add_ap(apdev[0], params)
6c7fed46
JM		 744 dev[0].request("SET external_sim 1")
745 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
746 identity="1232010000000000",
747 wait_connect=False, scan_freq="2412")
748
749 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
750 if ev is None:
751 raise Exception("Wait for external SIM processing request timed out")
752 p = ev.split(':', 2)
753 if p[1] != "GSM-AUTH":
754 raise Exception("Unexpected CTRL-REQ-SIM type")
755 rid = p[0].split('-')[3]
756 rand = p[2].split(' ')[0]
757
758 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
759 "-m",
760 "auth_serv/hlr_auc_gw.milenage_db",
761 "GSM-AUTH-REQ 232010000000000 " + rand])
762 if "GSM-AUTH-RESP" not in res:
763 raise Exception("Unexpected hlr_auc_gw response")
764 resp = res.split(' ')[2].rstrip()
765
766 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
767 dev[0].wait_connected(timeout=15)
768
769 # Verify that EAP-SIM Reauthentication can be used after a profile change
770 # that does not affect EAP parameters.
771 dev[0].set_network(id, "bssid", "any")
772 eap_reauth(dev[0], "SIM")
773
07f0da30
JM		 774def test_ap_wpa2_eap_sim_no_change_set(dev, apdev):
775 """EAP-SIM and external GSM auth to check fast reauth with no-change SET_NETWORK"""
776 try:
777 _test_ap_wpa2_eap_sim_no_change_set(dev, apdev)
778 finally:
779 dev[0].request("SET external_sim 0")
780
781def _test_ap_wpa2_eap_sim_no_change_set(dev, apdev):
782 check_hlr_auc_gw_support()
783 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 784 hostapd.add_ap(apdev[0], params)
07f0da30
JM		 785 dev[0].request("SET external_sim 1")
786 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
787 identity="1232010000000000",
788 wait_connect=False, scan_freq="2412")
789
790 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
791 if ev is None:
792 raise Exception("Wait for external SIM processing request timed out")
793 p = ev.split(':', 2)
794 if p[1] != "GSM-AUTH":
795 raise Exception("Unexpected CTRL-REQ-SIM type")
796 rid = p[0].split('-')[3]
797 rand = p[2].split(' ')[0]
798
799 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
800 "-m",
801 "auth_serv/hlr_auc_gw.milenage_db",
802 "GSM-AUTH-REQ 232010000000000 " + rand])
803 if "GSM-AUTH-RESP" not in res:
804 raise Exception("Unexpected hlr_auc_gw response")
805 resp = res.split(' ')[2].rstrip()
806
807 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
808 dev[0].wait_connected(timeout=15)
809
810 # Verify that EAP-SIM Reauthentication can be used after network profile
811 # SET_NETWORK commands that do not actually change previously set
812 # parameter values.
813 dev[0].set_network(id, "key_mgmt", "WPA-EAP")
814 dev[0].set_network(id, "eap", "SIM")
815 dev[0].set_network_quoted(id, "identity", "1232010000000000")
816 dev[0].set_network_quoted(id, "ssid", "test-wpa2-eap")
817 eap_reauth(dev[0], "SIM")
818
486f4e3c
JM		 819def test_ap_wpa2_eap_sim_oom(dev, apdev):
820 """EAP-SIM and OOM"""
821 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 822 hostapd.add_ap(apdev[0], params)
486f4e3c
JM		 823 tests = [ (1, "milenage_f2345"),
824 (2, "milenage_f2345"),
825 (3, "milenage_f2345"),
826 (4, "milenage_f2345"),
827 (5, "milenage_f2345"),
828 (6, "milenage_f2345"),
829 (7, "milenage_f2345"),
830 (8, "milenage_f2345"),
831 (9, "milenage_f2345"),
832 (10, "milenage_f2345"),
833 (11, "milenage_f2345"),
834 (12, "milenage_f2345") ]
835 for count, func in tests:
7cbc8e67 836 with fail_test(dev[0], count, func):
486f4e3c
JM		 837 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
838 identity="1232010000000000",
839 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
840 wait_connect=False, scan_freq="2412")
841 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
842 if ev is None:
843 raise Exception("EAP method not selected")
844 dev[0].wait_disconnected()
845 dev[0].request("REMOVE_NETWORK all")
846
9626962d
JM		 847def test_ap_wpa2_eap_aka(dev, apdev):
848 """WPA2-Enterprise connection using EAP-AKA"""
81e787b7 849 check_hlr_auc_gw_support()
9626962d 850 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 851 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 852 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
9626962d 853 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
a8375c94 854 hwsim_utils.test_connectivity(dev[0], hapd)
75b2b9cf 855 eap_reauth(dev[0], "AKA")
9626962d 856
f10ba3b2
JM		 857 logger.info("Negative test with incorrect key")
858 dev[0].request("REMOVE_NETWORK all")
3b3e2687 859 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
f10ba3b2
JM		 860 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
861 expect_failure=True)
862
32747a3e
JM		 863 logger.info("Invalid Milenage key")
864 dev[0].request("REMOVE_NETWORK all")
3b3e2687 865 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
32747a3e
JM		 866 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
867 expect_failure=True)
868
869 logger.info("Invalid Milenage key(2)")
3b3e2687 870 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
32747a3e
JM		 871 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
872 expect_failure=True)
873
874 logger.info("Invalid Milenage key(3)")
3b3e2687 875 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
32747a3e
JM		 876 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
877 expect_failure=True)
878
879 logger.info("Invalid Milenage key(4)")
3b3e2687 880 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
32747a3e
JM		 881 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
882 expect_failure=True)
883
884 logger.info("Invalid Milenage key(5)")
885 dev[0].request("REMOVE_NETWORK all")
3b3e2687 886 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
32747a3e
JM		 887 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
888 expect_failure=True)
889
890 logger.info("Invalid Milenage key(6)")
891 dev[0].request("REMOVE_NETWORK all")
3b3e2687 892 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
32747a3e
JM		 893 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
894 expect_failure=True)
895
896 logger.info("Missing key configuration")
897 dev[0].request("REMOVE_NETWORK all")
3b3e2687 898 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
32747a3e
JM		 899 expect_failure=True)
900
5b1aaf6c
JM		 901def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
902 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
81e787b7 903 check_hlr_auc_gw_support()
5b1aaf6c
JM		 904 try:
905 import sqlite3
906 except ImportError:
81e787b7 907 raise HwsimSkip("No sqlite3 module available")
5b1aaf6c
JM		 908 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
909 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
910 params['auth_server_port'] = "1814"
3b3e2687
JD		 911 hapd = hostapd.add_ap(apdev[0], params)
912 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
5b1aaf6c
JM		 913 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
914
915 logger.info("AKA fast re-authentication")
916 eap_reauth(dev[0], "AKA")
917
918 logger.info("AKA full auth with pseudonym")
919 with con:
920 cur = con.cursor()
921 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
922 eap_reauth(dev[0], "AKA")
923
924 logger.info("AKA full auth with permanent identity")
925 with con:
926 cur = con.cursor()
927 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
928 cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
929 eap_reauth(dev[0], "AKA")
930
931 logger.info("AKA reauth with mismatching MK")
932 with con:
933 cur = con.cursor()
934 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
935 eap_reauth(dev[0], "AKA", expect_failure=True)
936 dev[0].request("REMOVE_NETWORK all")
937
3b3e2687 938 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
5b1aaf6c
JM		 939 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
940 with con:
941 cur = con.cursor()
942 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
943 eap_reauth(dev[0], "AKA")
944 with con:
945 cur = con.cursor()
946 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
947 logger.info("AKA reauth with mismatching counter")
948 eap_reauth(dev[0], "AKA")
949 dev[0].request("REMOVE_NETWORK all")
950
3b3e2687 951 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
5b1aaf6c
JM		 952 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
953 with con:
954 cur = con.cursor()
955 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
956 logger.info("AKA reauth with max reauth count reached")
957 eap_reauth(dev[0], "AKA")
958
e2a90a4c
JM		 959def test_ap_wpa2_eap_aka_config(dev, apdev):
960 """EAP-AKA configuration options"""
961 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 962 hapd = hostapd.add_ap(apdev[0], params)
963 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
e2a90a4c
JM		 964 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
965 anonymous_identity="2345678")
966
d314bedf
JM		 967def test_ap_wpa2_eap_aka_ext(dev, apdev):
968 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
47dcb118 969 try:
81e787b7 970 _test_ap_wpa2_eap_aka_ext(dev, apdev)
47dcb118
JM		 971 finally:
972 dev[0].request("SET external_sim 0")
973
974def _test_ap_wpa2_eap_aka_ext(dev, apdev):
81e787b7 975 check_hlr_auc_gw_support()
d314bedf 976 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 977 hostapd.add_ap(apdev[0], params)
d314bedf
JM		 978 dev[0].request("SET external_sim 1")
979 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
980 identity="0232010000000000",
981 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
982 wait_connect=False, scan_freq="2412")
983 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
984 if ev is None:
985 raise Exception("Network connected timed out")
986
987 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
988 if ev is None:
989 raise Exception("Wait for external SIM processing request timed out")
990 p = ev.split(':', 2)
991 if p[1] != "UMTS-AUTH":
992 raise Exception("Unexpected CTRL-REQ-SIM type")
993 rid = p[0].split('-')[3]
994
995 # IK:CK:RES
996 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
997 # This will fail during processing, but the ctrl_iface command succeeds
998 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
999 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
1000 if ev is None:
1001 raise Exception("EAP failure not reported")
1002 dev[0].request("DISCONNECT")
584e4197 1003 dev[0].wait_disconnected()
90ad11e6 1004 time.sleep(0.1)
a359c7bb 1005 dev[0].dump_monitor()
d314bedf 1006
d8e02214
JM		 1007 dev[0].select_network(id, freq="2412")
1008 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
1009 if ev is None:
1010 raise Exception("Wait for external SIM processing request timed out")
1011 p = ev.split(':', 2)
1012 if p[1] != "UMTS-AUTH":
1013 raise Exception("Unexpected CTRL-REQ-SIM type")
1014 rid = p[0].split('-')[3]
1015 # This will fail during UMTS auth validation
1016 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
1017 raise Exception("CTRL-RSP-SIM failed")
1018 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
1019 if ev is None:
1020 raise Exception("Wait for external SIM processing request timed out")
1021 p = ev.split(':', 2)
1022 if p[1] != "UMTS-AUTH":
1023 raise Exception("Unexpected CTRL-REQ-SIM type")
1024 rid = p[0].split('-')[3]
1025 # This will fail during UMTS auth validation
1026 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
1027 raise Exception("CTRL-RSP-SIM failed")
1028 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
1029 if ev is None:
1030 raise Exception("EAP failure not reported")
1031 dev[0].request("DISCONNECT")
584e4197 1032 dev[0].wait_disconnected()
90ad11e6 1033 time.sleep(0.1)
a359c7bb 1034 dev[0].dump_monitor()
d8e02214 1035
0258cf10
JM		 1036 tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
1037 ":UMTS-AUTH:34",
1038 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
1039 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
1040 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
1041 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
1042 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
1043 for t in tests:
1044 dev[0].select_network(id, freq="2412")
1045 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
1046 if ev is None:
1047 raise Exception("Wait for external SIM processing request timed out")
1048 p = ev.split(':', 2)
1049 if p[1] != "UMTS-AUTH":
1050 raise Exception("Unexpected CTRL-REQ-SIM type")
1051 rid = p[0].split('-')[3]
1052 # This will fail during UMTS auth validation
1053 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
1054 raise Exception("CTRL-RSP-SIM failed")
1055 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
1056 if ev is None:
1057 raise Exception("EAP failure not reported")
1058 dev[0].request("DISCONNECT")
1059 dev[0].wait_disconnected()
90ad11e6 1060 time.sleep(0.1)
a359c7bb 1061 dev[0].dump_monitor()
d314bedf 1062
c397edf2
JM		 1063def test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
1064 """EAP-AKA with external UMTS auth and auth failing"""
1065 try:
1066 _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev)
1067 finally:
1068 dev[0].request("SET external_sim 0")
1069
1070def _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
1071 check_hlr_auc_gw_support()
1072 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 1073 hostapd.add_ap(apdev[0], params)
c397edf2
JM		 1074 dev[0].request("SET external_sim 1")
1075 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
1076 identity="0232010000000000",
1077 wait_connect=False, scan_freq="2412")
1078
1079 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
1080 if ev is None:
1081 raise Exception("Wait for external SIM processing request timed out")
1082 p = ev.split(':', 2)
1083 rid = p[0].split('-')[3]
1084 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
1085 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
1086 if ev is None:
1087 raise Exception("EAP failure not reported")
1088 dev[0].request("REMOVE_NETWORK all")
1089 dev[0].wait_disconnected()
1090
9626962d
JM		 1091def test_ap_wpa2_eap_aka_prime(dev, apdev):
1092 """WPA2-Enterprise connection using EAP-AKA'"""
81e787b7 1093 check_hlr_auc_gw_support()
9626962d 1094 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 1095 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 1096 eap_connect(dev[0], hapd, "AKA'", "6555444333222111",
9626962d 1097 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
a8375c94 1098 hwsim_utils.test_connectivity(dev[0], hapd)
75b2b9cf 1099 eap_reauth(dev[0], "AKA'")
9626962d 1100
8583d664
JM		 1101 logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
1102 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
1103 identity="6555444333222111@both",
1104 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
1105 wait_connect=False, scan_freq="2412")
5f35a5e2 1106 dev[1].wait_connected(timeout=15)
8583d664 1107
f10ba3b2
JM		 1108 logger.info("Negative test with incorrect key")
1109 dev[0].request("REMOVE_NETWORK all")
3b3e2687 1110 eap_connect(dev[0], hapd, "AKA'", "6555444333222111",
f10ba3b2
JM		 1111 password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
1112 expect_failure=True)
1113
5b1aaf6c
JM		 1114def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
1115 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
81e787b7 1116 check_hlr_auc_gw_support()
5b1aaf6c
JM		 1117 try:
1118 import sqlite3
1119 except ImportError:
81e787b7 1120 raise HwsimSkip("No sqlite3 module available")
5b1aaf6c
JM		 1121 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
1122 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1123 params['auth_server_port'] = "1814"
3b3e2687
JD		 1124 hapd = hostapd.add_ap(apdev[0], params)
1125 eap_connect(dev[0], hapd, "AKA'", "6555444333222111",
5b1aaf6c
JM		 1126 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1127
1128 logger.info("AKA' fast re-authentication")
1129 eap_reauth(dev[0], "AKA'")
1130
1131 logger.info("AKA' full auth with pseudonym")
1132 with con:
1133 cur = con.cursor()
1134 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
1135 eap_reauth(dev[0], "AKA'")
1136
1137 logger.info("AKA' full auth with permanent identity")
1138 with con:
1139 cur = con.cursor()
1140 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
1141 cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
1142 eap_reauth(dev[0], "AKA'")
1143
1144 logger.info("AKA' reauth with mismatching k_aut")
1145 with con:
1146 cur = con.cursor()
1147 cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
1148 eap_reauth(dev[0], "AKA'", expect_failure=True)
1149 dev[0].request("REMOVE_NETWORK all")
1150
3b3e2687 1151 eap_connect(dev[0], hapd, "AKA'", "6555444333222111",
5b1aaf6c
JM		 1152 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1153 with con:
1154 cur = con.cursor()
1155 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
1156 eap_reauth(dev[0], "AKA'")
1157 with con:
1158 cur = con.cursor()
1159 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
1160 logger.info("AKA' reauth with mismatching counter")
1161 eap_reauth(dev[0], "AKA'")
1162 dev[0].request("REMOVE_NETWORK all")
1163
3b3e2687 1164 eap_connect(dev[0], hapd, "AKA'", "6555444333222111",
5b1aaf6c
JM		 1165 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1166 with con:
1167 cur = con.cursor()
1168 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
1169 logger.info("AKA' reauth with max reauth count reached")
1170 eap_reauth(dev[0], "AKA'")
1171
c397edf2
JM		 1172def test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
1173 """EAP-AKA' with external UMTS auth and auth failing"""
1174 try:
1175 _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev)
1176 finally:
1177 dev[0].request("SET external_sim 0")
1178
1179def _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
1180 check_hlr_auc_gw_support()
1181 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 1182 hostapd.add_ap(apdev[0], params)
c397edf2
JM		 1183 dev[0].request("SET external_sim 1")
1184 id = dev[0].connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
1185 identity="6555444333222111",
1186 wait_connect=False, scan_freq="2412")
1187
1188 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
1189 if ev is None:
1190 raise Exception("Wait for external SIM processing request timed out")
1191 p = ev.split(':', 2)
1192 rid = p[0].split('-')[3]
1193 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
1194 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
1195 if ev is None:
1196 raise Exception("EAP failure not reported")
1197 dev[0].request("REMOVE_NETWORK all")
1198 dev[0].wait_disconnected()
1199
c25aada9
JM		 1200def test_ap_wpa2_eap_aka_prime_ext(dev, apdev):
1201 """EAP-AKA' with external UMTS auth to hit Synchronization-Failure"""
1202 try:
1203 _test_ap_wpa2_eap_aka_prime_ext(dev, apdev)
1204 finally:
1205 dev[0].request("SET external_sim 0")
1206
1207def _test_ap_wpa2_eap_aka_prime_ext(dev, apdev):
1208 check_hlr_auc_gw_support()
1209 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1210 hostapd.add_ap(apdev[0], params)
1211 dev[0].request("SET external_sim 1")
1212 id = dev[0].connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
1213 identity="6555444333222111",
1214 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1215 wait_connect=False, scan_freq="2412")
1216 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
1217 if ev is None:
1218 raise Exception("Network connected timed out")
1219
1220 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
1221 if ev is None:
1222 raise Exception("Wait for external SIM processing request timed out")
1223 p = ev.split(':', 2)
1224 if p[1] != "UMTS-AUTH":
1225 raise Exception("Unexpected CTRL-REQ-SIM type")
1226 rid = p[0].split('-')[3]
1227 # This will fail during UMTS auth validation
1228 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
1229 raise Exception("CTRL-RSP-SIM failed")
1230 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
1231 if ev is None:
1232 raise Exception("Wait for external SIM processing request timed out")
1233
9626962d
JM		 1234def test_ap_wpa2_eap_ttls_pap(dev, apdev):
1235 """WPA2-Enterprise connection using EAP-TTLS/PAP"""
1236 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 1237 hapd = hostapd.add_ap(apdev[0], params)
65038313
JM		 1238 key_mgmt = hapd.get_config()['key_mgmt']
1239 if key_mgmt.split(' ')[0] != "WPA-EAP":
1240 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
3b3e2687 1241 eap_connect(dev[0], hapd, "TTLS", "pap user",
9626962d 1242 anonymous_identity="ttls", password="password",
506b2f05 1243 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
a8375c94 1244 hwsim_utils.test_connectivity(dev[0], hapd)
75b2b9cf 1245 eap_reauth(dev[0], "TTLS")
eaf3f9b1
JM		 1246 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
1247 ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1") ])
9626962d 1248
506b2f05
JM		 1249def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
1250 """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
1251 check_subject_match_support(dev[0])
1252 check_altsubject_match_support(dev[0])
1253 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 1254 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 1255 eap_connect(dev[0], hapd, "TTLS", "pap user",
506b2f05
JM		 1256 anonymous_identity="ttls", password="password",
1257 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
1258 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
1259 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
1260 eap_reauth(dev[0], "TTLS")
1261
82a8f5b5
JM		 1262def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
1263 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
1264 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 1265 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 1266 eap_connect(dev[0], hapd, "TTLS", "pap user",
82a8f5b5
JM		 1267 anonymous_identity="ttls", password="wrong",
1268 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
1269 expect_failure=True)
3b3e2687 1270 eap_connect(dev[1], hapd, "TTLS", "user",
82a8f5b5
JM		 1271 anonymous_identity="ttls", password="password",
1272 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
1273 expect_failure=True)
1274
9626962d
JM		 1275def test_ap_wpa2_eap_ttls_chap(dev, apdev):
1276 """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
ca158ea6 1277 skip_with_fips(dev[0])
9626962d 1278 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 1279 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 1280 eap_connect(dev[0], hapd, "TTLS", "chap user",
506b2f05
JM		 1281 anonymous_identity="ttls", password="password",
1282 ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
1283 hwsim_utils.test_connectivity(dev[0], hapd)
1284 eap_reauth(dev[0], "TTLS")
1285
1286def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
1287 """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
ca158ea6 1288 skip_with_fips(dev[0])
506b2f05
JM		 1289 check_altsubject_match_support(dev[0])
1290 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 1291 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 1292 eap_connect(dev[0], hapd, "TTLS", "chap user",
9626962d 1293 anonymous_identity="ttls", password="password",
5c65e277
JM		 1294 ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
1295 altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
75b2b9cf 1296 eap_reauth(dev[0], "TTLS")
9626962d 1297
82a8f5b5
JM		 1298def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
1299 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
ca158ea6 1300 skip_with_fips(dev[0])
82a8f5b5 1301 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 1302 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 1303 eap_connect(dev[0], hapd, "TTLS", "chap user",
82a8f5b5
JM		 1304 anonymous_identity="ttls", password="wrong",
1305 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
1306 expect_failure=True)
3b3e2687 1307 eap_connect(dev[1], hapd, "TTLS", "user",
82a8f5b5
JM		 1308 anonymous_identity="ttls", password="password",
1309 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
1310 expect_failure=True)
1311
9626962d
JM		 1312def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
1313 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
ca158ea6 1314 skip_with_fips(dev[0])
e78eb404 1315 check_domain_suffix_match(dev[0])
9626962d 1316 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 1317 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 1318 eap_connect(dev[0], hapd, "TTLS", "mschap user",
9626962d 1319 anonymous_identity="ttls", password="password",
72c052d5
JM		 1320 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
1321 domain_suffix_match="server.w1.fi")
a8375c94 1322 hwsim_utils.test_connectivity(dev[0], hapd)
75b2b9cf 1323 eap_reauth(dev[0], "TTLS")
6daf5b9c 1324 dev[0].request("REMOVE_NETWORK all")
3b3e2687 1325 eap_connect(dev[0], hapd, "TTLS", "mschap user",
6daf5b9c
JM		 1326 anonymous_identity="ttls", password="password",
1327 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
1328 fragment_size="200")
bfdb90d4
JM		 1329 dev[0].request("REMOVE_NETWORK all")
1330 dev[0].wait_disconnected()
3b3e2687 1331 eap_connect(dev[0], hapd, "TTLS", "mschap user",
bfdb90d4
JM		 1332 anonymous_identity="ttls",
1333 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
1334 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
9626962d 1335
82a8f5b5 1336def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
ca158ea6
JM		 1337 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
1338 skip_with_fips(dev[0])
82a8f5b5 1339 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 1340 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 1341 eap_connect(dev[0], hapd, "TTLS", "mschap user",
82a8f5b5
JM		 1342 anonymous_identity="ttls", password="wrong",
1343 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
1344 expect_failure=True)
3b3e2687 1345 eap_connect(dev[1], hapd, "TTLS", "user",
82a8f5b5
JM		 1346 anonymous_identity="ttls", password="password",
1347 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
1348 expect_failure=True)
3b3e2687 1349 eap_connect(dev[2], hapd, "TTLS", "no such user",
82a8f5b5
JM		 1350 anonymous_identity="ttls", password="password",
1351 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
1352 expect_failure=True)
1353
9626962d
JM		 1354def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
1355 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
e78eb404 1356 check_domain_suffix_match(dev[0])
ca158ea6 1357 check_eap_capa(dev[0], "MSCHAPV2")
9626962d 1358 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 1359 hapd = hostapd.add_ap(apdev[0], params)
1360 eap_connect(dev[0], hapd, "TTLS", "DOMAIN\mschapv2 user",
9626962d 1361 anonymous_identity="ttls", password="password",
72c052d5 1362 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
24579e70 1363 domain_suffix_match="server.w1.fi")
a8375c94 1364 hwsim_utils.test_connectivity(dev[0], hapd)
5dec879d
JM		 1365 sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
1366 eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
75b2b9cf 1367 eap_reauth(dev[0], "TTLS")
5dec879d
JM		 1368 sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
1369 eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
1370 if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
1371 raise Exception("dot1xAuthEapolFramesRx did not increase")
1372 if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
1373 raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
1374 if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
1375 raise Exception("backendAuthSuccesses did not increase")
9626962d 1376
fa0ddb14
JM		 1377 logger.info("Password as hash value")
1378 dev[0].request("REMOVE_NETWORK all")
3b3e2687 1379 eap_connect(dev[0], hapd, "TTLS", "DOMAIN\mschapv2 user",
fa0ddb14
JM		 1380 anonymous_identity="ttls",
1381 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
1382 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
1383
c4e06b9b
JM		 1384def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
1385 """EAP-TTLS with invalid phase2 parameter values"""
1386 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 1387 hostapd.add_ap(apdev[0], params)
c4e06b9b 1388 tests = [ "auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
53827125
JM		 1389 "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
1390 "autheap=MD5 autheap=FOO autheap=MSCHAPV2" ]
c4e06b9b
JM		 1391 for t in tests:
1392 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1393 identity="DOMAIN\mschapv2 user",
1394 anonymous_identity="ttls", password="password",
1395 ca_cert="auth_serv/ca.pem", phase2=t,
1396 wait_connect=False, scan_freq="2412")
1397 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
1398 if ev is None or "method=21" not in ev:
1399 raise Exception("EAP-TTLS not started")
1400 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method",
1401 "CTRL-EVENT-CONNECTED"], timeout=5)
1402 if ev is None or "CTRL-EVENT-CONNECTED" in ev:
1403 raise Exception("No EAP-TTLS failure reported for phase2=" + t)
1404 dev[0].request("REMOVE_NETWORK all")
1405 dev[0].wait_disconnected()
1406 dev[0].dump_monitor()
1407
24579e70
JM		 1408def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
1409 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
1410 check_domain_match_full(dev[0])
ca158ea6 1411 skip_with_fips(dev[0])
24579e70 1412 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 1413 hapd = hostapd.add_ap(apdev[0], params)
1414 eap_connect(dev[0], hapd, "TTLS", "DOMAIN\mschapv2 user",
24579e70
JM		 1415 anonymous_identity="ttls", password="password",
1416 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1417 domain_suffix_match="w1.fi")
1418 hwsim_utils.test_connectivity(dev[0], hapd)
1419 eap_reauth(dev[0], "TTLS")
1420
061cbb25
JM		 1421def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
1422 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
e78eb404 1423 check_domain_match(dev[0])
ca158ea6 1424 skip_with_fips(dev[0])
061cbb25 1425 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 1426 hapd = hostapd.add_ap(apdev[0], params)
1427 eap_connect(dev[0], hapd, "TTLS", "DOMAIN\mschapv2 user",
061cbb25
JM		 1428 anonymous_identity="ttls", password="password",
1429 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1430 domain_match="Server.w1.fi")
1431 hwsim_utils.test_connectivity(dev[0], hapd)
1432 eap_reauth(dev[0], "TTLS")
1433
82a8f5b5
JM		 1434def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
1435 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
ca158ea6 1436 skip_with_fips(dev[0])
82a8f5b5 1437 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 1438 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 1439 eap_connect(dev[0], hapd, "TTLS", "DOMAIN\mschapv2 user",
f10ba3b2
JM		 1440 anonymous_identity="ttls", password="password1",
1441 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1442 expect_failure=True)
3b3e2687 1443 eap_connect(dev[1], hapd, "TTLS", "user",
82a8f5b5
JM		 1444 anonymous_identity="ttls", password="password",
1445 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1446 expect_failure=True)
f10ba3b2 1447
eac67440
JM		 1448def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
1449 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
ca158ea6 1450 skip_with_fips(dev[0])
eac67440 1451 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 1452 hapd = hostapd.add_ap(apdev[0], params)
1453 eap_connect(dev[0], hapd, "TTLS", "utf8-user-hash",
eac67440
JM		 1454 anonymous_identity="ttls", password="secret-åäö-€-password",
1455 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
3b3e2687 1456 eap_connect(dev[1], hapd, "TTLS", "utf8-user",
eac67440
JM		 1457 anonymous_identity="ttls",
1458 password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
1459 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
0d2a7bad
JM		 1460 for p in [ "80", "41c041e04141e041", 257*"41" ]:
1461 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
1462 eap="TTLS", identity="utf8-user-hash",
1463 anonymous_identity="ttls", password_hex=p,
1464 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1465 wait_connect=False, scan_freq="2412")
1466 ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1)
1467 if ev is None:
1468 raise Exception("No failure reported")
1469 dev[2].request("REMOVE_NETWORK all")
1470 dev[2].wait_disconnected()
eac67440 1471
9626962d
JM		 1472def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
1473 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
1474 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 1475 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 1476 eap_connect(dev[0], hapd, "TTLS", "user",
9626962d
JM		 1477 anonymous_identity="ttls", password="password",
1478 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
a8375c94 1479 hwsim_utils.test_connectivity(dev[0], hapd)
75b2b9cf 1480 eap_reauth(dev[0], "TTLS")
9626962d 1481
95a15d79
JM		 1482def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
1483 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
1484 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 1485 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 1486 eap_connect(dev[0], hapd, "TTLS", "user",
95a15d79
JM		 1487 anonymous_identity="ttls", password="wrong",
1488 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
1489 expect_failure=True)
1490
1491def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
1492 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
1493 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 1494 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 1495 eap_connect(dev[0], hapd, "TTLS", "user-no-passwd",
95a15d79
JM		 1496 anonymous_identity="ttls", password="password",
1497 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
1498 expect_failure=True)
1499
1500def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
1501 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
1502 params = int_eap_server_params()
8b8a1864 1503 hapd = hostapd.add_ap(apdev[0], params)
95a15d79 1504 with alloc_fail(hapd, 1, "eap_gtc_init"):
3b3e2687 1505 eap_connect(dev[0], hapd, "TTLS", "user",
95a15d79
JM		 1506 anonymous_identity="ttls", password="password",
1507 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
1508 expect_failure=True)
1509 dev[0].request("REMOVE_NETWORK all")
1510
1511 with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
1512 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1513 eap="TTLS", identity="user",
1514 anonymous_identity="ttls", password="password",
1515 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
1516 wait_connect=False, scan_freq="2412")
1517 # This would eventually time out, but we can stop after having reached
1518 # the allocation failure.
1519 for i in range(20):
1520 time.sleep(0.1)
1521 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1522 break
1523
ac713c09
JM		 1524def test_ap_wpa2_eap_ttls_eap_gtc_oom(dev, apdev):
1525 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC (OOM)"""
1526 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 1527 hapd = hostapd.add_ap(apdev[0], params)
ac713c09
JM		 1528
1529 tests = [ "eap_gtc_init",
1530 "eap_msg_alloc;eap_gtc_process" ]
1531 for func in tests:
1532 with alloc_fail(dev[0], 1, func):
1533 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
1534 scan_freq="2412",
1535 eap="TTLS", identity="user",
1536 anonymous_identity="ttls", password="password",
1537 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
1538 wait_connect=False)
1539 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
1540 dev[0].request("REMOVE_NETWORK all")
1541 dev[0].wait_disconnected()
1542
9626962d
JM		 1543def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
1544 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
e7ac04ce 1545 check_eap_capa(dev[0], "MD5")
9626962d 1546 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 1547 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 1548 eap_connect(dev[0], hapd, "TTLS", "user",
9626962d
JM		 1549 anonymous_identity="ttls", password="password",
1550 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
a8375c94 1551 hwsim_utils.test_connectivity(dev[0], hapd)
75b2b9cf 1552 eap_reauth(dev[0], "TTLS")
9626962d 1553
ee9533eb
JM		 1554def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
1555 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
e7ac04ce 1556 check_eap_capa(dev[0], "MD5")
ee9533eb 1557 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 1558 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 1559 eap_connect(dev[0], hapd, "TTLS", "user",
ee9533eb
JM		 1560 anonymous_identity="ttls", password="wrong",
1561 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1562 expect_failure=True)
1563
95a15d79
JM		 1564def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
1565 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
e7ac04ce 1566 check_eap_capa(dev[0], "MD5")
95a15d79 1567 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 1568 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 1569 eap_connect(dev[0], hapd, "TTLS", "user-no-passwd",
95a15d79
JM		 1570 anonymous_identity="ttls", password="password",
1571 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1572 expect_failure=True)
1573
ee9533eb
JM		 1574def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
1575 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
e7ac04ce 1576 check_eap_capa(dev[0], "MD5")
ee9533eb 1577 params = int_eap_server_params()
8b8a1864 1578 hapd = hostapd.add_ap(apdev[0], params)
ee9533eb 1579 with alloc_fail(hapd, 1, "eap_md5_init"):
3b3e2687 1580 eap_connect(dev[0], hapd, "TTLS", "user",
ee9533eb
JM		 1581 anonymous_identity="ttls", password="password",
1582 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1583 expect_failure=True)
1584 dev[0].request("REMOVE_NETWORK all")
1585
1586 with alloc_fail(hapd, 1, "eap_md5_buildReq"):
1587 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1588 eap="TTLS", identity="user",
1589 anonymous_identity="ttls", password="password",
1590 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1591 wait_connect=False, scan_freq="2412")
1592 # This would eventually time out, but we can stop after having reached
1593 # the allocation failure.
1594 for i in range(20):
1595 time.sleep(0.1)
1596 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1597 break
1598
9626962d
JM		 1599def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
1600 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
e7ac04ce 1601 check_eap_capa(dev[0], "MSCHAPV2")
9626962d 1602 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 1603 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 1604 eap_connect(dev[0], hapd, "TTLS", "user",
9626962d
JM		 1605 anonymous_identity="ttls", password="password",
1606 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
a8375c94 1607 hwsim_utils.test_connectivity(dev[0], hapd)
75b2b9cf 1608 eap_reauth(dev[0], "TTLS")
9626962d 1609
f10ba3b2
JM		 1610 logger.info("Negative test with incorrect password")
1611 dev[0].request("REMOVE_NETWORK all")
3b3e2687 1612 eap_connect(dev[0], hapd, "TTLS", "user",
f10ba3b2
JM		 1613 anonymous_identity="ttls", password="password1",
1614 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1615 expect_failure=True)
1616
95a15d79
JM		 1617def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
1618 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
e7ac04ce 1619 check_eap_capa(dev[0], "MSCHAPV2")
95a15d79 1620 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 1621 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 1622 eap_connect(dev[0], hapd, "TTLS", "user-no-passwd",
95a15d79
JM		 1623 anonymous_identity="ttls", password="password",
1624 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1625 expect_failure=True)
1626
ef318402
JM		 1627def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
1628 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
e7ac04ce 1629 check_eap_capa(dev[0], "MSCHAPV2")
ef318402 1630 params = int_eap_server_params()
8b8a1864 1631 hapd = hostapd.add_ap(apdev[0], params)
ef318402 1632 with alloc_fail(hapd, 1, "eap_mschapv2_init"):
3b3e2687 1633 eap_connect(dev[0], hapd, "TTLS", "user",
ef318402
JM		 1634 anonymous_identity="ttls", password="password",
1635 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1636 expect_failure=True)
1637 dev[0].request("REMOVE_NETWORK all")
1638
1639 with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
1640 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1641 eap="TTLS", identity="user",
1642 anonymous_identity="ttls", password="password",
1643 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1644 wait_connect=False, scan_freq="2412")
1645 # This would eventually time out, but we can stop after having reached
1646 # the allocation failure.
1647 for i in range(20):
1648 time.sleep(0.1)
1649 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1650 break
1651 dev[0].request("REMOVE_NETWORK all")
1652
1653 with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
1654 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1655 eap="TTLS", identity="user",
1656 anonymous_identity="ttls", password="password",
1657 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1658 wait_connect=False, scan_freq="2412")
1659 # This would eventually time out, but we can stop after having reached
1660 # the allocation failure.
1661 for i in range(20):
1662 time.sleep(0.1)
1663 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1664 break
1665 dev[0].request("REMOVE_NETWORK all")
1666
1667 with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
1668 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1669 eap="TTLS", identity="user",
1670 anonymous_identity="ttls", password="wrong",
1671 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1672 wait_connect=False, scan_freq="2412")
1673 # This would eventually time out, but we can stop after having reached
1674 # the allocation failure.
1675 for i in range(20):
1676 time.sleep(0.1)
1677 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1678 break
1679 dev[0].request("REMOVE_NETWORK all")
1680
f22bc118
JM		 1681def test_ap_wpa2_eap_ttls_eap_sim(dev, apdev):
1682 """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM"""
1683 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1684 hapd = hostapd.add_ap(apdev[0], params)
1685 eap_connect(dev[0], hapd, "TTLS", "1232010000000000",
1686 anonymous_identity="1232010000000000@ttls",
1687 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
1688 ca_cert="auth_serv/ca.pem", phase2="autheap=SIM")
1689 eap_reauth(dev[0], "TTLS")
1690
1691def run_ext_sim_auth(dev):
1692 ev = dev.wait_event(["CTRL-REQ-SIM"], timeout=15)
1693 if ev is None:
1694 raise Exception("Wait for external SIM processing request timed out")
1695 p = ev.split(':', 2)
1696 if p[1] != "GSM-AUTH":
1697 raise Exception("Unexpected CTRL-REQ-SIM type")
1698 rid = p[0].split('-')[3]
1699 rand = p[2].split(' ')[0]
1700
1701 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
1702 "-m",
1703 "auth_serv/hlr_auc_gw.milenage_db",
1704 "GSM-AUTH-REQ 232010000000000 " + rand])
1705 if "GSM-AUTH-RESP" not in res:
1706 raise Exception("Unexpected hlr_auc_gw response")
1707 resp = res.split(' ')[2].rstrip()
1708
1709 dev.request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
1710 dev.wait_connected(timeout=15)
1711
1712 dev.dump_monitor()
1713 dev.request("REAUTHENTICATE")
1714 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=5)
1715 if ev is None:
1716 raise Exception("EAP reauthentication did not succeed")
1717 ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=5)
1718 if ev is None:
1719 raise Exception("Key negotiation did not complete")
1720 dev.dump_monitor()
1721
1722def test_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev):
1723 """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM and external GSM auth"""
1724 check_hlr_auc_gw_support()
1725 try:
1726 run_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev)
1727 finally:
1728 dev[0].request("SET external_sim 0")
1729
1730def run_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev):
1731 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1732 hapd = hostapd.add_ap(apdev[0], params)
1733 dev[0].request("SET external_sim 1")
1734 dev[0].connect("test-wpa2-eap", eap="TTLS", key_mgmt="WPA-EAP",
1735 identity="1232010000000000",
1736 anonymous_identity="1232010000000000@ttls",
1737 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
1738 ca_cert="auth_serv/ca.pem", phase2="autheap=SIM",
1739 wait_connect=False, scan_freq="2412")
1740 run_ext_sim_auth(dev[0])
1741
1742def test_ap_wpa2_eap_peap_eap_sim(dev, apdev):
1743 """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM"""
1744 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1745 hapd = hostapd.add_ap(apdev[0], params)
1746 eap_connect(dev[0], hapd, "PEAP", "1232010000000000",
1747 anonymous_identity="1232010000000000@peap",
1748 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
1749 ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
1750 eap_reauth(dev[0], "PEAP")
1751
1752def test_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev):
1753 """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM and external GSM auth"""
1754 check_hlr_auc_gw_support()
1755 try:
1756 run_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev)
1757 finally:
1758 dev[0].request("SET external_sim 0")
1759
1760def run_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev):
1761 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1762 hapd = hostapd.add_ap(apdev[0], params)
1763 dev[0].request("SET external_sim 1")
1764 dev[0].connect("test-wpa2-eap", eap="PEAP", key_mgmt="WPA-EAP",
1765 identity="1232010000000000",
1766 anonymous_identity="1232010000000000@peap",
1767 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
1768 ca_cert="auth_serv/ca.pem", phase2="auth=SIM",
1769 wait_connect=False, scan_freq="2412")
1770 run_ext_sim_auth(dev[0])
1771
1772def test_ap_wpa2_eap_fast_eap_sim(dev, apdev):
1773 """WPA2-Enterprise connection using EAP-FAST/EAP-SIM"""
9626bfbb 1774 check_eap_capa(dev[0], "FAST")
f22bc118
JM		 1775 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1776 hapd = hostapd.add_ap(apdev[0], params)
1777 eap_connect(dev[0], hapd, "FAST", "1232010000000000",
1778 anonymous_identity="1232010000000000@fast",
1779 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
1780 phase1="fast_provisioning=2",
1781 pac_file="blob://fast_pac_auth_sim",
1782 ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
1783 eap_reauth(dev[0], "FAST")
1784
1785def test_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev):
1786 """WPA2-Enterprise connection using EAP-FAST/EAP-SIM and external GSM auth"""
1787 check_hlr_auc_gw_support()
1788 try:
1789 run_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev)
1790 finally:
1791 dev[0].request("SET external_sim 0")
1792
1793def run_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev):
1794 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1795 hapd = hostapd.add_ap(apdev[0], params)
1796 dev[0].request("SET external_sim 1")
1797 dev[0].connect("test-wpa2-eap", eap="PEAP", key_mgmt="WPA-EAP",
1798 identity="1232010000000000",
1799 anonymous_identity="1232010000000000@peap",
1800 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
1801 phase1="fast_provisioning=2",
1802 pac_file="blob://fast_pac_auth_sim",
1803 ca_cert="auth_serv/ca.pem", phase2="auth=SIM",
1804 wait_connect=False, scan_freq="2412")
1805 run_ext_sim_auth(dev[0])
1806
95fb531c
JM		 1807def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
1808 """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
1809 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 1810 hapd = hostapd.add_ap(apdev[0], params)
1811 eap_connect(dev[0], hapd, "TTLS", "0232010000000000",
95fb531c
JM		 1812 anonymous_identity="0232010000000000@ttls",
1813 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1814 ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
8a303f09 1815 eap_reauth(dev[0], "TTLS")
95fb531c
JM		 1816
1817def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
1818 """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
1819 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 1820 hapd = hostapd.add_ap(apdev[0], params)
1821 eap_connect(dev[0], hapd, "PEAP", "0232010000000000",
95fb531c
JM		 1822 anonymous_identity="0232010000000000@peap",
1823 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1824 ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
8a303f09 1825 eap_reauth(dev[0], "PEAP")
95fb531c
JM		 1826
1827def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
1828 """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
3b51cc63 1829 check_eap_capa(dev[0], "FAST")
95fb531c 1830 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 1831 hapd = hostapd.add_ap(apdev[0], params)
1832 eap_connect(dev[0], hapd, "FAST", "0232010000000000",
95fb531c
JM		 1833 anonymous_identity="0232010000000000@fast",
1834 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1835 phase1="fast_provisioning=2",
1836 pac_file="blob://fast_pac_auth_aka",
1837 ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
8a303f09 1838 eap_reauth(dev[0], "FAST")
95fb531c 1839
9626962d
JM		 1840def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
1841 """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
e7ac04ce 1842 check_eap_capa(dev[0], "MSCHAPV2")
9626962d 1843 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 1844 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 1845 eap_connect(dev[0], hapd, "PEAP", "user",
698f8324 1846 anonymous_identity="peap", password="password",
9626962d 1847 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
a8375c94 1848 hwsim_utils.test_connectivity(dev[0], hapd)
75b2b9cf 1849 eap_reauth(dev[0], "PEAP")
6daf5b9c 1850 dev[0].request("REMOVE_NETWORK all")
3b3e2687 1851 eap_connect(dev[0], hapd, "PEAP", "user",
6daf5b9c
JM		 1852 anonymous_identity="peap", password="password",
1853 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1854 fragment_size="200")
c7afc078 1855
fa0ddb14
JM		 1856 logger.info("Password as hash value")
1857 dev[0].request("REMOVE_NETWORK all")
3b3e2687 1858 eap_connect(dev[0], hapd, "PEAP", "user",
fa0ddb14
JM		 1859 anonymous_identity="peap",
1860 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
1861 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
1862
f10ba3b2
JM		 1863 logger.info("Negative test with incorrect password")
1864 dev[0].request("REMOVE_NETWORK all")
3b3e2687 1865 eap_connect(dev[0], hapd, "PEAP", "user",
f10ba3b2
JM		 1866 anonymous_identity="peap", password="password1",
1867 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1868 expect_failure=True)
1869
0d33f504
JM		 1870def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
1871 """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
e7ac04ce 1872 check_eap_capa(dev[0], "MSCHAPV2")
0d33f504 1873 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 1874 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 1875 eap_connect(dev[0], hapd, "PEAP", "DOMAIN\user3",
0d33f504
JM		 1876 anonymous_identity="peap", password="password",
1877 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
1878 hwsim_utils.test_connectivity(dev[0], hapd)
1879 eap_reauth(dev[0], "PEAP")
1880
f4cd0f64
JM		 1881def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
1882 """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
e7ac04ce 1883 check_eap_capa(dev[0], "MSCHAPV2")
f4cd0f64 1884 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 1885 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 1886 eap_connect(dev[0], hapd, "PEAP", "user",
f4cd0f64
JM		 1887 anonymous_identity="peap", password="wrong",
1888 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1889 expect_failure=True)
1890
698f8324
JM		 1891def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
1892 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
e7ac04ce 1893 check_eap_capa(dev[0], "MSCHAPV2")
698f8324 1894 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 1895 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 1896 eap_connect(dev[0], hapd, "PEAP", "user", password="password",
698f8324
JM		 1897 ca_cert="auth_serv/ca.pem",
1898 phase1="peapver=0 crypto_binding=2",
1899 phase2="auth=MSCHAPV2")
a8375c94 1900 hwsim_utils.test_connectivity(dev[0], hapd)
75b2b9cf 1901 eap_reauth(dev[0], "PEAP")
698f8324 1902
3b3e2687 1903 eap_connect(dev[1], hapd, "PEAP", "user", password="password",
ea6464b0
JM		 1904 ca_cert="auth_serv/ca.pem",
1905 phase1="peapver=0 crypto_binding=1",
1906 phase2="auth=MSCHAPV2")
3b3e2687 1907 eap_connect(dev[2], hapd, "PEAP", "user", password="password",
ea6464b0
JM		 1908 ca_cert="auth_serv/ca.pem",
1909 phase1="peapver=0 crypto_binding=0",
1910 phase2="auth=MSCHAPV2")
1911
ef318402
JM		 1912def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
1913 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
e7ac04ce 1914 check_eap_capa(dev[0], "MSCHAPV2")
ef318402 1915 params = int_eap_server_params()
8b8a1864 1916 hapd = hostapd.add_ap(apdev[0], params)
ef318402 1917 with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
3b3e2687 1918 eap_connect(dev[0], hapd, "PEAP", "user", password="password",
ef318402
JM		 1919 ca_cert="auth_serv/ca.pem",
1920 phase1="peapver=0 crypto_binding=2",
1921 phase2="auth=MSCHAPV2",
1922 expect_failure=True, local_error_report=True)
1923
c4d37011
JM		 1924def test_ap_wpa2_eap_peap_params(dev, apdev):
1925 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
e7ac04ce 1926 check_eap_capa(dev[0], "MSCHAPV2")
c4d37011 1927 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 1928 hapd = hostapd.add_ap(apdev[0], params)
1929 eap_connect(dev[0], hapd, "PEAP", "user",
c4d37011
JM		 1930 anonymous_identity="peap", password="password",
1931 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1932 phase1="peapver=0 peaplabel=1",
1933 expect_failure=True)
1934 dev[0].request("REMOVE_NETWORK all")
09ad98c5
JM		 1935 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1936 identity="user",
1937 anonymous_identity="peap", password="password",
1938 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1939 phase1="peap_outer_success=0",
1940 wait_connect=False, scan_freq="2412")
1941 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1942 if ev is None:
1943 raise Exception("No EAP success seen")
1944 # This won't succeed to connect with peap_outer_success=0, so stop here.
1945 dev[0].request("REMOVE_NETWORK all")
1946 dev[0].wait_disconnected()
3b3e2687 1947 eap_connect(dev[1], hapd, "PEAP", "user", password="password",
c4d37011
JM		 1948 ca_cert="auth_serv/ca.pem",
1949 phase1="peap_outer_success=1",
1950 phase2="auth=MSCHAPV2")
3b3e2687 1951 eap_connect(dev[2], hapd, "PEAP", "user", password="password",
c4d37011
JM		 1952 ca_cert="auth_serv/ca.pem",
1953 phase1="peap_outer_success=2",
1954 phase2="auth=MSCHAPV2")
1955 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1956 identity="user",
1957 anonymous_identity="peap", password="password",
1958 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1959 phase1="peapver=1 peaplabel=1",
1960 wait_connect=False, scan_freq="2412")
1961 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1962 if ev is None:
1963 raise Exception("No EAP success seen")
1964 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
1965 if ev is not None:
1966 raise Exception("Unexpected connection")
1967
09a4404a
JM		 1968 tests = [ ("peap-ver0", ""),
1969 ("peap-ver1", ""),
1970 ("peap-ver0", "peapver=0"),
1971 ("peap-ver1", "peapver=1") ]
1972 for anon,phase1 in tests:
1973 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1974 identity="user", anonymous_identity=anon,
1975 password="password", phase1=phase1,
1976 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1977 scan_freq="2412")
1978 dev[0].request("REMOVE_NETWORK all")
1979 dev[0].wait_disconnected()
1980
1981 tests = [ ("peap-ver0", "peapver=1"),
1982 ("peap-ver1", "peapver=0") ]
1983 for anon,phase1 in tests:
1984 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1985 identity="user", anonymous_identity=anon,
1986 password="password", phase1=phase1,
1987 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1988 wait_connect=False, scan_freq="2412")
1989 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
1990 if ev is None:
1991 raise Exception("No EAP-Failure seen")
1992 dev[0].request("REMOVE_NETWORK all")
1993 dev[0].wait_disconnected()
1994
3b3e2687 1995 eap_connect(dev[0], hapd, "PEAP", "user", password="password",
d5f5d260
JM		 1996 ca_cert="auth_serv/ca.pem",
1997 phase1="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
1998 phase2="auth=MSCHAPV2")
1999
d0ce1050
JM		 2000def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
2001 """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
2002 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 2003 hapd = hostapd.add_ap(apdev[0], params)
2004 eap_connect(dev[0], hapd, "PEAP", "cert user",
d0ce1050
JM		 2005 ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
2006 ca_cert2="auth_serv/ca.pem",
2007 client_cert2="auth_serv/user.pem",
2008 private_key2="auth_serv/user.key")
2009 eap_reauth(dev[0], "PEAP")
2010
e114c49c
JM		 2011def test_ap_wpa2_eap_tls(dev, apdev):
2012 """WPA2-Enterprise connection using EAP-TLS"""
2013 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 2014 hapd = hostapd.add_ap(apdev[0], params)
2015 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
e114c49c
JM		 2016 client_cert="auth_serv/user.pem",
2017 private_key="auth_serv/user.key")
75b2b9cf 2018 eap_reauth(dev[0], "TLS")
e114c49c 2019
96bf8fe1
JM		 2020def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
2021 """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
2022 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 2023 hapd = hostapd.add_ap(apdev[0], params)
2024 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
96bf8fe1
JM		 2025 client_cert="auth_serv/user.pem",
2026 private_key="auth_serv/user.key.pkcs8",
2027 private_key_passwd="whatever")
2028
2029def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
2030 """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
969e5250 2031 check_pkcs5_v15_support(dev[0])
96bf8fe1 2032 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 2033 hapd = hostapd.add_ap(apdev[0], params)
2034 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
96bf8fe1
JM		 2035 client_cert="auth_serv/user.pem",
2036 private_key="auth_serv/user.key.pkcs8.pkcs5v15",
2037 private_key_passwd="whatever")
2038
6ea231e6
JM		 2039def test_ap_wpa2_eap_tls_blob(dev, apdev):
2040 """WPA2-Enterprise connection using EAP-TLS and config blobs"""
2041 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687 2042 hapd = hostapd.add_ap(apdev[0], params)
6ea231e6
JM		 2043 cert = read_pem("auth_serv/ca.pem")
2044 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
2045 raise Exception("Could not set cacert blob")
2046 cert = read_pem("auth_serv/user.pem")
2047 if "OK" not in dev[0].request("SET blob usercert " + cert.encode("hex")):
2048 raise Exception("Could not set usercert blob")
62750c3e 2049 key = read_pem("auth_serv/user.rsa-key")
6ea231e6
JM		 2050 if "OK" not in dev[0].request("SET blob userkey " + key.encode("hex")):
2051 raise Exception("Could not set cacert blob")
3b3e2687 2052 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="blob://cacert",
6ea231e6
JM		 2053 client_cert="blob://usercert",
2054 private_key="blob://userkey")
2055
cef42a44
JM		 2056def test_ap_wpa2_eap_tls_blob_missing(dev, apdev):
2057 """EAP-TLS and config blob missing"""
2058 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 2059 hostapd.add_ap(apdev[0], params)
cef42a44
JM		 2060 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2061 identity="tls user",
2062 ca_cert="blob://testing-blob-does-not-exist",
2063 client_cert="blob://testing-blob-does-not-exist",
2064 private_key="blob://testing-blob-does-not-exist",
2065 wait_connect=False, scan_freq="2412")
2066 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=10)
2067 if ev is None:
2068 raise Exception("EAP failure not reported")
2069 dev[0].request("REMOVE_NETWORK all")
2070 dev[0].wait_disconnected()
2071
7cb27f89
JM		 2072def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
2073 """EAP-TLS and TLS Message Length in unfragmented packets"""
2074 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 2075 hapd = hostapd.add_ap(apdev[0], params)
2076 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
7cb27f89
JM		 2077 phase1="include_tls_length=1",
2078 client_cert="auth_serv/user.pem",
2079 private_key="auth_serv/user.key")
2080
2d10eb0e
JM		 2081def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
2082 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
686eee77 2083 check_pkcs12_support(dev[0])
2d10eb0e 2084 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 2085 hapd = hostapd.add_ap(apdev[0], params)
2086 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
2d10eb0e
JM		 2087 private_key="auth_serv/user.pkcs12",
2088 private_key_passwd="whatever")
2089 dev[0].request("REMOVE_NETWORK all")
0c83ae04
JM		 2090 dev[0].wait_disconnected()
2091
2d10eb0e
JM		 2092 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2093 identity="tls user",
2094 ca_cert="auth_serv/ca.pem",
2095 private_key="auth_serv/user.pkcs12",
2096 wait_connect=False, scan_freq="2412")
2097 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
2098 if ev is None:
2099 raise Exception("Request for private key passphrase timed out")
2100 id = ev.split(':')[0].split('-')[-1]
2101 dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
5f35a5e2 2102 dev[0].wait_connected(timeout=10)
0c83ae04
JM		 2103 dev[0].request("REMOVE_NETWORK all")
2104 dev[0].wait_disconnected()
2105
6da3b745
JM		 2106 # Run this twice to verify certificate chain handling with OpenSSL. Use two
2107 # different files to cover both cases of the extra certificate being the
2108 # one that signed the client certificate and it being unrelated to the
2109 # client certificate.
2110 for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
2111 for i in range(2):
3b3e2687 2112 eap_connect(dev[0], hapd, "TLS", "tls user",
6da3b745
JM		 2113 ca_cert="auth_serv/ca.pem",
2114 private_key=pkcs12,
2115 private_key_passwd="whatever")
2116 dev[0].request("REMOVE_NETWORK all")
2117 dev[0].wait_disconnected()
2d10eb0e 2118
6ea231e6
JM		 2119def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
2120 """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
686eee77 2121 check_pkcs12_support(dev[0])
6ea231e6 2122 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687 2123 hapd = hostapd.add_ap(apdev[0], params)
6ea231e6
JM		 2124 cert = read_pem("auth_serv/ca.pem")
2125 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
2126 raise Exception("Could not set cacert blob")
2127 with open("auth_serv/user.pkcs12", "rb") as f:
2128 if "OK" not in dev[0].request("SET blob pkcs12 " + f.read().encode("hex")):
2129 raise Exception("Could not set pkcs12 blob")
3b3e2687 2130 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="blob://cacert",
6ea231e6
JM		 2131 private_key="blob://pkcs12",
2132 private_key_passwd="whatever")
2133
c7afc078
JM		 2134def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
2135 """WPA2-Enterprise negative test - incorrect trust root"""
e7ac04ce 2136 check_eap_capa(dev[0], "MSCHAPV2")
c7afc078 2137 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 2138 hostapd.add_ap(apdev[0], params)
6ea231e6
JM		 2139 cert = read_pem("auth_serv/ca-incorrect.pem")
2140 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
2141 raise Exception("Could not set cacert blob")
c7afc078 2142 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
6ea231e6
JM		 2143 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2144 password="password", phase2="auth=MSCHAPV2",
2145 ca_cert="blob://cacert",
2146 wait_connect=False, scan_freq="2412")
2147 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
c7afc078
JM		 2148 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2149 password="password", phase2="auth=MSCHAPV2",
2150 ca_cert="auth_serv/ca-incorrect.pem",
c65f23ab 2151 wait_connect=False, scan_freq="2412")
c7afc078 2152
6ea231e6 2153 for dev in (dev[0], dev[1]):
412c6030 2154 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
6ea231e6
JM		 2155 if ev is None:
2156 raise Exception("Association and EAP start timed out")
c7afc078 2157
6ea231e6
JM		 2158 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
2159 if ev is None:
2160 raise Exception("EAP method selection timed out")
2161 if "TTLS" not in ev:
2162 raise Exception("Unexpected EAP method")
2163
2164 ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2165 "CTRL-EVENT-EAP-SUCCESS",
2166 "CTRL-EVENT-EAP-FAILURE",
2167 "CTRL-EVENT-CONNECTED",
2168 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2169 if ev is None:
2170 raise Exception("EAP result timed out")
2171 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
2172 raise Exception("TLS certificate error not reported")
2173
2174 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
2175 "CTRL-EVENT-EAP-FAILURE",
2176 "CTRL-EVENT-CONNECTED",
2177 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2178 if ev is None:
2179 raise Exception("EAP result(2) timed out")
2180 if "CTRL-EVENT-EAP-FAILURE" not in ev:
2181 raise Exception("EAP failure not reported")
c7afc078 2182
6ea231e6
JM		 2183 ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
2184 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2185 if ev is None:
2186 raise Exception("EAP result(3) timed out")
2187 if "CTRL-EVENT-DISCONNECTED" not in ev:
2188 raise Exception("Disconnection not reported")
c7afc078 2189
6ea231e6
JM		 2190 ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
2191 if ev is None:
2192 raise Exception("Network block disabling not reported")
72c052d5 2193
9a5cfd70
JM		 2194def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
2195 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
2196 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 2197 hapd = hostapd.add_ap(apdev[0], params)
9a5cfd70
JM		 2198 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2199 identity="pap user", anonymous_identity="ttls",
2200 password="password", phase2="auth=PAP",
2201 ca_cert="auth_serv/ca.pem",
2202 wait_connect=True, scan_freq="2412")
2203 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2204 identity="pap user", anonymous_identity="ttls",
2205 password="password", phase2="auth=PAP",
2206 ca_cert="auth_serv/ca-incorrect.pem",
2207 only_add_network=True, scan_freq="2412")
2208
2209 dev[0].request("DISCONNECT")
90ad11e6 2210 dev[0].wait_disconnected()
9a5cfd70
JM		 2211 dev[0].dump_monitor()
2212 dev[0].select_network(id, freq="2412")
2213
2214 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
2215 if ev is None:
2216 raise Exception("EAP-TTLS not re-started")
db98b587 2217
5f35a5e2 2218 ev = dev[0].wait_disconnected(timeout=15)
9a5cfd70
JM		 2219 if "reason=23" not in ev:
2220 raise Exception("Proper reason code for disconnection not reported")
2221
2222def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
2223 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
2224 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 2225 hapd = hostapd.add_ap(apdev[0], params)
9a5cfd70
JM		 2226 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2227 identity="pap user", anonymous_identity="ttls",
2228 password="password", phase2="auth=PAP",
2229 wait_connect=True, scan_freq="2412")
2230 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2231 identity="pap user", anonymous_identity="ttls",
2232 password="password", phase2="auth=PAP",
2233 ca_cert="auth_serv/ca-incorrect.pem",
2234 only_add_network=True, scan_freq="2412")
2235
2236 dev[0].request("DISCONNECT")
90ad11e6 2237 dev[0].wait_disconnected()
9a5cfd70
JM		 2238 dev[0].dump_monitor()
2239 dev[0].select_network(id, freq="2412")
2240
2241 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
2242 if ev is None:
2243 raise Exception("EAP-TTLS not re-started")
db98b587 2244
5f35a5e2 2245 ev = dev[0].wait_disconnected(timeout=15)
9a5cfd70
JM		 2246 if "reason=23" not in ev:
2247 raise Exception("Proper reason code for disconnection not reported")
2248
2249def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
2250 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
2251 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 2252 hapd = hostapd.add_ap(apdev[0], params)
9a5cfd70
JM		 2253 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2254 identity="pap user", anonymous_identity="ttls",
2255 password="password", phase2="auth=PAP",
2256 ca_cert="auth_serv/ca.pem",
2257 wait_connect=True, scan_freq="2412")
2258 dev[0].request("DISCONNECT")
90ad11e6 2259 dev[0].wait_disconnected()
9a5cfd70
JM		 2260 dev[0].dump_monitor()
2261 dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
2262 dev[0].select_network(id, freq="2412")
2263
2264 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
2265 if ev is None:
2266 raise Exception("EAP-TTLS not re-started")
db98b587 2267
5f35a5e2 2268 ev = dev[0].wait_disconnected(timeout=15)
9a5cfd70
JM		 2269 if "reason=23" not in ev:
2270 raise Exception("Proper reason code for disconnection not reported")
2271
72c052d5
JM		 2272def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
2273 """WPA2-Enterprise negative test - domain suffix mismatch"""
e78eb404 2274 check_domain_suffix_match(dev[0])
72c052d5 2275 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 2276 hostapd.add_ap(apdev[0], params)
72c052d5
JM		 2277 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2278 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2279 password="password", phase2="auth=MSCHAPV2",
2280 ca_cert="auth_serv/ca.pem",
2281 domain_suffix_match="incorrect.example.com",
c65f23ab 2282 wait_connect=False, scan_freq="2412")
72c052d5 2283
412c6030 2284 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
72c052d5
JM		 2285 if ev is None:
2286 raise Exception("Association and EAP start timed out")
2287
2288 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
2289 if ev is None:
2290 raise Exception("EAP method selection timed out")
2291 if "TTLS" not in ev:
2292 raise Exception("Unexpected EAP method")
2293
2294 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2295 "CTRL-EVENT-EAP-SUCCESS",
2296 "CTRL-EVENT-EAP-FAILURE",
2297 "CTRL-EVENT-CONNECTED",
2298 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2299 if ev is None:
2300 raise Exception("EAP result timed out")
2301 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
2302 raise Exception("TLS certificate error not reported")
2303 if "Domain suffix mismatch" not in ev:
2304 raise Exception("Domain suffix mismatch not reported")
2305
2306 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2307 "CTRL-EVENT-EAP-FAILURE",
2308 "CTRL-EVENT-CONNECTED",
2309 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2310 if ev is None:
2311 raise Exception("EAP result(2) timed out")
2312 if "CTRL-EVENT-EAP-FAILURE" not in ev:
2313 raise Exception("EAP failure not reported")
2314
2315 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
2316 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2317 if ev is None:
2318 raise Exception("EAP result(3) timed out")
2319 if "CTRL-EVENT-DISCONNECTED" not in ev:
2320 raise Exception("Disconnection not reported")
2321
2322 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
2323 if ev is None:
2324 raise Exception("Network block disabling not reported")
22b99086 2325
061cbb25
JM		 2326def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
2327 """WPA2-Enterprise negative test - domain mismatch"""
e78eb404 2328 check_domain_match(dev[0])
061cbb25 2329 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 2330 hostapd.add_ap(apdev[0], params)
061cbb25
JM		 2331 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2332 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2333 password="password", phase2="auth=MSCHAPV2",
2334 ca_cert="auth_serv/ca.pem",
2335 domain_match="w1.fi",
2336 wait_connect=False, scan_freq="2412")
2337
412c6030 2338 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
061cbb25
JM		 2339 if ev is None:
2340 raise Exception("Association and EAP start timed out")
2341
2342 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
2343 if ev is None:
2344 raise Exception("EAP method selection timed out")
2345 if "TTLS" not in ev:
2346 raise Exception("Unexpected EAP method")
2347
2348 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2349 "CTRL-EVENT-EAP-SUCCESS",
2350 "CTRL-EVENT-EAP-FAILURE",
2351 "CTRL-EVENT-CONNECTED",
2352 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2353 if ev is None:
2354 raise Exception("EAP result timed out")
2355 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
2356 raise Exception("TLS certificate error not reported")
2357 if "Domain mismatch" not in ev:
2358 raise Exception("Domain mismatch not reported")
2359
2360 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2361 "CTRL-EVENT-EAP-FAILURE",
2362 "CTRL-EVENT-CONNECTED",
2363 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2364 if ev is None:
2365 raise Exception("EAP result(2) timed out")
2366 if "CTRL-EVENT-EAP-FAILURE" not in ev:
2367 raise Exception("EAP failure not reported")
2368
2369 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
2370 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2371 if ev is None:
2372 raise Exception("EAP result(3) timed out")
2373 if "CTRL-EVENT-DISCONNECTED" not in ev:
2374 raise Exception("Disconnection not reported")
2375
2376 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
2377 if ev is None:
2378 raise Exception("Network block disabling not reported")
2379
3b74982f
JM		 2380def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
2381 """WPA2-Enterprise negative test - subject mismatch"""
2382 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 2383 hostapd.add_ap(apdev[0], params)
3b74982f
JM		 2384 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2385 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2386 password="password", phase2="auth=MSCHAPV2",
2387 ca_cert="auth_serv/ca.pem",
2388 subject_match="/C=FI/O=w1.fi/CN=example.com",
2389 wait_connect=False, scan_freq="2412")
2390
412c6030 2391 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
3b74982f
JM		 2392 if ev is None:
2393 raise Exception("Association and EAP start timed out")
2394
506b2f05
JM		 2395 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
2396 "EAP: Failed to initialize EAP method"], timeout=10)
3b74982f
JM		 2397 if ev is None:
2398 raise Exception("EAP method selection timed out")
506b2f05
JM		 2399 if "EAP: Failed to initialize EAP method" in ev:
2400 tls = dev[0].request("GET tls_library")
2401 if tls.startswith("OpenSSL"):
2402 raise Exception("Failed to select EAP method")
2403 logger.info("subject_match not supported - connection failed, so test succeeded")
2404 return
3b74982f
JM		 2405 if "TTLS" not in ev:
2406 raise Exception("Unexpected EAP method")
2407
2408 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2409 "CTRL-EVENT-EAP-SUCCESS",
2410 "CTRL-EVENT-EAP-FAILURE",
2411 "CTRL-EVENT-CONNECTED",
2412 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2413 if ev is None:
2414 raise Exception("EAP result timed out")
2415 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
2416 raise Exception("TLS certificate error not reported")
2417 if "Subject mismatch" not in ev:
2418 raise Exception("Subject mismatch not reported")
2419
2420 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2421 "CTRL-EVENT-EAP-FAILURE",
2422 "CTRL-EVENT-CONNECTED",
2423 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2424 if ev is None:
2425 raise Exception("EAP result(2) timed out")
2426 if "CTRL-EVENT-EAP-FAILURE" not in ev:
2427 raise Exception("EAP failure not reported")
2428
2429 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
2430 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2431 if ev is None:
2432 raise Exception("EAP result(3) timed out")
2433 if "CTRL-EVENT-DISCONNECTED" not in ev:
2434 raise Exception("Disconnection not reported")
2435
2436 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
2437 if ev is None:
2438 raise Exception("Network block disabling not reported")
2439
2440def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
2441 """WPA2-Enterprise negative test - altsubject mismatch"""
2442 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 2443 hostapd.add_ap(apdev[0], params)
37d61355
JM		 2444
2445 tests = [ "incorrect.example.com",
2446 "DNS:incorrect.example.com",
2447 "DNS:w1.fi",
2448 "DNS:erver.w1.fi" ]
2449 for match in tests:
2450 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
2451
2452def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
3b74982f
JM		 2453 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2454 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2455 password="password", phase2="auth=MSCHAPV2",
2456 ca_cert="auth_serv/ca.pem",
37d61355 2457 altsubject_match=match,
3b74982f
JM		 2458 wait_connect=False, scan_freq="2412")
2459
412c6030 2460 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
3b74982f
JM		 2461 if ev is None:
2462 raise Exception("Association and EAP start timed out")
2463
506b2f05
JM		 2464 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
2465 "EAP: Failed to initialize EAP method"], timeout=10)
3b74982f
JM		 2466 if ev is None:
2467 raise Exception("EAP method selection timed out")
506b2f05
JM		 2468 if "EAP: Failed to initialize EAP method" in ev:
2469 tls = dev[0].request("GET tls_library")
2470 if tls.startswith("OpenSSL"):
2471 raise Exception("Failed to select EAP method")
2472 logger.info("altsubject_match not supported - connection failed, so test succeeded")
2473 return
3b74982f
JM		 2474 if "TTLS" not in ev:
2475 raise Exception("Unexpected EAP method")
2476
2477 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2478 "CTRL-EVENT-EAP-SUCCESS",
2479 "CTRL-EVENT-EAP-FAILURE",
2480 "CTRL-EVENT-CONNECTED",
2481 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2482 if ev is None:
2483 raise Exception("EAP result timed out")
2484 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
2485 raise Exception("TLS certificate error not reported")
2486 if "AltSubject mismatch" not in ev:
2487 raise Exception("altsubject mismatch not reported")
2488
2489 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2490 "CTRL-EVENT-EAP-FAILURE",
2491 "CTRL-EVENT-CONNECTED",
2492 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2493 if ev is None:
2494 raise Exception("EAP result(2) timed out")
2495 if "CTRL-EVENT-EAP-FAILURE" not in ev:
2496 raise Exception("EAP failure not reported")
2497
2498 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
2499 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2500 if ev is None:
2501 raise Exception("EAP result(3) timed out")
2502 if "CTRL-EVENT-DISCONNECTED" not in ev:
2503 raise Exception("Disconnection not reported")
2504
2505 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
2506 if ev is None:
2507 raise Exception("Network block disabling not reported")
2508
37d61355
JM		 2509 dev[0].request("REMOVE_NETWORK all")
2510
5a0c1517
JM		 2511def test_ap_wpa2_eap_unauth_tls(dev, apdev):
2512 """WPA2-Enterprise connection using UNAUTH-TLS"""
2513 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 2514 hapd = hostapd.add_ap(apdev[0], params)
2515 eap_connect(dev[0], hapd, "UNAUTH-TLS", "unauth-tls",
5a0c1517
JM		 2516 ca_cert="auth_serv/ca.pem")
2517 eap_reauth(dev[0], "UNAUTH-TLS")
2518
57be05e1
JM		 2519def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
2520 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
4bf4e9db 2521 check_cert_probe_support(dev[0])
ca158ea6 2522 skip_with_fips(dev[0])
0ba13e86 2523 srv_cert_hash = "53728dde442d4adc27cb10a847234a4315590f0b36786353023c3b0f2e9fdf49"
57be05e1 2524 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687 2525 hapd = hostapd.add_ap(apdev[0], params)
57be05e1
JM		 2526 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2527 identity="probe", ca_cert="probe://",
2528 wait_connect=False, scan_freq="2412")
412c6030 2529 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
57be05e1
JM		 2530 if ev is None:
2531 raise Exception("Association and EAP start timed out")
2532 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
2533 if ev is None:
2534 raise Exception("No peer server certificate event seen")
2535 if "hash=" + srv_cert_hash not in ev:
2536 raise Exception("Expected server certificate hash not reported")
2537 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
2538 if ev is None:
2539 raise Exception("EAP result timed out")
2540 if "Server certificate chain probe" not in ev:
2541 raise Exception("Server certificate probe not reported")
5f35a5e2 2542 dev[0].wait_disconnected(timeout=10)
57be05e1
JM		 2543 dev[0].request("REMOVE_NETWORK all")
2544
2545 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2546 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2547 password="password", phase2="auth=MSCHAPV2",
2548 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
2549 wait_connect=False, scan_freq="2412")
412c6030 2550 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
57be05e1
JM		 2551 if ev is None:
2552 raise Exception("Association and EAP start timed out")
2553 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
2554 if ev is None:
2555 raise Exception("EAP result timed out")
2556 if "Server certificate mismatch" not in ev:
2557 raise Exception("Server certificate mismatch not reported")
5f35a5e2 2558 dev[0].wait_disconnected(timeout=10)
57be05e1
JM		 2559 dev[0].request("REMOVE_NETWORK all")
2560
3b3e2687 2561 eap_connect(dev[0], hapd, "TTLS", "DOMAIN\mschapv2 user",
57be05e1
JM		 2562 anonymous_identity="ttls", password="password",
2563 ca_cert="hash://server/sha256/" + srv_cert_hash,
2564 phase2="auth=MSCHAPV2")
2565
2a6a2192
JM		 2566def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
2567 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
2568 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 2569 hostapd.add_ap(apdev[0], params)
2a6a2192
JM		 2570 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2571 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2572 password="password", phase2="auth=MSCHAPV2",
2573 ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
2574 wait_connect=False, scan_freq="2412")
2575 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2576 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2577 password="password", phase2="auth=MSCHAPV2",
2578 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
2579 wait_connect=False, scan_freq="2412")
2580 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2581 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2582 password="password", phase2="auth=MSCHAPV2",
2583 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
2584 wait_connect=False, scan_freq="2412")
2585 for i in range(0, 3):
412c6030 2586 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
2a6a2192
JM		 2587 if ev is None:
2588 raise Exception("Association and EAP start timed out")
cbb85a03
JM		 2589 ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
2590 if ev is None:
2591 raise Exception("Did not report EAP method initialization failure")
2a6a2192 2592
22b99086
JM		 2593def test_ap_wpa2_eap_pwd(dev, apdev):
2594 """WPA2-Enterprise connection using EAP-pwd"""
3b51cc63 2595 check_eap_capa(dev[0], "PWD")
22b99086 2596 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 2597 hapd = hostapd.add_ap(apdev[0], params)
2598 eap_connect(dev[0], hapd, "PWD", "pwd user", password="secret password")
75b2b9cf 2599 eap_reauth(dev[0], "PWD")
6daf5b9c 2600 dev[0].request("REMOVE_NETWORK all")
0403fa0a 2601
3b3e2687 2602 eap_connect(dev[1], hapd, "PWD",
0403fa0a
JM		 2603 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2604 password="secret password",
6daf5b9c
JM		 2605 fragment_size="90")
2606
f10ba3b2 2607 logger.info("Negative test with incorrect password")
3b3e2687 2608 eap_connect(dev[2], hapd, "PWD", "pwd user", password="secret-password",
f10ba3b2
JM		 2609 expect_failure=True, local_error_report=True)
2610
3b3e2687 2611 eap_connect(dev[0], hapd, "PWD",
0403fa0a
JM		 2612 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2613 password="secret password",
2614 fragment_size="31")
2615
b898a6ee
JM		 2616def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
2617 """WPA2-Enterprise connection using EAP-pwd and NTHash"""
2618 check_eap_capa(dev[0], "PWD")
0392867b 2619 skip_with_fips(dev[0])
b898a6ee 2620 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 2621 hapd = hostapd.add_ap(apdev[0], params)
2622 eap_connect(dev[0], hapd, "PWD", "pwd-hash", password="secret password")
2623 eap_connect(dev[1], hapd, "PWD", "pwd-hash",
b898a6ee 2624 password_hex="hash:e3718ece8ab74792cbbfffd316d2d19a")
3b3e2687 2625 eap_connect(dev[2], hapd, "PWD", "pwd user",
b898a6ee
JM		 2626 password_hex="hash:e3718ece8ab74792cbbfffd316d2d19a",
2627 expect_failure=True, local_error_report=True)
2628
c075f040
JM		 2629def test_ap_wpa2_eap_pwd_groups(dev, apdev):
2630 """WPA2-Enterprise connection using various EAP-pwd groups"""
3b51cc63 2631 check_eap_capa(dev[0], "PWD")
5f2e4547 2632 tls = dev[0].request("GET tls_library")
c075f040
JM		 2633 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2634 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2635 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
f2d789f2
JM		 2636 groups = [ 19, 20, 21, 25, 26 ]
2637 if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
2638 logger.info("Add Brainpool EC groups since OpenSSL is new enough")
2639 groups += [ 27, 28, 29, 30 ]
2640 for i in groups:
2641 logger.info("Group %d" % i)
c075f040 2642 params['pwd_group'] = str(i)
3b3e2687 2643 hapd = hostapd.add_ap(apdev[0], params)
5f2e4547 2644 try:
3b3e2687 2645 eap_connect(dev[0], hapd, "PWD", "pwd user",
5f2e4547 2646 password="secret password")
f2d789f2
JM		 2647 dev[0].request("REMOVE_NETWORK all")
2648 dev[0].wait_disconnected()
2649 dev[0].dump_monitor()
5f2e4547
JM		 2650 except:
2651 if "BoringSSL" in tls and i in [ 25 ]:
2652 logger.info("Ignore connection failure with group %d with BoringSSL" % i)
2653 dev[0].request("DISCONNECT")
2654 time.sleep(0.1)
f2d789f2
JM		 2655 dev[0].request("REMOVE_NETWORK all")
2656 dev[0].dump_monitor()
5f2e4547
JM		 2657 continue
2658 raise
c075f040 2659
4b2d2098
JM		 2660def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
2661 """WPA2-Enterprise connection using invalid EAP-pwd group"""
3b51cc63 2662 check_eap_capa(dev[0], "PWD")
4b2d2098
JM		 2663 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2664 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2665 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
2666 params['pwd_group'] = "0"
8b8a1864 2667 hostapd.add_ap(apdev[0], params)
4b2d2098
JM		 2668 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
2669 identity="pwd user", password="secret password",
2670 scan_freq="2412", wait_connect=False)
2671 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2672 if ev is None:
2673 raise Exception("Timeout on EAP failure report")
2674
8ba89e0a
JM		 2675def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
2676 """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
3b51cc63 2677 check_eap_capa(dev[0], "PWD")
8ba89e0a
JM		 2678 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2679 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2680 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2681 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
2682 "pwd_group": "19", "fragment_size": "40" }
3b3e2687
JD		 2683 hapd = hostapd.add_ap(apdev[0], params)
2684 eap_connect(dev[0], hapd, "PWD", "pwd user", password="secret password")
8ba89e0a 2685
22b99086
JM		 2686def test_ap_wpa2_eap_gpsk(dev, apdev):
2687 """WPA2-Enterprise connection using EAP-GPSK"""
2688 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 2689 hapd = hostapd.add_ap(apdev[0], params)
2690 id = eap_connect(dev[0], hapd, "GPSK", "gpsk user",
369f9c20 2691 password="abcdefghijklmnop0123456789abcdef")
75b2b9cf 2692 eap_reauth(dev[0], "GPSK")
22b99086 2693
369f9c20
JM		 2694 logger.info("Test forced algorithm selection")
2695 for phase1 in [ "cipher=1", "cipher=2" ]:
2696 dev[0].set_network_quoted(id, "phase1", phase1)
2697 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2698 if ev is None:
2699 raise Exception("EAP success timed out")
5f35a5e2 2700 dev[0].wait_connected(timeout=10)
369f9c20
JM		 2701
2702 logger.info("Test failed algorithm negotiation")
2703 dev[0].set_network_quoted(id, "phase1", "cipher=9")
2704 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2705 if ev is None:
2706 raise Exception("EAP failure timed out")
2707
f10ba3b2
JM		 2708 logger.info("Negative test with incorrect password")
2709 dev[0].request("REMOVE_NETWORK all")
3b3e2687 2710 eap_connect(dev[0], hapd, "GPSK", "gpsk user",
f10ba3b2
JM		 2711 password="ffcdefghijklmnop0123456789abcdef",
2712 expect_failure=True)
2713
22b99086
JM		 2714def test_ap_wpa2_eap_sake(dev, apdev):
2715 """WPA2-Enterprise connection using EAP-SAKE"""
2716 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 2717 hapd = hostapd.add_ap(apdev[0], params)
2718 eap_connect(dev[0], hapd, "SAKE", "sake user",
22b99086 2719 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
75b2b9cf 2720 eap_reauth(dev[0], "SAKE")
22b99086 2721
f10ba3b2
JM		 2722 logger.info("Negative test with incorrect password")
2723 dev[0].request("REMOVE_NETWORK all")
3b3e2687 2724 eap_connect(dev[0], hapd, "SAKE", "sake user",
f10ba3b2
JM		 2725 password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
2726 expect_failure=True)
2727
22b99086
JM		 2728def test_ap_wpa2_eap_eke(dev, apdev):
2729 """WPA2-Enterprise connection using EAP-EKE"""
2730 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 2731 hapd = hostapd.add_ap(apdev[0], params)
2732 id = eap_connect(dev[0], hapd, "EKE", "eke user", password="hello")
75b2b9cf 2733 eap_reauth(dev[0], "EKE")
22b99086 2734
2bb9e283
JM		 2735 logger.info("Test forced algorithm selection")
2736 for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
2737 "dhgroup=4 encr=1 prf=2 mac=2",
2738 "dhgroup=3 encr=1 prf=2 mac=2",
2739 "dhgroup=3 encr=1 prf=1 mac=1" ]:
2740 dev[0].set_network_quoted(id, "phase1", phase1)
2741 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2742 if ev is None:
2743 raise Exception("EAP success timed out")
5f35a5e2 2744 dev[0].wait_connected(timeout=10)
2bb9e283
JM		 2745
2746 logger.info("Test failed algorithm negotiation")
2747 dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
2748 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2749 if ev is None:
2750 raise Exception("EAP failure timed out")
2751
f10ba3b2
JM		 2752 logger.info("Negative test with incorrect password")
2753 dev[0].request("REMOVE_NETWORK all")
3b3e2687 2754 eap_connect(dev[0], hapd, "EKE", "eke user", password="hello1",
f10ba3b2
JM		 2755 expect_failure=True)
2756
3b6f3b37
JM		 2757def test_ap_wpa2_eap_eke_many(dev, apdev, params):
2758 """WPA2-Enterprise connection using EAP-EKE (many connections) [long]"""
2759 if not params['long']:
2760 raise HwsimSkip("Skip test case with long duration due to --long not specified")
2761 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 2762 hostapd.add_ap(apdev[0], params)
3b6f3b37
JM		 2763 success = 0
2764 fail = 0
2765 for i in range(100):
2766 for j in range(3):
2767 dev[j].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="EKE",
2768 identity="eke user", password="hello",
2769 phase1="dhgroup=3 encr=1 prf=1 mac=1",
2770 scan_freq="2412", wait_connect=False)
2771 for j in range(3):
2772 ev = dev[j].wait_event(["CTRL-EVENT-CONNECTED",
2773 "CTRL-EVENT-DISCONNECTED"], timeout=15)
2774 if ev is None:
2775 raise Exception("No connected/disconnected event")
2776 if "CTRL-EVENT-DISCONNECTED" in ev:
2777 fail += 1
2778 # The RADIUS server limits on active sessions can be hit when
2779 # going through this test case, so try to give some more time
2780 # for the server to remove sessions.
2781 logger.info("Failed to connect i=%d j=%d" % (i, j))
2782 dev[j].request("REMOVE_NETWORK all")
2783 time.sleep(1)
2784 else:
2785 success += 1
2786 dev[j].request("REMOVE_NETWORK all")
2787 dev[j].wait_disconnected()
2788 dev[j].dump_monitor()
2789 logger.info("Total success=%d failure=%d" % (success, fail))
2790
f7e3c17b
JM		 2791def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
2792 """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
2793 params = int_eap_server_params()
2794 params['server_id'] = 'example.server@w1.fi'
3b3e2687
JD		 2795 hapd = hostapd.add_ap(apdev[0], params)
2796 eap_connect(dev[0], hapd, "EKE", "eke user", password="hello")
f7e3c17b 2797
5e0bedc6
JM		 2798def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
2799 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
2800 params = int_eap_server_params()
8b8a1864 2801 hapd = hostapd.add_ap(apdev[0], params)
5e0bedc6
JM		 2802 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
2803
2804 for count,func in [ (1, "eap_eke_build_commit"),
2805 (2, "eap_eke_build_commit"),
2806 (3, "eap_eke_build_commit"),
2807 (1, "eap_eke_build_confirm"),
2808 (2, "eap_eke_build_confirm"),
2809 (1, "eap_eke_process_commit"),
2810 (2, "eap_eke_process_commit"),
2811 (1, "eap_eke_process_confirm"),
2812 (1, "eap_eke_process_identity"),
2813 (2, "eap_eke_process_identity"),
2814 (3, "eap_eke_process_identity"),
2815 (4, "eap_eke_process_identity") ]:
2816 with alloc_fail(hapd, count, func):
3b3e2687 2817 eap_connect(dev[0], hapd, "EKE", "eke user", password="hello",
5e0bedc6
JM		 2818 expect_failure=True)
2819 dev[0].request("REMOVE_NETWORK all")
2820
2821 for count,func,pw in [ (1, "eap_eke_init", "hello"),
2822 (1, "eap_eke_get_session_id", "hello"),
2823 (1, "eap_eke_getKey", "hello"),
2824 (1, "eap_eke_build_msg", "hello"),
2825 (1, "eap_eke_build_failure", "wrong"),
2826 (1, "eap_eke_build_identity", "hello"),
2827 (2, "eap_eke_build_identity", "hello") ]:
2828 with alloc_fail(hapd, count, func):
2829 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2830 eap="EKE", identity="eke user", password=pw,
2831 wait_connect=False, scan_freq="2412")
2832 # This would eventually time out, but we can stop after having
2833 # reached the allocation failure.
2834 for i in range(20):
2835 time.sleep(0.1)
2836 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2837 break
2838 dev[0].request("REMOVE_NETWORK all")
2839
2840 for count in range(1, 1000):
2841 try:
2842 with alloc_fail(hapd, count, "eap_server_sm_step"):
2843 dev[0].connect("test-wpa2-eap",
2844 key_mgmt="WPA-EAP WPA-EAP-SHA256",
2845 eap="EKE", identity="eke user", password=pw,
2846 wait_connect=False, scan_freq="2412")
2847 # This would eventually time out, but we can stop after having
2848 # reached the allocation failure.
2849 for i in range(10):
2850 time.sleep(0.1)
2851 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2852 break
2853 dev[0].request("REMOVE_NETWORK all")
2854 except Exception, e:
2855 if str(e) == "Allocation failure did not trigger":
2856 if count < 30:
2857 raise Exception("Too few allocation failures")
2858 logger.info("%d allocation failures tested" % (count - 1))
2859 break
2860 raise e
2861
22b99086
JM		 2862def test_ap_wpa2_eap_ikev2(dev, apdev):
2863 """WPA2-Enterprise connection using EAP-IKEv2"""
c8e82c94 2864 check_eap_capa(dev[0], "IKEV2")
22b99086 2865 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 2866 hapd = hostapd.add_ap(apdev[0], params)
2867 eap_connect(dev[0], hapd, "IKEV2", "ikev2 user",
cb33ee14 2868 password="ike password")
75b2b9cf 2869 eap_reauth(dev[0], "IKEV2")
6daf5b9c 2870 dev[0].request("REMOVE_NETWORK all")
3b3e2687 2871 eap_connect(dev[0], hapd, "IKEV2", "ikev2 user",
47a74ad8 2872 password="ike password", fragment_size="50")
22b99086 2873
f10ba3b2
JM		 2874 logger.info("Negative test with incorrect password")
2875 dev[0].request("REMOVE_NETWORK all")
3b3e2687 2876 eap_connect(dev[0], hapd, "IKEV2", "ikev2 user",
f10ba3b2 2877 password="ike-password", expect_failure=True)
35372f6c
JM		 2878 dev[0].request("REMOVE_NETWORK all")
2879
3b3e2687 2880 eap_connect(dev[0], hapd, "IKEV2", "ikev2 user",
35372f6c
JM		 2881 password="ike password", fragment_size="0")
2882 dev[0].request("REMOVE_NETWORK all")
2883 dev[0].wait_disconnected()
f10ba3b2 2884
47a74ad8
JM		 2885def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
2886 """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
c8e82c94 2887 check_eap_capa(dev[0], "IKEV2")
47a74ad8
JM		 2888 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2889 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2890 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2891 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
2892 "fragment_size": "50" }
3b3e2687
JD		 2893 hapd = hostapd.add_ap(apdev[0], params)
2894 eap_connect(dev[0], hapd, "IKEV2", "ikev2 user",
47a74ad8
JM		 2895 password="ike password")
2896 eap_reauth(dev[0], "IKEV2")
2897
f1ab79c3
JM		 2898def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
2899 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
c8e82c94 2900 check_eap_capa(dev[0], "IKEV2")
f1ab79c3 2901 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 2902 hostapd.add_ap(apdev[0], params)
f1ab79c3
JM		 2903
2904 tests = [ (1, "dh_init"),
2905 (2, "dh_init"),
2906 (1, "dh_derive_shared") ]
2907 for count, func in tests:
2908 with alloc_fail(dev[0], count, func):
2909 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2910 identity="ikev2 user", password="ike password",
2911 wait_connect=False, scan_freq="2412")
2912 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2913 if ev is None:
2914 raise Exception("EAP method not selected")
2915 for i in range(10):
2916 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2917 break
2918 time.sleep(0.02)
2919 dev[0].request("REMOVE_NETWORK all")
2920
d8003dcb
SP		 2921 tls = dev[0].request("GET tls_library")
2922 if not tls.startswith("wolfSSL"):
2923 tests = [ (1, "os_get_random;dh_init") ]
2924 else:
2925 tests = [ (1, "crypto_dh_init;dh_init") ]
f1ab79c3
JM		 2926 for count, func in tests:
2927 with fail_test(dev[0], count, func):
2928 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2929 identity="ikev2 user", password="ike password",
2930 wait_connect=False, scan_freq="2412")
2931 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2932 if ev is None:
2933 raise Exception("EAP method not selected")
2934 for i in range(10):
2935 if "0:" in dev[0].request("GET_FAIL"):
2936 break
2937 time.sleep(0.02)
2938 dev[0].request("REMOVE_NETWORK all")
2939
22b99086
JM		 2940def test_ap_wpa2_eap_pax(dev, apdev):
2941 """WPA2-Enterprise connection using EAP-PAX"""
2942 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 2943 hapd = hostapd.add_ap(apdev[0], params)
2944 eap_connect(dev[0], hapd, "PAX", "pax.user@example.com",
22b99086 2945 password_hex="0123456789abcdef0123456789abcdef")
75b2b9cf 2946 eap_reauth(dev[0], "PAX")
22b99086 2947
f10ba3b2
JM		 2948 logger.info("Negative test with incorrect password")
2949 dev[0].request("REMOVE_NETWORK all")
3b3e2687 2950 eap_connect(dev[0], hapd, "PAX", "pax.user@example.com",
f10ba3b2
JM		 2951 password_hex="ff23456789abcdef0123456789abcdef",
2952 expect_failure=True)
2953
22b99086
JM		 2954def test_ap_wpa2_eap_psk(dev, apdev):
2955 """WPA2-Enterprise connection using EAP-PSK"""
2956 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2b005194
JM		 2957 params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
2958 params["ieee80211w"] = "2"
3b3e2687
JD		 2959 hapd = hostapd.add_ap(apdev[0], params)
2960 eap_connect(dev[0], hapd, "PSK", "psk.user@example.com",
2b005194
JM		 2961 password_hex="0123456789abcdef0123456789abcdef", sha256=True)
2962 eap_reauth(dev[0], "PSK", sha256=True)
eaf3f9b1
JM		 2963 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
2964 ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ])
71390dc8 2965
d463c556
JM		 2966 bss = dev[0].get_bss(apdev[0]['bssid'])
2967 if 'flags' not in bss:
2968 raise Exception("Could not get BSS flags from BSS table")
2969 if "[WPA2-EAP-SHA256-CCMP]" not in bss['flags']:
2970 raise Exception("Unexpected BSS flags: " + bss['flags'])
2971
f10ba3b2
JM		 2972 logger.info("Negative test with incorrect password")
2973 dev[0].request("REMOVE_NETWORK all")
3b3e2687 2974 eap_connect(dev[0], hapd, "PSK", "psk.user@example.com",
f10ba3b2
JM		 2975 password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
2976 expect_failure=True)
2977
8c4e4c01
JM		 2978def test_ap_wpa2_eap_psk_oom(dev, apdev):
2979 """WPA2-Enterprise connection using EAP-PSK and OOM"""
38934ed1 2980 skip_with_fips(dev[0])
8c4e4c01 2981 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 2982 hostapd.add_ap(apdev[0], params)
7cbc8e67
JM		 2983 tests = [ (1, "=aes_128_eax_encrypt"),
2984 (1, "=aes_128_eax_decrypt") ]
2985 for count, func in tests:
2986 with alloc_fail(dev[0], count, func):
2987 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2988 identity="psk.user@example.com",
2989 password_hex="0123456789abcdef0123456789abcdef",
2990 wait_connect=False, scan_freq="2412")
2991 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2992 if ev is None:
2993 raise Exception("EAP method not selected")
2994 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL",
2995 note="Failure not triggered: %d:%s" % (count, func))
2996 dev[0].request("REMOVE_NETWORK all")
2997 dev[0].wait_disconnected()
2998
677c2283 2999 tests = [ (1, "aes_ctr_encrypt;aes_128_eax_encrypt"),
8c4e4c01
JM		 3000 (1, "omac1_aes_128;aes_128_eax_encrypt"),
3001 (2, "omac1_aes_128;aes_128_eax_encrypt"),
3002 (3, "omac1_aes_128;aes_128_eax_encrypt"),
8c4e4c01 3003 (1, "omac1_aes_vector"),
8c4e4c01
JM		 3004 (1, "omac1_aes_128;aes_128_eax_decrypt"),
3005 (2, "omac1_aes_128;aes_128_eax_decrypt"),
3006 (3, "omac1_aes_128;aes_128_eax_decrypt"),
677c2283 3007 (1, "aes_ctr_encrypt;aes_128_eax_decrypt") ]
8c4e4c01 3008 for count, func in tests:
7cbc8e67 3009 with fail_test(dev[0], count, func):
8c4e4c01
JM		 3010 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
3011 identity="psk.user@example.com",
3012 password_hex="0123456789abcdef0123456789abcdef",
3013 wait_connect=False, scan_freq="2412")
3014 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
3015 if ev is None:
3016 raise Exception("EAP method not selected")
7cbc8e67
JM		 3017 wait_fail_trigger(dev[0], "GET_FAIL",
3018 note="Failure not triggered: %d:%s" % (count, func))
8c4e4c01 3019 dev[0].request("REMOVE_NETWORK all")
7cbc8e67 3020 dev[0].wait_disconnected()
8c4e4c01 3021
7cbc8e67 3022 with fail_test(dev[0], 1, "aes_128_encrypt_block"):
8c4e4c01
JM		 3023 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
3024 identity="psk.user@example.com",
3025 password_hex="0123456789abcdef0123456789abcdef",
3026 wait_connect=False, scan_freq="2412")
3027 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
3028 if ev is None:
3029 raise Exception("EAP method failure not reported")
3030 dev[0].request("REMOVE_NETWORK all")
7cbc8e67 3031 dev[0].wait_disconnected()
8c4e4c01 3032
71390dc8
JM		 3033def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
3034 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
e7ac04ce 3035 check_eap_capa(dev[0], "MSCHAPV2")
71390dc8 3036 params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
8b8a1864 3037 hapd = hostapd.add_ap(apdev[0], params)
71390dc8
JM		 3038 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
3039 identity="user", password="password", phase2="auth=MSCHAPV2",
3040 ca_cert="auth_serv/ca.pem", wait_connect=False,
3041 scan_freq="2412")
3042 eap_check_auth(dev[0], "PEAP", True, rsn=False)
a8375c94 3043 hwsim_utils.test_connectivity(dev[0], hapd)
71390dc8 3044 eap_reauth(dev[0], "PEAP", rsn=False)
eaf3f9b1
JM		 3045 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
3046 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
48bb2e68
JM		 3047 status = dev[0].get_status(extra="VERBOSE")
3048 if 'portControl' not in status:
3049 raise Exception("portControl missing from STATUS-VERBOSE")
3050 if status['portControl'] != 'Auto':
3051 raise Exception("Unexpected portControl value: " + status['portControl'])
3052 if 'eap_session_id' not in status:
3053 raise Exception("eap_session_id missing from STATUS-VERBOSE")
3054 if not status['eap_session_id'].startswith("19"):
3055 raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
40759604
JM		 3056
3057def test_ap_wpa2_eap_interactive(dev, apdev):
3058 """WPA2-Enterprise connection using interactive identity/password entry"""
e7ac04ce 3059 check_eap_capa(dev[0], "MSCHAPV2")
40759604 3060 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
6f334bf7 3061 hapd = hostapd.add_ap(apdev[0], params)
40759604
JM		 3062
3063 tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
3064 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
3065 None, "password"),
3066 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
3067 "TTLS", "ttls", None, "auth=MSCHAPV2",
3068 "DOMAIN\mschapv2 user", "password"),
3069 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
3070 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
3071 ("Connection with dynamic TTLS/EAP-MD5 password entry",
3072 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
3073 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
3074 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
3075 ("Connection with dynamic PEAP/EAP-GTC password entry",
3076 "PEAP", None, "user", "auth=GTC", None, "password") ]
3077 for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
3078 logger.info(desc)
3079 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
3080 anonymous_identity=anon, identity=identity,
3081 ca_cert="auth_serv/ca.pem", phase2=phase2,
3082 wait_connect=False, scan_freq="2412")
3083 if req_id:
3084 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
3085 if ev is None:
3086 raise Exception("Request for identity timed out")
3087 id = ev.split(':')[0].split('-')[-1]
3088 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
3089 ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
3090 if ev is None:
3091 raise Exception("Request for password timed out")
3092 id = ev.split(':')[0].split('-')[-1]
3093 type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
3094 dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
5f35a5e2 3095 dev[0].wait_connected(timeout=10)
40759604 3096 dev[0].request("REMOVE_NETWORK all")
e745c811 3097
f455998a
JM		 3098def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
3099 """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
3100 check_eap_capa(dev[0], "MSCHAPV2")
3101 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
6f334bf7 3102 hapd = hostapd.add_ap(apdev[0], params)
f455998a
JM		 3103
3104 id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
3105 only_add_network=True)
3106
3107 req_id = "DOMAIN\mschapv2 user"
3108 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3109 anonymous_identity="ttls", identity=None,
3110 password="password",
3111 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3112 wait_connect=False, scan_freq="2412")
3113 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
3114 if ev is None:
3115 raise Exception("Request for identity timed out")
3116 id = ev.split(':')[0].split('-')[-1]
3117 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
3118 dev[0].wait_connected(timeout=10)
3119
3120 if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
3121 raise Exception("Failed to enable network")
3122 ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
3123 if ev is not None:
3124 raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
3125 dev[0].request("REMOVE_NETWORK all")
3126
e745c811
JM		 3127def test_ap_wpa2_eap_vendor_test(dev, apdev):
3128 """WPA2-Enterprise connection using EAP vendor test"""
3129 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 3130 hapd = hostapd.add_ap(apdev[0], params)
3131 eap_connect(dev[0], hapd, "VENDOR-TEST", "vendor-test")
e745c811 3132 eap_reauth(dev[0], "VENDOR-TEST")
3b3e2687 3133 eap_connect(dev[1], hapd, "VENDOR-TEST", "vendor-test",
467775c5 3134 password="pending")
53a6f06a 3135
79a3973c
JM		 3136def test_ap_wpa2_eap_vendor_test_oom(dev, apdev):
3137 """WPA2-Enterprise connection using EAP vendor test (OOM)"""
3138 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 3139 hostapd.add_ap(apdev[0], params)
79a3973c
JM		 3140
3141 tests = [ "eap_vendor_test_init",
3142 "eap_msg_alloc;eap_vendor_test_process",
3143 "eap_vendor_test_getKey" ]
3144 for func in tests:
3145 with alloc_fail(dev[0], 1, func):
3146 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
3147 scan_freq="2412",
3148 eap="VENDOR-TEST", identity="vendor-test",
3149 wait_connect=False)
3150 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
3151 dev[0].request("REMOVE_NETWORK all")
3152 dev[0].wait_disconnected()
3153
53a6f06a
JM		 3154def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
3155 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
3b51cc63 3156 check_eap_capa(dev[0], "FAST")
53a6f06a 3157 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 3158 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 3159 eap_connect(dev[0], hapd, "FAST", "user",
53a6f06a
JM		 3160 anonymous_identity="FAST", password="password",
3161 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3162 phase1="fast_provisioning=1", pac_file="blob://fast_pac")
a8375c94 3163 hwsim_utils.test_connectivity(dev[0], hapd)
2fc4749c
JM		 3164 res = eap_reauth(dev[0], "FAST")
3165 if res['tls_session_reused'] != '1':
3166 raise Exception("EAP-FAST could not use PAC session ticket")
53a6f06a 3167
873e7c29
JM		 3168def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
3169 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
3b51cc63 3170 check_eap_capa(dev[0], "FAST")
873e7c29
JM		 3171 pac_file = os.path.join(params['logdir'], "fast.pac")
3172 pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
3173 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687 3174 hapd = hostapd.add_ap(apdev[0], params)
873e7c29
JM		 3175
3176 try:
3b3e2687 3177 eap_connect(dev[0], hapd, "FAST", "user",
873e7c29
JM		 3178 anonymous_identity="FAST", password="password",
3179 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3180 phase1="fast_provisioning=1", pac_file=pac_file)
3181 with open(pac_file, "r") as f:
3182 data = f.read()
3183 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
3184 raise Exception("PAC file header missing")
3185 if "PAC-Key=" not in data:
3186 raise Exception("PAC-Key missing from PAC file")
3187 dev[0].request("REMOVE_NETWORK all")
3b3e2687 3188 eap_connect(dev[0], hapd, "FAST", "user",
873e7c29
JM		 3189 anonymous_identity="FAST", password="password",
3190 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3191 pac_file=pac_file)
3192
3b3e2687 3193 eap_connect(dev[1], hapd, "FAST", "user",
873e7c29
JM		 3194 anonymous_identity="FAST", password="password",
3195 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3196 phase1="fast_provisioning=1 fast_pac_format=binary",
3197 pac_file=pac_file2)
3198 dev[1].request("REMOVE_NETWORK all")
3b3e2687 3199 eap_connect(dev[1], hapd, "FAST", "user",
873e7c29
JM		 3200 anonymous_identity="FAST", password="password",
3201 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3202 phase1="fast_pac_format=binary",
3203 pac_file=pac_file2)
3204 finally:
b638f703
JM		 3205 try:
3206 os.remove(pac_file)
3207 except:
3208 pass
3209 try:
3210 os.remove(pac_file2)
3211 except:
3212 pass
873e7c29 3213
c6ab1cdb
JM		 3214def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
3215 """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
3b51cc63 3216 check_eap_capa(dev[0], "FAST")
c6ab1cdb 3217 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 3218 hapd = hostapd.add_ap(apdev[0], params)
3219 eap_connect(dev[0], hapd, "FAST", "user",
c6ab1cdb
JM		 3220 anonymous_identity="FAST", password="password",
3221 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3222 phase1="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
3223 pac_file="blob://fast_pac_bin")
2fc4749c
JM		 3224 res = eap_reauth(dev[0], "FAST")
3225 if res['tls_session_reused'] != '1':
3226 raise Exception("EAP-FAST could not use PAC session ticket")
c6ab1cdb 3227
d7ef6e63
JM		 3228 # Verify fast_max_pac_list_len=0 special case
3229 dev[0].request("REMOVE_NETWORK all")
3230 dev[0].wait_disconnected()
3b3e2687 3231 eap_connect(dev[0], hapd, "FAST", "user",
d7ef6e63
JM		 3232 anonymous_identity="FAST", password="password",
3233 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3234 phase1="fast_provisioning=1 fast_max_pac_list_len=0 fast_pac_format=binary",
3235 pac_file="blob://fast_pac_bin")
3236
46e094bd
JM		 3237def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
3238 """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
3b51cc63 3239 check_eap_capa(dev[0], "FAST")
46e094bd 3240 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 3241 hostapd.add_ap(apdev[0], params)
46e094bd
JM		 3242
3243 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3244 identity="user", anonymous_identity="FAST",
3245 password="password",
3246 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3247 pac_file="blob://fast_pac_not_in_use",
3248 wait_connect=False, scan_freq="2412")
3249 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3250 if ev is None:
3251 raise Exception("Timeout on EAP failure report")
3252 dev[0].request("REMOVE_NETWORK all")
3253
3254 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3255 identity="user", anonymous_identity="FAST",
3256 password="password",
3257 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3258 wait_connect=False, scan_freq="2412")
3259 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3260 if ev is None:
3261 raise Exception("Timeout on EAP failure report")
3262
93aa1e16
JM		 3263def test_ap_wpa2_eap_fast_binary_pac_errors(dev, apdev):
3264 """EAP-FAST and binary PAC errors"""
3265 check_eap_capa(dev[0], "FAST")
3266 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687 3267 hapd = hostapd.add_ap(apdev[0], params)
93aa1e16
JM		 3268
3269 tests = [ (1, "=eap_fast_save_pac_bin"),
3270 (1, "eap_fast_write_pac"),
3271 (2, "eap_fast_write_pac"), ]
3272 for count, func in tests:
3273 if "OK" not in dev[0].request("SET blob fast_pac_bin_errors "):
3274 raise Exception("Could not set blob")
3275
3276 with alloc_fail(dev[0], count, func):
3b3e2687 3277 eap_connect(dev[0], hapd, "FAST", "user",
93aa1e16
JM		 3278 anonymous_identity="FAST", password="password",
3279 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3280 phase1="fast_provisioning=1 fast_pac_format=binary",
3281 pac_file="blob://fast_pac_bin_errors")
3282 dev[0].request("REMOVE_NETWORK all")
3283 dev[0].wait_disconnected()
3284
3285 tests = [ "00", "000000000000", "6ae4920c0001",
3286 "6ae4920c000000",
3287 "6ae4920c0000" + "0000" + 32*"00" + "ffff" + "0000",
3288 "6ae4920c0000" + "0000" + 32*"00" + "0001" + "0000",
3289 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0001",
3290 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0008" + "00040000" + "0007000100"]
3291 for t in tests:
3292 if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + t):
3293 raise Exception("Could not set blob")
3294
3295 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3296 identity="user", anonymous_identity="FAST",
3297 password="password",
3298 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3299 phase1="fast_provisioning=1 fast_pac_format=binary",
3300 pac_file="blob://fast_pac_bin_errors",
3301 scan_freq="2412", wait_connect=False)
3302 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
3303 timeout=5)
3304 if ev is None:
3305 raise Exception("Failure not reported")
3306 dev[0].request("REMOVE_NETWORK all")
3307 dev[0].wait_disconnected()
3308
3309 pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0000"
3310 tests = [ (1, "eap_fast_load_pac_bin"),
3311 (2, "eap_fast_load_pac_bin"),
3312 (3, "eap_fast_load_pac_bin") ]
3313 for count, func in tests:
3314 if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
3315 raise Exception("Could not set blob")
3316
3317 with alloc_fail(dev[0], count, func):
3318 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3319 identity="user", anonymous_identity="FAST",
3320 password="password",
3321 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3322 phase1="fast_provisioning=1 fast_pac_format=binary",
3323 pac_file="blob://fast_pac_bin_errors",
3324 scan_freq="2412", wait_connect=False)
3325 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
3326 timeout=5)
3327 if ev is None:
3328 raise Exception("Failure not reported")
3329 dev[0].request("REMOVE_NETWORK all")
3330 dev[0].wait_disconnected()
3331
3332 pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0005" + "0011223344"
3333 if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
3334 raise Exception("Could not set blob")
3335
3b3e2687 3336 eap_connect(dev[0], hapd, "FAST", "user",
93aa1e16
JM		 3337 anonymous_identity="FAST", password="password",
3338 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3339 phase1="fast_provisioning=1 fast_pac_format=binary",
3340 pac_file="blob://fast_pac_bin_errors")
3341 dev[0].request("REMOVE_NETWORK all")
3342 dev[0].wait_disconnected()
3343
3344 pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0009" + "00040000" + "0007000100"
3345 tests = [ (1, "eap_fast_pac_get_a_id"),
3346 (2, "eap_fast_pac_get_a_id") ]
3347 for count, func in tests:
3348 if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
3349 raise Exception("Could not set blob")
3350 with alloc_fail(dev[0], count, func):
3b3e2687 3351 eap_connect(dev[0], hapd, "FAST", "user",
93aa1e16
JM		 3352 anonymous_identity="FAST", password="password",
3353 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3354 phase1="fast_provisioning=1 fast_pac_format=binary",
3355 pac_file="blob://fast_pac_bin_errors")
3356 dev[0].request("REMOVE_NETWORK all")
3357 dev[0].wait_disconnected()
3358
592790bf
JM		 3359def test_ap_wpa2_eap_fast_text_pac_errors(dev, apdev):
3360 """EAP-FAST and text PAC errors"""
3361 check_eap_capa(dev[0], "FAST")
3362 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 3363 hostapd.add_ap(apdev[0], params)
592790bf
JM		 3364
3365 tests = [ (1, "eap_fast_parse_hex;eap_fast_parse_pac_key"),
3366 (1, "eap_fast_parse_hex;eap_fast_parse_pac_opaque"),
3367 (1, "eap_fast_parse_hex;eap_fast_parse_a_id"),
3368 (1, "eap_fast_parse_start"),
3369 (1, "eap_fast_save_pac") ]
3370 for count, func in tests:
3371 dev[0].request("FLUSH")
3372 if "OK" not in dev[0].request("SET blob fast_pac_text_errors "):
3373 raise Exception("Could not set blob")
3374
3375 with alloc_fail(dev[0], count, func):
3376 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3377 identity="user", anonymous_identity="FAST",
3378 password="password",
3379 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3380 phase1="fast_provisioning=1",
3381 pac_file="blob://fast_pac_text_errors",
3382 scan_freq="2412", wait_connect=False)
3383 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
3384 dev[0].request("REMOVE_NETWORK all")
3385 dev[0].wait_disconnected()
3386
3387 pac = "wpa_supplicant EAP-FAST PAC file - version 1\n"
3388 pac += "START\n"
3389 pac += "PAC-Type\n"
3390 pac += "END\n"
3391 if "OK" not in dev[0].request("SET blob fast_pac_text_errors " + pac.encode("hex")):
3392 raise Exception("Could not set blob")
3393
3394 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3395 identity="user", anonymous_identity="FAST",
3396 password="password",
3397 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3398 phase1="fast_provisioning=1",
3399 pac_file="blob://fast_pac_text_errors",
3400 scan_freq="2412", wait_connect=False)
3401 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=5)
3402 if ev is None:
3403 raise Exception("Failure not reported")
3404 dev[0].request("REMOVE_NETWORK all")
3405 dev[0].wait_disconnected()
3406
3407 dev[0].request("FLUSH")
3408 if "OK" not in dev[0].request("SET blob fast_pac_text_errors "):
3409 raise Exception("Could not set blob")
3410
3411 with alloc_fail(dev[0], 1, "eap_fast_add_pac_data"):
3412 for i in range(3):
3413 params = int_eap_server_params()
3414 params['ssid'] = "test-wpa2-eap-2"
3415 params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3416 params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3417 params['eap_fast_a_id_info'] = "test server %d" % i
3418
8b8a1864 3419 hapd2 = hostapd.add_ap(apdev[1], params)
592790bf
JM		 3420
3421 dev[0].connect("test-wpa2-eap-2", key_mgmt="WPA-EAP", eap="FAST",
3422 identity="user", anonymous_identity="FAST",
3423 password="password",
3424 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3425 phase1="fast_provisioning=1",
3426 pac_file="blob://fast_pac_text_errors",
3427 scan_freq="2412", wait_connect=False)
3428 dev[0].wait_connected()
3429 dev[0].request("REMOVE_NETWORK all")
3430 dev[0].wait_disconnected()
3431
3432 hapd2.disable()
3433
3434def test_ap_wpa2_eap_fast_pac_truncate(dev, apdev):
3435 """EAP-FAST and PAC list truncation"""
3436 check_eap_capa(dev[0], "FAST")
3437 if "OK" not in dev[0].request("SET blob fast_pac_truncate "):
3438 raise Exception("Could not set blob")
3439 for i in range(5):
3440 params = int_eap_server_params()
3441 params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3442 params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3443 params['eap_fast_a_id_info'] = "test server %d" % i
8b8a1864 3444 hapd = hostapd.add_ap(apdev[0], params)
592790bf
JM		 3445
3446 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3447 identity="user", anonymous_identity="FAST",
3448 password="password",
3449 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3450 phase1="fast_provisioning=1 fast_max_pac_list_len=2",
3451 pac_file="blob://fast_pac_truncate",
3452 scan_freq="2412", wait_connect=False)
3453 dev[0].wait_connected()
3454 dev[0].request("REMOVE_NETWORK all")
3455 dev[0].wait_disconnected()
3456
3457 hapd.disable()
3458
3459def test_ap_wpa2_eap_fast_pac_refresh(dev, apdev):
3460 """EAP-FAST and PAC refresh"""
3461 check_eap_capa(dev[0], "FAST")
3462 if "OK" not in dev[0].request("SET blob fast_pac_refresh "):
3463 raise Exception("Could not set blob")
3464 for i in range(2):
3465 params = int_eap_server_params()
3466 params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3467 params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3468 params['eap_fast_a_id_info'] = "test server %d" % i
3469 params['pac_key_refresh_time'] = "1"
3470 params['pac_key_lifetime'] = "10"
8b8a1864 3471 hapd = hostapd.add_ap(apdev[0], params)
592790bf
JM		 3472
3473 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3474 identity="user", anonymous_identity="FAST",
3475 password="password",
3476 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3477 phase1="fast_provisioning=1",
3478 pac_file="blob://fast_pac_refresh",
3479 scan_freq="2412", wait_connect=False)
3480 dev[0].wait_connected()
3481 dev[0].request("REMOVE_NETWORK all")
3482 dev[0].wait_disconnected()
3483
3484 hapd.disable()
3485
3486 for i in range(2):
3487 params = int_eap_server_params()
3488 params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3489 params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3490 params['eap_fast_a_id_info'] = "test server %d" % i
3491 params['pac_key_refresh_time'] = "10"
3492 params['pac_key_lifetime'] = "10"
8b8a1864 3493 hapd = hostapd.add_ap(apdev[0], params)
592790bf
JM		 3494
3495 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3496 identity="user", anonymous_identity="FAST",
3497 password="password",
3498 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3499 phase1="fast_provisioning=1",
3500 pac_file="blob://fast_pac_refresh",
3501 scan_freq="2412", wait_connect=False)
3502 dev[0].wait_connected()
3503 dev[0].request("REMOVE_NETWORK all")
3504 dev[0].wait_disconnected()
3505
3506 hapd.disable()
3507
3508def test_ap_wpa2_eap_fast_pac_lifetime(dev, apdev):
3509 """EAP-FAST and PAC lifetime"""
3510 check_eap_capa(dev[0], "FAST")
3511 if "OK" not in dev[0].request("SET blob fast_pac_refresh "):
3512 raise Exception("Could not set blob")
3513
3514 i = 0
3515 params = int_eap_server_params()
3516 params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3517 params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3518 params['eap_fast_a_id_info'] = "test server %d" % i
3519 params['pac_key_refresh_time'] = "0"
3520 params['pac_key_lifetime'] = "2"
8b8a1864 3521 hapd = hostapd.add_ap(apdev[0], params)
592790bf
JM		 3522
3523 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3524 identity="user", anonymous_identity="FAST",
3525 password="password",
3526 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3527 phase1="fast_provisioning=2",
3528 pac_file="blob://fast_pac_refresh",
3529 scan_freq="2412", wait_connect=False)
3530 dev[0].wait_connected()
3531 dev[0].request("DISCONNECT")
3532 dev[0].wait_disconnected()
3533
3534 time.sleep(3)
3535 dev[0].request("PMKSA_FLUSH")
3536 dev[0].request("RECONNECT")
3537 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
3538 if ev is None:
3539 raise Exception("No EAP-Failure seen after expired PAC")
3540 dev[0].request("DISCONNECT")
3541 dev[0].wait_disconnected()
3542
3543 dev[0].select_network(id)
3544 dev[0].wait_connected()
3545 dev[0].request("REMOVE_NETWORK all")
3546 dev[0].wait_disconnected()
3547
53a6f06a
JM		 3548def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
3549 """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
3b51cc63 3550 check_eap_capa(dev[0], "FAST")
53a6f06a 3551 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 3552 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 3553 eap_connect(dev[0], hapd, "FAST", "user",
53a6f06a
JM		 3554 anonymous_identity="FAST", password="password",
3555 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
3556 phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
a8375c94 3557 hwsim_utils.test_connectivity(dev[0], hapd)
2fc4749c
JM		 3558 res = eap_reauth(dev[0], "FAST")
3559 if res['tls_session_reused'] != '1':
3560 raise Exception("EAP-FAST could not use PAC session ticket")
d4c7a2b9 3561
95a15d79
JM		 3562def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
3563 """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
3564 check_eap_capa(dev[0], "FAST")
3565 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 3566 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 3567 id = eap_connect(dev[0], hapd, "FAST", "user",
95a15d79
JM		 3568 anonymous_identity="FAST", password="password",
3569 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
3570 phase1="fast_provisioning=2",
3571 pac_file="blob://fast_pac_auth")
3572 dev[0].set_network_quoted(id, "identity", "user2")
3573 dev[0].wait_disconnected()
3574 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
3575 if ev is None:
3576 raise Exception("EAP-FAST not started")
3577 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
3578 if ev is None:
3579 raise Exception("EAP failure not reported")
3580 dev[0].wait_disconnected()
3581
27f2fab0
JM		 3582def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
3583 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
3584 check_eap_capa(dev[0], "FAST")
cc71035f
JM		 3585 tls = dev[0].request("GET tls_library")
3586 if tls.startswith("OpenSSL"):
90b4c73f 3587 func = "tls_connection_get_eap_fast_key"
cc71035f
JM		 3588 count = 2
3589 elif tls.startswith("internal"):
3590 func = "tls_connection_prf"
3591 count = 1
3592 else:
3593 raise HwsimSkip("Unsupported TLS library")
27f2fab0 3594 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 3595 hapd = hostapd.add_ap(apdev[0], params)
cc71035f 3596 with alloc_fail(dev[0], count, func):
27f2fab0
JM		 3597 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3598 identity="user", anonymous_identity="FAST",
3599 password="password", ca_cert="auth_serv/ca.pem",
3600 phase2="auth=GTC",
3601 phase1="fast_provisioning=2",
3602 pac_file="blob://fast_pac_auth",
3603 wait_connect=False, scan_freq="2412")
3604 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
3605 if ev is None:
3606 raise Exception("EAP failure not reported")
3607 dev[0].request("DISCONNECT")
3608
6eddd530
JM		 3609def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
3610 """EAP-FAST/MSCHAPv2 and server OOM"""
3611 check_eap_capa(dev[0], "FAST")
3612
3613 params = int_eap_server_params()
3614 params['dh_file'] = 'auth_serv/dh.conf'
3615 params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
3616 params['eap_fast_a_id'] = '1011'
3617 params['eap_fast_a_id_info'] = 'another test server'
8b8a1864 3618 hapd = hostapd.add_ap(apdev[0], params)
6eddd530
JM		 3619
3620 with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
3b3e2687 3621 id = eap_connect(dev[0], hapd, "FAST", "user",
6eddd530
JM		 3622 anonymous_identity="FAST", password="password",
3623 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3624 phase1="fast_provisioning=1",
3625 pac_file="blob://fast_pac",
3626 expect_failure=True)
3627 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
3628 if ev is None:
3629 raise Exception("No EAP failure reported")
3630 dev[0].wait_disconnected()
3631 dev[0].request("DISCONNECT")
3632
3633 dev[0].select_network(id, freq="2412")
3634
ecd07de4
JM		 3635def test_ap_wpa2_eap_fast_cipher_suites(dev, apdev):
3636 """EAP-FAST and different TLS cipher suites"""
3637 check_eap_capa(dev[0], "FAST")
3638 tls = dev[0].request("GET tls_library")
d8003dcb
SP		 3639 if not tls.startswith("OpenSSL") and not tls.startswith("wolfSSL"):
3640 raise HwsimSkip("TLS library is not OpenSSL or wolfSSL: " + tls)
ecd07de4
JM		 3641
3642 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 3643 hapd = hostapd.add_ap(apdev[0], params)
ecd07de4
JM		 3644
3645 dev[0].request("SET blob fast_pac_ciphers ")
3b3e2687 3646 eap_connect(dev[0], hapd, "FAST", "user",
ecd07de4
JM		 3647 anonymous_identity="FAST", password="password",
3648 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
3649 phase1="fast_provisioning=2",
3650 pac_file="blob://fast_pac_ciphers")
3651 res = dev[0].get_status_field('EAP TLS cipher')
3652 dev[0].request("REMOVE_NETWORK all")
3653 dev[0].wait_disconnected()
3654 if res != "DHE-RSA-AES256-SHA":
3655 raise Exception("Unexpected cipher suite for provisioning: " + res)
3656
3657 tests = [ "DHE-RSA-AES128-SHA",
3658 "RC4-SHA",
3659 "AES128-SHA",
3660 "AES256-SHA",
3661 "DHE-RSA-AES256-SHA" ]
3662 for cipher in tests:
71666dc3
JM		 3663 dev[0].dump_monitor()
3664 logger.info("Testing " + cipher)
3665 try:
3b3e2687 3666 eap_connect(dev[0], hapd, "FAST", "user",
71666dc3
JM		 3667 openssl_ciphers=cipher,
3668 anonymous_identity="FAST", password="password",
3669 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
a61ee84d
JM		 3670 pac_file="blob://fast_pac_ciphers",
3671 report_failure=True)
71666dc3 3672 except Exception, e:
a61ee84d
JM		 3673 if cipher == "RC4-SHA" and \
3674 ("Could not select EAP method" in str(e) or \
3675 "EAP failed" in str(e)):
71666dc3
JM		 3676 if "run=OpenSSL 1.1" in tls:
3677 logger.info("Allow failure due to missing TLS library support")
3678 dev[0].request("REMOVE_NETWORK all")
3679 dev[0].wait_disconnected()
3680 continue
3681 raise
ecd07de4
JM		 3682 res = dev[0].get_status_field('EAP TLS cipher')
3683 dev[0].request("REMOVE_NETWORK all")
3684 dev[0].wait_disconnected()
3685 if res != cipher:
3686 raise Exception("Unexpected TLS cipher info (configured %s): %s" % (cipher, res))
3687
4c626382
JM		 3688def test_ap_wpa2_eap_fast_prov(dev, apdev):
3689 """EAP-FAST and provisioning options"""
3690 check_eap_capa(dev[0], "FAST")
3691 if "OK" not in dev[0].request("SET blob fast_pac_prov "):
3692 raise Exception("Could not set blob")
3693
3694 i = 100
3695 params = int_eap_server_params()
3696 params['disable_pmksa_caching'] = '1'
3697 params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3698 params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3699 params['eap_fast_a_id_info'] = "test server %d" % i
3700 params['eap_fast_prov'] = "0"
3701 hapd = hostapd.add_ap(apdev[0], params)
3702
3703 logger.info("Provisioning attempt while server has provisioning disabled")
3704 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3705 identity="user", anonymous_identity="FAST",
3706 password="password",
3707 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3708 phase1="fast_provisioning=2",
3709 pac_file="blob://fast_pac_prov",
3710 scan_freq="2412", wait_connect=False)
3711 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3712 timeout=15)
3713 if ev is None:
3714 raise Exception("EAP result not reported")
3715 if "parameter='failure'" not in ev:
3716 raise Exception("Unexpected EAP result: " + ev)
3717 dev[0].wait_disconnected()
3718 dev[0].request("DISCONNECT")
3719 dev[0].dump_monitor()
3720
3721 hapd.disable()
3722 logger.info("Authenticated provisioning")
3723 hapd.set("eap_fast_prov", "2")
3724 hapd.enable()
3725
3726 dev[0].select_network(id, freq="2412")
3727 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3728 timeout=15)
3729 if ev is None:
3730 raise Exception("EAP result not reported")
3731 if "parameter='success'" not in ev:
3732 raise Exception("Unexpected EAP result: " + ev)
3733 dev[0].wait_connected()
3734 dev[0].request("DISCONNECT")
3735 dev[0].wait_disconnected()
3736 dev[0].dump_monitor()
3737
3738 hapd.disable()
3739 logger.info("Provisioning disabled - using previously provisioned PAC")
3740 hapd.set("eap_fast_prov", "0")
3741 hapd.enable()
3742
3743 dev[0].select_network(id, freq="2412")
3744 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3745 timeout=15)
3746 if ev is None:
3747 raise Exception("EAP result not reported")
3748 if "parameter='success'" not in ev:
3749 raise Exception("Unexpected EAP result: " + ev)
3750 dev[0].wait_connected()
3751 dev[0].request("DISCONNECT")
3752 dev[0].wait_disconnected()
3753 dev[0].dump_monitor()
3754
3755 logger.info("Drop PAC and verify connection failure")
3756 if "OK" not in dev[0].request("SET blob fast_pac_prov "):
3757 raise Exception("Could not set blob")
3758
3759 dev[0].select_network(id, freq="2412")
3760 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3761 timeout=15)
3762 if ev is None:
3763 raise Exception("EAP result not reported")
3764 if "parameter='failure'" not in ev:
3765 raise Exception("Unexpected EAP result: " + ev)
3766 dev[0].wait_disconnected()
3767 dev[0].request("DISCONNECT")
3768 dev[0].dump_monitor()
3769
3770 hapd.disable()
3771 logger.info("Anonymous provisioning")
3772 hapd.set("eap_fast_prov", "1")
3773 hapd.enable()
3774 dev[0].set_network_quoted(id, "phase1", "fast_provisioning=1")
3775 dev[0].select_network(id, freq="2412")
3776 # Anonymous provisioning results in EAP-Failure first
3777 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3778 timeout=15)
3779 if ev is None:
3780 raise Exception("EAP result not reported")
3781 if "parameter='failure'" not in ev:
3782 raise Exception("Unexpected EAP result: " + ev)
3783 dev[0].wait_disconnected()
3784 # And then the actual data connection
3785 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3786 timeout=15)
3787 if ev is None:
3788 raise Exception("EAP result not reported")
3789 if "parameter='success'" not in ev:
3790 raise Exception("Unexpected EAP result: " + ev)
3791 dev[0].wait_connected()
3792 dev[0].request("DISCONNECT")
3793 dev[0].wait_disconnected()
3794 dev[0].dump_monitor()
3795
3796 hapd.disable()
3797 logger.info("Provisioning disabled - using previously provisioned PAC")
3798 hapd.set("eap_fast_prov", "0")
3799 hapd.enable()
3800
3801 dev[0].select_network(id, freq="2412")
3802 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3803 timeout=15)
3804 if ev is None:
3805 raise Exception("EAP result not reported")
3806 if "parameter='success'" not in ev:
3807 raise Exception("Unexpected EAP result: " + ev)
3808 dev[0].wait_connected()
3809 dev[0].request("DISCONNECT")
3810 dev[0].wait_disconnected()
3811 dev[0].dump_monitor()
3812
d4c7a2b9
JM		 3813def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
3814 """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
0dae8c99 3815 check_ocsp_support(dev[0])
16c43d2a 3816 check_pkcs12_support(dev[0])
d4c7a2b9 3817 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 3818 hapd = hostapd.add_ap(apdev[0], params)
3819 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
d4c7a2b9
JM		 3820 private_key="auth_serv/user.pkcs12",
3821 private_key_passwd="whatever", ocsp=2)
3822
98d125ca
JM		 3823def test_ap_wpa2_eap_tls_ocsp_multi(dev, apdev):
3824 """WPA2-Enterprise connection using EAP-TLS and verifying OCSP-multi"""
3825 check_ocsp_multi_support(dev[0])
3826 check_pkcs12_support(dev[0])
3827
3828 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 3829 hapd = hostapd.add_ap(apdev[0], params)
3830 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
98d125ca
JM		 3831 private_key="auth_serv/user.pkcs12",
3832 private_key_passwd="whatever", ocsp=2)
3833
64e05f96 3834def int_eap_server_params():
d4c7a2b9
JM		 3835 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
3836 "rsn_pairwise": "CCMP", "ieee8021x": "1",
3837 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
3838 "ca_cert": "auth_serv/ca.pem",
3839 "server_cert": "auth_serv/server.pem",
8adce07a
JM		 3840 "private_key": "auth_serv/server.key",
3841 "dh_file": "auth_serv/dh.conf" }
64e05f96 3842 return params
d2a1047e 3843
58a40620
JM		 3844def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
3845 """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
3846 check_ocsp_support(dev[0])
ff7affcc 3847 check_pkcs12_support(dev[0])
58a40620
JM		 3848 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-key-id.der")
3849 if not os.path.exists(ocsp):
3850 raise HwsimSkip("No OCSP response available")
3851 params = int_eap_server_params()
3852 params["ocsp_stapling_response"] = ocsp
8b8a1864 3853 hostapd.add_ap(apdev[0], params)
58a40620
JM		 3854 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3855 identity="tls user", ca_cert="auth_serv/ca.pem",
3856 private_key="auth_serv/user.pkcs12",
3857 private_key_passwd="whatever", ocsp=2,
3858 scan_freq="2412")
3859
d79ce4a6
JM		 3860def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
3861 """EAP-TLS and CA signed OCSP response (good)"""
3862 check_ocsp_support(dev[0])
ff7affcc 3863 check_pkcs12_support(dev[0])
d79ce4a6
JM		 3864 ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
3865 if not os.path.exists(ocsp):
3866 raise HwsimSkip("No OCSP response available")
3867 params = int_eap_server_params()
3868 params["ocsp_stapling_response"] = ocsp
8b8a1864 3869 hostapd.add_ap(apdev[0], params)
d79ce4a6
JM		 3870 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3871 identity="tls user", ca_cert="auth_serv/ca.pem",
3872 private_key="auth_serv/user.pkcs12",
3873 private_key_passwd="whatever", ocsp=2,
3874 scan_freq="2412")
3875
3876def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
3877 """EAP-TLS and CA signed OCSP response (revoked)"""
3878 check_ocsp_support(dev[0])
ff7affcc 3879 check_pkcs12_support(dev[0])
d79ce4a6
JM		 3880 ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
3881 if not os.path.exists(ocsp):
3882 raise HwsimSkip("No OCSP response available")
3883 params = int_eap_server_params()
3884 params["ocsp_stapling_response"] = ocsp
8b8a1864 3885 hostapd.add_ap(apdev[0], params)
d79ce4a6
JM		 3886 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3887 identity="tls user", ca_cert="auth_serv/ca.pem",
3888 private_key="auth_serv/user.pkcs12",
3889 private_key_passwd="whatever", ocsp=2,
3890 wait_connect=False, scan_freq="2412")
3891 count = 0
3892 while True:
3893 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3894 if ev is None:
3895 raise Exception("Timeout on EAP status")
3896 if 'bad certificate status response' in ev:
3897 break
3898 if 'certificate revoked' in ev:
3899 break
3900 count = count + 1
3901 if count > 10:
3902 raise Exception("Unexpected number of EAP status messages")
3903
3904 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3905 if ev is None:
3906 raise Exception("Timeout on EAP failure report")
3907
3908def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
3909 """EAP-TLS and CA signed OCSP response (unknown)"""
3910 check_ocsp_support(dev[0])
ff7affcc 3911 check_pkcs12_support(dev[0])
d79ce4a6
JM		 3912 ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
3913 if not os.path.exists(ocsp):
3914 raise HwsimSkip("No OCSP response available")
3915 params = int_eap_server_params()
3916 params["ocsp_stapling_response"] = ocsp
8b8a1864 3917 hostapd.add_ap(apdev[0], params)
d79ce4a6
JM		 3918 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3919 identity="tls user", ca_cert="auth_serv/ca.pem",
3920 private_key="auth_serv/user.pkcs12",
3921 private_key_passwd="whatever", ocsp=2,
3922 wait_connect=False, scan_freq="2412")
3923 count = 0
3924 while True:
3925 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3926 if ev is None:
3927 raise Exception("Timeout on EAP status")
3928 if 'bad certificate status response' in ev:
3929 break
3930 count = count + 1
3931 if count > 10:
3932 raise Exception("Unexpected number of EAP status messages")
3933
3934 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3935 if ev is None:
3936 raise Exception("Timeout on EAP failure report")
3937
3938def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
3939 """EAP-TLS and server signed OCSP response"""
3940 check_ocsp_support(dev[0])
ff7affcc 3941 check_pkcs12_support(dev[0])
d79ce4a6
JM		 3942 ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
3943 if not os.path.exists(ocsp):
3944 raise HwsimSkip("No OCSP response available")
3945 params = int_eap_server_params()
3946 params["ocsp_stapling_response"] = ocsp
8b8a1864 3947 hostapd.add_ap(apdev[0], params)
d79ce4a6
JM		 3948 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3949 identity="tls user", ca_cert="auth_serv/ca.pem",
3950 private_key="auth_serv/user.pkcs12",
3951 private_key_passwd="whatever", ocsp=2,
3952 wait_connect=False, scan_freq="2412")
3953 count = 0
3954 while True:
3955 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3956 if ev is None:
3957 raise Exception("Timeout on EAP status")
3958 if 'bad certificate status response' in ev:
3959 break
3960 count = count + 1
3961 if count > 10:
3962 raise Exception("Unexpected number of EAP status messages")
3963
3964 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3965 if ev is None:
3966 raise Exception("Timeout on EAP failure report")
3967
d2a1047e
JM		 3968def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
3969 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
0dae8c99 3970 check_ocsp_support(dev[0])
ff7affcc 3971 check_pkcs12_support(dev[0])
d2a1047e
JM		 3972 params = int_eap_server_params()
3973 params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
8b8a1864 3974 hostapd.add_ap(apdev[0], params)
d2a1047e
JM		 3975 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3976 identity="tls user", ca_cert="auth_serv/ca.pem",
3977 private_key="auth_serv/user.pkcs12",
3978 private_key_passwd="whatever", ocsp=2,
3979 wait_connect=False, scan_freq="2412")
3980 count = 0
3981 while True:
3982 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3983 if ev is None:
3984 raise Exception("Timeout on EAP status")
3985 if 'bad certificate status response' in ev:
3986 break
3987 count = count + 1
3988 if count > 10:
3989 raise Exception("Unexpected number of EAP status messages")
3990
3991 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3992 if ev is None:
3993 raise Exception("Timeout on EAP failure report")
3994
64e05f96
JM		 3995def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
3996 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
0dae8c99 3997 check_ocsp_support(dev[0])
ff7affcc 3998 check_pkcs12_support(dev[0])
64e05f96
JM		 3999 params = int_eap_server_params()
4000 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
8b8a1864 4001 hostapd.add_ap(apdev[0], params)
df7ad0fa
JM		 4002 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4003 identity="tls user", ca_cert="auth_serv/ca.pem",
4004 private_key="auth_serv/user.pkcs12",
4005 private_key_passwd="whatever", ocsp=2,
4006 wait_connect=False, scan_freq="2412")
4007 count = 0
4008 while True:
4009 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4010 if ev is None:
4011 raise Exception("Timeout on EAP status")
4012 if 'bad certificate status response' in ev:
4013 break
4014 count = count + 1
4015 if count > 10:
4016 raise Exception("Unexpected number of EAP status messages")
4017
4018 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4019 if ev is None:
4020 raise Exception("Timeout on EAP failure report")
4021
4022def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
4023 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
0dae8c99 4024 check_ocsp_support(dev[0])
ff7affcc 4025 check_pkcs12_support(dev[0])
df7ad0fa
JM		 4026 params = int_eap_server_params()
4027 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
8b8a1864 4028 hostapd.add_ap(apdev[0], params)
d4c7a2b9
JM		 4029 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4030 identity="tls user", ca_cert="auth_serv/ca.pem",
4031 private_key="auth_serv/user.pkcs12",
4032 private_key_passwd="whatever", ocsp=2,
4033 wait_connect=False, scan_freq="2412")
4034 count = 0
4035 while True:
4036 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4037 if ev is None:
4038 raise Exception("Timeout on EAP status")
4039 if 'bad certificate status response' in ev:
4040 break
4041 count = count + 1
4042 if count > 10:
4043 raise Exception("Unexpected number of EAP status messages")
4044
4045 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4046 if ev is None:
4047 raise Exception("Timeout on EAP failure report")
64e05f96 4048
37b4a66c
JM		 4049def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
4050 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
0dae8c99 4051 check_ocsp_support(dev[0])
37b4a66c
JM		 4052 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
4053 if not os.path.exists(ocsp):
4054 raise HwsimSkip("No OCSP response available")
4055 params = int_eap_server_params()
4056 params["ocsp_stapling_response"] = ocsp
8b8a1864 4057 hostapd.add_ap(apdev[0], params)
37b4a66c
JM		 4058 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4059 identity="pap user", ca_cert="auth_serv/ca.pem",
4060 anonymous_identity="ttls", password="password",
4061 phase2="auth=PAP", ocsp=2,
4062 wait_connect=False, scan_freq="2412")
4063 count = 0
4064 while True:
4065 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4066 if ev is None:
4067 raise Exception("Timeout on EAP status")
4068 if 'bad certificate status response' in ev:
4069 break
4070 if 'certificate revoked' in ev:
4071 break
4072 count = count + 1
4073 if count > 10:
4074 raise Exception("Unexpected number of EAP status messages")
4075
4076 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4077 if ev is None:
4078 raise Exception("Timeout on EAP failure report")
4079
4080def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
4081 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
0dae8c99 4082 check_ocsp_support(dev[0])
37b4a66c
JM		 4083 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
4084 if not os.path.exists(ocsp):
4085 raise HwsimSkip("No OCSP response available")
4086 params = int_eap_server_params()
4087 params["ocsp_stapling_response"] = ocsp
8b8a1864 4088 hostapd.add_ap(apdev[0], params)
37b4a66c
JM		 4089 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4090 identity="pap user", ca_cert="auth_serv/ca.pem",
4091 anonymous_identity="ttls", password="password",
4092 phase2="auth=PAP", ocsp=2,
4093 wait_connect=False, scan_freq="2412")
4094 count = 0
4095 while True:
4096 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4097 if ev is None:
4098 raise Exception("Timeout on EAP status")
4099 if 'bad certificate status response' in ev:
4100 break
4101 count = count + 1
4102 if count > 10:
4103 raise Exception("Unexpected number of EAP status messages")
4104
4105 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4106 if ev is None:
4107 raise Exception("Timeout on EAP failure report")
4108
4109def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
4110 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
4111 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
4112 if not os.path.exists(ocsp):
4113 raise HwsimSkip("No OCSP response available")
4114 params = int_eap_server_params()
4115 params["ocsp_stapling_response"] = ocsp
8b8a1864 4116 hostapd.add_ap(apdev[0], params)
37b4a66c
JM		 4117 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4118 identity="pap user", ca_cert="auth_serv/ca.pem",
4119 anonymous_identity="ttls", password="password",
4120 phase2="auth=PAP", ocsp=1, scan_freq="2412")
4121
52811b8c
JM		 4122def test_ap_wpa2_eap_tls_intermediate_ca(dev, apdev, params):
4123 """EAP-TLS with intermediate server/user CA"""
4124 params = int_eap_server_params()
4125 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4126 params["server_cert"] = "auth_serv/iCA-server/server.pem"
4127 params["private_key"] = "auth_serv/iCA-server/server.key"
8b8a1864 4128 hostapd.add_ap(apdev[0], params)
b4635f0a
JM		 4129 tls = dev[0].request("GET tls_library")
4130 if "GnuTLS" in tls:
4131 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
4132 client_cert = "auth_serv/iCA-user/user_and_ica.pem"
4133 else:
4134 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
4135 client_cert = "auth_serv/iCA-user/user.pem"
52811b8c
JM		 4136 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4137 identity="tls user",
b4635f0a
JM		 4138 ca_cert=ca_cert,
4139 client_cert=client_cert,
52811b8c
JM		 4140 private_key="auth_serv/iCA-user/user.key",
4141 scan_freq="2412")
4142
4143def root_ocsp(cert):
4144 ca = "auth_serv/ca.pem"
4145
4146 fd2, fn2 = tempfile.mkstemp()
4147 os.close(fd2)
4148
d40d959e
JB		 4149 arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-sha256",
4150 "-cert", cert, "-no_nonce", "-text" ]
4151 logger.info(' '.join(arg))
52811b8c
JM		 4152 cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
4153 stderr=subprocess.PIPE)
4154 res = cmd.stdout.read() + "\n" + cmd.stderr.read()
4155 cmd.stdout.close()
4156 cmd.stderr.close()
d40d959e
JB		 4157 cmd.wait()
4158 if cmd.returncode != 0:
4159 raise Exception("bad return code from openssl ocsp\n\n" + res)
52811b8c
JM		 4160 logger.info("OCSP request:\n" + res)
4161
4162 fd, fn = tempfile.mkstemp()
4163 os.close(fd)
40ae4a2f
JM		 4164 arg = [ "openssl", "ocsp", "-index", "auth_serv/rootCA/index.txt",
4165 "-rsigner", ca, "-rkey", "auth_serv/ca-key.pem",
52811b8c
JM		 4166 "-CA", ca, "-issuer", ca, "-verify_other", ca, "-trust_other",
4167 "-ndays", "7", "-reqin", fn2, "-resp_no_certs", "-respout", fn,
4168 "-text" ]
4169 cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
4170 stderr=subprocess.PIPE)
4171 res = cmd.stdout.read() + "\n" + cmd.stderr.read()
4172 cmd.stdout.close()
4173 cmd.stderr.close()
d40d959e
JB		 4174 cmd.wait()
4175 if cmd.returncode != 0:
4176 raise Exception("bad return code from openssl ocsp\n\n" + res)
52811b8c
JM		 4177 logger.info("OCSP response:\n" + res)
4178 os.unlink(fn2)
4179 return fn
4180
b7288e5d 4181def ica_ocsp(cert, md="-sha256"):
52811b8c
JM		 4182 prefix = "auth_serv/iCA-server/"
4183 ca = prefix + "cacert.pem"
4184 cert = prefix + cert
4185
4186 fd2, fn2 = tempfile.mkstemp()
4187 os.close(fd2)
4188
b7288e5d 4189 arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, md,
d40d959e 4190 "-cert", cert, "-no_nonce", "-text" ]
52811b8c
JM		 4191 cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
4192 stderr=subprocess.PIPE)
4193 res = cmd.stdout.read() + "\n" + cmd.stderr.read()
4194 cmd.stdout.close()
4195 cmd.stderr.close()
d40d959e
JB		 4196 cmd.wait()
4197 if cmd.returncode != 0:
4198 raise Exception("bad return code from openssl ocsp\n\n" + res)
52811b8c
JM		 4199 logger.info("OCSP request:\n" + res)
4200
4201 fd, fn = tempfile.mkstemp()
4202 os.close(fd)
4203 arg = [ "openssl", "ocsp", "-index", prefix + "index.txt",
4204 "-rsigner", ca, "-rkey", prefix + "private/cakey.pem",
4205 "-CA", ca, "-issuer", ca, "-verify_other", ca, "-trust_other",
4206 "-ndays", "7", "-reqin", fn2, "-resp_no_certs", "-respout", fn,
4207 "-text" ]
4208 cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
4209 stderr=subprocess.PIPE)
4210 res = cmd.stdout.read() + "\n" + cmd.stderr.read()
4211 cmd.stdout.close()
4212 cmd.stderr.close()
d40d959e
JB		 4213 cmd.wait()
4214 if cmd.returncode != 0:
4215 raise Exception("bad return code from openssl ocsp\n\n" + res)
52811b8c
JM		 4216 logger.info("OCSP response:\n" + res)
4217 os.unlink(fn2)
4218 return fn
4219
4220def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params):
4221 """EAP-TLS with intermediate server/user CA and OCSP on server certificate"""
b7288e5d
JM		 4222 run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, "-sha256")
4223
4224def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_sha1(dev, apdev, params):
4225 """EAP-TLS with intermediate server/user CA and OCSP on server certificate )SHA1)"""
4226 run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, "-sha1")
4227
4228def run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, md):
52811b8c
JM		 4229 params = int_eap_server_params()
4230 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4231 params["server_cert"] = "auth_serv/iCA-server/server.pem"
4232 params["private_key"] = "auth_serv/iCA-server/server.key"
b7288e5d 4233 fn = ica_ocsp("server.pem", md)
52811b8c
JM		 4234 params["ocsp_stapling_response"] = fn
4235 try:
8b8a1864 4236 hostapd.add_ap(apdev[0], params)
b4635f0a
JM		 4237 tls = dev[0].request("GET tls_library")
4238 if "GnuTLS" in tls:
4239 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
4240 client_cert = "auth_serv/iCA-user/user_and_ica.pem"
4241 else:
4242 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
4243 client_cert = "auth_serv/iCA-user/user.pem"
52811b8c
JM		 4244 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4245 identity="tls user",
b4635f0a
JM		 4246 ca_cert=ca_cert,
4247 client_cert=client_cert,
52811b8c
JM		 4248 private_key="auth_serv/iCA-user/user.key",
4249 scan_freq="2412", ocsp=2)
4250 finally:
4251 os.unlink(fn)
4252
4253def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params):
4254 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate"""
b7288e5d
JM		 4255 run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params,
4256 "-sha256")
4257
4258def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked_sha1(dev, apdev, params):
4259 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate (SHA1)"""
4260 run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params,
4261 "-sha1")
4262
4263def run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params, md):
52811b8c
JM		 4264 params = int_eap_server_params()
4265 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4266 params["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
4267 params["private_key"] = "auth_serv/iCA-server/server-revoked.key"
b7288e5d 4268 fn = ica_ocsp("server-revoked.pem", md)
52811b8c
JM		 4269 params["ocsp_stapling_response"] = fn
4270 try:
8b8a1864 4271 hostapd.add_ap(apdev[0], params)
b4635f0a
JM		 4272 tls = dev[0].request("GET tls_library")
4273 if "GnuTLS" in tls:
4274 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
4275 client_cert = "auth_serv/iCA-user/user_and_ica.pem"
4276 else:
4277 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
4278 client_cert = "auth_serv/iCA-user/user.pem"
52811b8c
JM		 4279 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4280 identity="tls user",
b4635f0a
JM		 4281 ca_cert=ca_cert,
4282 client_cert=client_cert,
52811b8c
JM		 4283 private_key="auth_serv/iCA-user/user.key",
4284 scan_freq="2412", ocsp=1, wait_connect=False)
4285 count = 0
4286 while True:
4287 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4288 "CTRL-EVENT-EAP-SUCCESS"])
4289 if ev is None:
4290 raise Exception("Timeout on EAP status")
4291 if "CTRL-EVENT-EAP-SUCCESS" in ev:
4292 raise Exception("Unexpected EAP-Success")
4293 if 'bad certificate status response' in ev:
4294 break
4295 if 'certificate revoked' in ev:
4296 break
4297 count = count + 1
4298 if count > 10:
4299 raise Exception("Unexpected number of EAP status messages")
4300
4301 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4302 if ev is None:
4303 raise Exception("Timeout on EAP failure report")
4304 dev[0].request("REMOVE_NETWORK all")
4305 dev[0].wait_disconnected()
4306 finally:
4307 os.unlink(fn)
4308
4309def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev, apdev, params):
4310 """EAP-TLS with intermediate server/user CA and OCSP multi missing response"""
4311 check_ocsp_support(dev[0])
4312 check_ocsp_multi_support(dev[0])
4313
4314 params = int_eap_server_params()
4315 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4316 params["server_cert"] = "auth_serv/iCA-server/server.pem"
4317 params["private_key"] = "auth_serv/iCA-server/server.key"
4318 fn = ica_ocsp("server.pem")
4319 params["ocsp_stapling_response"] = fn
4320 try:
8b8a1864 4321 hostapd.add_ap(apdev[0], params)
b4635f0a
JM		 4322 tls = dev[0].request("GET tls_library")
4323 if "GnuTLS" in tls:
4324 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
4325 client_cert = "auth_serv/iCA-user/user_and_ica.pem"
4326 else:
4327 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
4328 client_cert = "auth_serv/iCA-user/user.pem"
52811b8c
JM		 4329 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4330 identity="tls user",
b4635f0a
JM		 4331 ca_cert=ca_cert,
4332 client_cert=client_cert,
52811b8c
JM		 4333 private_key="auth_serv/iCA-user/user.key",
4334 scan_freq="2412", ocsp=3, wait_connect=False)
4335 count = 0
4336 while True:
4337 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4338 "CTRL-EVENT-EAP-SUCCESS"])
4339 if ev is None:
4340 raise Exception("Timeout on EAP status")
4341 if "CTRL-EVENT-EAP-SUCCESS" in ev:
4342 raise Exception("Unexpected EAP-Success")
4343 if 'bad certificate status response' in ev:
4344 break
4345 if 'certificate revoked' in ev:
4346 break
4347 count = count + 1
4348 if count > 10:
4349 raise Exception("Unexpected number of EAP status messages")
4350
4351 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4352 if ev is None:
4353 raise Exception("Timeout on EAP failure report")
4354 dev[0].request("REMOVE_NETWORK all")
4355 dev[0].wait_disconnected()
4356 finally:
4357 os.unlink(fn)
4358
4359def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev, apdev, params):
4360 """EAP-TLS with intermediate server/user CA and OCSP multi OK"""
4361 check_ocsp_support(dev[0])
4362 check_ocsp_multi_support(dev[0])
4363
4364 params = int_eap_server_params()
4365 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4366 params["server_cert"] = "auth_serv/iCA-server/server.pem"
4367 params["private_key"] = "auth_serv/iCA-server/server.key"
4368 fn = ica_ocsp("server.pem")
4369 fn2 = root_ocsp("auth_serv/iCA-server/cacert.pem")
4370 params["ocsp_stapling_response"] = fn
4371
4372 with open(fn, "r") as f:
4373 resp_server = f.read()
4374 with open(fn2, "r") as f:
4375 resp_ica = f.read()
4376
4377 fd3, fn3 = tempfile.mkstemp()
4378 try:
4379 f = os.fdopen(fd3, 'w')
4380 f.write(struct.pack(">L", len(resp_server))[1:4])
4381 f.write(resp_server)
4382 f.write(struct.pack(">L", len(resp_ica))[1:4])
4383 f.write(resp_ica)
4384 f.close()
4385
4386 params["ocsp_stapling_response_multi"] = fn3
4387
8b8a1864 4388 hostapd.add_ap(apdev[0], params)
b4635f0a
JM		 4389 tls = dev[0].request("GET tls_library")
4390 if "GnuTLS" in tls:
4391 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
4392 client_cert = "auth_serv/iCA-user/user_and_ica.pem"
4393 else:
4394 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
4395 client_cert = "auth_serv/iCA-user/user.pem"
52811b8c
JM		 4396 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4397 identity="tls user",
b4635f0a
JM		 4398 ca_cert=ca_cert,
4399 client_cert=client_cert,
52811b8c 4400 private_key="auth_serv/iCA-user/user.key",
40ae4a2f 4401 scan_freq="2412", ocsp=3)
52811b8c
JM		 4402 dev[0].request("REMOVE_NETWORK all")
4403 dev[0].wait_disconnected()
4404 finally:
4405 os.unlink(fn)
4406 os.unlink(fn2)
4407 os.unlink(fn3)
4408
98d125ca
JM		 4409def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev, apdev, params):
4410 """EAP-TLS and CA signed OCSP multi response (revoked)"""
4411 check_ocsp_support(dev[0])
4412 check_ocsp_multi_support(dev[0])
ff7affcc 4413 check_pkcs12_support(dev[0])
98d125ca
JM		 4414
4415 ocsp_revoked = os.path.join(params['logdir'],
4416 "ocsp-resp-ca-signed-revoked.der")
4417 if not os.path.exists(ocsp_revoked):
4418 raise HwsimSkip("No OCSP response (revoked) available")
4419 ocsp_unknown = os.path.join(params['logdir'],
4420 "ocsp-resp-ca-signed-unknown.der")
4421 if not os.path.exists(ocsp_unknown):
4422 raise HwsimSkip("No OCSP response(unknown) available")
4423
4424 with open(ocsp_revoked, "r") as f:
4425 resp_revoked = f.read()
4426 with open(ocsp_unknown, "r") as f:
4427 resp_unknown = f.read()
4428
4429 fd, fn = tempfile.mkstemp()
4430 try:
4431 # This is not really a valid order of the OCSPResponse items in the
4432 # list, but this works for now to verify parsing and processing of
4433 # multiple responses.
4434 f = os.fdopen(fd, 'w')
4435 f.write(struct.pack(">L", len(resp_unknown))[1:4])
4436 f.write(resp_unknown)
4437 f.write(struct.pack(">L", len(resp_revoked))[1:4])
4438 f.write(resp_revoked)
4439 f.write(struct.pack(">L", 0)[1:4])
4440 f.write(struct.pack(">L", len(resp_unknown))[1:4])
4441 f.write(resp_unknown)
4442 f.close()
4443
4444 params = int_eap_server_params()
4445 params["ocsp_stapling_response_multi"] = fn
8b8a1864 4446 hostapd.add_ap(apdev[0], params)
98d125ca
JM		 4447 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4448 identity="tls user", ca_cert="auth_serv/ca.pem",
4449 private_key="auth_serv/user.pkcs12",
4450 private_key_passwd="whatever", ocsp=1,
4451 wait_connect=False, scan_freq="2412")
4452 count = 0
4453 while True:
4454 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4455 "CTRL-EVENT-EAP-SUCCESS"])
4456 if ev is None:
4457 raise Exception("Timeout on EAP status")
4458 if "CTRL-EVENT-EAP-SUCCESS" in ev:
4459 raise Exception("Unexpected EAP-Success")
4460 if 'bad certificate status response' in ev:
4461 break
4462 if 'certificate revoked' in ev:
4463 break
4464 count = count + 1
4465 if count > 10:
4466 raise Exception("Unexpected number of EAP status messages")
4467 finally:
4468 os.unlink(fn)
4469
24579e70 4470def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
64e05f96 4471 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
e78eb404 4472 check_domain_match_full(dev[0])
ff7affcc 4473 check_pkcs12_support(dev[0])
64e05f96
JM		 4474 params = int_eap_server_params()
4475 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4476 params["private_key"] = "auth_serv/server-no-dnsname.key"
8b8a1864 4477 hostapd.add_ap(apdev[0], params)
64e05f96
JM		 4478 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4479 identity="tls user", ca_cert="auth_serv/ca.pem",
4480 private_key="auth_serv/user.pkcs12",
4481 private_key_passwd="whatever",
4482 domain_suffix_match="server3.w1.fi",
4483 scan_freq="2412")
24579e70 4484
061cbb25
JM		 4485def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
4486 """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
e78eb404 4487 check_domain_match(dev[0])
ff7affcc 4488 check_pkcs12_support(dev[0])
061cbb25
JM		 4489 params = int_eap_server_params()
4490 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4491 params["private_key"] = "auth_serv/server-no-dnsname.key"
8b8a1864 4492 hostapd.add_ap(apdev[0], params)
061cbb25
JM		 4493 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4494 identity="tls user", ca_cert="auth_serv/ca.pem",
4495 private_key="auth_serv/user.pkcs12",
4496 private_key_passwd="whatever",
4497 domain_match="server3.w1.fi",
4498 scan_freq="2412")
4499
24579e70
JM		 4500def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
4501 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
4502 check_domain_match_full(dev[0])
ff7affcc 4503 check_pkcs12_support(dev[0])
24579e70
JM		 4504 params = int_eap_server_params()
4505 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4506 params["private_key"] = "auth_serv/server-no-dnsname.key"
8b8a1864 4507 hostapd.add_ap(apdev[0], params)
64e05f96
JM		 4508 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4509 identity="tls user", ca_cert="auth_serv/ca.pem",
4510 private_key="auth_serv/user.pkcs12",
4511 private_key_passwd="whatever",
4512 domain_suffix_match="w1.fi",
4513 scan_freq="2412")
4514
4515def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
4516 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
e78eb404 4517 check_domain_suffix_match(dev[0])
ff7affcc 4518 check_pkcs12_support(dev[0])
64e05f96
JM		 4519 params = int_eap_server_params()
4520 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4521 params["private_key"] = "auth_serv/server-no-dnsname.key"
8b8a1864 4522 hostapd.add_ap(apdev[0], params)
64e05f96
JM		 4523 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4524 identity="tls user", ca_cert="auth_serv/ca.pem",
4525 private_key="auth_serv/user.pkcs12",
4526 private_key_passwd="whatever",
4527 domain_suffix_match="example.com",
4528 wait_connect=False,
4529 scan_freq="2412")
c61dca40
JM		 4530 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4531 identity="tls user", ca_cert="auth_serv/ca.pem",
4532 private_key="auth_serv/user.pkcs12",
4533 private_key_passwd="whatever",
4534 domain_suffix_match="erver3.w1.fi",
4535 wait_connect=False,
4536 scan_freq="2412")
64e05f96
JM		 4537 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4538 if ev is None:
4539 raise Exception("Timeout on EAP failure report")
c61dca40
JM		 4540 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4541 if ev is None:
4542 raise Exception("Timeout on EAP failure report (2)")
6a4d0dbe 4543
061cbb25
JM		 4544def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
4545 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
e78eb404 4546 check_domain_match(dev[0])
ff7affcc 4547 check_pkcs12_support(dev[0])
061cbb25
JM		 4548 params = int_eap_server_params()
4549 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4550 params["private_key"] = "auth_serv/server-no-dnsname.key"
8b8a1864 4551 hostapd.add_ap(apdev[0], params)
061cbb25
JM		 4552 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4553 identity="tls user", ca_cert="auth_serv/ca.pem",
4554 private_key="auth_serv/user.pkcs12",
4555 private_key_passwd="whatever",
4556 domain_match="example.com",
4557 wait_connect=False,
4558 scan_freq="2412")
4559 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4560 identity="tls user", ca_cert="auth_serv/ca.pem",
4561 private_key="auth_serv/user.pkcs12",
4562 private_key_passwd="whatever",
4563 domain_match="w1.fi",
4564 wait_connect=False,
4565 scan_freq="2412")
4566 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4567 if ev is None:
4568 raise Exception("Timeout on EAP failure report")
4569 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4570 if ev is None:
4571 raise Exception("Timeout on EAP failure report (2)")
4572
6a4d0dbe
JM		 4573def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
4574 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
ca158ea6 4575 skip_with_fips(dev[0])
6a4d0dbe
JM		 4576 params = int_eap_server_params()
4577 params["server_cert"] = "auth_serv/server-expired.pem"
4578 params["private_key"] = "auth_serv/server-expired.key"
8b8a1864 4579 hostapd.add_ap(apdev[0], params)
6a4d0dbe
JM		 4580 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4581 identity="mschap user", password="password",
4582 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4583 wait_connect=False,
4584 scan_freq="2412")
4585 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
4586 if ev is None:
4587 raise Exception("Timeout on EAP certificate error report")
4588 if "reason=4" not in ev or "certificate has expired" not in ev:
4589 raise Exception("Unexpected failure reason: " + ev)
4590 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4591 if ev is None:
4592 raise Exception("Timeout on EAP failure report")
4593
4594def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
4595 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
ca158ea6 4596 skip_with_fips(dev[0])
6a4d0dbe
JM		 4597 params = int_eap_server_params()
4598 params["server_cert"] = "auth_serv/server-expired.pem"
4599 params["private_key"] = "auth_serv/server-expired.key"
8b8a1864 4600 hostapd.add_ap(apdev[0], params)
6a4d0dbe
JM		 4601 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4602 identity="mschap user", password="password",
4603 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4604 phase1="tls_disable_time_checks=1",
4605 scan_freq="2412")
6ab4a7aa 4606
5748d1e5
JM		 4607def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
4608 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
ca158ea6 4609 skip_with_fips(dev[0])
5748d1e5
JM		 4610 params = int_eap_server_params()
4611 params["server_cert"] = "auth_serv/server-long-duration.pem"
4612 params["private_key"] = "auth_serv/server-long-duration.key"
8b8a1864 4613 hostapd.add_ap(apdev[0], params)
5748d1e5
JM		 4614 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4615 identity="mschap user", password="password",
4616 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4617 scan_freq="2412")
4618
6ab4a7aa
JM		 4619def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
4620 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
ca158ea6 4621 skip_with_fips(dev[0])
6ab4a7aa
JM		 4622 params = int_eap_server_params()
4623 params["server_cert"] = "auth_serv/server-eku-client.pem"
4624 params["private_key"] = "auth_serv/server-eku-client.key"
8b8a1864 4625 hostapd.add_ap(apdev[0], params)
6ab4a7aa
JM		 4626 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4627 identity="mschap user", password="password",
4628 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4629 wait_connect=False,
4630 scan_freq="2412")
4631 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4632 if ev is None:
4633 raise Exception("Timeout on EAP failure report")
242219c5 4634
14bef66d
JM		 4635def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
4636 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
ca158ea6 4637 skip_with_fips(dev[0])
14bef66d
JM		 4638 params = int_eap_server_params()
4639 params["server_cert"] = "auth_serv/server-eku-client-server.pem"
4640 params["private_key"] = "auth_serv/server-eku-client-server.key"
8b8a1864 4641 hostapd.add_ap(apdev[0], params)
14bef66d
JM		 4642 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4643 identity="mschap user", password="password",
4644 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4645 scan_freq="2412")
4646
c37b02fc
JM		 4647def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
4648 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
ca158ea6 4649 skip_with_fips(dev[0])
c37b02fc
JM		 4650 params = int_eap_server_params()
4651 del params["server_cert"]
4652 params["private_key"] = "auth_serv/server.pkcs12"
8b8a1864 4653 hostapd.add_ap(apdev[0], params)
c37b02fc
JM		 4654 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4655 identity="mschap user", password="password",
4656 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4657 scan_freq="2412")
4658
31dd3153
JM		 4659def test_ap_wpa2_eap_ttls_server_pkcs12_extra(dev, apdev):
4660 """EAP-TTLS and server PKCS#12 file with extra certs"""
4661 skip_with_fips(dev[0])
4662 params = int_eap_server_params()
4663 del params["server_cert"]
4664 params["private_key"] = "auth_serv/server-extra.pkcs12"
4665 params["private_key_passwd"] = "whatever"
8b8a1864 4666 hostapd.add_ap(apdev[0], params)
31dd3153
JM		 4667 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4668 identity="mschap user", password="password",
4669 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4670 scan_freq="2412")
4671
242219c5
JM		 4672def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
4673 """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params"""
4674 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 4675 hapd = hostapd.add_ap(apdev[0], params)
4676 eap_connect(dev[0], hapd, "TTLS", "pap user",
242219c5 4677 anonymous_identity="ttls", password="password",
ca158ea6 4678 ca_cert="auth_serv/ca.der", phase2="auth=PAP",
242219c5 4679 dh_file="auth_serv/dh.conf")
7c50093f 4680
b3ff3dec
JM		 4681def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
4682 """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
404597e6 4683 check_dh_dsa_support(dev[0])
b3ff3dec 4684 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687
JD		 4685 hapd = hostapd.add_ap(apdev[0], params)
4686 eap_connect(dev[0], hapd, "TTLS", "pap user",
b3ff3dec 4687 anonymous_identity="ttls", password="password",
ca158ea6 4688 ca_cert="auth_serv/ca.der", phase2="auth=PAP",
b3ff3dec
JM		 4689 dh_file="auth_serv/dsaparam.pem")
4690
4691def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
4692 """EAP-TTLS and DH params file not found"""
ca158ea6 4693 skip_with_fips(dev[0])
b3ff3dec 4694 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 4695 hostapd.add_ap(apdev[0], params)
b3ff3dec
JM		 4696 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4697 identity="mschap user", password="password",
4698 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4699 dh_file="auth_serv/dh-no-such-file.conf",
4700 scan_freq="2412", wait_connect=False)
4701 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4702 if ev is None:
4703 raise Exception("EAP failure timed out")
4704 dev[0].request("REMOVE_NETWORK all")
4705 dev[0].wait_disconnected()
4706
4707def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
4708 """EAP-TTLS and invalid DH params file"""
ca158ea6 4709 skip_with_fips(dev[0])
b3ff3dec 4710 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 4711 hostapd.add_ap(apdev[0], params)
b3ff3dec
JM		 4712 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4713 identity="mschap user", password="password",
4714 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4715 dh_file="auth_serv/ca.pem",
4716 scan_freq="2412", wait_connect=False)
4717 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4718 if ev is None:
4719 raise Exception("EAP failure timed out")
4720 dev[0].request("REMOVE_NETWORK all")
4721 dev[0].wait_disconnected()
4722
6ea231e6
JM		 4723def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
4724 """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob"""
4725 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687 4726 hapd = hostapd.add_ap(apdev[0], params)
768ea0bc 4727 dh = read_pem("auth_serv/dh2.conf")
6ea231e6
JM		 4728 if "OK" not in dev[0].request("SET blob dhparams " + dh.encode("hex")):
4729 raise Exception("Could not set dhparams blob")
3b3e2687 4730 eap_connect(dev[0], hapd, "TTLS", "pap user",
6ea231e6 4731 anonymous_identity="ttls", password="password",
ca158ea6 4732 ca_cert="auth_serv/ca.der", phase2="auth=PAP",
6ea231e6
JM		 4733 dh_file="blob://dhparams")
4734
768ea0bc
JM		 4735def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
4736 """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
4737 params = int_eap_server_params()
4738 params["dh_file"] = "auth_serv/dh2.conf"
3b3e2687
JD		 4739 hapd = hostapd.add_ap(apdev[0], params)
4740 eap_connect(dev[0], hapd, "TTLS", "pap user",
768ea0bc 4741 anonymous_identity="ttls", password="password",
ca158ea6 4742 ca_cert="auth_serv/ca.der", phase2="auth=PAP")
768ea0bc 4743
b3ff3dec
JM		 4744def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
4745 """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
4746 params = int_eap_server_params()
4747 params["dh_file"] = "auth_serv/dsaparam.pem"
3b3e2687
JD		 4748 hapd = hostapd.add_ap(apdev[0], params)
4749 eap_connect(dev[0], hapd, "TTLS", "pap user",
b3ff3dec 4750 anonymous_identity="ttls", password="password",
ca158ea6 4751 ca_cert="auth_serv/ca.der", phase2="auth=PAP")
b3ff3dec
JM		 4752
4753def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
4754 """EAP-TLS server and dhparams file not found"""
4755 params = int_eap_server_params()
4756 params["dh_file"] = "auth_serv/dh-no-such-file.conf"
8b8a1864 4757 hapd = hostapd.add_ap(apdev[0], params, no_enable=True)
b3ff3dec
JM		 4758 if "FAIL" not in hapd.request("ENABLE"):
4759 raise Exception("Invalid configuration accepted")
4760
4761def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
4762 """EAP-TLS server and invalid dhparams file"""
4763 params = int_eap_server_params()
4764 params["dh_file"] = "auth_serv/ca.pem"
8b8a1864 4765 hapd = hostapd.add_ap(apdev[0], params, no_enable=True)
b3ff3dec
JM		 4766 if "FAIL" not in hapd.request("ENABLE"):
4767 raise Exception("Invalid configuration accepted")
4768
7c50093f
JM		 4769def test_ap_wpa2_eap_reauth(dev, apdev):
4770 """WPA2-Enterprise and Authenticator forcing reauthentication"""
4771 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4772 params['eap_reauth_period'] = '2'
3b3e2687
JD		 4773 hapd = hostapd.add_ap(apdev[0], params)
4774 eap_connect(dev[0], hapd, "PAX", "pax.user@example.com",
7c50093f
JM		 4775 password_hex="0123456789abcdef0123456789abcdef")
4776 logger.info("Wait for reauthentication")
4777 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
4778 if ev is None:
4779 raise Exception("Timeout on reauthentication")
4780 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4781 if ev is None:
4782 raise Exception("Timeout on reauthentication")
4783 for i in range(0, 20):
4784 state = dev[0].get_status_field("wpa_state")
4785 if state == "COMPLETED":
4786 break
4787 time.sleep(0.1)
4788 if state != "COMPLETED":
4789 raise Exception("Reauthentication did not complete")
8b56743e
JM		 4790
4791def test_ap_wpa2_eap_request_identity_message(dev, apdev):
4792 """Optional displayable message in EAP Request-Identity"""
4793 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4794 params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
3b3e2687
JD		 4795 hapd = hostapd.add_ap(apdev[0], params)
4796 eap_connect(dev[0], hapd, "PAX", "pax.user@example.com",
8b56743e 4797 password_hex="0123456789abcdef0123456789abcdef")
910f16ca
JM		 4798
4799def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
4800 """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
81e787b7 4801 check_hlr_auc_gw_support()
910f16ca
JM		 4802 params = int_eap_server_params()
4803 params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
4804 params['eap_sim_aka_result_ind'] = "1"
3b3e2687 4805 hapd = hostapd.add_ap(apdev[0], params)
910f16ca 4806
3b3e2687 4807 eap_connect(dev[0], hapd, "SIM", "1232010000000000",
910f16ca
JM		 4808 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4809 phase1="result_ind=1")
4810 eap_reauth(dev[0], "SIM")
3b3e2687 4811 eap_connect(dev[1], hapd, "SIM", "1232010000000000",
910f16ca
JM		 4812 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
4813
4814 dev[0].request("REMOVE_NETWORK all")
4815 dev[1].request("REMOVE_NETWORK all")
4816
3b3e2687 4817 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
910f16ca
JM		 4818 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
4819 phase1="result_ind=1")
4820 eap_reauth(dev[0], "AKA")
3b3e2687 4821 eap_connect(dev[1], hapd, "AKA", "0232010000000000",
910f16ca
JM		 4822 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
4823
4824 dev[0].request("REMOVE_NETWORK all")
4825 dev[1].request("REMOVE_NETWORK all")
4826
3b3e2687 4827 eap_connect(dev[0], hapd, "AKA'", "6555444333222111",
910f16ca
JM		 4828 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
4829 phase1="result_ind=1")
4830 eap_reauth(dev[0], "AKA'")
3b3e2687 4831 eap_connect(dev[1], hapd, "AKA'", "6555444333222111",
910f16ca 4832 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
633e364b 4833
a8217972
JM		 4834def test_ap_wpa2_eap_sim_zero_db_timeout(dev, apdev):
4835 """WPA2-Enterprise using EAP-SIM with zero database timeout"""
4836 check_hlr_auc_gw_support()
4837 params = int_eap_server_params()
4838 params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
4839 params['eap_sim_db_timeout'] = "0"
4840 params['disable_pmksa_caching'] = '1'
4841 hapd = hostapd.add_ap(apdev[0], params)
4842
4843 # Run multiple iterations to make it more likely to hit the case where the
4844 # DB request times out and response is lost.
4845 for i in range(20):
a8217972
JM		 4846 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
4847 identity="1232010000000000",
4848 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4849 wait_connect=False, scan_freq="2412")
4850 ev = dev[0].wait_event([ "CTRL-EVENT-CONNECTED",
4851 "CTRL-EVENT-DISCONNECTED" ],
4852 timeout=15)
4853 if ev is None:
4854 raise Exception("No connection result")
4855 dev[0].request("REMOVE_NETWORK all")
4856 if "CTRL-EVENT-DISCONNECTED" in ev:
4857 break
4858 dev[0].wait_disconnected()
4859 hapd.ping()
4860
633e364b
JM		 4861def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
4862 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
ca158ea6 4863 skip_with_fips(dev[0])
633e364b 4864 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 4865 hostapd.add_ap(apdev[0], params)
633e364b
JM		 4866 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
4867 eap="TTLS", identity="mschap user",
4868 wait_connect=False, scan_freq="2412", ieee80211w="1",
4869 anonymous_identity="ttls", password="password",
4870 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
78d2233f
JM		 4871 fragment_size="8")
4872 ev = dev[0].wait_event(["EAP: more than",
4873 "CTRL-EVENT-EAP-SUCCESS"], timeout=20)
4874 if ev is None or "EAP: more than" not in ev:
633e364b 4875 raise Exception("EAP roundtrip limit not reached")
32dca985
JM		 4876
4877def test_ap_wpa2_eap_expanded_nak(dev, apdev):
4878 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
4879 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 4880 hostapd.add_ap(apdev[0], params)
32dca985
JM		 4881 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
4882 eap="PSK", identity="vendor-test",
4883 password_hex="ff23456789abcdef0123456789abcdef",
4884 wait_connect=False)
4885
4886 found = False
4887 for i in range(0, 5):
412c6030 4888 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=16)
32dca985
JM		 4889 if ev is None:
4890 raise Exception("Association and EAP start timed out")
4891 if "refuse proposed method" in ev:
4892 found = True
4893 break
4894 if not found:
4895 raise Exception("Unexpected EAP status: " + ev)
4896
4897 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4898 if ev is None:
4899 raise Exception("EAP failure timed out")
745f8771
JM		 4900
4901def test_ap_wpa2_eap_sql(dev, apdev, params):
4902 """WPA2-Enterprise connection using SQLite for user DB"""
ca158ea6 4903 skip_with_fips(dev[0])
745f8771
JM		 4904 try:
4905 import sqlite3
4906 except ImportError:
81e787b7 4907 raise HwsimSkip("No sqlite3 module available")
745f8771
JM		 4908 dbfile = os.path.join(params['logdir'], "eap-user.db")
4909 try:
4910 os.remove(dbfile)
4911 except:
4912 pass
4913 con = sqlite3.connect(dbfile)
4914 with con:
4915 cur = con.cursor()
4916 cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
4917 cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
4918 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
4919 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
4920 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
4921 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
4922 cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
4923 cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
4924
4925 try:
4926 params = int_eap_server_params()
4927 params["eap_user_file"] = "sqlite:" + dbfile
3b3e2687
JD		 4928 hapd = hostapd.add_ap(apdev[0], params)
4929 eap_connect(dev[0], hapd, "TTLS", "user-mschapv2",
745f8771
JM		 4930 anonymous_identity="ttls", password="password",
4931 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
4932 dev[0].request("REMOVE_NETWORK all")
3b3e2687 4933 eap_connect(dev[1], hapd, "TTLS", "user-mschap",
745f8771
JM		 4934 anonymous_identity="ttls", password="password",
4935 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
4936 dev[1].request("REMOVE_NETWORK all")
3b3e2687 4937 eap_connect(dev[0], hapd, "TTLS", "user-chap",
745f8771
JM		 4938 anonymous_identity="ttls", password="password",
4939 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
3b3e2687 4940 eap_connect(dev[1], hapd, "TTLS", "user-pap",
745f8771
JM		 4941 anonymous_identity="ttls", password="password",
4942 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
4943 finally:
4944 os.remove(dbfile)
b246e2af
JM		 4945
4946def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
4947 """WPA2-Enterprise connection attempt using non-ASCII identity"""
4948 params = int_eap_server_params()
8b8a1864 4949 hostapd.add_ap(apdev[0], params)
b246e2af
JM		 4950 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4951 identity="\x80", password="password", wait_connect=False)
4952 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4953 identity="a\x80", password="password", wait_connect=False)
4954 for i in range(0, 2):
412c6030 4955 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
b246e2af
JM		 4956 if ev is None:
4957 raise Exception("Association and EAP start timed out")
4958 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
4959 if ev is None:
4960 raise Exception("EAP method selection timed out")
4961
4962def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
4963 """WPA2-Enterprise connection attempt using non-ASCII identity"""
4964 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 4965 hostapd.add_ap(apdev[0], params)
b246e2af
JM		 4966 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4967 identity="\x80", password="password", wait_connect=False)
4968 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4969 identity="a\x80", password="password", wait_connect=False)
4970 for i in range(0, 2):
412c6030 4971 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
b246e2af
JM		 4972 if ev is None:
4973 raise Exception("Association and EAP start timed out")
4974 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
4975 if ev is None:
4976 raise Exception("EAP method selection timed out")
89f20842
JM		 4977
4978def test_openssl_cipher_suite_config_wpas(dev, apdev):
4979 """OpenSSL cipher suite configuration on wpa_supplicant"""
a783340d
JM		 4980 tls = dev[0].request("GET tls_library")
4981 if not tls.startswith("OpenSSL"):
4982 raise HwsimSkip("TLS library is not OpenSSL: " + tls)
89f20842 4983 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 4984 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 4985 eap_connect(dev[0], hapd, "TTLS", "pap user",
89f20842
JM		 4986 anonymous_identity="ttls", password="password",
4987 openssl_ciphers="AES128",
4988 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3b3e2687 4989 eap_connect(dev[1], hapd, "TTLS", "pap user",
89f20842
JM		 4990 anonymous_identity="ttls", password="password",
4991 openssl_ciphers="EXPORT",
4992 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
9dd21d51 4993 expect_failure=True, maybe_local_error=True)
7be5ec99
JM		 4994 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4995 identity="pap user", anonymous_identity="ttls",
4996 password="password",
4997 openssl_ciphers="FOO",
4998 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
4999 wait_connect=False)
5000 ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
5001 if ev is None:
5002 raise Exception("EAP failure after invalid openssl_ciphers not reported")
5003 dev[2].request("DISCONNECT")
89f20842
JM		 5004
5005def test_openssl_cipher_suite_config_hapd(dev, apdev):
5006 """OpenSSL cipher suite configuration on hostapd"""
a783340d
JM		 5007 tls = dev[0].request("GET tls_library")
5008 if not tls.startswith("OpenSSL"):
5009 raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls)
89f20842
JM		 5010 params = int_eap_server_params()
5011 params['openssl_ciphers'] = "AES256"
8b8a1864 5012 hapd = hostapd.add_ap(apdev[0], params)
a783340d
JM		 5013 tls = hapd.request("GET tls_library")
5014 if not tls.startswith("OpenSSL"):
5015 raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)
3b3e2687 5016 eap_connect(dev[0], hapd, "TTLS", "pap user",
89f20842
JM		 5017 anonymous_identity="ttls", password="password",
5018 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3b3e2687 5019 eap_connect(dev[1], hapd, "TTLS", "pap user",
89f20842
JM		 5020 anonymous_identity="ttls", password="password",
5021 openssl_ciphers="AES128",
5022 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
5023 expect_failure=True)
3b3e2687 5024 eap_connect(dev[2], hapd, "TTLS", "pap user",
89f20842
JM		 5025 anonymous_identity="ttls", password="password",
5026 openssl_ciphers="HIGH:!ADH",
5027 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
5b3c40a6 5028
7be5ec99 5029 params['openssl_ciphers'] = "FOO"
8b8a1864 5030 hapd2 = hostapd.add_ap(apdev[1], params, no_enable=True)
7be5ec99 5031 if "FAIL" not in hapd2.request("ENABLE"):
0d34c13a
JM		 5032 if "run=OpenSSL 1.1.1" in tls:
5033 logger.info("Ignore acceptance of an invalid openssl_ciphers value with OpenSSL 1.1.1")
5034 else:
5035 raise Exception("Invalid openssl_ciphers value accepted")
7be5ec99 5036
5b3c40a6
JM		 5037def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
5038 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
5039 p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 5040 hapd = hostapd.add_ap(apdev[0], p)
5b3c40a6
JM		 5041 password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
5042 pid = find_wpas_process(dev[0])
3b3e2687 5043 id = eap_connect(dev[0], hapd, "TTLS", "pap-secret",
5b3c40a6
JM		 5044 anonymous_identity="ttls", password=password,
5045 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
8e416cec
JM		 5046 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
5047 # event has been delivered, so verify that wpa_supplicant has returned to
5048 # eloop before reading process memory.
54f2cae2 5049 time.sleep(1)
8e416cec 5050 dev[0].ping()
5b3c40a6
JM		 5051 buf = read_process_memory(pid, password)
5052
5053 dev[0].request("DISCONNECT")
5054 dev[0].wait_disconnected()
5055
5056 dev[0].relog()
750904dd
JM		 5057 msk = None
5058 emsk = None
5b3c40a6
JM		 5059 pmk = None
5060 ptk = None
5061 gtk = None
5062 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
5063 for l in f.readlines():
750904dd
JM		 5064 if "EAP-TTLS: Derived key - hexdump" in l:
5065 val = l.strip().split(':')[3].replace(' ', '')
5066 msk = binascii.unhexlify(val)
5067 if "EAP-TTLS: Derived EMSK - hexdump" in l:
5068 val = l.strip().split(':')[3].replace(' ', '')
5069 emsk = binascii.unhexlify(val)
5b3c40a6
JM		 5070 if "WPA: PMK - hexdump" in l:
5071 val = l.strip().split(':')[3].replace(' ', '')
5072 pmk = binascii.unhexlify(val)
5073 if "WPA: PTK - hexdump" in l:
5074 val = l.strip().split(':')[3].replace(' ', '')
5075 ptk = binascii.unhexlify(val)
5076 if "WPA: Group Key - hexdump" in l:
5077 val = l.strip().split(':')[3].replace(' ', '')
5078 gtk = binascii.unhexlify(val)
750904dd 5079 if not msk or not emsk or not pmk or not ptk or not gtk:
5b3c40a6
JM		 5080 raise Exception("Could not find keys from debug log")
5081 if len(gtk) != 16:
5082 raise Exception("Unexpected GTK length")
5083
5084 kck = ptk[0:16]
5085 kek = ptk[16:32]
5086 tk = ptk[32:48]
5087
5088 fname = os.path.join(params['logdir'],
5089 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
5090
5091 logger.info("Checking keys in memory while associated")
5092 get_key_locations(buf, password, "Password")
5093 get_key_locations(buf, pmk, "PMK")
750904dd
JM		 5094 get_key_locations(buf, msk, "MSK")
5095 get_key_locations(buf, emsk, "EMSK")
5b3c40a6 5096 if password not in buf:
81e787b7 5097 raise HwsimSkip("Password not found while associated")
5b3c40a6 5098 if pmk not in buf:
81e787b7 5099 raise HwsimSkip("PMK not found while associated")
5b3c40a6
JM		 5100 if kck not in buf:
5101 raise Exception("KCK not found while associated")
5102 if kek not in buf:
5103 raise Exception("KEK not found while associated")
b74f82a4
JM		 5104 #if tk in buf:
5105 # raise Exception("TK found from memory")
5b3c40a6
JM		 5106
5107 logger.info("Checking keys in memory after disassociation")
5108 buf = read_process_memory(pid, password)
5109
5110 # Note: Password is still present in network configuration
5111 # Note: PMK is in PMKSA cache and EAP fast re-auth data
5112
5113 get_key_locations(buf, password, "Password")
5114 get_key_locations(buf, pmk, "PMK")
750904dd
JM		 5115 get_key_locations(buf, msk, "MSK")
5116 get_key_locations(buf, emsk, "EMSK")
5b3c40a6
JM		 5117 verify_not_present(buf, kck, fname, "KCK")
5118 verify_not_present(buf, kek, fname, "KEK")
5119 verify_not_present(buf, tk, fname, "TK")
6db556b2
JM		 5120 if gtk in buf:
5121 get_key_locations(buf, gtk, "GTK")
5b3c40a6
JM		 5122 verify_not_present(buf, gtk, fname, "GTK")
5123
5124 dev[0].request("PMKSA_FLUSH")
5125 dev[0].set_network_quoted(id, "identity", "foo")
5126 logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
5127 buf = read_process_memory(pid, password)
5128 get_key_locations(buf, password, "Password")
5129 get_key_locations(buf, pmk, "PMK")
750904dd
JM		 5130 get_key_locations(buf, msk, "MSK")
5131 get_key_locations(buf, emsk, "EMSK")
5b3c40a6
JM		 5132 verify_not_present(buf, pmk, fname, "PMK")
5133
5134 dev[0].request("REMOVE_NETWORK all")
5135
5136 logger.info("Checking keys in memory after network profile removal")
5137 buf = read_process_memory(pid, password)
5138
5139 get_key_locations(buf, password, "Password")
5140 get_key_locations(buf, pmk, "PMK")
750904dd
JM		 5141 get_key_locations(buf, msk, "MSK")
5142 get_key_locations(buf, emsk, "EMSK")
5b3c40a6
JM		 5143 verify_not_present(buf, password, fname, "password")
5144 verify_not_present(buf, pmk, fname, "PMK")
5145 verify_not_present(buf, kck, fname, "KCK")
5146 verify_not_present(buf, kek, fname, "KEK")
5147 verify_not_present(buf, tk, fname, "TK")
5148 verify_not_present(buf, gtk, fname, "GTK")
750904dd
JM		 5149 verify_not_present(buf, msk, fname, "MSK")
5150 verify_not_present(buf, emsk, fname, "EMSK")
a08fdb17
JM		 5151
5152def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
5153 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
5154 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 5155 hapd = hostapd.add_ap(apdev[0], params)
a08fdb17 5156 bssid = apdev[0]['bssid']
3b3e2687 5157 eap_connect(dev[0], hapd, "TTLS", "pap user",
a08fdb17
JM		 5158 anonymous_identity="ttls", password="password",
5159 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
5160
5161 # Send unexpected WEP EAPOL-Key; this gets dropped
5162 res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
5163 if "OK" not in res:
5164 raise Exception("EAPOL_RX to wpa_supplicant failed")
52352802
JM		 5165
5166def test_ap_wpa2_eap_in_bridge(dev, apdev):
5167 """WPA2-EAP and wpas interface in a bridge"""
5168 br_ifname='sta-br0'
5169 ifname='wlan5'
5170 try:
5171 _test_ap_wpa2_eap_in_bridge(dev, apdev)
5172 finally:
5173 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
5174 subprocess.call(['brctl', 'delif', br_ifname, ifname])
5175 subprocess.call(['brctl', 'delbr', br_ifname])
5176 subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
5177
5178def _test_ap_wpa2_eap_in_bridge(dev, apdev):
5179 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 5180 hapd = hostapd.add_ap(apdev[0], params)
52352802
JM		 5181
5182 br_ifname='sta-br0'
5183 ifname='wlan5'
5184 wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
5185 subprocess.call(['brctl', 'addbr', br_ifname])
5186 subprocess.call(['brctl', 'setfd', br_ifname, '0'])
5187 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
5188 subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
5189 subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
5190 wpas.interface_add(ifname, br_ifname=br_ifname)
4b9d79b6 5191 wpas.dump_monitor()
52352802 5192
3b3e2687 5193 id = eap_connect(wpas, hapd, "PAX", "pax.user@example.com",
52352802 5194 password_hex="0123456789abcdef0123456789abcdef")
4b9d79b6 5195 wpas.dump_monitor()
52352802 5196 eap_reauth(wpas, "PAX")
4b9d79b6 5197 wpas.dump_monitor()
52352802
JM		 5198 # Try again as a regression test for packet socket workaround
5199 eap_reauth(wpas, "PAX")
4b9d79b6 5200 wpas.dump_monitor()
52352802
JM		 5201 wpas.request("DISCONNECT")
5202 wpas.wait_disconnected()
4b9d79b6 5203 wpas.dump_monitor()
52352802
JM		 5204 wpas.request("RECONNECT")
5205 wpas.wait_connected()
4b9d79b6 5206 wpas.dump_monitor()
febf5752
JM		 5207
5208def test_ap_wpa2_eap_session_ticket(dev, apdev):
5209 """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
5210 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 5211 hapd = hostapd.add_ap(apdev[0], params)
febf5752
JM		 5212 key_mgmt = hapd.get_config()['key_mgmt']
5213 if key_mgmt.split(' ')[0] != "WPA-EAP":
5214 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
3b3e2687 5215 eap_connect(dev[0], hapd, "TTLS", "pap user",
febf5752
JM		 5216 anonymous_identity="ttls", password="password",
5217 ca_cert="auth_serv/ca.pem",
5218 phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
5219 eap_reauth(dev[0], "TTLS")
5220
5221def test_ap_wpa2_eap_no_workaround(dev, apdev):
5222 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
5223 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 5224 hapd = hostapd.add_ap(apdev[0], params)
febf5752
JM		 5225 key_mgmt = hapd.get_config()['key_mgmt']
5226 if key_mgmt.split(' ')[0] != "WPA-EAP":
5227 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
3b3e2687 5228 eap_connect(dev[0], hapd, "TTLS", "pap user",
febf5752
JM		 5229 anonymous_identity="ttls", password="password",
5230 ca_cert="auth_serv/ca.pem", eap_workaround='0',
5231 phase2="auth=PAP")
5232 eap_reauth(dev[0], "TTLS")
b197a819
JM		 5233
5234def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
5235 """EAP-TLS and server checking CRL"""
5236 params = int_eap_server_params()
5237 params['check_crl'] = '1'
8b8a1864 5238 hapd = hostapd.add_ap(apdev[0], params)
b197a819
JM		 5239
5240 # check_crl=1 and no CRL available --> reject connection
3b3e2687 5241 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
b197a819
JM		 5242 client_cert="auth_serv/user.pem",
5243 private_key="auth_serv/user.key", expect_failure=True)
5244 dev[0].request("REMOVE_NETWORK all")
5245
5246 hapd.disable()
5247 hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
5248 hapd.enable()
5249
5250 # check_crl=1 and valid CRL --> accept
3b3e2687 5251 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
b197a819
JM		 5252 client_cert="auth_serv/user.pem",
5253 private_key="auth_serv/user.key")
5254 dev[0].request("REMOVE_NETWORK all")
5255
5256 hapd.disable()
5257 hapd.set("check_crl", "2")
5258 hapd.enable()
5259
5260 # check_crl=2 and valid CRL --> accept
3b3e2687 5261 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
b197a819
JM		 5262 client_cert="auth_serv/user.pem",
5263 private_key="auth_serv/user.key")
5264 dev[0].request("REMOVE_NETWORK all")
b1fb4275
JM		 5265
5266def test_ap_wpa2_eap_tls_oom(dev, apdev):
5267 """EAP-TLS and OOM"""
5268 check_subject_match_support(dev[0])
5269 check_altsubject_match_support(dev[0])
e78eb404 5270 check_domain_match(dev[0])
b1fb4275
JM		 5271 check_domain_match_full(dev[0])
5272
5273 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 5274 hostapd.add_ap(apdev[0], params)
b1fb4275
JM		 5275
5276 tests = [ (1, "tls_connection_set_subject_match"),
5277 (2, "tls_connection_set_subject_match"),
5278 (3, "tls_connection_set_subject_match"),
5279 (4, "tls_connection_set_subject_match") ]
5280 for count, func in tests:
5281 with alloc_fail(dev[0], count, func):
5282 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5283 identity="tls user", ca_cert="auth_serv/ca.pem",
5284 client_cert="auth_serv/user.pem",
5285 private_key="auth_serv/user.key",
5286 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
5287 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
5288 domain_suffix_match="server.w1.fi",
5289 domain_match="server.w1.fi",
5290 wait_connect=False, scan_freq="2412")
5291 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
5292 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
5293 if ev is None:
5294 raise Exception("No passphrase request")
5295 dev[0].request("REMOVE_NETWORK all")
5296 dev[0].wait_disconnected()
405c621c
JM		 5297
5298def test_ap_wpa2_eap_tls_macacl(dev, apdev):
5299 """WPA2-Enterprise connection using MAC ACL"""
5300 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5301 params["macaddr_acl"] = "2"
3b3e2687
JD		 5302 hapd = hostapd.add_ap(apdev[0], params)
5303 eap_connect(dev[1], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
405c621c
JM		 5304 client_cert="auth_serv/user.pem",
5305 private_key="auth_serv/user.key")
85774b70
JM		 5306
5307def test_ap_wpa2_eap_oom(dev, apdev):
5308 """EAP server and OOM"""
5309 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 5310 hapd = hostapd.add_ap(apdev[0], params)
85774b70
JM		 5311 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
5312
5313 with alloc_fail(hapd, 1, "eapol_auth_alloc"):
5314 # The first attempt fails, but STA will send EAPOL-Start to retry and
5315 # that succeeds.
5316 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5317 identity="tls user", ca_cert="auth_serv/ca.pem",
5318 client_cert="auth_serv/user.pem",
5319 private_key="auth_serv/user.key",
5320 scan_freq="2412")
6c4b5da4 5321
3b3e2687
JD		 5322def check_tls_ver(dev, hapd, phase1, expected):
5323 eap_connect(dev, hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
6c4b5da4
JM		 5324 client_cert="auth_serv/user.pem",
5325 private_key="auth_serv/user.key",
5326 phase1=phase1)
5327 ver = dev.get_status_field("eap_tls_version")
5328 if ver != expected:
5329 raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
5330
5331def test_ap_wpa2_eap_tls_versions(dev, apdev):
5332 """EAP-TLS and TLS version configuration"""
5333 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3b3e2687 5334 hapd = hostapd.add_ap(apdev[0], params)
6c4b5da4
JM		 5335
5336 tls = dev[0].request("GET tls_library")
5337 if tls.startswith("OpenSSL"):
41d5af55 5338 if "build=OpenSSL 1.0.1" not in tls and "run=OpenSSL 1.0.1" not in tls:
3b3e2687 5339 check_tls_ver(dev[0], hapd,
6c4b5da4
JM		 5340 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
5341 "TLSv1.2")
d8003dcb
SP		 5342 if tls.startswith("wolfSSL"):
5343 if ("build=3.10.0" in tls and "run=3.10.0" in tls) or \
5344 ("build=3.13.0" in tls and "run=3.13.0" in tls):
5345 check_tls_ver(dev[0], hapd,
5346 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
5347 "TLSv1.2")
2286578f 5348 elif tls.startswith("internal"):
3b3e2687 5349 check_tls_ver(dev[0], hapd,
2286578f 5350 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
3b3e2687 5351 check_tls_ver(dev[1], hapd,
6c4b5da4 5352 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
3b3e2687 5353 check_tls_ver(dev[2], hapd,
6c4b5da4 5354 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
832b736f
JM		 5355 if "run=OpenSSL 1.1.1" in tls:
5356 check_tls_ver(dev[0], hapd,
5357 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0", "TLSv1.3")
ecafa0cf
JM		 5358
5359def test_rsn_ie_proto_eap_sta(dev, apdev):
5360 """RSN element protocol testing for EAP cases on STA side"""
5361 bssid = apdev[0]['bssid']
5362 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5363 # This is the RSN element used normally by hostapd
5364 params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
8b8a1864 5365 hapd = hostapd.add_ap(apdev[0], params)
ecafa0cf
JM		 5366 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
5367 identity="gpsk user",
5368 password="abcdefghijklmnop0123456789abcdef",
5369 scan_freq="2412")
5370
5371 tests = [ ('No RSN Capabilities field',
5372 '30120100000fac040100000fac040100000fac01'),
5373 ('No AKM Suite fields',
5374 '300c0100000fac040100000fac04'),
5375 ('No Pairwise Cipher Suite fields',
5376 '30060100000fac04'),
5377 ('No Group Data Cipher Suite field',
5378 '30020100') ]
5379 for txt,ie in tests:
5380 dev[0].request("DISCONNECT")
5381 dev[0].wait_disconnected()
5382 logger.info(txt)
5383 hapd.disable()
5384 hapd.set('own_ie_override', ie)
5385 hapd.enable()
5386 dev[0].request("BSS_FLUSH 0")
5387 dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
5388 dev[0].select_network(id, freq=2412)
5389 dev[0].wait_connected()
f9dd43ea 5390
9353f07f
JM		 5391 dev[0].request("DISCONNECT")
5392 dev[0].wait_disconnected()
5393 dev[0].flush_scan_cache()
5394
f9dd43ea
JM		 5395def check_tls_session_resumption_capa(dev, hapd):
5396 tls = hapd.request("GET tls_library")
5397 if not tls.startswith("OpenSSL"):
d8003dcb 5398 raise HwsimSkip("hostapd TLS library is not OpenSSL or wolfSSL: " + tls)
f9dd43ea
JM		 5399
5400 tls = dev.request("GET tls_library")
5401 if not tls.startswith("OpenSSL"):
5402 raise HwsimSkip("Session resumption not supported with this TLS library: " + tls)
5403
5404def test_eap_ttls_pap_session_resumption(dev, apdev):
5405 """EAP-TTLS/PAP session resumption"""
5406 params = int_eap_server_params()
5407 params['tls_session_lifetime'] = '60'
8b8a1864 5408 hapd = hostapd.add_ap(apdev[0], params)
f9dd43ea 5409 check_tls_session_resumption_capa(dev[0], hapd)
3b3e2687 5410 eap_connect(dev[0], hapd, "TTLS", "pap user",
f9dd43ea
JM		 5411 anonymous_identity="ttls", password="password",
5412 ca_cert="auth_serv/ca.pem", eap_workaround='0',
5413 phase2="auth=PAP")
5414 if dev[0].get_status_field("tls_session_reused") != '0':
5415 raise Exception("Unexpected session resumption on the first connection")
5416
5417 dev[0].request("REAUTHENTICATE")
5418 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5419 if ev is None:
5420 raise Exception("EAP success timed out")
5421 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5422 if ev is None:
5423 raise Exception("Key handshake with the AP timed out")
5424 if dev[0].get_status_field("tls_session_reused") != '1':
5425 raise Exception("Session resumption not used on the second connection")
5426
5427def test_eap_ttls_chap_session_resumption(dev, apdev):
5428 """EAP-TTLS/CHAP session resumption"""
5429 params = int_eap_server_params()
5430 params['tls_session_lifetime'] = '60'
8b8a1864 5431 hapd = hostapd.add_ap(apdev[0], params)
f9dd43ea 5432 check_tls_session_resumption_capa(dev[0], hapd)
3b3e2687 5433 eap_connect(dev[0], hapd, "TTLS", "chap user",
f9dd43ea
JM		 5434 anonymous_identity="ttls", password="password",
5435 ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
5436 if dev[0].get_status_field("tls_session_reused") != '0':
5437 raise Exception("Unexpected session resumption on the first connection")
5438
5439 dev[0].request("REAUTHENTICATE")
5440 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5441 if ev is None:
5442 raise Exception("EAP success timed out")
5443 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5444 if ev is None:
5445 raise Exception("Key handshake with the AP timed out")
5446 if dev[0].get_status_field("tls_session_reused") != '1':
5447 raise Exception("Session resumption not used on the second connection")
5448
5449def test_eap_ttls_mschap_session_resumption(dev, apdev):
5450 """EAP-TTLS/MSCHAP session resumption"""
e78eb404 5451 check_domain_suffix_match(dev[0])
f9dd43ea
JM		 5452 params = int_eap_server_params()
5453 params['tls_session_lifetime'] = '60'
8b8a1864 5454 hapd = hostapd.add_ap(apdev[0], params)
f9dd43ea 5455 check_tls_session_resumption_capa(dev[0], hapd)
3b3e2687 5456 eap_connect(dev[0], hapd, "TTLS", "mschap user",
f9dd43ea
JM		 5457 anonymous_identity="ttls", password="password",
5458 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
5459 domain_suffix_match="server.w1.fi")
5460 if dev[0].get_status_field("tls_session_reused") != '0':
5461 raise Exception("Unexpected session resumption on the first connection")
5462
5463 dev[0].request("REAUTHENTICATE")
5464 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5465 if ev is None:
5466 raise Exception("EAP success timed out")
5467 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5468 if ev is None:
5469 raise Exception("Key handshake with the AP timed out")
5470 if dev[0].get_status_field("tls_session_reused") != '1':
5471 raise Exception("Session resumption not used on the second connection")
5472
5473def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
5474 """EAP-TTLS/MSCHAPv2 session resumption"""
e78eb404 5475 check_domain_suffix_match(dev[0])
f9dd43ea
JM		 5476 check_eap_capa(dev[0], "MSCHAPV2")
5477 params = int_eap_server_params()
5478 params['tls_session_lifetime'] = '60'
8b8a1864 5479 hapd = hostapd.add_ap(apdev[0], params)
f9dd43ea 5480 check_tls_session_resumption_capa(dev[0], hapd)
3b3e2687 5481 eap_connect(dev[0], hapd, "TTLS", "DOMAIN\mschapv2 user",
f9dd43ea
JM		 5482 anonymous_identity="ttls", password="password",
5483 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
5484 domain_suffix_match="server.w1.fi")
5485 if dev[0].get_status_field("tls_session_reused") != '0':
5486 raise Exception("Unexpected session resumption on the first connection")
5487
5488 dev[0].request("REAUTHENTICATE")
5489 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5490 if ev is None:
5491 raise Exception("EAP success timed out")
5492 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5493 if ev is None:
5494 raise Exception("Key handshake with the AP timed out")
5495 if dev[0].get_status_field("tls_session_reused") != '1':
5496 raise Exception("Session resumption not used on the second connection")
5497
5498def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
5499 """EAP-TTLS/EAP-GTC session resumption"""
5500 params = int_eap_server_params()
5501 params['tls_session_lifetime'] = '60'
8b8a1864 5502 hapd = hostapd.add_ap(apdev[0], params)
f9dd43ea 5503 check_tls_session_resumption_capa(dev[0], hapd)
3b3e2687 5504 eap_connect(dev[0], hapd, "TTLS", "user",
f9dd43ea
JM		 5505 anonymous_identity="ttls", password="password",
5506 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
5507 if dev[0].get_status_field("tls_session_reused") != '0':
5508 raise Exception("Unexpected session resumption on the first connection")
5509
5510 dev[0].request("REAUTHENTICATE")
5511 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5512 if ev is None:
5513 raise Exception("EAP success timed out")
5514 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5515 if ev is None:
5516 raise Exception("Key handshake with the AP timed out")
5517 if dev[0].get_status_field("tls_session_reused") != '1':
5518 raise Exception("Session resumption not used on the second connection")
5519
5520def test_eap_ttls_no_session_resumption(dev, apdev):
5521 """EAP-TTLS session resumption disabled on server"""
5522 params = int_eap_server_params()
5523 params['tls_session_lifetime'] = '0'
8b8a1864 5524 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 5525 eap_connect(dev[0], hapd, "TTLS", "pap user",
f9dd43ea
JM		 5526 anonymous_identity="ttls", password="password",
5527 ca_cert="auth_serv/ca.pem", eap_workaround='0',
5528 phase2="auth=PAP")
5529 if dev[0].get_status_field("tls_session_reused") != '0':
5530 raise Exception("Unexpected session resumption on the first connection")
5531
5532 dev[0].request("REAUTHENTICATE")
5533 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5534 if ev is None:
5535 raise Exception("EAP success timed out")
5536 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5537 if ev is None:
5538 raise Exception("Key handshake with the AP timed out")
5539 if dev[0].get_status_field("tls_session_reused") != '0':
5540 raise Exception("Unexpected session resumption on the second connection")
5541
5542def test_eap_peap_session_resumption(dev, apdev):
5543 """EAP-PEAP session resumption"""
ead550b9 5544 check_eap_capa(dev[0], "MSCHAPV2")
f9dd43ea
JM		 5545 params = int_eap_server_params()
5546 params['tls_session_lifetime'] = '60'
8b8a1864 5547 hapd = hostapd.add_ap(apdev[0], params)
f9dd43ea 5548 check_tls_session_resumption_capa(dev[0], hapd)
3b3e2687 5549 eap_connect(dev[0], hapd, "PEAP", "user",
f9dd43ea
JM		 5550 anonymous_identity="peap", password="password",
5551 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
5552 if dev[0].get_status_field("tls_session_reused") != '0':
5553 raise Exception("Unexpected session resumption on the first connection")
5554
5555 dev[0].request("REAUTHENTICATE")
5556 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5557 if ev is None:
5558 raise Exception("EAP success timed out")
5559 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5560 if ev is None:
5561 raise Exception("Key handshake with the AP timed out")
5562 if dev[0].get_status_field("tls_session_reused") != '1':
5563 raise Exception("Session resumption not used on the second connection")
5564
81e1ab85
JM		 5565def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
5566 """EAP-PEAP session resumption with crypto binding"""
5567 params = int_eap_server_params()
5568 params['tls_session_lifetime'] = '60'
8b8a1864 5569 hapd = hostapd.add_ap(apdev[0], params)
81e1ab85 5570 check_tls_session_resumption_capa(dev[0], hapd)
3b3e2687 5571 eap_connect(dev[0], hapd, "PEAP", "user",
81e1ab85
JM		 5572 anonymous_identity="peap", password="password",
5573 phase1="peapver=0 crypto_binding=2",
5574 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
5575 if dev[0].get_status_field("tls_session_reused") != '0':
5576 raise Exception("Unexpected session resumption on the first connection")
5577
5578 dev[0].request("REAUTHENTICATE")
5579 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5580 if ev is None:
5581 raise Exception("EAP success timed out")
5582 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5583 if ev is None:
5584 raise Exception("Key handshake with the AP timed out")
5585 if dev[0].get_status_field("tls_session_reused") != '1':
5586 raise Exception("Session resumption not used on the second connection")
5587
f9dd43ea
JM		 5588def test_eap_peap_no_session_resumption(dev, apdev):
5589 """EAP-PEAP session resumption disabled on server"""
5590 params = int_eap_server_params()
8b8a1864 5591 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 5592 eap_connect(dev[0], hapd, "PEAP", "user",
f9dd43ea
JM		 5593 anonymous_identity="peap", password="password",
5594 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
5595 if dev[0].get_status_field("tls_session_reused") != '0':
5596 raise Exception("Unexpected session resumption on the first connection")
5597
5598 dev[0].request("REAUTHENTICATE")
5599 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5600 if ev is None:
5601 raise Exception("EAP success timed out")
5602 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5603 if ev is None:
5604 raise Exception("Key handshake with the AP timed out")
5605 if dev[0].get_status_field("tls_session_reused") != '0':
5606 raise Exception("Unexpected session resumption on the second connection")
5607
5608def test_eap_tls_session_resumption(dev, apdev):
5609 """EAP-TLS session resumption"""
5610 params = int_eap_server_params()
5611 params['tls_session_lifetime'] = '60'
8b8a1864 5612 hapd = hostapd.add_ap(apdev[0], params)
f9dd43ea 5613 check_tls_session_resumption_capa(dev[0], hapd)
3b3e2687 5614 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
f9dd43ea
JM		 5615 client_cert="auth_serv/user.pem",
5616 private_key="auth_serv/user.key")
5617 if dev[0].get_status_field("tls_session_reused") != '0':
5618 raise Exception("Unexpected session resumption on the first connection")
5619
5620 dev[0].request("REAUTHENTICATE")
5621 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5622 if ev is None:
5623 raise Exception("EAP success timed out")
5624 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5625 if ev is None:
5626 raise Exception("Key handshake with the AP timed out")
5627 if dev[0].get_status_field("tls_session_reused") != '1':
5628 raise Exception("Session resumption not used on the second connection")
5629
5630 dev[0].request("REAUTHENTICATE")
5631 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5632 if ev is None:
5633 raise Exception("EAP success timed out")
5634 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5635 if ev is None:
5636 raise Exception("Key handshake with the AP timed out")
5637 if dev[0].get_status_field("tls_session_reused") != '1':
5638 raise Exception("Session resumption not used on the third connection")
5639
5640def test_eap_tls_session_resumption_expiration(dev, apdev):
5641 """EAP-TLS session resumption"""
5642 params = int_eap_server_params()
5643 params['tls_session_lifetime'] = '1'
8b8a1864 5644 hapd = hostapd.add_ap(apdev[0], params)
f9dd43ea 5645 check_tls_session_resumption_capa(dev[0], hapd)
3b3e2687 5646 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
f9dd43ea
JM		 5647 client_cert="auth_serv/user.pem",
5648 private_key="auth_serv/user.key")
5649 if dev[0].get_status_field("tls_session_reused") != '0':
5650 raise Exception("Unexpected session resumption on the first connection")
5651
5652 # Allow multiple attempts since OpenSSL may not expire the cached entry
5653 # immediately.
5654 for i in range(10):
5655 time.sleep(1.2)
5656
5657 dev[0].request("REAUTHENTICATE")
5658 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5659 if ev is None:
5660 raise Exception("EAP success timed out")
5661 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5662 if ev is None:
5663 raise Exception("Key handshake with the AP timed out")
5664 if dev[0].get_status_field("tls_session_reused") == '0':
5665 break
5666 if dev[0].get_status_field("tls_session_reused") != '0':
5667 raise Exception("Session resumption used after lifetime expiration")
5668
5669def test_eap_tls_no_session_resumption(dev, apdev):
5670 """EAP-TLS session resumption disabled on server"""
5671 params = int_eap_server_params()
8b8a1864 5672 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 5673 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
f9dd43ea
JM		 5674 client_cert="auth_serv/user.pem",
5675 private_key="auth_serv/user.key")
5676 if dev[0].get_status_field("tls_session_reused") != '0':
5677 raise Exception("Unexpected session resumption on the first connection")
5678
5679 dev[0].request("REAUTHENTICATE")
5680 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5681 if ev is None:
5682 raise Exception("EAP success timed out")
5683 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5684 if ev is None:
5685 raise Exception("Key handshake with the AP timed out")
5686 if dev[0].get_status_field("tls_session_reused") != '0':
5687 raise Exception("Unexpected session resumption on the second connection")
5688
5689def test_eap_tls_session_resumption_radius(dev, apdev):
5690 """EAP-TLS session resumption (RADIUS)"""
5691 params = { "ssid": "as", "beacon_int": "2000",
5692 "radius_server_clients": "auth_serv/radius_clients.conf",
5693 "radius_server_auth_port": '18128',
5694 "eap_server": "1",
5695 "eap_user_file": "auth_serv/eap_user.conf",
5696 "ca_cert": "auth_serv/ca.pem",
5697 "server_cert": "auth_serv/server.pem",
5698 "private_key": "auth_serv/server.key",
5699 "tls_session_lifetime": "60" }
8b8a1864 5700 authsrv = hostapd.add_ap(apdev[1], params)
f9dd43ea
JM		 5701 check_tls_session_resumption_capa(dev[0], authsrv)
5702
5703 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5704 params['auth_server_port'] = "18128"
8b8a1864 5705 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 5706 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
f9dd43ea
JM		 5707 client_cert="auth_serv/user.pem",
5708 private_key="auth_serv/user.key")
5709 if dev[0].get_status_field("tls_session_reused") != '0':
5710 raise Exception("Unexpected session resumption on the first connection")
5711
5712 dev[0].request("REAUTHENTICATE")
5713 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5714 if ev is None:
5715 raise Exception("EAP success timed out")
5716 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5717 if ev is None:
5718 raise Exception("Key handshake with the AP timed out")
5719 if dev[0].get_status_field("tls_session_reused") != '1':
5720 raise Exception("Session resumption not used on the second connection")
5721
5722def test_eap_tls_no_session_resumption_radius(dev, apdev):
5723 """EAP-TLS session resumption disabled (RADIUS)"""
5724 params = { "ssid": "as", "beacon_int": "2000",
5725 "radius_server_clients": "auth_serv/radius_clients.conf",
5726 "radius_server_auth_port": '18128',
5727 "eap_server": "1",
5728 "eap_user_file": "auth_serv/eap_user.conf",
5729 "ca_cert": "auth_serv/ca.pem",
5730 "server_cert": "auth_serv/server.pem",
5731 "private_key": "auth_serv/server.key",
5732 "tls_session_lifetime": "0" }
8b8a1864 5733 hostapd.add_ap(apdev[1], params)
f9dd43ea
JM		 5734
5735 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5736 params['auth_server_port'] = "18128"
8b8a1864 5737 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 5738 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
f9dd43ea
JM		 5739 client_cert="auth_serv/user.pem",
5740 private_key="auth_serv/user.key")
5741 if dev[0].get_status_field("tls_session_reused") != '0':
5742 raise Exception("Unexpected session resumption on the first connection")
5743
5744 dev[0].request("REAUTHENTICATE")
5745 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5746 if ev is None:
5747 raise Exception("EAP success timed out")
5748 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5749 if ev is None:
5750 raise Exception("Key handshake with the AP timed out")
5751 if dev[0].get_status_field("tls_session_reused") != '0':
5752 raise Exception("Unexpected session resumption on the second connection")
7c0d66cf
JM		 5753
5754def test_eap_mschapv2_errors(dev, apdev):
5755 """EAP-MSCHAPv2 error cases"""
5756 check_eap_capa(dev[0], "MSCHAPV2")
5757 check_eap_capa(dev[0], "FAST")
5758
5759 params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
8b8a1864 5760 hapd = hostapd.add_ap(apdev[0], params)
7c0d66cf
JM		 5761 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
5762 identity="phase1-user", password="password",
5763 scan_freq="2412")
5764 dev[0].request("REMOVE_NETWORK all")
5765 dev[0].wait_disconnected()
5766
5767 tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
5768 (1, "nt_password_hash;mschapv2_derive_response"),
5769 (1, "nt_password_hash;=mschapv2_derive_response"),
5770 (1, "generate_nt_response;mschapv2_derive_response"),
5771 (1, "generate_authenticator_response;mschapv2_derive_response"),
5772 (1, "nt_password_hash;=mschapv2_derive_response"),
5773 (1, "get_master_key;mschapv2_derive_response"),
5774 (1, "os_get_random;eap_mschapv2_challenge_reply") ]
5775 for count, func in tests:
5776 with fail_test(dev[0], count, func):
5777 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
5778 identity="phase1-user", password="password",
5779 wait_connect=False, scan_freq="2412")
5780 wait_fail_trigger(dev[0], "GET_FAIL")
5781 dev[0].request("REMOVE_NETWORK all")
5782 dev[0].wait_disconnected()
5783
5784 tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
5785 (1, "hash_nt_password_hash;=mschapv2_derive_response"),
5786 (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
5787 (1, "generate_authenticator_response_pwhash;mschapv2_derive_response") ]
5788 for count, func in tests:
5789 with fail_test(dev[0], count, func):
5790 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
5791 identity="phase1-user",
5792 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
5793 wait_connect=False, scan_freq="2412")
5794 wait_fail_trigger(dev[0], "GET_FAIL")
5795 dev[0].request("REMOVE_NETWORK all")
5796 dev[0].wait_disconnected()
5797
5798 tests = [ (1, "eap_mschapv2_init"),
5799 (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
5800 (1, "eap_msg_alloc;eap_mschapv2_success"),
5801 (1, "eap_mschapv2_getKey") ]
5802 for count, func in tests:
5803 with alloc_fail(dev[0], count, func):
5804 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
5805 identity="phase1-user", password="password",
5806 wait_connect=False, scan_freq="2412")
5807 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5808 dev[0].request("REMOVE_NETWORK all")
5809 dev[0].wait_disconnected()
5810
5811 tests = [ (1, "eap_msg_alloc;eap_mschapv2_failure") ]
5812 for count, func in tests:
5813 with alloc_fail(dev[0], count, func):
5814 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
5815 identity="phase1-user", password="wrong password",
5816 wait_connect=False, scan_freq="2412")
5817 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5818 dev[0].request("REMOVE_NETWORK all")
5819 dev[0].wait_disconnected()
5820
5821 tests = [ (2, "eap_mschapv2_init"),
5822 (3, "eap_mschapv2_init") ]
5823 for count, func in tests:
5824 with alloc_fail(dev[0], count, func):
5825 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="FAST",
5826 anonymous_identity="FAST", identity="user",
5827 password="password",
5828 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
5829 phase1="fast_provisioning=1",
5830 pac_file="blob://fast_pac",
5831 wait_connect=False, scan_freq="2412")
5832 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5833 dev[0].request("REMOVE_NETWORK all")
5834 dev[0].wait_disconnected()
bf0ec17a
JM		 5835
5836def test_eap_gpsk_errors(dev, apdev):
5837 """EAP-GPSK error cases"""
5838 params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
8b8a1864 5839 hapd = hostapd.add_ap(apdev[0], params)
bf0ec17a
JM		 5840 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
5841 identity="gpsk user",
5842 password="abcdefghijklmnop0123456789abcdef",
5843 scan_freq="2412")
5844 dev[0].request("REMOVE_NETWORK all")
5845 dev[0].wait_disconnected()
5846
5847 tests = [ (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
5848 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
5849 "cipher=1"),
5850 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
5851 "cipher=2"),
5852 (1, "eap_gpsk_derive_keys_helper", None),
5853 (2, "eap_gpsk_derive_keys_helper", None),
5854 (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
5855 "cipher=1"),
5856 (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
5857 "cipher=2"),
5858 (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
5859 (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
5860 (1, "eap_gpsk_derive_mid_helper", None) ]
5861 for count, func, phase1 in tests:
5862 with fail_test(dev[0], count, func):
5863 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
5864 identity="gpsk user",
5865 password="abcdefghijklmnop0123456789abcdef",
5866 phase1=phase1,
5867 wait_connect=False, scan_freq="2412")
5868 wait_fail_trigger(dev[0], "GET_FAIL")
5869 dev[0].request("REMOVE_NETWORK all")
5870 dev[0].wait_disconnected()
5871
5872 tests = [ (1, "eap_gpsk_init"),
5873 (2, "eap_gpsk_init"),
5874 (3, "eap_gpsk_init"),
5875 (1, "eap_gpsk_process_id_server"),
5876 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
5877 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
5878 (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
5879 (1, "eap_gpsk_derive_keys"),
5880 (1, "eap_gpsk_derive_keys_helper"),
5881 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
5882 (1, "eap_gpsk_getKey"),
5883 (1, "eap_gpsk_get_emsk"),
5884 (1, "eap_gpsk_get_session_id") ]
5885 for count, func in tests:
5886 with alloc_fail(dev[0], count, func):
5887 dev[0].request("ERP_FLUSH")
5888 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
0a0c4dc1 5889 identity="gpsk user@domain", erp="1",
bf0ec17a
JM		 5890 password="abcdefghijklmnop0123456789abcdef",
5891 wait_connect=False, scan_freq="2412")
5892 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5893 dev[0].request("REMOVE_NETWORK all")
5894 dev[0].wait_disconnected()
d4c3c055
JM		 5895
5896def test_ap_wpa2_eap_sim_db(dev, apdev, params):
5897 """EAP-SIM DB error cases"""
5898 sockpath = '/tmp/hlr_auc_gw.sock-test'
5899 try:
5900 os.remove(sockpath)
5901 except:
5902 pass
5903 hparams = int_eap_server_params()
5904 hparams['eap_sim_db'] = 'unix:' + sockpath
8b8a1864 5905 hapd = hostapd.add_ap(apdev[0], hparams)
d4c3c055
JM		 5906
5907 # Initial test with hlr_auc_gw socket not available
5908 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
5909 eap="SIM", identity="1232010000000000",
5910 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
5911 scan_freq="2412", wait_connect=False)
5a30fcf5
JM		 5912 ev = dev[0].wait_event(["EAP-ERROR-CODE"], timeout=10)
5913 if ev is None:
5914 raise Exception("EAP method specific error code not reported")
5915 if int(ev.split()[1]) != 16384:
5916 raise Exception("Unexpected EAP method specific error code: " + ev)
d4c3c055
JM		 5917 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
5918 if ev is None:
5919 raise Exception("EAP-Failure not reported")
5920 dev[0].wait_disconnected()
5921 dev[0].request("DISCONNECT")
5922
5923 # Test with invalid responses and response timeout
5924
5925 class test_handler(SocketServer.DatagramRequestHandler):
5926 def handle(self):
5927 data = self.request[0].strip()
5928 socket = self.request[1]
5929 logger.debug("Received hlr_auc_gw request: " + data)
5930 # EAP-SIM DB: Failed to parse response string
5931 socket.sendto("FOO", self.client_address)
5932 # EAP-SIM DB: Failed to parse response string
5933 socket.sendto("FOO 1", self.client_address)
5934 # EAP-SIM DB: Unknown external response
5935 socket.sendto("FOO 1 2", self.client_address)
5936 logger.info("No proper response - wait for pending eap_sim_db request timeout")
5937
5938 server = SocketServer.UnixDatagramServer(sockpath, test_handler)
5939 server.timeout = 1
5940
5941 dev[0].select_network(id)
5942 server.handle_request()
5943 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
5944 if ev is None:
5945 raise Exception("EAP-Failure not reported")
5946 dev[0].wait_disconnected()
5947 dev[0].request("DISCONNECT")
5948
5949 # Test with a valid response
5950
5951 class test_handler2(SocketServer.DatagramRequestHandler):
5952 def handle(self):
5953 data = self.request[0].strip()
5954 socket = self.request[1]
5955 logger.debug("Received hlr_auc_gw request: " + data)
5956 fname = os.path.join(params['logdir'],
5957 'hlr_auc_gw.milenage_db')
5958 cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
5959 '-m', fname, data],
5960 stdout=subprocess.PIPE)
5961 res = cmd.stdout.read().strip()
5962 cmd.stdout.close()
5963 logger.debug("hlr_auc_gw response: " + res)
5964 socket.sendto(res, self.client_address)
5965
5966 server.RequestHandlerClass = test_handler2
5967
5968 dev[0].select_network(id)
5969 server.handle_request()
5970 dev[0].wait_connected()
5971 dev[0].request("DISCONNECT")
5972 dev[0].wait_disconnected()
d6ba709a
JM		 5973
5974def test_eap_tls_sha512(dev, apdev, params):
5975 """EAP-TLS with SHA512 signature"""
5976 params = int_eap_server_params()
5977 params["ca_cert"] = "auth_serv/sha512-ca.pem"
5978 params["server_cert"] = "auth_serv/sha512-server.pem"
5979 params["private_key"] = "auth_serv/sha512-server.key"
8b8a1864 5980 hostapd.add_ap(apdev[0], params)
d6ba709a
JM		 5981
5982 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5983 identity="tls user sha512",
5984 ca_cert="auth_serv/sha512-ca.pem",
5985 client_cert="auth_serv/sha512-user.pem",
5986 private_key="auth_serv/sha512-user.key",
5987 scan_freq="2412")
5988 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5989 identity="tls user sha512",
5990 ca_cert="auth_serv/sha512-ca.pem",
5991 client_cert="auth_serv/sha384-user.pem",
5992 private_key="auth_serv/sha384-user.key",
5993 scan_freq="2412")
5994
5995def test_eap_tls_sha384(dev, apdev, params):
5996 """EAP-TLS with SHA384 signature"""
5997 params = int_eap_server_params()
5998 params["ca_cert"] = "auth_serv/sha512-ca.pem"
5999 params["server_cert"] = "auth_serv/sha384-server.pem"
6000 params["private_key"] = "auth_serv/sha384-server.key"
8b8a1864 6001 hostapd.add_ap(apdev[0], params)
d6ba709a
JM		 6002
6003 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
6004 identity="tls user sha512",
6005 ca_cert="auth_serv/sha512-ca.pem",
6006 client_cert="auth_serv/sha512-user.pem",
6007 private_key="auth_serv/sha512-user.key",
6008 scan_freq="2412")
6009 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
6010 identity="tls user sha512",
6011 ca_cert="auth_serv/sha512-ca.pem",
6012 client_cert="auth_serv/sha384-user.pem",
6013 private_key="auth_serv/sha384-user.key",
6014 scan_freq="2412")
0ceff76e
JM		 6015
6016def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
6017 """WPA2-Enterprise AP and association request RSN IE differences"""
6018 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 6019 hostapd.add_ap(apdev[0], params)
0ceff76e
JM		 6020
6021 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
6022 params["ieee80211w"] = "2"
8b8a1864 6023 hostapd.add_ap(apdev[1], params)
0ceff76e
JM		 6024
6025 # Success cases with optional RSN IE fields removed one by one
6026 tests = [ ("Normal wpa_supplicant assoc req RSN IE",
6027 "30140100000fac040100000fac040100000fac010000"),
6028 ("Extra PMKIDCount field in RSN IE",
6029 "30160100000fac040100000fac040100000fac0100000000"),
6030 ("Extra Group Management Cipher Suite in RSN IE",
6031 "301a0100000fac040100000fac040100000fac0100000000000fac06"),
6032 ("Extra undefined extension field in RSN IE",
6033 "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
6034 ("RSN IE without RSN Capabilities",
6035 "30120100000fac040100000fac040100000fac01"),
6036 ("RSN IE without AKM", "300c0100000fac040100000fac04"),
6037 ("RSN IE without pairwise", "30060100000fac04"),
6038 ("RSN IE without group", "30020100") ]
6039 for title, ie in tests:
6040 logger.info(title)
6041 set_test_assoc_ie(dev[0], ie)
6042 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
6043 identity="gpsk user",
6044 password="abcdefghijklmnop0123456789abcdef",
6045 scan_freq="2412")
6046 dev[0].request("REMOVE_NETWORK all")
6047 dev[0].wait_disconnected()
6048
6049 tests = [ ("Normal wpa_supplicant assoc req RSN IE",
6050 "30140100000fac040100000fac040100000fac01cc00"),
6051 ("Group management cipher included in assoc req RSN IE",
6052 "301a0100000fac040100000fac040100000fac01cc000000000fac06") ]
6053 for title, ie in tests:
6054 logger.info(title)
6055 set_test_assoc_ie(dev[0], ie)
6056 dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
6057 eap="GPSK", identity="gpsk user",
6058 password="abcdefghijklmnop0123456789abcdef",
6059 scan_freq="2412")
6060 dev[0].request("REMOVE_NETWORK all")
6061 dev[0].wait_disconnected()
6062
6063 tests = [ ("Invalid group cipher", "30060100000fac02", 41),
6064 ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42) ]
6065 for title, ie, status in tests:
6066 logger.info(title)
6067 set_test_assoc_ie(dev[0], ie)
6068 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
6069 identity="gpsk user",
6070 password="abcdefghijklmnop0123456789abcdef",
6071 scan_freq="2412", wait_connect=False)
6072 ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
6073 if ev is None:
6074 raise Exception("Association rejection not reported")
6075 if "status_code=" + str(status) not in ev:
6076 raise Exception("Unexpected status code: " + ev)
6077 dev[0].request("REMOVE_NETWORK all")
6078 dev[0].dump_monitor()
6079
6080 tests = [ ("Management frame protection not enabled",
6081 "30140100000fac040100000fac040100000fac010000", 31),
6082 ("Unsupported management group cipher",
80ad0680 6083 "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 46) ]
0ceff76e
JM		 6084 for title, ie, status in tests:
6085 logger.info(title)
6086 set_test_assoc_ie(dev[0], ie)
6087 dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
6088 eap="GPSK", identity="gpsk user",
6089 password="abcdefghijklmnop0123456789abcdef",
6090 scan_freq="2412", wait_connect=False)
6091 ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
6092 if ev is None:
6093 raise Exception("Association rejection not reported")
6094 if "status_code=" + str(status) not in ev:
6095 raise Exception("Unexpected status code: " + ev)
6096 dev[0].request("REMOVE_NETWORK all")
6097 dev[0].dump_monitor()
ca27ee09
JM		 6098
6099def test_eap_tls_ext_cert_check(dev, apdev):
6100 """EAP-TLS and external server certification validation"""
6101 # With internal server certificate chain validation
6102 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
6103 identity="tls user",
6104 ca_cert="auth_serv/ca.pem",
6105 client_cert="auth_serv/user.pem",
6106 private_key="auth_serv/user.key",
6107 phase1="tls_ext_cert_check=1", scan_freq="2412",
6108 only_add_network=True)
6109 run_ext_cert_check(dev, apdev, id)
6110
6111def test_eap_ttls_ext_cert_check(dev, apdev):
6112 """EAP-TTLS and external server certification validation"""
6113 # Without internal server certificate chain validation
6114 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
6115 identity="pap user", anonymous_identity="ttls",
6116 password="password", phase2="auth=PAP",
6117 phase1="tls_ext_cert_check=1", scan_freq="2412",
6118 only_add_network=True)
6119 run_ext_cert_check(dev, apdev, id)
6120
6121def test_eap_peap_ext_cert_check(dev, apdev):
6122 """EAP-PEAP and external server certification validation"""
6123 # With internal server certificate chain validation
6124 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
6125 identity="user", anonymous_identity="peap",
6126 ca_cert="auth_serv/ca.pem",
6127 password="password", phase2="auth=MSCHAPV2",
6128 phase1="tls_ext_cert_check=1", scan_freq="2412",
6129 only_add_network=True)
6130 run_ext_cert_check(dev, apdev, id)
6131
6132def test_eap_fast_ext_cert_check(dev, apdev):
6133 """EAP-FAST and external server certification validation"""
6134 check_eap_capa(dev[0], "FAST")
6135 # With internal server certificate chain validation
6136 dev[0].request("SET blob fast_pac_auth_ext ")
6137 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
6138 identity="user", anonymous_identity="FAST",
6139 ca_cert="auth_serv/ca.pem",
6140 password="password", phase2="auth=GTC",
6141 phase1="tls_ext_cert_check=1 fast_provisioning=2",
6142 pac_file="blob://fast_pac_auth_ext",
6143 scan_freq="2412",
6144 only_add_network=True)
6145 run_ext_cert_check(dev, apdev, id)
6146
6147def run_ext_cert_check(dev, apdev, net_id):
6148 check_ext_cert_check_support(dev[0])
6149 if not openssl_imported:
6150 raise HwsimSkip("OpenSSL python method not available")
6151
6152 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 6153 hapd = hostapd.add_ap(apdev[0], params)
ca27ee09
JM		 6154
6155 dev[0].select_network(net_id)
6156 certs = {}
6157 while True:
6158 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
6159 "CTRL-REQ-EXT_CERT_CHECK",
6160 "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
6161 if ev is None:
6162 raise Exception("No peer server certificate event seen")
6163 if "CTRL-EVENT-EAP-PEER-CERT" in ev:
6164 depth = None
6165 cert = None
6166 vals = ev.split(' ')
6167 for v in vals:
6168 if v.startswith("depth="):
6169 depth = int(v.split('=')[1])
6170 elif v.startswith("cert="):
6171 cert = v.split('=')[1]
6172 if depth is not None and cert:
6173 certs[depth] = binascii.unhexlify(cert)
6174 elif "CTRL-EVENT-EAP-SUCCESS" in ev:
6175 raise Exception("Unexpected EAP-Success")
6176 elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
6177 id = ev.split(':')[0].split('-')[-1]
6178 break
6179 if 0 not in certs:
6180 raise Exception("Server certificate not received")
6181 if 1 not in certs:
6182 raise Exception("Server certificate issuer not received")
6183
6184 cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
6185 certs[0])
6186 cn = cert.get_subject().commonName
6187 logger.info("Server certificate CN=" + cn)
6188
6189 issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
6190 certs[1])
6191 icn = issuer.get_subject().commonName
6192 logger.info("Issuer certificate CN=" + icn)
6193
6194 if cn != "server.w1.fi":
6195 raise Exception("Unexpected server certificate CN: " + cn)
6196 if icn != "Root CA":
6197 raise Exception("Unexpected server certificate issuer CN: " + icn)
6198
6199 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
6200 if ev:
6201 raise Exception("Unexpected EAP-Success before external check result indication")
6202
6203 dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
6204 dev[0].wait_connected()
6205
6206 dev[0].request("DISCONNECT")
6207 dev[0].wait_disconnected()
6208 if "FAIL" in dev[0].request("PMKSA_FLUSH"):
6209 raise Exception("PMKSA_FLUSH failed")
6210 dev[0].request("SET blob fast_pac_auth_ext ")
6211 dev[0].request("RECONNECT")
6212
6213 ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
6214 if ev is None:
6215 raise Exception("No peer server certificate event seen (2)")
6216 id = ev.split(':')[0].split('-')[-1]
6217 dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
6218 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
6219 if ev is None:
6220 raise Exception("EAP-Failure not reported")
6221 dev[0].request("REMOVE_NETWORK all")
6222 dev[0].wait_disconnected()
a89faedc
JM		 6223
6224def test_eap_tls_errors(dev, apdev):
6225 """EAP-TLS error cases"""
6226 params = int_eap_server_params()
6227 params['fragment_size'] = '100'
8b8a1864 6228 hostapd.add_ap(apdev[0], params)
a89faedc
JM		 6229 with alloc_fail(dev[0], 1,
6230 "eap_peer_tls_reassemble_fragment"):
6231 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
6232 identity="tls user", ca_cert="auth_serv/ca.pem",
6233 client_cert="auth_serv/user.pem",
6234 private_key="auth_serv/user.key",
6235 wait_connect=False, scan_freq="2412")
6236 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6237 dev[0].request("REMOVE_NETWORK all")
6238 dev[0].wait_disconnected()
6239
6240 with alloc_fail(dev[0], 1, "eap_tls_init"):
6241 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
6242 identity="tls user", ca_cert="auth_serv/ca.pem",
6243 client_cert="auth_serv/user.pem",
6244 private_key="auth_serv/user.key",
6245 wait_connect=False, scan_freq="2412")
6246 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6247 dev[0].request("REMOVE_NETWORK all")
6248 dev[0].wait_disconnected()
6249
6250 with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init"):
6251 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
6252 identity="tls user", ca_cert="auth_serv/ca.pem",
6253 client_cert="auth_serv/user.pem",
6254 private_key="auth_serv/user.key",
6255 engine="1",
6256 wait_connect=False, scan_freq="2412")
6257 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6258 ev = dev[0].wait_event(["CTRL-REQ-PIN"], timeout=5)
6259 if ev is None:
6260 raise Exception("No CTRL-REQ-PIN seen")
6261 dev[0].request("REMOVE_NETWORK all")
6262 dev[0].wait_disconnected()
6263
6264 tests = [ "eap_peer_tls_derive_key;eap_tls_success",
6265 "eap_peer_tls_derive_session_id;eap_tls_success",
6266 "eap_tls_getKey",
6267 "eap_tls_get_emsk",
6268 "eap_tls_get_session_id" ]
6269 for func in tests:
6270 with alloc_fail(dev[0], 1, func):
6271 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
0a0c4dc1
JM		 6272 identity="tls user@domain",
6273 ca_cert="auth_serv/ca.pem",
a89faedc
JM		 6274 client_cert="auth_serv/user.pem",
6275 private_key="auth_serv/user.key",
6276 erp="1",
6277 wait_connect=False, scan_freq="2412")
6278 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6279 dev[0].request("REMOVE_NETWORK all")
6280 dev[0].wait_disconnected()
6281
6282 with alloc_fail(dev[0], 1, "eap_unauth_tls_init"):
6283 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
6284 identity="unauth-tls", ca_cert="auth_serv/ca.pem",
6285 wait_connect=False, scan_freq="2412")
6286 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6287 dev[0].request("REMOVE_NETWORK all")
6288 dev[0].wait_disconnected()
6289
6290 with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init;eap_unauth_tls_init"):
6291 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
6292 identity="unauth-tls", ca_cert="auth_serv/ca.pem",
6293 wait_connect=False, scan_freq="2412")
6294 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6295 dev[0].request("REMOVE_NETWORK all")
6296 dev[0].wait_disconnected()
6297
6298 with alloc_fail(dev[0], 1, "eap_wfa_unauth_tls_init"):
6299 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
6300 eap="WFA-UNAUTH-TLS",
6301 identity="osen@example.com", ca_cert="auth_serv/ca.pem",
6302 wait_connect=False, scan_freq="2412")
6303 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6304 dev[0].request("REMOVE_NETWORK all")
6305 dev[0].wait_disconnected()
6306
6307 with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init;eap_wfa_unauth_tls_init"):
6308 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
6309 eap="WFA-UNAUTH-TLS",
6310 identity="osen@example.com", ca_cert="auth_serv/ca.pem",
6311 wait_connect=False, scan_freq="2412")
6312 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6313 dev[0].request("REMOVE_NETWORK all")
6314 dev[0].wait_disconnected()
0918fe4d
JM		 6315
6316def test_ap_wpa2_eap_status(dev, apdev):
6317 """EAP state machine status information"""
6318 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
8b8a1864 6319 hostapd.add_ap(apdev[0], params)
0918fe4d
JM		 6320 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
6321 identity="cert user",
6322 ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
6323 ca_cert2="auth_serv/ca.pem",
6324 client_cert2="auth_serv/user.pem",
6325 private_key2="auth_serv/user.key",
6326 scan_freq="2412", wait_connect=False)
6327 success = False
6328 states = []
6329 method_states = []
6330 decisions = []
6331 req_methods = []
6332 selected_methods = []
6333 for i in range(100000):
6334 s = dev[0].get_status(extra="VERBOSE")
6335 if 'EAP state' in s:
6336 state = s['EAP state']
6337 if state:
6338 if state not in states:
6339 states.append(state)
6340 if state == "SUCCESS":
6341 success = True
6342 break
6343 if 'methodState' in s:
6344 val = s['methodState']
6345 if val not in method_states:
6346 method_states.append(val)
6347 if 'decision' in s:
6348 val = s['decision']
6349 if val not in decisions:
6350 decisions.append(val)
6351 if 'reqMethod' in s:
6352 val = s['reqMethod']
6353 if val not in req_methods:
6354 req_methods.append(val)
6355 if 'selectedMethod' in s:
6356 val = s['selectedMethod']
6357 if val not in selected_methods:
6358 selected_methods.append(val)
6359 logger.info("Iterations: %d" % i)
6360 logger.info("EAP states: " + str(states))
6361 logger.info("methodStates: " + str(method_states))
6362 logger.info("decisions: " + str(decisions))
6363 logger.info("reqMethods: " + str(req_methods))
6364 logger.info("selectedMethods: " + str(selected_methods))
6365 if not success:
6366 raise Exception("EAP did not succeed")
6367 dev[0].wait_connected()
6368 dev[0].request("REMOVE_NETWORK all")
6369 dev[0].wait_disconnected()
29b508e7
JM		 6370
6371def test_ap_wpa2_eap_gpsk_ptk_rekey_ap(dev, apdev):
6372 """WPA2-Enterprise with EAP-GPSK and PTK rekey enforced by AP"""
6373 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
6374 params['wpa_ptk_rekey'] = '2'
8b8a1864 6375 hapd = hostapd.add_ap(apdev[0], params)
3b3e2687 6376 id = eap_connect(dev[0], hapd, "GPSK", "gpsk user",
29b508e7
JM		 6377 password="abcdefghijklmnop0123456789abcdef")
6378 ev = dev[0].wait_event(["WPA: Key negotiation completed"])
6379 if ev is None:
6380 raise Exception("PTK rekey timed out")
6381 hwsim_utils.test_connectivity(dev[0], hapd)
2833743d
JM		 6382
6383def test_ap_wpa2_eap_wildcard_ssid(dev, apdev):
6384 """WPA2-Enterprise connection using EAP-GPSK and wildcard SSID"""
6385 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
6386 hapd = hostapd.add_ap(apdev[0], params)
6387 dev[0].connect(bssid=apdev[0]['bssid'], key_mgmt="WPA-EAP", eap="GPSK",
6388 identity="gpsk user",
6389 password="abcdefghijklmnop0123456789abcdef",
6390 scan_freq="2412")
c9aba19b
JM		 6391
6392def test_ap_wpa2_eap_psk_mac_addr_change(dev, apdev):
6393 """WPA2-Enterprise connection using EAP-PSK after MAC address change"""
6394 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
6395 hapd = hostapd.add_ap(apdev[0], params)
6396
6397 cmd = subprocess.Popen(['ps', '-eo', 'pid,command'], stdout=subprocess.PIPE)
6398 res = cmd.stdout.read()
6399 cmd.stdout.close()
6400 pid = 0
6401 for p in res.splitlines():
6402 if "wpa_supplicant" not in p:
6403 continue
6404 if dev[0].ifname not in p:
6405 continue
6406 pid = int(p.strip().split(' ')[0])
6407 if pid == 0:
6408 logger.info("Could not find wpa_supplicant PID")
6409 else:
6410 logger.info("wpa_supplicant PID %d" % pid)
6411
6412 addr = dev[0].get_status_field("address")
6413 subprocess.call(['ip', 'link', 'set', 'dev', dev[0].ifname, 'down'])
6414 subprocess.call(['ip', 'link', 'set', 'dev', dev[0].ifname, 'address',
6415 '02:11:22:33:44:55'])
6416 subprocess.call(['ip', 'link', 'set', 'dev', dev[0].ifname, 'up'])
6417 addr1 = dev[0].get_status_field("address")
6418 if addr1 != '02:11:22:33:44:55':
6419 raise Exception("Failed to change MAC address")
6420
6421 # Scan using the externally set MAC address, stop the wpa_supplicant
6422 # process to avoid it from processing the ifdown event before the interface
6423 # is already UP, change the MAC address back, allow the wpa_supplicant
6424 # process to continue. This will result in the ifdown + ifup sequence of
6425 # RTM_NEWLINK events to be processed while the interface is already UP.
6426 try:
6427 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
6428 os.kill(pid, signal.SIGSTOP)
6429 time.sleep(0.1)
6430 finally:
6431 subprocess.call(['ip', 'link', 'set', 'dev', dev[0].ifname, 'down'])
6432 subprocess.call(['ip', 'link', 'set', 'dev', dev[0].ifname, 'address',
6433 addr])
6434 subprocess.call(['ip', 'link', 'set', 'dev', dev[0].ifname, 'up'])
6435 time.sleep(0.1)
6436 os.kill(pid, signal.SIGCONT)
6437
6438 eap_connect(dev[0], hapd, "PSK", "psk.user@example.com",
6439 password_hex="0123456789abcdef0123456789abcdef")
6440
6441 addr2 = dev[0].get_status_field("address")
6442 if addr != addr2:
6443 raise Exception("Failed to restore MAC address")
Unnamed repository; edit this file 'description' to name the repository.