# -*- coding: utf-8 -*-
# WPA2-Enterprise tests
# Copyright (c) 2013-2019, Jouni Malinen <j@w1.fi>
#
# This software may be distributed under the terms of the BSD license.
# See README for more details.

import base64
import binascii
import time
import subprocess
import logging
# Module-wide logger used by the test cases below (root logger, as elsewhere
# in the hwsim test suite)
logger = logging.getLogger()
import os
import signal
import socket
# Python 2 / Python 3 compatibility: the module was renamed to socketserver
try:
    import SocketServer
except ImportError:
    import socketserver as SocketServer
import struct
import tempfile

import hwsim_utils
from hwsim import HWSimRadio
import hostapd
from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips, wait_fail_trigger, require_under_vm
from wpasupplicant import WpaSupplicant
from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations, set_test_assoc_ie

# pyOpenSSL is optional; openssl_imported records whether it is available
# (presumably consulted by test cases further down the file — verify there)
try:
    import OpenSSL
    openssl_imported = True
except ImportError:
    openssl_imported = False

37def check_hlr_auc_gw_support():
38 if not os.path.exists("/tmp/hlr_auc_gw.sock"):
39 raise HwsimSkip("No hlr_auc_gw available")
40
def check_eap_capa(dev, method):
    """Skip the test when the wpa_supplicant build lacks an EAP method.

    Args:
        dev: wpa_supplicant control instance (must provide get_capability()).
        method: EAP method name as listed by the "eap" capability query.

    Raises:
        HwsimSkip: when method is not among the supported EAP methods.
    """
    supported = dev.get_capability("eap")
    if method in supported:
        return
    raise HwsimSkip("EAP method %s not supported in the build" % method)

def check_subject_match_support(dev):
    """Skip unless the TLS library of dev supports subject_match.

    Only the OpenSSL and wolfSSL backends are accepted here.

    Raises:
        HwsimSkip: for any other TLS library.
    """
    tls = dev.request("GET tls_library")
    if tls.startswith(("OpenSSL", "wolfSSL")):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + tls)

def check_altsubject_match_support(dev):
    """Skip unless the TLS library of dev supports altsubject_match.

    Only the OpenSSL and wolfSSL backends are accepted here.

    Raises:
        HwsimSkip: for any other TLS library.
    """
    tls = dev.request("GET tls_library")
    if tls.startswith(("OpenSSL", "wolfSSL")):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls)

def check_domain_match(dev):
    """Skip when dev uses the internal TLS library (no domain_match support).

    Raises:
        HwsimSkip: when the TLS library name starts with "internal".
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("internal"):
        return
    raise HwsimSkip("domain_match not supported with this TLS library: " + tls)

def check_domain_suffix_match(dev):
    """Skip when dev uses the internal TLS library (no domain_suffix_match).

    Raises:
        HwsimSkip: when the TLS library name starts with "internal".
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("internal"):
        return
    raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + tls)

def check_domain_match_full(dev):
    """Skip unless dev's TLS library does full-domain domain_suffix_match.

    Only the OpenSSL and wolfSSL backends are accepted here.

    Raises:
        HwsimSkip: for any other TLS library.
    """
    tls = dev.request("GET tls_library")
    if tls.startswith(("OpenSSL", "wolfSSL")):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls)

def check_cert_probe_support(dev):
    """Skip unless dev's TLS library supports certificate probing.

    Only the OpenSSL and internal backends are accepted here.

    Raises:
        HwsimSkip: for any other TLS library.
    """
    tls = dev.request("GET tls_library")
    if tls.startswith(("OpenSSL", "internal")):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls)

def check_ext_cert_check_support(dev):
    """Skip unless dev uses OpenSSL, the only backend with ext_cert_check.

    Raises:
        HwsimSkip: for any TLS library whose name does not start with "OpenSSL".
    """
    tls = dev.request("GET tls_library")
    if tls.startswith("OpenSSL"):
        return
    raise HwsimSkip("ext_cert_check not supported with this TLS library: " + tls)

def check_ocsp_support(dev):
    """Skip when dev's TLS library cannot do OCSP.

    Only wolfSSL is rejected now; the internal TLS implementation and
    BoringSSL used to be rejected here as well.

    Raises:
        HwsimSkip: when the TLS library name starts with "wolfSSL".
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("wolfSSL"):
        return
    raise HwsimSkip("OCSP not supported with this TLS library: " + tls)

def check_pkcs5_v15_support(dev):
    """Skip when dev's TLS library cannot handle PKCS#5 v1.5 encrypted keys.

    Raises:
        HwsimSkip: when the TLS library string mentions BoringSSL or GnuTLS.
    """
    tls = dev.request("GET tls_library")
    unsupported = any(name in tls for name in ("BoringSSL", "GnuTLS"))
    if unsupported:
        raise HwsimSkip("PKCS#5 v1.5 not supported with this TLS library: " + tls)

def check_ocsp_multi_support(dev):
    """Skip unless both ends of the exchange use the internal TLS library.

    ocsp_multi is only implemented in the internal TLS library, so both
    wpa_supplicant (dev) and the "as" hostapd instance are checked. The
    temporary Hostapd control object is dropped right after the query.

    Raises:
        HwsimSkip: when either side reports a different TLS library.
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("internal"):
        raise HwsimSkip("OCSP-multi not supported with this TLS library: " + tls)
    as_hapd = hostapd.Hostapd("as")
    srv_tls = as_hapd.request("GET tls_library")
    del as_hapd
    if not srv_tls.startswith("internal"):
        raise HwsimSkip("Authentication server does not support ocsp_multi")

def check_pkcs12_support(dev):
    """Skip when dev's TLS library cannot load PKCS#12 files.

    Only wolfSSL is rejected now; the internal TLS implementation used to be
    rejected here as well.

    Raises:
        HwsimSkip: when the TLS library name starts with "wolfSSL".
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("wolfSSL"):
        return
    raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls)

def check_dh_dsa_support(dev):
    """Skip when dev uses the internal TLS library (no DH DSA support).

    Raises:
        HwsimSkip: when the TLS library name starts with "internal".
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("internal"):
        return
    raise HwsimSkip("DH DSA not supported with this TLS library: " + tls)

def read_pem(fname):
    """Return the DER bytes of the first PEM object in file *fname*.

    Collects the base64 lines between the "-----BEGIN" and "-----END" marker
    lines (the marker lines themselves are not included) and decodes them.
    If the file has no BEGIN marker the decoded payload is empty.

    Args:
        fname: path of the PEM file.

    Returns:
        bytes: decoded payload.
    """
    body = []
    inside = False
    with open(fname, "r") as f:
        for line in f:
            if "-----END" in line:
                break
            if inside:
                body.append(line)
            elif "-----BEGIN" in line:
                inside = True
    return base64.b64decode("".join(body))

def eap_connect(dev, hapd, method, identity,
                sha256=False, expect_failure=False, local_error_report=False,
                maybe_local_error=False, report_failure=False, **kwargs):
    """Add a WPA2-Enterprise network on dev and follow the EAP exchange.

    The network is added with wait_connect=False and the EAP state machine
    is then verified with eap_check_auth(). On an expected failure the
    network id is returned right after that check; otherwise hostapd must
    also report AP-STA-CONNECTED within 5 seconds.

    Args:
        dev: wpa_supplicant control instance.
        hapd: hostapd control instance of the AP being joined.
        method: EAP method name (e.g. "SIM", "PEAP").
        identity: EAP identity.
        sha256, expect_failure, local_error_report, maybe_local_error,
        report_failure: forwarded to eap_check_auth().
        **kwargs: extra network parameters passed to dev.connect().

    Returns:
        The network id allocated by dev.connect().

    Raises:
        Exception: when the EAP exchange does not behave as expected or
        hostapd does not report the station as connected.
    """
    netid = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                        eap=method, identity=identity,
                        wait_connect=False, scan_freq="2412", ieee80211w="1",
                        **kwargs)
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report,
                   maybe_local_error=maybe_local_error,
                   report_failure=report_failure)
    if not expect_failure:
        ev = hapd.wait_event(["AP-STA-CONNECTED"], timeout=5)
        if ev is None:
            raise Exception("No connection event received from hostapd")
    return netid

def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False,
                   maybe_local_error=False, report_failure=False):
    """Follow an EAP exchange on dev through its control interface events.

    Args:
        dev: wpa_supplicant control instance.
        method: EAP method name that must show up in the EAP-METHOD event
            and in the STATUS selectedMethod field.
        initial: True for the first association (wait for CTRL-EVENT-CONNECTED),
            False for a reauthentication (wait for key negotiation).
        rsn: expect the WPA2 (RSN) key_mgmt string rather than WPA.
        sha256: expect key_mgmt "WPA2-EAP-SHA256".
        expect_failure: the exchange must end in EAP failure and disconnection.
        local_error_report: with expect_failure, do not insist on reason=23.
        maybe_local_error: tolerate an early EAP failure or a locally generated
            disconnection and return without further checks.
        report_failure: also accept an EAP-FAILURE event while waiting for
            success, but then fail the test with "EAP failed".

    Returns:
        The STATUS dict on success; None on the expected-failure paths.

    Raises:
        Exception: on any timeout or unexpected event/state.
    """
    def _expect(events, err, **timeout_kw):
        # Wait for one of *events*; fail the test if none arrives
        ev = dev.wait_event(events, **timeout_kw)
        if ev is None:
            raise Exception(err)
        return ev

    _expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out",
            timeout=16)
    ev = _expect(["CTRL-EVENT-EAP-METHOD", "CTRL-EVENT-EAP-FAILURE"],
                 "EAP method selection timed out", timeout=10)
    if "CTRL-EVENT-EAP-FAILURE" in ev:
        if maybe_local_error:
            return None
        raise Exception("Could not select EAP method")
    if method not in ev:
        raise Exception("Unexpected EAP method")

    if expect_failure:
        # No timeout argument here on purpose: wait_event's default applies
        _expect(["CTRL-EVENT-EAP-FAILURE"], "EAP failure timed out")
        ev = dev.wait_disconnected(timeout=10)
        if maybe_local_error and "locally_generated=1" in ev:
            return None
        if not local_error_report and "reason=23" not in ev:
            raise Exception("Proper reason code for disconnection not reported")
        return None

    if report_failure:
        ev = _expect(["CTRL-EVENT-EAP-SUCCESS", "CTRL-EVENT-EAP-FAILURE"],
                     "EAP success timed out", timeout=10)
        if "CTRL-EVENT-EAP-SUCCESS" not in ev:
            raise Exception("EAP failed")
    else:
        _expect(["CTRL-EVENT-EAP-SUCCESS"], "EAP success timed out", timeout=10)

    if initial:
        final_event = "CTRL-EVENT-CONNECTED"
    else:
        final_event = "WPA: Key negotiation completed"
    _expect([final_event], "Association with the AP timed out", timeout=10)

    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if "selectedMethod" not in status:
        logger.info("Status: " + str(status))
        raise Exception("No selectedMethod in status")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")

    if sha256:
        expected_key_mgmt = "WPA2-EAP-SHA256"
    elif rsn:
        expected_key_mgmt = "WPA2/IEEE 802.1X/EAP"
    else:
        expected_key_mgmt = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != expected_key_mgmt:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
    return status

def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger REAUTHENTICATE on dev and verify the non-initial EAP round.

    Args:
        dev: wpa_supplicant control instance.
        method: EAP method name expected in the exchange.
        rsn, sha256, expect_failure: forwarded to eap_check_auth().

    Returns:
        Whatever eap_check_auth() returns (STATUS dict or None).
    """
    dev.request("REAUTHENTICATE")
    result = eap_check_auth(dev, method, False, rsn=rsn, sha256=sha256,
                            expect_failure=expect_failure)
    return result

def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # EAP-SIM password (two colon-separated hex halves) shared by the
    # positive cases below
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    eap_connect(dev[0], hapd, "SIM", "1232010000000000", password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "SIM")

    eap_connect(dev[1], hapd, "SIM", "1232010000000001", password=good_key)
    # Third identity is expected to fail (presumably not provisioned in the
    # test HLR database — verify against auth_serv/hlr_auc_gw.milenage_db)
    eap_connect(dev[2], hapd, "SIM", "1232010000000002", password=good_key,
                expect_failure=True)

    # Negative cases: each replaces the network profile on dev[0] and expects
    # the EAP exchange to fail. The last entry has no password at all.
    negative_cases = [
        ("Negative test with incorrect key",
         {"password": "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"}),
        ("Invalid GSM-Milenage key",
         {"password": "ffdca4eda45b53cf0f12d7c9c3bc6a"}),
        ("Invalid GSM-Milenage key(2)",
         {"password": "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581"}),
        ("Invalid GSM-Milenage key(3)",
         {"password": "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q"}),
        ("Invalid GSM-Milenage key(4)",
         {"password": "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581"}),
        ("Missing key configuration", {}),
    ]
    for label, extra in negative_cases:
        logger.info(label)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], hapd, "SIM", "1232010000000000",
                    expect_failure=True, **extra)

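def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)"""
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    # The hostapd-side EAP-SIM state (reauth and pseudonyms tables) lives in
    # hostapd.db under the log directory. The connection is closed in the
    # finally block so a failing scenario does not leak it.
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    try:
        _test_ap_wpa2_eap_sim_sql(dev, apdev, con)
    finally:
        con.close()

def _test_ap_wpa2_eap_sim_sql(dev, apdev, con):
    """Run the EAP-SIM (SQL) scenario against an open hostapd.db connection.

    Args:
        dev: list of wpa_supplicant control instances; dev[0] is used.
        apdev: list of AP devices; apdev[0] hosts the AP.
        con: sqlite3 connection to hostapd.db, used to manipulate the
            server-side reauth/pseudonym state between rounds.
    """
    def _sql(*statements):
        # Run the constant SQL statements in one transaction (committed by
        # the connection context manager)
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "1814"
    hapd = hostapd.add_ap(apdev[0], ap_params)
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    eap_connect(dev[0], hapd, "SIM", "1232010000000000", password=key)

    logger.info("SIM fast re-authentication")
    eap_reauth(dev[0], "SIM")

    logger.info("SIM full auth with pseudonym")
    _sql("DELETE FROM reauth WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")

    logger.info("SIM full auth with permanent identity")
    _sql("DELETE FROM reauth WHERE permanent='1232010000000000'",
         "DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")

    logger.info("SIM reauth with mismatching MK")
    _sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], hapd, "SIM", "1232010000000000", password=key)
    _sql("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")
    _sql("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with mismatching counter")
    eap_reauth(dev[0], "SIM")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], hapd, "SIM", "1232010000000000", password=key)
    _sql("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with max reauth count reached")
    eap_reauth(dev[0], "SIM")
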
def test_ap_wpa2_eap_sim_config(dev, apdev):
    """EAP-SIM configuration options"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"

    # Out-of-range sim_min_num_chal values must make EAP-SIM initialization
    # fail; the error message distinguishes the two rounds
    rejected = [("sim_min_num_chal=1", "No EAP error message seen"),
                ("sim_min_num_chal=4", "No EAP error message seen (2)")]
    for phase1, missing_msg in rejected:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                       identity="1232010000000000",
                       password=key,
                       phase1=phase1,
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
        if ev is None:
            raise Exception(missing_msg)
        dev[0].request("REMOVE_NETWORK all")

    # Accepted configurations
    eap_connect(dev[0], hapd, "SIM", "1232010000000000",
                password=key,
                phase1="sim_min_num_chal=2")
    eap_connect(dev[1], hapd, "SIM", "1232010000000000",
                password=key,
                anonymous_identity="345678")

def test_ap_wpa2_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
    # external_sim is a global wpa_supplicant setting: reset it even when the
    # scenario raises so later test cases start from the default
    sta = dev[0]
    try:
        _test_ap_wpa2_eap_sim_ext(dev, apdev)
    finally:
        sta.request("SET external_sim 0")

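def _test_ap_wpa2_eap_sim_ext(dev, apdev):
    """Scenario body for test_ap_wpa2_eap_sim_ext.

    With external_sim enabled, wpa_supplicant asks the control interface for
    GSM authentication (CTRL-REQ-SIM). The first round is answered with a
    UMTS-AUTH response and the following rounds with malformed GSM-AUTH
    responses; every round must end in CTRL-EVENT-EAP-FAILURE.

    Args:
        dev: list of wpa_supplicant control instances; dev[0] is used.
        apdev: list of AP devices; apdev[0] hosts the AP.

    Raises:
        Exception: when a request, failure event or control command does not
        arrive or succeed as expected.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    sta = dev[0]
    sta.request("SET external_sim 1")
    netid = sta.connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:
        raise Exception("Network connected timed out")

    rid = _sim_ext_wait_gsm_auth_req(sta)
    # IK:CK:RES
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # This will fail during processing, but the ctrl_iface command succeeds
    sta.request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
    _sim_ext_expect_eap_failure(sta)

    # Malformed GSM-AUTH responses; each one must fail GSM auth validation.
    # The previous round is torn down before the network is selected again,
    # so the final round is left without a DISCONNECT as in the original.
    bad_responses = ["q", "34", "0011223344556677", "0011223344556677:q",
                     "0011223344556677:00112233",
                     "0011223344556677:00112233:q"]
    for bad in bad_responses:
        _sim_ext_disconnect(sta)
        sta.select_network(netid, freq="2412")
        rid = _sim_ext_wait_gsm_auth_req(sta)
        if "OK" not in sta.request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + bad):
            raise Exception("CTRL-RSP-SIM failed")
        _sim_ext_expect_eap_failure(sta)

def _sim_ext_wait_gsm_auth_req(sta):
    """Wait for a CTRL-REQ-SIM GSM-AUTH request and return its request id.

    Raises:
        Exception: on timeout or when the request is not of type GSM-AUTH.
    """
    ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    fields = ev.split(':', 2)
    if fields[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    # The request id is the fourth '-'-separated token of "CTRL-REQ-SIM-<id>"
    return fields[0].split('-')[3]

def _sim_ext_expect_eap_failure(sta):
    """Fail the test unless CTRL-EVENT-EAP-FAILURE arrives within 15 s."""
    ev = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    if ev is None:
        raise Exception("EAP failure not reported")

def _sim_ext_disconnect(sta):
    """Disconnect sta and pause briefly before the next round."""
    sta.request("DISCONNECT")
    sta.wait_disconnected()
    # Short pause kept from the original sequence, presumably to let the
    # disconnection settle before select_network
    time.sleep(0.1)
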
def test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
    """EAP-SIM with external GSM auth and replacing SIM without clearing pseudonym id"""
    # external_sim is a global wpa_supplicant setting: reset it even when the
    # scenario raises so later test cases start from the default
    sta = dev[0]
    try:
        _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev)
    finally:
        sta.request("SET external_sim 0")

def _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
    """Scenario body for test_ap_wpa2_eap_sim_ext_replace_sim.

    The first GSM-AUTH round is answered with hlr_auc_gw for IMSI
    232010000000000 and must connect. The identity is then switched to
    ...009 without dropping the pseudonym from the first round, and the
    second round must end in CTRL-EVENT-EAP-FAILURE.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    sta = dev[0]

    def answer_gsm_auth(imsi):
        # Serve one CTRL-REQ-SIM GSM-AUTH request with the hlr_auc_gw tool
        ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        fields = ev.split(':', 2)
        if fields[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        rid = fields[0].split('-')[3]
        rand = fields[2].split(' ')[0]
        out = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                       "-m",
                                       "auth_serv/hlr_auc_gw.milenage_db",
                                       "GSM-AUTH-REQ " + imsi + " " + rand]).decode()
        if "GSM-AUTH-RESP" not in out:
            raise Exception("Unexpected hlr_auc_gw response")
        auth_resp = out.split(' ')[2].rstrip()
        sta.request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + auth_resp)

    sta.request("SET external_sim 1")
    netid = sta.connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    answer_gsm_auth("232010000000000")
    sta.wait_connected(timeout=15)
    sta.request("DISCONNECT")
    sta.wait_disconnected()

    # Replace SIM, but forget to drop the previous pseudonym identity
    sta.set_network_quoted(netid, "identity", "1232010000000009")
    sta.select_network(netid, freq="2412")
    answer_gsm_auth("232010000000009")
    ev = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    sta.request("DISCONNECT")
    sta.wait_disconnected()

def test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
    """EAP-SIM with external GSM auth and replacing SIM and clearing pseudonym identity"""
    # external_sim is a global wpa_supplicant setting: reset it even when the
    # scenario raises so later test cases start from the default
    sta = dev[0]
    try:
        _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev)
    finally:
        sta.request("SET external_sim 0")

def _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
    """Scenario body for test_ap_wpa2_eap_sim_ext_replace_sim2.

    Like the replace_sim scenario, but the pseudonym (anonymous_identity) is
    cleared together with the identity change, so the second GSM-AUTH round
    for IMSI 232010000000009 must connect as well.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    sta = dev[0]

    def answer_gsm_auth(imsi):
        # Serve one CTRL-REQ-SIM GSM-AUTH request with the hlr_auc_gw tool
        ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        fields = ev.split(':', 2)
        if fields[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        rid = fields[0].split('-')[3]
        rand = fields[2].split(' ')[0]
        out = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                       "-m",
                                       "auth_serv/hlr_auc_gw.milenage_db",
                                       "GSM-AUTH-REQ " + imsi + " " + rand]).decode()
        if "GSM-AUTH-RESP" not in out:
            raise Exception("Unexpected hlr_auc_gw response")
        auth_resp = out.split(' ')[2].rstrip()
        sta.request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + auth_resp)

    sta.request("SET external_sim 1")
    netid = sta.connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    answer_gsm_auth("232010000000000")
    sta.wait_connected(timeout=15)
    sta.request("DISCONNECT")
    sta.wait_disconnected()

    # Replace SIM and drop the previous pseudonym identity
    sta.set_network_quoted(netid, "identity", "1232010000000009")
    sta.set_network(netid, "anonymous_identity", "NULL")
    sta.select_network(netid, freq="2412")
    answer_gsm_auth("232010000000009")
    sta.wait_connected()
    sta.request("DISCONNECT")
    sta.wait_disconnected()

def test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
    """EAP-SIM with external GSM auth, replacing SIM, and no identity in config"""
    # external_sim is a global wpa_supplicant setting: reset it even when the
    # scenario raises so later test cases start from the default
    sta = dev[0]
    try:
        _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev)
    finally:
        sta.request("SET external_sim 0")

def _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
    """Scenario body for test_ap_wpa2_eap_sim_ext_replace_sim3.

    No identity is configured in the network profile; wpa_supplicant asks for
    it with CTRL-REQ-IDENTITY before each GSM-AUTH round. Both rounds (IMSI
    ...000, then ...009 after clearing identity and anonymous_identity) must
    connect.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    sta = dev[0]

    def provide_identity(identity):
        # Answer the CTRL-REQ-IDENTITY prompt (no timeout: wait_event default)
        ev = sta.wait_event(["CTRL-REQ-IDENTITY"])
        if ev is None:
            raise Exception("Request for identity timed out")
        rid = ev.split(':')[0].split('-')[-1]
        sta.request("CTRL-RSP-IDENTITY-" + rid + ":" + identity)

    def answer_gsm_auth(imsi):
        # Serve one CTRL-REQ-SIM GSM-AUTH request with the hlr_auc_gw tool
        ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        fields = ev.split(':', 2)
        if fields[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        rid = fields[0].split('-')[3]
        rand = fields[2].split(' ')[0]
        out = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                       "-m",
                                       "auth_serv/hlr_auc_gw.milenage_db",
                                       "GSM-AUTH-REQ " + imsi + " " + rand]).decode()
        if "GSM-AUTH-RESP" not in out:
            raise Exception("Unexpected hlr_auc_gw response")
        auth_resp = out.split(' ')[2].rstrip()
        sta.request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + auth_resp)

    sta.request("SET external_sim 1")
    netid = sta.connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        wait_connect=False, scan_freq="2412")
    provide_identity("1232010000000000")
    answer_gsm_auth("232010000000000")
    sta.wait_connected(timeout=15)
    sta.request("DISCONNECT")
    sta.wait_disconnected()

    # Replace SIM and drop the previous permanent and pseudonym identities
    sta.set_network(netid, "identity", "NULL")
    sta.set_network(netid, "anonymous_identity", "NULL")
    sta.select_network(netid, freq="2412")
    provide_identity("1232010000000009")
    answer_gsm_auth("232010000000009")
    sta.wait_connected()
    sta.request("DISCONNECT")
    sta.wait_disconnected()

def test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
    """EAP-SIM with external GSM auth and auth failing"""
    # external_sim is a global wpa_supplicant setting: reset it even when the
    # scenario raises so later test cases start from the default
    sta = dev[0]
    try:
        _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev)
    finally:
        sta.request("SET external_sim 0")

def _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
    """Scenario body for test_ap_wpa2_eap_sim_ext_auth_fail.

    The external SIM handler answers the GSM-AUTH request with GSM-FAIL, so
    wpa_supplicant must report CTRL-EVENT-EAP-FAILURE within 5 seconds.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    sta = dev[0]
    sta.request("SET external_sim 1")
    sta.connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                identity="1232010000000000",
                wait_connect=False, scan_freq="2412")

    ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    rid = ev.split(':', 2)[0].split('-')[3]
    sta.request("CTRL-RSP-SIM-" + rid + ":GSM-FAIL")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5) is None:
        raise Exception("EAP failure not reported")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()

def test_ap_wpa2_eap_sim_change_bssid(dev, apdev):
    """EAP-SIM and external GSM auth to check fast reauth with bssid change"""
    # external_sim is a global wpa_supplicant setting: reset it even when the
    # scenario raises so later test cases start from the default
    sta = dev[0]
    try:
        _test_ap_wpa2_eap_sim_change_bssid(dev, apdev)
    finally:
        sta.request("SET external_sim 0")

def _test_ap_wpa2_eap_sim_change_bssid(dev, apdev):
    """Scenario body for test_ap_wpa2_eap_sim_change_bssid.

    After one full GSM-AUTH round answered with hlr_auc_gw, the profile's
    bssid is changed and EAP-SIM fast reauthentication must still work.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    sta = dev[0]

    def answer_gsm_auth(imsi):
        # Serve one CTRL-REQ-SIM GSM-AUTH request with the hlr_auc_gw tool
        ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        fields = ev.split(':', 2)
        if fields[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        rid = fields[0].split('-')[3]
        rand = fields[2].split(' ')[0]
        out = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                       "-m",
                                       "auth_serv/hlr_auc_gw.milenage_db",
                                       "GSM-AUTH-REQ " + imsi + " " + rand]).decode()
        if "GSM-AUTH-RESP" not in out:
            raise Exception("Unexpected hlr_auc_gw response")
        auth_resp = out.split(' ')[2].rstrip()
        sta.request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + auth_resp)

    sta.request("SET external_sim 1")
    netid = sta.connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    answer_gsm_auth("232010000000000")
    sta.wait_connected(timeout=15)

    # Verify that EAP-SIM Reauthentication can be used after a profile change
    # that does not affect EAP parameters.
    sta.set_network(netid, "bssid", "any")
    eap_reauth(sta, "SIM")

def test_ap_wpa2_eap_sim_no_change_set(dev, apdev):
    """EAP-SIM and external GSM auth to check fast reauth with no-change SET_NETWORK"""
    sta = dev[0]
    try:
        _test_ap_wpa2_eap_sim_no_change_set(dev, apdev)
    finally:
        # Global SET parameter; clear it even if the body raised so later
        # tests are not handed SIM requests through the control interface.
        sta.request("SET external_sim 0")

def _test_ap_wpa2_eap_sim_no_change_set(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_no_change_set; the caller restores external_sim."""
    check_hlr_auc_gw_support()
    sta = dev[0]
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta.request("SET external_sim 1")
    netid = sta.connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")

    # The GSM challenge arrives on the control interface as
    # CTRL-REQ-SIM-<id>:GSM-AUTH:<RAND ...>.
    ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    fields = ev.split(':', 2)
    if fields[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    req_id = fields[0].split('-')[3]
    rand = fields[2].split(' ')[0]

    # Ask hlr_auc_gw (test Milenage database) for the response; argument list
    # form, so no shell is involved.
    cmd = ["../../hostapd/hlr_auc_gw",
           "-m",
           "auth_serv/hlr_auc_gw.milenage_db",
           "GSM-AUTH-REQ 232010000000000 " + rand]
    res = subprocess.check_output(cmd).decode()
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()

    sta.request("CTRL-RSP-SIM-" + req_id + ":GSM-AUTH:" + resp)
    sta.wait_connected(timeout=15)

    # Verify that EAP-SIM Reauthentication can be used after network profile
    # SET_NETWORK commands that do not actually change previously set
    # parameter values.
    unchanged = [(sta.set_network, "key_mgmt", "WPA-EAP"),
                 (sta.set_network, "eap", "SIM"),
                 (sta.set_network_quoted, "identity", "1232010000000000"),
                 (sta.set_network_quoted, "ssid", "test-wpa2-eap")]
    for setter, field, value in unchanged:
        setter(netid, field, value)
    eap_reauth(sta, "SIM")

def test_ap_wpa2_eap_sim_oom(dev, apdev):
    """EAP-SIM and OOM"""
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    # Arm the failure hook for milenage_f2345 with trigger counts 1..12; each
    # round must get as far as selecting the EAP method and then lose the
    # association instead of completing authentication.
    for count in range(1, 13):
        with fail_test(sta, count, "milenage_f2345"):
            sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                        identity="1232010000000000",
                        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                        wait_connect=False, scan_freq="2412")
            ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            if ev is None:
                raise Exception("EAP method not selected")
            sta.wait_disconnected()
            sta.request("REMOVE_NETWORK all")

def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA"""
    check_hlr_auc_gw_support()
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Test-database Milenage credentials (K:OPc:SQN form, as used by the
    # hwsim auth server); successful full auth, data path and fast reauth.
    eap_connect(sta, hapd, "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "AKA")

    # Negative cases: (log label, remove the current profile first, password).
    # The passwords are deliberately broken - wrong key, truncated value,
    # non-hex characters in each field, wrong separator - and every case must
    # end in an EAP failure. Order and REMOVE_NETWORK placement are kept
    # exactly as in the original sequence.
    negative = [
        ("Negative test with incorrect key", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a"),
        ("Invalid Milenage key(2)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key(3)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123"),
        ("Invalid Milenage key(4)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q"),
        ("Invalid Milenage key(5)", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123"),
        ("Invalid Milenage key(6)", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123"),
    ]
    for label, remove_first, bad_password in negative:
        logger.info(label)
        if remove_first:
            sta.request("REMOVE_NETWORK all")
        eap_connect(sta, hapd, "AKA", "0232010000000000",
                    password=bad_password, expect_failure=True)

    # No password at all: the method cannot derive anything and must fail.
    logger.info("Missing key configuration")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "AKA", "0232010000000000",
                expect_failure=True)

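def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)"""
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    # `params` is the framework fixture (provides logdir); hostapd.db is the
    # EAP server's SQLite state holding the 'reauth' and 'pseudonyms' tables
    # that the test manipulates directly below.
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    try:
        # Separate name for the AP configuration so the fixture dict is not
        # shadowed.
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        # NOTE(review): port 1814 is presumably the auth server instance that
        # is backed by the SQLite database - confirm against the server config.
        ap_params['auth_server_port'] = "1814"
        hapd = hostapd.add_ap(apdev[0], ap_params)
        sta = dev[0]
        milenage = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
        eap_connect(sta, hapd, "AKA", "0232010000000000", password=milenage)

        logger.info("AKA fast re-authentication")
        eap_reauth(sta, "AKA")

        # Dropping the server-side reauth state forces a full authentication,
        # which can still use the stored pseudonym.
        logger.info("AKA full auth with pseudonym")
        with con:
            cur = con.cursor()
            cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
        eap_reauth(sta, "AKA")

        # Dropping the pseudonym as well forces the permanent identity.
        logger.info("AKA full auth with permanent identity")
        with con:
            cur = con.cursor()
            cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
            cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
        eap_reauth(sta, "AKA")

        # Corrupting the stored master key must make fast reauth fail.
        logger.info("AKA reauth with mismatching MK")
        with con:
            cur = con.cursor()
            cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
        eap_reauth(sta, "AKA", expect_failure=True)
        sta.request("REMOVE_NETWORK all")

        eap_connect(sta, hapd, "AKA", "0232010000000000", password=milenage)
        with con:
            cur = con.cursor()
            cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
        eap_reauth(sta, "AKA")
        with con:
            cur = con.cursor()
            cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
        logger.info("AKA reauth with mismatching counter")
        eap_reauth(sta, "AKA")
        sta.request("REMOVE_NETWORK all")

        eap_connect(sta, hapd, "AKA", "0232010000000000", password=milenage)
        with con:
            cur = con.cursor()
            cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
        logger.info("AKA reauth with max reauth count reached")
        eap_reauth(sta, "AKA")
    finally:
        # 'with con:' only scopes a transaction; it does not close the
        # connection, so do that explicitly to avoid leaking the handle.
        con.close()
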
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    # Exercise the anonymous_identity option together with the regular
    # Milenage credentials; the connection is expected to succeed.
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                anonymous_identity="2345678")

def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
    sta = dev[0]
    try:
        _test_ap_wpa2_eap_aka_ext(dev, apdev)
    finally:
        # Always restore the global external_sim setting for later tests.
        sta.request("SET external_sim 0")

def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_ext; the caller restores external_sim."""
    check_hlr_auc_gw_support()
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]

    def wait_umts_auth_req():
        """Wait for a CTRL-REQ-SIM of type UMTS-AUTH and return its request id."""
        ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        fields = ev.split(':', 2)
        if fields[1] != "UMTS-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return fields[0].split('-')[3]

    def expect_failure_then_disconnect():
        """Require an EAP failure, then tear down and drain the event queue."""
        ev = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        if ev is None:
            raise Exception("EAP failure not reported")
        sta.request("DISCONNECT")
        sta.wait_disconnected()
        time.sleep(0.1)
        sta.dump_monitor()

    sta.request("SET external_sim 1")
    netid = sta.connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                        identity="0232010000000000",
                        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                        wait_connect=False, scan_freq="2412")
    ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:
        raise Exception("Network connected timed out")

    # Round 1: answer a UMTS-AUTH request with a GSM-AUTH response carrying
    # IK:CK:RES. The ctrl_iface command itself is accepted; EAP processing
    # then fails.
    req_id = wait_umts_auth_req()
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    sta.request("CTRL-RSP-SIM-" + req_id + ":GSM-AUTH:" + resp)
    expect_failure_then_disconnect()

    # Round 2: two UMTS-AUTS (resynchronization) responses in a row, the
    # second one too short; both fail during UMTS auth validation.
    sta.select_network(netid, freq="2412")
    req_id = wait_umts_auth_req()
    if "OK" not in sta.request("CTRL-RSP-SIM-" + req_id + ":UMTS-AUTS:112233445566778899aabbccddee"):
        raise Exception("CTRL-RSP-SIM failed")
    req_id = wait_umts_auth_req()
    if "OK" not in sta.request("CTRL-RSP-SIM-" + req_id + ":UMTS-AUTS:12"):
        raise Exception("CTRL-RSP-SIM failed")
    expect_failure_then_disconnect()

    # Round 3: malformed UMTS-AUTH responses (bad length, wrong separator,
    # non-hex character); each is accepted by ctrl_iface but fails validation.
    malformed = [":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
                 ":UMTS-AUTH:34",
                 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
                 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
                 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
                 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
                 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q"]
    for suffix in malformed:
        sta.select_network(netid, freq="2412")
        req_id = wait_umts_auth_req()
        if "OK" not in sta.request("CTRL-RSP-SIM-" + req_id + suffix):
            raise Exception("CTRL-RSP-SIM failed")
        expect_failure_then_disconnect()

def test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    """EAP-AKA with external UMTS auth and auth failing"""
    sta = dev[0]
    try:
        _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev)
    finally:
        # Global SET parameter; restore it regardless of the outcome.
        sta.request("SET external_sim 0")

def _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_ext_auth_fail; the caller restores external_sim."""
    check_hlr_auc_gw_support()
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    sta.request("SET external_sim 1")
    sta.connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                identity="0232010000000000",
                wait_connect=False, scan_freq="2412")

    # Let the external SIM report UMTS-FAIL for the first request and make
    # sure the EAP failure is surfaced within 5 s.
    ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    req_id = ev.split(':', 2)[0].split('-')[3]
    sta.request("CTRL-RSP-SIM-" + req_id + ":UMTS-FAIL")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5) is None:
        raise Exception("EAP failure not reported")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()

def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'"""
    check_hlr_auc_gw_support()
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Test-database Milenage credentials for the AKA' user.
    good_key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    eap_connect(sta, hapd, "AKA'", "6555444333222111", password=good_key)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "AKA'")

    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    # Second station enables both AKA' and AKA; the "@both" realm presumably
    # maps to a server user allowed both methods (see auth server config).
    # The connection must still complete, i.e. the weaker method is not
    # forced on the peer.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity="6555444333222111@both",
                   password=good_key,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    logger.info("Negative test with incorrect key")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "AKA'", "6555444333222111",
                password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                expect_failure=True)

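def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    # `params` is the framework fixture (provides logdir); hostapd.db is the
    # EAP server's SQLite state with the 'reauth' and 'pseudonyms' tables.
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    try:
        # Separate name for the AP configuration so the fixture dict is not
        # shadowed.
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        # NOTE(review): port 1814 is presumably the auth server instance that
        # is backed by the SQLite database - confirm against the server config.
        ap_params['auth_server_port'] = "1814"
        hapd = hostapd.add_ap(apdev[0], ap_params)
        sta = dev[0]
        milenage = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
        eap_connect(sta, hapd, "AKA'", "6555444333222111", password=milenage)

        logger.info("AKA' fast re-authentication")
        eap_reauth(sta, "AKA'")

        # Removing the reauth state forces a full authentication that can
        # still use the stored pseudonym.
        logger.info("AKA' full auth with pseudonym")
        with con:
            cur = con.cursor()
            cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
        eap_reauth(sta, "AKA'")

        # Removing the pseudonym as well forces the permanent identity.
        logger.info("AKA' full auth with permanent identity")
        with con:
            cur = con.cursor()
            cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
            cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
        eap_reauth(sta, "AKA'")

        # A corrupted stored K_aut must make fast reauth fail.
        logger.info("AKA' reauth with mismatching k_aut")
        with con:
            cur = con.cursor()
            cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
        eap_reauth(sta, "AKA'", expect_failure=True)
        sta.request("REMOVE_NETWORK all")

        eap_connect(sta, hapd, "AKA'", "6555444333222111", password=milenage)
        with con:
            cur = con.cursor()
            cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
        eap_reauth(sta, "AKA'")
        with con:
            cur = con.cursor()
            cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
        logger.info("AKA' reauth with mismatching counter")
        eap_reauth(sta, "AKA'")
        sta.request("REMOVE_NETWORK all")

        eap_connect(sta, hapd, "AKA'", "6555444333222111", password=milenage)
        with con:
            cur = con.cursor()
            cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
        logger.info("AKA' reauth with max reauth count reached")
        eap_reauth(sta, "AKA'")
    finally:
        # 'with con:' only scopes a transaction; close the connection so the
        # handle on hostapd.db is not leaked across tests.
        con.close()
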
def test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    """EAP-AKA' with external UMTS auth and auth failing"""
    sta = dev[0]
    try:
        _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev)
    finally:
        # Global SET parameter; restore it regardless of the outcome.
        sta.request("SET external_sim 0")

def _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_prime_ext_auth_fail; the caller restores external_sim."""
    check_hlr_auc_gw_support()
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    sta.request("SET external_sim 1")
    sta.connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
                identity="6555444333222111",
                wait_connect=False, scan_freq="2412")

    # Report UMTS-FAIL from the "external SIM" and require that the EAP
    # failure is surfaced within 5 s.
    ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    req_id = ev.split(':', 2)[0].split('-')[3]
    sta.request("CTRL-RSP-SIM-" + req_id + ":UMTS-FAIL")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5) is None:
        raise Exception("EAP failure not reported")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()

def test_ap_wpa2_eap_aka_prime_ext(dev, apdev):
    """EAP-AKA' with external UMTS auth to hit Synchronization-Failure"""
    sta = dev[0]
    try:
        _test_ap_wpa2_eap_aka_prime_ext(dev, apdev)
    finally:
        # Global SET parameter; restore it regardless of the outcome.
        sta.request("SET external_sim 0")

def _test_ap_wpa2_eap_aka_prime_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_prime_ext; the caller restores external_sim."""
    check_hlr_auc_gw_support()
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    sta.request("SET external_sim 1")
    sta.connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
                identity="6555444333222111",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                wait_connect=False, scan_freq="2412")
    if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("Network connected timed out")

    ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    fields = ev.split(':', 2)
    if fields[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    req_id = fields[0].split('-')[3]
    # Answer with UMTS-AUTS (resynchronization); the command is accepted but
    # validation fails, and the server is expected to issue another
    # UMTS-AUTH request. The test ends once that second request is seen.
    if "OK" not in sta.request("CTRL-RSP-SIM-" + req_id + ":UMTS-AUTS:112233445566778899aabbccddee"):
        raise Exception("CTRL-RSP-SIM failed")
    if sta.wait_event(["CTRL-REQ-SIM"], timeout=15) is None:
        raise Exception("Wait for external SIM processing request timed out")

def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Sanity check: GET_CONFIG must report WPA-EAP as the first key_mgmt.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm, _, _ = key_mgmt.partition(' ')
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # Server certificate is validated against auth_serv/ca.pem; PAP sends the
    # password only inside the TLS tunnel.
    eap_connect(sta, hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
    # 00-0f-ac-1 is the IEEE 802.1X AKM suite selector.
    check_mib(sta, [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")])

def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    sta = dev[0]
    # Both matching options depend on the TLS library in the build.
    check_subject_match_support(sta)
    check_altsubject_match_support(sta)
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Pin the server certificate's subject and SAN entries in addition to the
    # CA check; the connection must still succeed with the test certificate.
    eap_connect(sta, hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_reauth(sta, "TTLS")

def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong password for a valid user, and the right password for a user the
    # PAP backend does not know: both must be rejected.
    cases = [(dev[0], "pap user", "wrong"),
             (dev[1], "user", "password")]
    for sta, identity, pw in cases:
        eap_connect(sta, hapd, "TTLS", identity,
                    anonymous_identity="ttls", password=pw,
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                    expect_failure=True)

def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    sta = dev[0]
    # CHAP relies on MD5, which is unavailable in FIPS mode.
    skip_with_fips(sta)
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # DER-encoded CA certificate variant of the trust anchor.
    eap_connect(sta, hapd, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")

def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and altsubject_match"""
    sta = dev[0]
    skip_with_fips(sta)
    check_altsubject_match_support(sta)
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # altsubject_match entries are given in a different order than in the
    # PAP variant; matching must not depend on the order.
    eap_connect(sta, hapd, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
    eap_reauth(sta, "TTLS")

def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong password for a valid user, then a valid password for an unknown
    # CHAP user; both must fail.
    cases = [(dev[0], "chap user", "wrong"),
             (dev[1], "user", "password")]
    for sta, identity, pw in cases:
        eap_connect(sta, hapd, "TTLS", identity,
                    anonymous_identity="ttls", password=pw,
                    ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                    expect_failure=True)

def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    sta = dev[0]
    skip_with_fips(sta)
    check_domain_suffix_match(sta)
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAP")

    # Full auth with domain_suffix_match on the server certificate, then
    # fast reauth.
    eap_connect(sta, hapd, "TTLS", "mschap user", password="password",
                domain_suffix_match="server.w1.fi", **common)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")

    # Same credentials with a small EAP fragment size to force fragmentation.
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "TTLS", "mschap user", password="password",
                fragment_size="200", **common)

    # Password given as the NT hash instead of the cleartext string.
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
    eap_connect(sta, hapd, "TTLS", "mschap user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **common)

def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong password, valid password for a user without MSCHAP credentials,
    # and an identity the server does not know; all three must fail.
    cases = [(dev[0], "mschap user", "wrong"),
             (dev[1], "user", "password"),
             (dev[2], "no such user", "password")]
    for sta, identity, pw in cases:
        eap_connect(sta, hapd, "TTLS", identity,
                    anonymous_identity="ttls", password=pw,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                    expect_failure=True)

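def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Backslash escaped: "\m" is not a valid escape sequence and newer Python
    # versions warn about it; the identity value is unchanged.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # Snapshot the AP-side STA and EAPOL counters, reauthenticate, and check
    # the counters moved. authAuthEapStartsWhileAuthenticated is checked as
    # an absolute value (>= 1), not as an increase.
    sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # Same user, password supplied as the NT hash.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
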
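def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
    """EAP-TTLS with invalid phase2 parameter values"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # Each value is malformed in a different way: wrong case, conflicting
    # auth/autheap, duplicated auth, unknown method name. EAP-TTLS must be
    # started (method=21) and then fail to initialize instead of connecting.
    tests = ["auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
             "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
             "autheap=MD5 autheap=FOO autheap=MSCHAPV2"]
    for t in tests:
        # Backslash escaped: "\m" is not a valid escape sequence and newer
        # Python versions warn about it; the identity value is unchanged.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\\mschapv2 user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2=t,
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
        if ev is None or "method=21" not in ev:
            raise Exception("EAP-TTLS not started")
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method",
                                "CTRL-EVENT-CONNECTED"], timeout=5)
        if ev is None or "CTRL-EVENT-CONNECTED" in ev:
            raise Exception("No EAP-TTLS failure reported for phase2=" + t)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()
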
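def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_suffix_match)"""
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # domain_suffix_match uses only the parent domain ("w1.fi"), which must
    # still accept the server.w1.fi certificate. Backslash escaped: "\m" is
    # not a valid escape sequence and newer Python versions warn about it;
    # the identity value is unchanged.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
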
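def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Full-domain match with mixed case ("Server.w1.fi") against the
    # server.w1.fi certificate. Backslash escaped: "\m" is not a valid escape
    # sequence and newer Python versions warn about it; the identity value
    # is unchanged.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
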
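def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Wrong password for a valid user. Backslash escaped: "\m" is not a valid
    # escape sequence and newer Python versions warn about it; the identity
    # value is unchanged.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
    # Valid password for a user the MSCHAPv2 backend does not serve.
    eap_connect(dev[1], hapd, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
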
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")
    # Cleartext non-ASCII password.
    eap_connect(dev[0], hapd, "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **common)
    # Same kind of credential supplied as a pre-computed hash instead.
    eap_connect(dev[1], hapd, "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf", **common)
    # Malformed password_hex values must make EAP fail rather than be used
    # as-is (presumably invalid UTF-8 byte sequences and an over-long value).
    for bogus in ["80", "41c041e04141e041", 257 * "41"]:
        dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="utf8-user-hash", password_hex=bogus,
                       wait_connect=False, scan_freq="2412", **common)
        if dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1) is None:
            raise Exception("No failure reported")
        dev[2].request("REMOVE_NETWORK all")
        dev[2].wait_disconnected()
eac67440 1477
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    # Inner EAP-GTC (autheap=) over the TTLS tunnel, then data path and
    # re-authentication.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net = dict(anonymous_identity="ttls", password="password",
               ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], hapd, "TTLS", "user", **net)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
9626962d 1487
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    # Negative case: a wrong GTC password must end in EAP failure.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net = dict(anonymous_identity="ttls", password="wrong",
               ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
               expect_failure=True)
    eap_connect(dev[0], hapd, "TTLS", "user", **net)
1496
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    # Negative case: a user with no server-side password must not be able to
    # authenticate, whatever the client supplies.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net = dict(anonymous_identity="ttls", password="password",
               ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
               expect_failure=True)
    eap_connect(dev[0], hapd, "TTLS", "user-no-passwd", **net)
1505
def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
    hapd = hostapd.add_ap(apdev[0], int_eap_server_params())
    creds = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")

    def poll_alloc_fail_consumed():
        # The attempt would eventually time out on its own; stop as soon as
        # the forced allocation failure has been hit.
        for _ in range(20):
            time.sleep(0.1)
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                break

    # Server fails to allocate the GTC method state: clean EAP failure.
    with alloc_fail(hapd, 1, "eap_gtc_init"):
        eap_connect(dev[0], hapd, "TTLS", "user", expect_failure=True, **creds)
    dev[0].request("REMOVE_NETWORK all")

    # Server fails while building the GTC request.
    with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       wait_connect=False, scan_freq="2412", **creds)
        poll_alloc_fail_consumed()
1529
def test_ap_wpa2_eap_ttls_eap_gtc_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC (OOM)"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Client-side allocation failures inside the inner GTC method; each one
    # must be reached and survived without a crash.
    for fail_at in ("eap_gtc_init", "eap_msg_alloc;eap_gtc_process"):
        with alloc_fail(dev[0], 1, fail_at):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           scan_freq="2412",
                           eap="TTLS", identity="user",
                           anonymous_identity="ttls", password="password",
                           ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                           wait_connect=False)
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
1548
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    # EAP-MD5 is only acceptable here because it runs inside the TTLS tunnel.
    check_eap_capa(dev[0], "MD5")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net = dict(anonymous_identity="ttls", password="password",
               ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], hapd, "TTLS", "user", **net)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
9626962d 1559
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong inner password must be rejected.
    net = dict(anonymous_identity="ttls", password="wrong",
               ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
               expect_failure=True)
    eap_connect(dev[0], hapd, "TTLS", "user", **net)
1569
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # User without a server-side password must fail regardless of what the
    # client offers.
    net = dict(anonymous_identity="ttls", password="password",
               ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
               expect_failure=True)
    eap_connect(dev[0], hapd, "TTLS", "user-no-passwd", **net)
1579
def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
    check_eap_capa(dev[0], "MD5")
    hapd = hostapd.add_ap(apdev[0], int_eap_server_params())
    creds = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")

    def poll_alloc_fail_consumed():
        # The attempt would eventually time out on its own; stop as soon as
        # the forced allocation failure has been hit.
        for _ in range(20):
            time.sleep(0.1)
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                break

    # Server fails to allocate the MD5 method state: clean EAP failure.
    with alloc_fail(hapd, 1, "eap_md5_init"):
        eap_connect(dev[0], hapd, "TTLS", "user", expect_failure=True, **creds)
    dev[0].request("REMOVE_NETWORK all")

    # Server fails while building the MD5 challenge.
    with alloc_fail(hapd, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       wait_connect=False, scan_freq="2412", **creds)
        poll_alloc_fail_consumed()
1604
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    base = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="autheap=MSCHAPV2")
    # Positive path: inner EAP-MSCHAPv2, data connectivity, re-authentication.
    eap_connect(dev[0], hapd, "TTLS", "user", password="password", **base)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "TTLS", "user", password="password1",
                expect_failure=True, **base)
1622
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # User without a server-side password must not authenticate.
    net = dict(anonymous_identity="ttls", password="password",
               ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
               expect_failure=True)
    eap_connect(dev[0], hapd, "TTLS", "user-no-passwd", **net)
1632
def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0], int_eap_server_params())
    base = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="autheap=MSCHAPV2")

    # Server fails to allocate the MSCHAPv2 method state: clean EAP failure.
    with alloc_fail(hapd, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], hapd, "TTLS", "user", password="password",
                    expect_failure=True, **base)
    dev[0].request("REMOVE_NETWORK all")

    def connect_until_alloc_fail(fail_at, password):
        # Start an attempt that would eventually time out; stop polling as
        # soon as the forced allocation failure has been consumed.
        with alloc_fail(hapd, 1, fail_at):
            dev[0].connect("test-wpa2-eap",
                           key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="TTLS", identity="user", password=password,
                           wait_connect=False, scan_freq="2412", **base)
            for _ in range(20):
                time.sleep(0.1)
                if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                    break
            dev[0].request("REMOVE_NETWORK all")

    # Challenge, success request (correct password) and failure request
    # (wrong password) construction paths on the server.
    connect_until_alloc_fail("eap_mschapv2_build_challenge", "password")
    connect_until_alloc_fail("eap_mschapv2_build_success_req", "password")
    connect_until_alloc_fail("eap_mschapv2_build_failure_req", "wrong")
1686
def test_ap_wpa2_eap_ttls_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM"""
    # EAP-SIM as the inner method; the password carries the Milenage
    # test-vector material (Ki:OPc) for the simulated SIM.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sim = dict(anonymous_identity="1232010000000000@ttls",
               password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
               ca_cert="auth_serv/ca.pem", phase2="autheap=SIM")
    eap_connect(dev[0], hapd, "TTLS", "1232010000000000", **sim)
    eap_reauth(dev[0], "TTLS")
1696
def run_ext_sim_auth(dev):
    """Serve one external GSM-AUTH request for dev and verify reauthentication.

    The supplicant (external_sim=1) asks via CTRL-REQ-SIM for the SIM
    computation; this answers it with hlr_auc_gw acting as the SIM.
    """
    ev = dev.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    fields = ev.split(':', 2)
    if fields[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    req_id = fields[0].split('-')[3]
    rand = fields[2].split(' ')[0]

    # List form (no shell): rand is taken from the supplicant event and must
    # never be interpolated into a shell command line.
    output = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                      "-m",
                                      "auth_serv/hlr_auc_gw.milenage_db",
                                      "GSM-AUTH-REQ 232010000000000 " + rand]).decode()
    if "GSM-AUTH-RESP" not in output:
        raise Exception("Unexpected hlr_auc_gw response")
    answer = output.split(' ')[2].rstrip()

    dev.request("CTRL-RSP-SIM-" + req_id + ":GSM-AUTH:" + answer)
    dev.wait_connected(timeout=15)

    # Fast re-authentication must not need another external SIM round trip.
    dev.dump_monitor()
    dev.request("REAUTHENTICATE")
    if dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=5) is None:
        raise Exception("EAP reauthentication did not succeed")
    if dev.wait_event(["WPA: Key negotiation completed"], timeout=5) is None:
        raise Exception("Key negotiation did not complete")
    dev.dump_monitor()
1727
def test_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    # Always switch external_sim back off, otherwise later tests on dev[0]
    # would block waiting for a CTRL-REQ-SIM answer.
    try:
        run_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
1735
def run_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev):
    # Body of the TTLS/EAP-SIM external-SIM test; the caller restores
    # external_sim=0.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    net = dict(identity="1232010000000000",
               anonymous_identity="1232010000000000@ttls",
               password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
               ca_cert="auth_serv/ca.pem", phase2="autheap=SIM",
               wait_connect=False, scan_freq="2412")
    dev[0].connect("test-wpa2-eap", eap="TTLS", key_mgmt="WPA-EAP", **net)
    run_ext_sim_auth(dev[0])
1747
def test_ap_wpa2_eap_peap_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM"""
    # EAP-SIM tunneled in PEAP; password carries the Milenage Ki:OPc pair.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sim = dict(anonymous_identity="1232010000000000@peap",
               password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
               ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
    eap_connect(dev[0], hapd, "PEAP", "1232010000000000", **sim)
    eap_reauth(dev[0], "PEAP")
1757
def test_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    # external_sim must be reset even on failure so later tests do not hang.
    try:
        run_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
1765
def run_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev):
    # Body of the PEAP/EAP-SIM external-SIM test; the caller restores
    # external_sim=0.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    net = dict(identity="1232010000000000",
               anonymous_identity="1232010000000000@peap",
               password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
               ca_cert="auth_serv/ca.pem", phase2="auth=SIM",
               wait_connect=False, scan_freq="2412")
    dev[0].connect("test-wpa2-eap", eap="PEAP", key_mgmt="WPA-EAP", **net)
    run_ext_sim_auth(dev[0])
1777
def test_ap_wpa2_eap_fast_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-SIM"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=2 = authenticated PAC provisioning (server cert is
    # validated against ca_cert); the PAC is kept in a config blob.
    fast = dict(anonymous_identity="1232010000000000@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_sim",
                ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
    eap_connect(dev[0], hapd, "FAST", "1232010000000000", **fast)
    eap_reauth(dev[0], "FAST")
1790
def test_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    # external_sim must be reset even on failure so later tests do not hang.
    try:
        run_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
1798
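def run_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev):
    # Body of the EAP-FAST/EAP-SIM external-SIM test; the caller restores
    # external_sim=0.
    #
    # Previously this connected with eap="PEAP" and a "@peap" outer identity
    # (copy-paste from the PEAP variant), so the FAST-only phase1/pac_file
    # parameters were ignored and no EAP-FAST exchange was exercised at all.
    # Mirror test_ap_wpa2_eap_fast_eap_sim instead, including its build check.
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    dev[0].connect("test-wpa2-eap", eap="FAST", key_mgmt="WPA-EAP",
                   identity="1232010000000000",
                   anonymous_identity="1232010000000000@fast",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   phase1="fast_provisioning=2",
                   pac_file="blob://fast_pac_auth_sim",
                   ca_cert="auth_serv/ca.pem", phase2="auth=SIM",
                   wait_connect=False, scan_freq="2412")
    run_ext_sim_auth(dev[0])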
1812
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    # Inner EAP-AKA; the password carries Ki:OPc:SQN for the simulated USIM.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    aka = dict(anonymous_identity="0232010000000000@ttls",
               password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
               ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
    eap_connect(dev[0], hapd, "TTLS", "0232010000000000", **aka)
    eap_reauth(dev[0], "TTLS")
1822
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    # EAP-AKA tunneled in PEAP; password carries Ki:OPc:SQN.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    aka = dict(anonymous_identity="0232010000000000@peap",
               password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
               ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_connect(dev[0], hapd, "PEAP", "0232010000000000", **aka)
    eap_reauth(dev[0], "PEAP")
1832
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Authenticated PAC provisioning (fast_provisioning=2) with the PAC kept
    # in a config blob; EAP-AKA as the inner method.
    fast = dict(anonymous_identity="0232010000000000@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_connect(dev[0], hapd, "FAST", "0232010000000000", **fast)
    eap_reauth(dev[0], "FAST")
95fb531c 1845
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    base = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2")

    # Baseline: connect, pass traffic, re-authenticate.
    eap_connect(dev[0], hapd, "PEAP", "user", password="password", **base)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    # Small EAP fragment size to force TLS fragmentation/reassembly.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "PEAP", "user", password="password",
                fragment_size="200", **base)

    # Credential supplied as a pre-computed hash rather than cleartext.
    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **base)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "PEAP", "user", password="password1",
                expect_failure=True, **base)
1875
def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Windows-style DOMAIN\user identity (raw string keeps the backslash
    # literal).
    net = dict(anonymous_identity="peap", password="password",
               ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[0], hapd, "PEAP", r"DOMAIN\user3", **net)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")
1886
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong inner password must be rejected.
    net = dict(anonymous_identity="peap", password="wrong",
               ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
               expect_failure=True)
    eap_connect(dev[0], hapd, "PEAP", "user", **net)
1896
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    base = dict(password="password", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2")

    def phase1_for(binding):
        return "peapver=0 crypto_binding=%d" % binding

    # crypto_binding=2 (required) is the strict setting; it also gets the
    # connectivity and re-authentication checks.
    eap_connect(dev[0], hapd, "PEAP", "user", phase1=phase1_for(2), **base)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    # crypto_binding=1 (optional) and crypto_binding=0 (disabled) must still
    # interoperate with the same server; 0 is only appropriate in a test.
    eap_connect(dev[1], hapd, "PEAP", "user", phase1=phase1_for(1), **base)
    eap_connect(dev[2], hapd, "PEAP", "user", phase1=phase1_for(0), **base)
1917
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0], int_eap_server_params())
    # Server cannot derive the inner-method key needed for crypto binding;
    # with binding required (=2) the client must fail locally.
    net = dict(password="password", ca_cert="auth_serv/ca.pem",
               phase1="peapver=0 crypto_binding=2", phase2="auth=MSCHAPV2",
               expect_failure=True, local_error_report=True)
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], hapd, "PEAP", "user", **net)
1929
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    creds = dict(anonymous_identity="peap", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    def connect_no_wait(phase1):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", phase1=phase1,
                       wait_connect=False, scan_freq="2412", **creds)

    def expect_eap_success():
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15) is None:
            raise Exception("No EAP success seen")

    # peaplabel=1 with PEAPv0 derives keys with the wrong label: must fail.
    eap_connect(dev[0], hapd, "PEAP", "user", phase1="peapver=0 peaplabel=1",
                expect_failure=True, **creds)
    dev[0].request("REMOVE_NETWORK all")

    # peap_outer_success=0: EAP succeeds but the association never completes.
    connect_no_wait("peap_outer_success=0")
    expect_eap_success()
    # This won't succeed to connect with peap_outer_success=0, so stop here.
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # The other two outer-success modes connect normally.
    for station, mode in ((dev[1], "peap_outer_success=1"),
                          (dev[2], "peap_outer_success=2")):
        eap_connect(station, hapd, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem", phase1=mode,
                    phase2="auth=MSCHAPV2")

    # PEAPv1 with peaplabel=1: EAP success, but no connection within 1 s.
    connect_no_wait("peapver=1 peaplabel=1")
    expect_eap_success()
    if dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1) is not None:
        raise Exception("Unexpected connection")

    # The anonymous identity selects the server-side PEAP version; the
    # client's peapver (unset or matching) must interoperate...
    compatible = [("peap-ver0", ""),
                  ("peap-ver1", ""),
                  ("peap-ver0", "peapver=0"),
                  ("peap-ver1", "peapver=1")]
    for anon, phase1 in compatible:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       scan_freq="2412")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # ...while a forced mismatch must end in EAP-Failure.
    mismatched = [("peap-ver0", "peapver=1"),
                  ("peap-ver1", "peapver=0")]
    for anon, phase1 in mismatched:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("No EAP-Failure seen")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Deliberately permissive TLS knobs (MD5 allowed, TLS 1.0/1.1 enabled,
    # external cert check off). This only verifies the parameters are parsed
    # and accepted; it is not a configuration to copy into production.
    eap_connect(dev[0], hapd, "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
                phase2="auth=MSCHAPV2")
2005
def test_ap_wpa2_eap_peap_eap_gtc(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-GTC"""
    # Note: the runner's `params` argument is unused here; the AP config is
    # built locally. EAP-GTC over PEAPv1.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net = dict(phase1="peapver=1", anonymous_identity="peap",
               password="password", ca_cert="auth_serv/ca.pem",
               phase2="auth=GTC")
    eap_connect(dev[0], hapd, "PEAP", "user", **net)
2013
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Client certificate authentication inside the PEAP tunnel: the *2
    # parameters configure the inner (phase 2) TLS.
    inner = dict(ca_cert2="auth_serv/ca.pem",
                 client_cert2="auth_serv/user.pem",
                 private_key2="auth_serv/user.key")
    eap_connect(dev[0], hapd, "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner)
    eap_reauth(dev[0], "PEAP")
2023 eap_reauth(dev[0], "PEAP")
2024
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    # Plain EAP-TLS with a PEM certificate and an unencrypted PEM key.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    cert = dict(ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    eap_connect(dev[0], hapd, "TLS", "tls user", **cert)
    eap_reauth(dev[0], "TLS")
e114c49c 2033
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
    # Password-protected PKCS#8 key (PKCS#5 v2 / 3DES); the passphrase is
    # supplied up front via private_key_passwd.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    cert = dict(ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key.pkcs8",
                private_key_passwd="whatever")
    eap_connect(dev[0], hapd, "TLS", "tls user", **cert)
2042
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
    # Legacy PKCS#5 v1.5 key encryption; skipped where the TLS library no
    # longer supports it.
    check_pkcs5_v15_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    cert = dict(ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                private_key_passwd="whatever")
    eap_connect(dev[0], hapd, "TLS", "tls user", **cert)
2052
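def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    # CA cert, client cert and private key are handed to wpa_supplicant as
    # in-memory config blobs (hex over the control interface) instead of
    # file paths.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    def set_blob(name, data):
        # Error message names the blob that actually failed; the original
        # reported "cacert" for the userkey blob too.
        cmd = "SET blob " + name + " " + binascii.hexlify(data).decode()
        if "OK" not in dev[0].request(cmd):
            raise Exception("Could not set " + name + " blob")

    set_blob("cacert", read_pem("auth_serv/ca.pem"))
    set_blob("usercert", read_pem("auth_serv/user.pem"))
    set_blob("userkey", read_pem("auth_serv/user.rsa-key"))
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")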
2069
def test_ap_wpa2_eap_tls_blob_missing(dev, apdev):
    """EAP-TLS and config blob missing"""
    # Referencing blobs that were never set must fail at EAP method init,
    # before any handshake, rather than proceed with empty credentials.
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    missing = "blob://testing-blob-does-not-exist"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert=missing, client_cert=missing, private_key=missing,
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
                           timeout=10)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
2085
def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
    """EAP-TLS and TLS Message Length in unfragmented packets"""
    # include_tls_length=1 makes the client send the TLS Message Length field
    # even when no fragmentation is needed.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    cert = dict(ca_cert="auth_serv/ca.pem",
                phase1="include_tls_length=1",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    eap_connect(dev[0], hapd, "TLS", "tls user", **cert)
2094
def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    check_pkcs12_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def reset():
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Certificate and key from one PKCS#12 bundle, passphrase configured.
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    reset()

    # Same bundle without a configured passphrase: wpa_supplicant must ask
    # for it over the control interface and accept the answer.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    if ev is None:
        raise Exception("Request for private key passphrase timed out")
    req_id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + req_id + ":whatever")
    dev[0].wait_connected(timeout=10)
    reset()

    # Run this twice to verify certificate chain handling with OpenSSL. Use two
    # different files to cover both cases of the extra certificate being the
    # one that signed the client certificate and it being unrelated to the
    # client certificate.
    for bundle in ("auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12"):
        for _ in range(2):
            eap_connect(dev[0], hapd, "TLS", "tls user",
                        ca_cert="auth_serv/ca.pem",
                        private_key=bundle,
                        private_key_passwd="whatever")
            reset()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    check_pkcs12_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def set_blob(name, data):
        # Blobs travel over the control interface as a hex string.
        cmd = "SET blob %s %s" % (name, binascii.hexlify(data).decode())
        return "OK" in dev[0].request(cmd)

    if not set_blob("cacert", read_pem("auth_serv/ca.pem")):
        raise Exception("Could not set cacert blob")
    with open("auth_serv/user.pkcs12", "rb") as f:
        if not set_blob("pkcs12", f.read()):
            raise Exception("Could not set pkcs12 blob")
    # Both the trust anchor and the client credential now come from blobs.
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
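def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    # dev[0] gets the wrong CA through a config blob, dev[1] through a file.
    # Both must reject the server certificate, fail EAP, disconnect and end
    # up with the network block temporarily disabled.
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + binascii.hexlify(cert).decode()):
        raise Exception("Could not set cacert blob")
    # "\\" is a literal backslash; "\m" was an invalid escape sequence.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="blob://cacert",
                   wait_connect=False, scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca-incorrect.pem",
                   wait_connect=False, scan_freq="2412")

    def expect(sta, events, msg, timeout=10):
        # Wait for one of *events* on *sta*; fail the test with *msg* on
        # timeout and return the event text otherwise.
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(msg)
        return ev

    # Loop variable is 'sta', not 'dev', so the dev parameter is not
    # shadowed (the previous version rebound 'dev' to the last station).
    for sta in (dev[0], dev[1]):
        expect(sta, ["CTRL-EVENT-EAP-STARTED"],
               "Association and EAP start timed out", timeout=16)

        ev = expect(sta, ["CTRL-EVENT-EAP-METHOD"],
                    "EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        ev = expect(sta, ["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                          "CTRL-EVENT-EAP-SUCCESS",
                          "CTRL-EVENT-EAP-FAILURE",
                          "CTRL-EVENT-CONNECTED",
                          "CTRL-EVENT-DISCONNECTED"], "EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = expect(sta, ["CTRL-EVENT-EAP-SUCCESS",
                          "CTRL-EVENT-EAP-FAILURE",
                          "CTRL-EVENT-CONNECTED",
                          "CTRL-EVENT-DISCONNECTED"], "EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = expect(sta, ["CTRL-EVENT-CONNECTED",
                          "CTRL-EVENT-DISCONNECTED"], "EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        expect(sta, ["CTRL-EVENT-SSID-TEMP-DISABLED"],
               "Network block disabling not reported")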
def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], ap_params)
    # Common EAP-TTLS/PAP settings; only the trusted CA differs between the
    # two network blocks.
    ttls_pap = dict(key_mgmt="WPA-EAP", eap="TTLS",
                    identity="pap user", anonymous_identity="ttls",
                    password="password", phase2="auth=PAP")
    # Block 1 trusts the CA that issued the server certificate: connects.
    dev[0].connect("test-wpa2-eap", **ttls_pap,
                   ca_cert="auth_serv/ca.pem",
                   wait_connect=True, scan_freq="2412")
    # Block 2 trusts an unrelated CA; only added here, selected below.
    net_id = dev[0].connect("test-wpa2-eap", **ttls_pap,
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    # Switching network blocks must start a fresh EAP-TTLS (method 21) run...
    if dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                         timeout=15) is None:
        raise Exception("EAP-TTLS not re-started")

    # ...which has to fail on the server certificate and disconnect with
    # reason code 23 (IEEE 802.1X authentication failed).
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], ap_params)
    ttls_pap = dict(key_mgmt="WPA-EAP", eap="TTLS",
                    identity="pap user", anonymous_identity="ttls",
                    password="password", phase2="auth=PAP")
    # Block 1 configures no ca_cert at all, i.e. the server certificate is
    # not validated for this connection.
    dev[0].connect("test-wpa2-eap", **ttls_pap,
                   wait_connect=True, scan_freq="2412")
    # Block 2 trusts a CA that did not issue the server certificate.
    net_id = dev[0].connect("test-wpa2-eap", **ttls_pap,
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    # A new EAP-TTLS (method 21) run must be started for the second block...
    if dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                         timeout=15) is None:
        raise Exception("EAP-TTLS not re-started")

    # ...and it must fail, reporting reason code 23 (IEEE 802.1X
    # authentication failed) on disconnection.
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], ap_params)
    # Single network block: connect with the correct CA first.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca.pem",
                            wait_connect=True, scan_freq="2412")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    # Then swap the trust anchor in place and re-select the same block; the
    # earlier successful authentication must not be reused.
    dev[0].set_network_quoted(net_id, "ca_cert", "auth_serv/ca-incorrect.pem")
    dev[0].select_network(net_id, freq="2412")

    if dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                         timeout=15) is None:
        raise Exception("EAP-TTLS not re-started")

    # reason code 23: IEEE 802.1X authentication failed
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
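def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    check_domain_suffix_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    def expect(events, msg, timeout=10):
        # Wait for one of *events*; fail the test with *msg* on timeout.
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(msg)
        return ev

    # The server certificate chains to the trusted CA, but its name does not
    # end in the configured suffix, so the supplicant must reject it.
    # "\\" is a literal backslash; "\m" was an invalid escape sequence.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out",
           timeout=16)

    ev = expect(["CTRL-EVENT-EAP-METHOD"], "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"],
           "Network block disabling not reported")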
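def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch"""
    check_domain_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    def expect(events, msg, timeout=10):
        # Wait for one of *events*; fail the test with *msg* on timeout.
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(msg)
        return ev

    # domain_match needs the full name to match, so the parent domain
    # alone ("w1.fi") must be rejected even though the CA is trusted.
    # "\\" is a literal backslash; "\m" was an invalid escape sequence.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out",
           timeout=16)

    ev = expect(["CTRL-EVENT-EAP-METHOD"], "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"],
           "Network block disabling not reported")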
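def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    def expect(events, msg, timeout=10):
        # Wait for one of *events*; fail the test with *msg* on timeout.
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(msg)
        return ev

    # subject_match names a DN that the server certificate does not carry.
    # "\\" is a literal backslash; "\m" was an invalid escape sequence.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out",
           timeout=16)

    ev = expect(["CTRL-EVENT-EAP-METHOD",
                 "EAP: Failed to initialize EAP method"],
                "EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # subject_match is not implemented by every TLS library. With
        # OpenSSL an init failure is a real error; elsewhere refusing the
        # unsupported configuration (no connection) is the safe outcome.
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"],
           "Network block disabling not reported")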
def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch"""
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # Every entry must fail to match the server's subjectAltName: a value
    # without a type prefix, a wrong DNS name, the parent domain only, and a
    # truncated name (presumably of the real server name) that a plain
    # substring comparison would wrongly accept.
    for match in ("incorrect.example.com",
                  "DNS:incorrect.example.com",
                  "DNS:w1.fi",
                  "DNS:erver.w1.fi"):
        _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
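def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    # Helper for test_ap_wpa2_eap_tls_neg_altsubject_match(): configure one
    # altsubject_match value that must NOT match the server certificate and
    # verify the supplicant rejects the server instead of connecting.
    # apdev is unused here; the caller has already set up the AP.
    sta = dev[0]

    def expect(events, msg, timeout=10):
        # Wait for one of *events*; fail the test with *msg* on timeout.
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(msg)
        return ev

    # "\\" is a literal backslash; "\m" was an invalid escape sequence.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                altsubject_match=match,
                wait_connect=False, scan_freq="2412")

    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out",
           timeout=16)

    ev = expect(["CTRL-EVENT-EAP-METHOD",
                 "EAP: Failed to initialize EAP method"],
                "EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # altsubject_match is not implemented by every TLS library. With
        # OpenSSL an init failure is a real error; elsewhere refusing the
        # unsupported configuration (no connection) is the safe outcome.
        tls = sta.request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"],
           "Network block disabling not reported")

    # Clean up so the next altsubject_match value starts from a fresh block.
    sta.request("REMOVE_NETWORK all")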
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    # The peer configures only a trust anchor here, no client certificate or
    # key, so only the server side of the TLS exchange is authenticated.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], "UNAUTH-TLS")
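def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    # SHA-256 fingerprint of the hwsim test server certificate. It is first
    # checked against the value the probe reports and then used to pin the
    # server (hash://server/sha256/...) in place of a CA certificate.
    srv_cert_hash = "4704e62784f36cc5fd964c6410402f4938773bb471dce9d42939bf22fdbdb2dd"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    def expect(events, msg, timeout=10):
        # Wait for one of *events*; fail the test with *msg* on timeout.
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(msg)
        return ev

    # Step 1: ca_cert="probe://" does not complete authentication; it only
    # exposes the server certificate (including its hash) and then fails
    # with a "chain probe" certificate error.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out",
           timeout=16)
    ev = expect(["CTRL-EVENT-EAP-PEER-CERT depth=0"],
                "No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], "EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 2: pinning to a different fingerprint must be rejected.
    # "\\" is a literal backslash; "\m" was an invalid escape sequence.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out",
           timeout=16)
    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], "EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 3: pinning to the correct fingerprint connects without any CA.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")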
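def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    # Malformed hash:// pins; each must be refused at EAP method
    # initialization rather than being silently ignored (which would leave
    # the server unauthenticated).
    bad_pins = [
        # digest algorithm that is not accepted for pinning
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        # SHA-256 value that is too short
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        # non-hex character in the digest
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    # "\\" is a literal backslash; "\m" was an invalid escape sequence.
    for i, pin in enumerate(bad_pins):
        dev[i].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                       password="password", phase2="auth=MSCHAPV2",
                       ca_cert=pin,
                       wait_connect=False, scan_freq="2412")
    for i in range(0, 3):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")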
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd"""
    check_eap_capa(dev[0], "PWD")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    # A long identity combined with a small fragment_size forces EAP-pwd
    # fragmentation on the peer side; run it with two fragment sizes.
    long_user = "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com"
    eap_connect(dev[1], hapd, "PWD", long_user,
                password="secret password",
                fragment_size="90")

    logger.info("Negative test with incorrect password")
    eap_connect(dev[2], hapd, "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

    eap_connect(dev[0], hapd, "PWD", long_user,
                password="secret password",
                fragment_size="31")
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash"""
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same stored credential, supplied once as the plaintext password and
    # once as a pre-computed hash (presumably the NT hash of that password).
    nthash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    eap_connect(dev[0], hapd, "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], hapd, "PWD", "pwd-hash", password_hex=nthash)
    # The hash must not authenticate a different user.
    eap_connect(dev[2], hapd, "PWD", "pwd user",
                password_hex=nthash,
                expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_pwd_salt_sha1(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and salted password SHA-1"""
    # User "pwd-hash-sha1" is stored server-side as a salted SHA-1 value.
    check_eap_capa(dev[0], "PWD")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[0], hapd, "PWD", "pwd-hash-sha1", password="secret password")
def test_ap_wpa2_eap_pwd_salt_sha256(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and salted password SHA256"""
    # User "pwd-hash-sha256" is stored server-side as a salted SHA-256 value.
    check_eap_capa(dev[0], "PWD")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "PWD", "pwd-hash-sha256",
                password="secret password")
def test_ap_wpa2_eap_pwd_salt_sha512(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and salted password SHA512"""
    # User "pwd-hash-sha512" is stored server-side as a salted SHA-512 value.
    check_eap_capa(dev[0], "PWD")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    creds = dict(password="secret password")
    eap_connect(dev[0], hapd, "PWD", "pwd-hash-sha512", **creds)
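def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups"""
    check_eap_capa(dev[0], "PWD")
    tls = dev[0].request("GET tls_library")
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf"}
    # IANA IKE group numbers: 19-21 are the NIST prime curves, 25/26 the
    # smaller random ECP groups; 27-30 are the Brainpool curves, which need
    # an OpenSSL 1.0.2 or 1.1 build that also runs against that version.
    groups = [19, 20, 21, 25, 26]
    brainpool_ok = tls.startswith("OpenSSL") and any(
        "build=OpenSSL %s" % ver in tls and "run=OpenSSL %s" % ver in tls
        for ver in ("1.0.2", "1.1"))
    if brainpool_ok:
        logger.info("Add Brainpool EC groups since OpenSSL is new enough")
        groups += [27, 28, 29, 30]
    for group in groups:
        logger.info("Group %d" % group)
        params['pwd_group'] = str(group)
        hapd = hostapd.add_ap(apdev[0], params)
        try:
            eap_connect(dev[0], hapd, "PWD", "pwd user",
                        password="secret password")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
            dev[0].dump_monitor()
        except Exception:
            # Catch Exception rather than a bare except so that
            # KeyboardInterrupt/SystemExit still abort the run instead of
            # being swallowed by the BoringSSL special case below.
            if "BoringSSL" in tls and group in [25]:
                logger.info("Ignore connection failure with group %d with BoringSSL" % group)
                dev[0].request("DISCONNECT")
                time.sleep(0.1)
                dev[0].request("REMOVE_NETWORK all")
                dev[0].dump_monitor()
                continue
            raise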
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group"""
    check_eap_capa(dev[0], "PWD")
    # pwd_group 0 is not a usable group; the server cannot complete EAP-pwd
    # and the peer must see an EAP failure rather than a connection.
    ap_params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
                 "rsn_pairwise": "CCMP", "ieee8021x": "1",
                 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
                 "pwd_group": "0"}
    hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
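def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
    check_eap_capa(dev[0], "PWD")
    # fragment_size=40 makes the hostapd EAP server split its EAP-pwd
    # messages so the peer has to reassemble them. (A dead
    # hostapd.wpa2_eap_params() call that was immediately overwritten by this
    # literal has been removed; the literal is what configures the AP.)
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "pwd_group": "19", "fragment_size": "40"}
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PWD", "pwd user", password="secret password")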
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net_id = eap_connect(dev[0], hapd, "GPSK", "gpsk user",
                         password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    def expect(event, msg):
        # Wait for *event* on dev[0]; fail the test with *msg* on timeout.
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(msg)

    logger.info("Test forced algorithm selection")
    # Changing phase1 on the active network makes the supplicant run EAP
    # again with the selected ciphersuite.
    for phase1 in ("cipher=1", "cipher=2"):
        dev[0].set_network_quoted(net_id, "phase1", phase1)
        expect("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    # cipher=9 is not a ciphersuite the server offers; negotiation must fail.
    dev[0].set_network_quoted(net_id, "phase1", "cipher=9")
    expect("CTRL-EVENT-EAP-FAILURE", "EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    # EAP-SAKE uses a 32-byte pre-shared key given here as hex.
    eap_connect(dev[0], hapd, "SAKE", "sake user",
                password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "SAKE")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # First byte differs from the configured key: must be rejected.
    wrong_key = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(dev[0], hapd, "SAKE", "sake user",
                password_hex=wrong_key,
                expect_failure=True)
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net_id = eap_connect(dev[0], hapd, "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    def expect(event, msg):
        # Wait for *event* on dev[0]; fail the test with *msg* on timeout.
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(msg)

    logger.info("Test forced algorithm selection")
    # Each phase1 string pins the DH group, encryption, PRF and MAC
    # proposal; changing it on the active network re-runs EAP.
    proposals = ("dhgroup=5 encr=1 prf=2 mac=2",
                 "dhgroup=4 encr=1 prf=2 mac=2",
                 "dhgroup=3 encr=1 prf=2 mac=2",
                 "dhgroup=3 encr=1 prf=1 mac=1")
    for phase1 in proposals:
        dev[0].set_network_quoted(net_id, "phase1", phase1)
        expect("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    # None of these values is offered by the server; negotiation must fail.
    dev[0].set_network_quoted(net_id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    expect("CTRL-EVENT-EAP-FAILURE", "EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "EKE", "eke user", password="hello1",
                expect_failure=True)
2797
def test_ap_wpa2_eap_eke_many(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-EKE (many connections) [long]"""
    if not params['long']:
        raise HwsimSkip("Skip test case with long duration due to --long not specified")
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    stations = range(3)
    success = 0
    fail = 0
    for i in range(100):
        # Start all three associations before waiting on any of them so the
        # EAP-EKE exchanges can overlap on the same AP.
        for j in stations:
            dev[j].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="EKE",
                           identity="eke user", password="hello",
                           phase1="dhgroup=3 encr=1 prf=1 mac=1",
                           scan_freq="2412", wait_connect=False)
        for j in stations:
            ev = dev[j].wait_event(["CTRL-EVENT-CONNECTED",
                                    "CTRL-EVENT-DISCONNECTED"], timeout=15)
            if ev is None:
                raise Exception("No connected/disconnected event")
            if "CTRL-EVENT-DISCONNECTED" in ev:
                # The RADIUS server limits on active sessions can be hit when
                # going through this test case, so try to give some more time
                # for the server to remove sessions.
                fail += 1
                logger.info("Failed to connect i=%d j=%d" % (i, j))
                dev[j].request("REMOVE_NETWORK all")
                time.sleep(1)
                continue
            success += 1
            dev[j].request("REMOVE_NETWORK all")
            dev[j].wait_disconnected()
            dev[j].dump_monitor()
    logger.info("Total success=%d failure=%d" % (success, fail))

def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
    # Integrated EAP server whose server_id is an NAI (user@realm) rather
    # than a bare host name.
    params = dict(int_eap_server_params(), server_id='example.server@w1.fi')
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "EKE", "eke user", password="hello")

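def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with server OOM"""
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)

    def start_eke(password):
        # Start an EAP-EKE exchange without waiting for the outcome; the
        # allocation failure armed on the AP side is expected to abort it.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="EKE", identity="eke user", password=password,
                       wait_connect=False, scan_freq="2412")

    def wait_alloc_fail_consumed(rounds):
        # The exchange would eventually time out, but we can stop as soon as
        # GET_ALLOC_FAIL reports a leading '0' (presumably: the armed
        # failure has been consumed).
        for _ in range(rounds):
            time.sleep(0.1)
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                break

    # Allocation failures in the message build/process paths: the exchange
    # must fail cleanly and eap_connect() must observe that failure.
    for count, func in [(1, "eap_eke_build_commit"),
                        (2, "eap_eke_build_commit"),
                        (3, "eap_eke_build_commit"),
                        (1, "eap_eke_build_confirm"),
                        (2, "eap_eke_build_confirm"),
                        (1, "eap_eke_process_commit"),
                        (2, "eap_eke_process_commit"),
                        (1, "eap_eke_process_confirm"),
                        (1, "eap_eke_process_identity"),
                        (2, "eap_eke_process_identity"),
                        (3, "eap_eke_process_identity"),
                        (4, "eap_eke_process_identity")]:
        with alloc_fail(hapd, count, func):
            eap_connect(dev[0], hapd, "EKE", "eke user", password="hello",
                        expect_failure=True)
            dev[0].request("REMOVE_NETWORK all")

    # Allocation failures in init/key/identity paths: only verify that the
    # failure point is reached. The "wrong" password is used for
    # eap_eke_build_failure so that the server actually builds a failure.
    for count, func, pw in [(1, "eap_eke_init", "hello"),
                            (1, "eap_eke_get_session_id", "hello"),
                            (1, "eap_eke_getKey", "hello"),
                            (1, "eap_eke_build_msg", "hello"),
                            (1, "eap_eke_build_failure", "wrong"),
                            (1, "eap_eke_build_identity", "hello"),
                            (2, "eap_eke_build_identity", "hello")]:
        with alloc_fail(hapd, count, func):
            start_eke(pw)
            wait_alloc_fail_consumed(20)
            dev[0].request("REMOVE_NETWORK all")

    # Walk every allocation made under eap_server_sm_step until alloc_fail()
    # reports that the requested failure was never reached. The password is
    # given explicitly here; it must not depend on the loop variable left
    # over from the previous loop.
    for count in range(1, 1000):
        try:
            with alloc_fail(hapd, count, "eap_server_sm_step"):
                start_eke("hello")
                wait_alloc_fail_consumed(10)
                dev[0].request("REMOVE_NETWORK all")
        except Exception as e:
            if str(e) != "Allocation failure did not trigger":
                raise
            # Fewer than 30 reachable allocations means the walk stopped
            # far too early to have covered the state machine.
            if count < 30:
                raise Exception("Too few allocation failures")
            logger.info("%d allocation failures tested" % (count - 1))
            break
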
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    check_eap_capa(dev[0], "IKEV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(**extra):
        # Same user for every attempt; callers vary the password, the
        # fragment size and whether a failure is expected.
        eap_connect(dev[0], hapd, "IKEV2", "ikev2 user", **extra)

    connect(password="ike password")
    eap_reauth(dev[0], "IKEV2")
    dev[0].request("REMOVE_NETWORK all")
    # Small fragment_size to exercise the station-side fragmentation path.
    connect(password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    connect(password="ike-password", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # fragment_size=0 special case.
    connect(password="ike password", fragment_size="0")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

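def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
    check_eap_capa(dev[0], "IKEV2")
    # The AP configuration is spelled out explicitly so that fragment_size
    # can be added to the usual WPA2-Enterprise settings. (The previous
    # wpa2_eap_params() call was dead: its result was overwritten at once.)
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "fragment_size": "50"}
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")
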
def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
    check_eap_capa(dev[0], "IKEV2")
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def run_injected(injector, count, func, status_cmd):
        # Arm the failure, start the EAP-IKEv2 exchange, make sure the
        # method was selected, then poll the injector's status command for
        # a "0:" marker (presumably: the armed failure has been consumed)
        # before tearing the network down.
        with injector(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5) is None:
                raise Exception("EAP method not selected")
            for _ in range(10):
                if "0:" in dev[0].request(status_cmd):
                    break
                time.sleep(0.02)
            dev[0].request("REMOVE_NETWORK all")

    # Allocation failures in the DH setup and shared-secret derivation.
    for count, func in [(1, "dh_init"),
                        (2, "dh_init"),
                        (1, "dh_derive_shared")]:
        run_injected(alloc_fail, count, func, "GET_ALLOC_FAIL")

    # The DH init failure is hooked at a different function under wolfSSL.
    tls = dev[0].request("GET tls_library")
    if tls.startswith("wolfSSL"):
        forced = [(1, "crypto_dh_init;dh_init")]
    else:
        forced = [(1, "os_get_random;dh_init")]
    for count, func in forced:
        run_injected(fail_test, count, func, "GET_FAIL")

def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    user = "pax.user@example.com"
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-PAX shared key: 16 bytes given as hex.
    eap_connect(dev[0], hapd, "PAX", user,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "PAX")

    # A key differing in the first byte must be rejected by the server.
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "PAX", user,
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)

def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    user = "psk.user@example.com"
    # SHA256-based 802.1X AKM with PMF required (ieee80211w=2) on the AP.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params.update({"wpa_key_mgmt": "WPA-EAP-SHA256", "ieee80211w": "2"})
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PSK", user,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    # 00-0f-ac-5 is the 802.1X-SHA256 AKM suite selector.
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                       ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5")])

    # The scan result must advertise the SHA256 AKM as well.
    bss = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "PSK", user,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)

def test_ap_wpa2_eap_psk_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK and OOM"""
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def start_psk():
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                       identity="psk.user@example.com",
                       password_hex="0123456789abcdef0123456789abcdef",
                       wait_connect=False, scan_freq="2412")

    def run_injected(injector, status_cmd, count, func):
        # Arm the failure, start the exchange, make sure EAP-PSK was actually
        # selected, then wait for the injected failure to be hit.
        with injector(dev[0], count, func):
            start_psk()
            if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5) is None:
                raise Exception("EAP method not selected")
            wait_fail_trigger(dev[0], status_cmd,
                              note="Failure not triggered: %d:%s" % (count, func))
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Allocation failures inside AES-EAX encrypt/decrypt.
    for count, func in [(1, "=aes_128_eax_encrypt"),
                        (1, "=aes_128_eax_decrypt")]:
        run_injected(alloc_fail, "GET_ALLOC_FAIL", count, func)

    # Forced failures of the AES-CTR and OMAC1 primitives behind AES-EAX.
    eax_failures = [(1, "aes_ctr_encrypt;aes_128_eax_encrypt"),
                    (1, "omac1_aes_128;aes_128_eax_encrypt"),
                    (2, "omac1_aes_128;aes_128_eax_encrypt"),
                    (3, "omac1_aes_128;aes_128_eax_encrypt"),
                    (1, "omac1_aes_vector"),
                    (1, "omac1_aes_128;aes_128_eax_decrypt"),
                    (2, "omac1_aes_128;aes_128_eax_decrypt"),
                    (3, "omac1_aes_128;aes_128_eax_decrypt"),
                    (1, "aes_ctr_encrypt;aes_128_eax_decrypt")]
    for count, func in eax_failures:
        run_injected(fail_test, "GET_FAIL", count, func)

    # A failing AES block encrypt must surface as an EAP failure event.
    with fail_test(dev[0], 1, "aes_128_encrypt_block"):
        start_psk()
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
            raise Exception("EAP method failure not reported")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    # WPA (not WPA2/RSN) AP, hence rsn=False for the auth checks below.
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa_eap_params(ssid="test-wpa-eap"))
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
                   scan_freq="2412")
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    # 00-50-f2-1 is the WPA (OUI 00-50-f2) 802.1X AKM suite selector.
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                       ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1")])

    status = dev[0].get_status(extra="VERBOSE")

    def status_field(key):
        if key not in status:
            raise Exception(key + " missing from STATUS-VERBOSE")
        return status[key]

    if status_field('portControl') != 'Auto':
        raise Exception("Unexpected portControl value: " + status['portControl'])
    # The EAP Session-Id starts with the EAP type; 0x19 = 25 = PEAP.
    if not status_field('eap_session_id').startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])

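def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    # NT-domain form of the user name. "\\" is one backslash; the earlier
    # "\m" spelling was an invalid escape sequence that only happened to
    # keep the backslash (it is a SyntaxWarning on recent Pythons).
    domain_user = "DOMAIN\\mschapv2 user"

    # (description, eap, anonymous_identity, identity, phase2,
    #  identity to type in when requested or None, password/OTP to type in)
    tests = [("Connection with dynamic TTLS/MSCHAPv2 password entry",
              "TTLS", "ttls", domain_user, "auth=MSCHAPV2",
              None, "password"),
             ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
              "TTLS", "ttls", None, "auth=MSCHAPV2",
              domain_user, "password"),
             ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
              "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
             ("Connection with dynamic TTLS/EAP-MD5 password entry",
              "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
             ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
              "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
             ("Connection with dynamic PEAP/EAP-GTC password entry",
              "PEAP", None, "user", "auth=GTC", None, "password")]

    def req_field_id(ev):
        # "CTRL-REQ-<FIELD>-<id>:<text>" -> "<id>"
        return ev.split(':')[0].split('-')[-1]

    for desc, eap, anon, identity, phase2, req_id, req_pw in tests:
        logger.info(desc)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        if req_id:
            ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
            if ev is None:
                raise Exception("Request for identity timed out")
            dev[0].request("CTRL-RSP-IDENTITY-" + req_field_id(ev) + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD", "CTRL-REQ-OTP"])
        if ev is None:
            raise Exception("Request for password timed out")
        # Reply with the same field type the request used (PASSWORD or OTP).
        field = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + field + "-" + req_field_id(ev) + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")
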
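def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
    """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    # A second, unrelated network profile that is added but not selected.
    id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
                              only_add_network=True)

    # NT-domain form of the user name. "\\" is one backslash; the earlier
    # "\m" spelling was an invalid escape sequence that only happened to
    # keep the backslash (it is a SyntaxWarning on recent Pythons).
    req_id = "DOMAIN\\mschapv2 user"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   anonymous_identity="ttls", identity=None,
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    if ev is None:
        raise Exception("Request for identity timed out")
    # "CTRL-REQ-IDENTITY-<id>:<text>" -> "<id>"
    req_num = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + req_num + ":" + req_id)
    dev[0].wait_connected(timeout=10)

    # Enabling another network while connected must not make wpa_supplicant
    # start a new authentication attempt.
    if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
        raise Exception("Failed to enable network")
    ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
    if ev is not None:
        raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
    dev[0].request("REMOVE_NETWORK all")
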
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "VENDOR-TEST", "vendor-test")
    eap_reauth(dev[0], "VENDOR-TEST")
    # Second station uses the password "pending"; see the vendor test EAP
    # method for which code path that value selects.
    eap_connect(dev[1], hapd, "VENDOR-TEST", "vendor-test",
                password="pending")

def test_ap_wpa2_eap_vendor_test_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test (OOM)"""
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # One allocation failure (count 1) in each of the vendor test method's
    # init, process and getKey paths; wait_fail_trigger() waits for the
    # armed failure to be hit before the network is torn down.
    for func in ("eap_vendor_test_init",
                 "eap_msg_alloc;eap_vendor_test_process",
                 "eap_vendor_test_getKey"):
        with alloc_fail(dev[0], 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           scan_freq="2412",
                           eap="VENDOR-TEST", identity="vendor-test",
                           wait_connect=False)
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=1 allows unauthenticated (anonymous) PAC
    # provisioning; the PAC is kept in a wpa_supplicant blob.
    eap_connect(dev[0], hapd, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # Re-authentication is expected to resume via the provisioned PAC
    # (reported as TLS session reuse).
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")

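def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
    check_eap_capa(dev[0], "FAST")
    # Both PAC files are written into the test log directory. They contain
    # the provisioned PAC-Key, so they are removed again in the finally
    # block even when the test fails part way through.
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(sta, pac, **extra):
        eap_connect(sta, hapd, "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    pac_file=pac, **extra)

    try:
        # Text PAC on dev[0]: provision, sanity-check the file, then
        # reconnect using only the stored PAC.
        connect(dev[0], pac_file, phase1="fast_provisioning=1")
        with open(pac_file, "r") as f:
            data = f.read()
        if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
            raise Exception("PAC file header missing")
        if "PAC-Key=" not in data:
            raise Exception("PAC-Key missing from PAC file")
        dev[0].request("REMOVE_NETWORK all")
        connect(dev[0], pac_file)

        # Binary PAC on dev[1]: provision, then reconnect using it.
        connect(dev[1], pac_file2,
                phase1="fast_provisioning=1 fast_pac_format=binary")
        dev[1].request("REMOVE_NETWORK all")
        connect(dev[1], pac_file2, phase1="fast_pac_format=binary")
    finally:
        for path in (pac_file, pac_file2):
            # OSError (e.g. the file was never written because provisioning
            # failed) is the only error to ignore here; a bare except would
            # also swallow KeyboardInterrupt and real test errors.
            try:
                os.remove(path)
            except OSError:
                pass
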
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def provision(phase1):
        # Unauthenticated provisioning into a binary-format PAC blob.
        eap_connect(dev[0], hapd, "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1=phase1, pac_file="blob://fast_pac_bin")

    provision("fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary")
    # Re-authentication is expected to resume via the stored PAC.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")

    # Verify fast_max_pac_list_len=0 special case
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    provision("fast_provisioning=1 fast_max_pac_list_len=0 fast_pac_format=binary")

def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def expect_eap_failure(**pac):
        # No fast_provisioning in phase1, so without a usable PAC the
        # method cannot proceed and must report an EAP failure.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412", **pac)
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception("Timeout on EAP failure report")

    # A PAC blob that has never been provisioned.
    expect_eap_failure(pac_file="blob://fast_pac_not_in_use")
    dev[0].request("REMOVE_NETWORK all")
    # No pac_file configured at all.
    expect_eap_failure()

def test_ap_wpa2_eap_fast_binary_pac_errors(dev, apdev):
    """EAP-FAST and binary PAC errors"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    blob = "blob://fast_pac_bin_errors"
    phase1 = "fast_provisioning=1 fast_pac_format=binary"

    def set_blob(hexdata):
        # Replace the PAC blob contents (an empty string clears it).
        if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + hexdata):
            raise Exception("Could not set blob")

    def provision_ok():
        # Full connection with provisioning, then tear the network down.
        eap_connect(dev[0], hapd, "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1=phase1, pac_file=blob)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    def expect_init_failure():
        # The current blob must make EAP-FAST fail already at method init.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       phase1=phase1, pac_file=blob,
                       scan_freq="2412", wait_connect=False)
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
                               timeout=5)
        if ev is None:
            raise Exception("Failure not reported")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Allocation failures while saving the freshly provisioned PAC; the
    # connection itself is still expected to succeed.
    for count, func in [(1, "=eap_fast_save_pac_bin"),
                        (1, "eap_fast_write_pac"),
                        (2, "eap_fast_write_pac")]:
        set_blob("")
        with alloc_fail(dev[0], count, func):
            provision_ok()

    # Malformed binary PAC blobs (truncated, or with inconsistent header and
    # length fields) must be rejected when the method is initialized.
    prefix = "6ae4920c0000" + "0000" + 32*"00"
    for bad in ["00", "000000000000", "6ae4920c0001",
                "6ae4920c000000",
                prefix + "ffff" + "0000",
                prefix + "0001" + "0000",
                prefix + "0000" + "0001",
                prefix + "0000" + "0008" + "00040000" + "0007000100"]:
        set_blob(bad)
        expect_init_failure()

    # Allocation failures while loading a minimal blob.
    pac = prefix + "0000" + "0000"
    for count in (1, 2, 3):
        set_blob(pac)
        with alloc_fail(dev[0], count, "eap_fast_load_pac_bin"):
            expect_init_failure()

    # A blob the loader accepts: provisioning must go through normally.
    set_blob(prefix + "0000" + "0005" + "0011223344")
    provision_ok()

    # Allocation failures while reading the A-ID from a loaded blob.
    pac = prefix + "0000" + "0009" + "00040000" + "0007000100"
    for count in (1, 2):
        set_blob(pac)
        with alloc_fail(dev[0], count, "eap_fast_pac_get_a_id"):
            provision_ok()

def test_ap_wpa2_eap_fast_text_pac_errors(dev, apdev):
    """EAP-FAST and text PAC errors"""
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    blob = "blob://fast_pac_text_errors"

    def set_blob(hexdata):
        # Replace the PAC blob contents (an empty string clears it).
        if "OK" not in dev[0].request("SET blob fast_pac_text_errors " + hexdata):
            raise Exception("Could not set blob")

    def start_provisioning(ssid):
        dev[0].connect(ssid, key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       phase1="fast_provisioning=1",
                       pac_file=blob,
                       scan_freq="2412", wait_connect=False)

    def teardown():
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Allocation failures in the text PAC parser and writer.
    for count, func in [(1, "eap_fast_parse_hex;eap_fast_parse_pac_key"),
                        (1, "eap_fast_parse_hex;eap_fast_parse_pac_opaque"),
                        (1, "eap_fast_parse_hex;eap_fast_parse_a_id"),
                        (1, "eap_fast_parse_start"),
                        (1, "eap_fast_save_pac")]:
        dev[0].request("FLUSH")
        set_blob("")
        with alloc_fail(dev[0], count, func):
            start_provisioning("test-wpa2-eap")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            teardown()

    # A text PAC whose PAC-Type line carries no value must be rejected when
    # the method is initialized. The blob is set as hex-encoded text.
    pac = "\n".join(["wpa_supplicant EAP-FAST PAC file - version 1",
                     "START",
                     "PAC-Type",
                     "END"]) + "\n"
    set_blob(binascii.hexlify(pac.encode()).decode())
    start_provisioning("test-wpa2-eap")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=5)
    if ev is None:
        raise Exception("Failure not reported")
    teardown()

    # Provision from three servers with distinct A-IDs into the same blob
    # while an allocation failure is armed in eap_fast_add_pac_data.
    dev[0].request("FLUSH")
    set_blob("")
    with alloc_fail(dev[0], 1, "eap_fast_add_pac_data"):
        for i in range(3):
            params = int_eap_server_params()
            params['ssid'] = "test-wpa2-eap-2"
            params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
            params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
            params['eap_fast_a_id_info'] = "test server %d" % i
            hapd2 = hostapd.add_ap(apdev[1], params)

            start_provisioning("test-wpa2-eap-2")
            dev[0].wait_connected()
            teardown()

            hapd2.disable()

def test_ap_wpa2_eap_fast_pac_truncate(dev, apdev):
    """EAP-FAST and PAC list truncation"""
    check_eap_capa(dev[0], "FAST")
    if "OK" not in dev[0].request("SET blob fast_pac_truncate "):
        raise Exception("Could not set blob")
    # Provision against five servers with distinct A-IDs while the station
    # is limited to two stored PACs (fast_max_pac_list_len=2).
    for i in range(5):
        params = int_eap_server_params()
        params.update({
            'pac_opaque_encr_key': "000102030405060708090a0b0c0dff%02x" % i,
            'eap_fast_a_id': "101112131415161718191a1b1c1dff%02x" % i,
            'eap_fast_a_id_info': "test server %d" % i,
        })
        hapd = hostapd.add_ap(apdev[0], params)

        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       phase1="fast_provisioning=1 fast_max_pac_list_len=2",
                       pac_file="blob://fast_pac_truncate",
                       scan_freq="2412", wait_connect=False)
        dev[0].wait_connected()
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

        hapd.disable()

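def _fast_pac_refresh_round(dev, apdev, refresh_time):
    """Connect through two EAP-FAST servers with distinct A-IDs that share the
    ``fast_pac_refresh`` PAC blob, each configured with the given
    pac_key_refresh_time and a 10 s pac_key_lifetime.

    Each server is torn down after the peer has connected and removed the
    network, so the next round starts with a fresh hostapd but a populated
    PAC blob.
    """
    for srv in range(2):
        params = int_eap_server_params()
        # Test-only PAC-Opaque key and A-ID, suffixed per server so the peer
        # keeps a separate PAC for each.
        params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % srv
        params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % srv
        params['eap_fast_a_id_info'] = "test server %d" % srv
        params['pac_key_refresh_time'] = refresh_time
        params['pac_key_lifetime'] = "10"
        hapd = hostapd.add_ap(apdev[0], params)

        dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                    identity="user", anonymous_identity="FAST",
                    password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1",
                    pac_file="blob://fast_pac_refresh",
                    scan_freq="2412", wait_connect=False)
        dev.wait_connected()
        dev.request("REMOVE_NETWORK all")
        dev.wait_disconnected()

        hapd.disable()

def test_ap_wpa2_eap_fast_pac_refresh(dev, apdev):
    """EAP-FAST and PAC refresh

    Runs the same two-server sequence twice against one PAC blob: first with
    pac_key_refresh_time=1 (refresh window well inside the 10 s lifetime),
    then with pac_key_refresh_time=10 (refresh window equal to the lifetime).
    The test only requires every connection to succeed; whether a PAC was
    actually refreshed is not asserted.
    """
    check_eap_capa(dev[0], "FAST")
    # Start from an empty PAC blob so state from earlier runs cannot leak in.
    if "OK" not in dev[0].request("SET blob fast_pac_refresh "):
        raise Exception("Could not set blob")
    _fast_pac_refresh_round(dev[0], apdev, "1")
    _fast_pac_refresh_round(dev[0], apdev, "10")
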
def test_ap_wpa2_eap_fast_pac_lifetime(dev, apdev):
    """EAP-FAST and PAC lifetime

    The server issues PACs with a 2 s lifetime and no refresh window. After
    the first (authenticated-provisioning) connection the test waits past
    that lifetime, flushes the PMKSA cache so the reconnect cannot bypass EAP,
    and expects EAP-Failure for the stale PAC. Selecting the network again
    afterwards must still connect.
    """
    check_eap_capa(dev[0], "FAST")
    if "OK" not in dev[0].request("SET blob fast_pac_refresh "):
        raise Exception("Could not set blob")

    srv = 0
    ap_cfg = int_eap_server_params()
    # Test-only PAC-Opaque key and A-ID.
    ap_cfg['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % srv
    ap_cfg['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % srv
    ap_cfg['eap_fast_a_id_info'] = "test server %d" % srv
    ap_cfg['pac_key_refresh_time'] = "0"
    ap_cfg['pac_key_lifetime'] = "2"
    hostapd.add_ap(apdev[0], ap_cfg)

    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                            identity="user", anonymous_identity="FAST",
                            password="password",
                            ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                            phase1="fast_provisioning=2",
                            pac_file="blob://fast_pac_refresh",
                            scan_freq="2412", wait_connect=False)
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Let the 2 s PAC lifetime run out, then force a full EAP exchange.
    time.sleep(3)
    dev[0].request("PMKSA_FLUSH")
    dev[0].request("RECONNECT")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("No EAP-Failure seen after expired PAC")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Recovery: presumably re-provisioned via fast_provisioning=2; the test
    # only requires that the next attempt connects.
    dev[0].select_network(net_id)
    dev[0].wait_connected()
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning

    Provisions a PAC with fast_provisioning=2, verifies data connectivity and
    then reauthenticates, requiring the TLS session to be resumed
    (tls_session_reused == '1'), i.e. the PAC was used as the session ticket.
    """
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    peer_cfg = dict(anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                    phase1="fast_provisioning=2",
                    pac_file="blob://fast_pac_auth")
    eap_connect(dev[0], hapd, "FAST", "user", **peer_cfg)
    hwsim_utils.test_connectivity(dev[0], hapd)
    # A reauthentication that does not resume the session means the PAC was
    # not used as the session ticket.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")

def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing

    After a successful connection as "user", the inner identity of the same
    network profile is switched to "user2". The reconnection must start
    EAP-FAST and then be rejected: the PAC provisioned for one identity is
    expected not to authenticate the other.
    """
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net_id = eap_connect(dev[0], hapd, "FAST", "user",
                         anonymous_identity="FAST", password="password",
                         ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                         phase1="fast_provisioning=2",
                         pac_file="blob://fast_pac_auth")
    dev[0].set_network_quoted(net_id, "identity", "user2")
    dev[0].wait_disconnected()
    if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("EAP-FAST not started")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5) is None:
        raise Exception("EAP failure not reported")
    dev[0].wait_disconnected()

def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and OOM in PRF

    Injects an allocation failure into the TLS-library-specific key
    derivation used by EAP-FAST and expects authentication to end with
    EAP-Failure rather than continue with missing key material. Only the
    OpenSSL and internal TLS builds are covered.
    """
    check_eap_capa(dev[0], "FAST")
    tls = dev[0].request("GET tls_library")
    # (tls_library prefix, function to fail in, which allocation fails)
    oom_targets = (("OpenSSL", "tls_connection_get_eap_fast_key", 2),
                   ("internal", "tls_connection_prf", 1))
    for prefix, func, count in oom_targets:
        if tls.startswith(prefix):
            break
    else:
        raise HwsimSkip("Unsupported TLS library")

    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    with alloc_fail(dev[0], count, func):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password", ca_cert="auth_serv/ca.pem",
                       phase2="auth=GTC",
                       phase1="fast_provisioning=2",
                       pac_file="blob://fast_pac_auth",
                       wait_connect=False, scan_freq="2412")
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")
        dev[0].request("DISCONNECT")

def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
    """EAP-FAST/MSCHAPv2 and server OOM

    Makes the server's session-ticket extension callback fail its first
    allocation during anonymous provisioning and checks that the peer sees
    EAP-Failure. A reconnection is started afterwards, but its outcome is not
    awaited here.
    """
    check_eap_capa(dev[0], "FAST")

    ap_cfg = int_eap_server_params()
    ap_cfg.update({
        'dh_file': 'auth_serv/dh.conf',
        # Test-only PAC-Opaque key and A-ID.
        'pac_opaque_encr_key': '000102030405060708090a0b0c0d0e0f',
        'eap_fast_a_id': '1011',
        'eap_fast_a_id_info': 'another test server',
    })
    hapd = hostapd.add_ap(apdev[0], ap_cfg)

    with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
        net_id = eap_connect(dev[0], hapd, "FAST", "user",
                             anonymous_identity="FAST", password="password",
                             ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                             phase1="fast_provisioning=1",
                             pac_file="blob://fast_pac",
                             expect_failure=True)
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
            raise Exception("No EAP failure reported")
        dev[0].wait_disconnected()
        dev[0].request("DISCONNECT")

    dev[0].select_network(net_id, freq="2412")

def test_ap_wpa2_eap_fast_cipher_suites(dev, apdev):
    """EAP-FAST and different TLS cipher suites

    Provisions a PAC first (expected to negotiate DHE-RSA-AES256-SHA) and then
    reconnects with each of a fixed list of ``openssl_ciphers`` settings,
    checking that the reported 'EAP TLS cipher' matches. RC4-SHA is in the
    list only to exercise cipher selection/reporting; on an OpenSSL 1.1 build
    its refusal is tolerated.
    """
    check_eap_capa(dev[0], "FAST")
    tls = dev[0].request("GET tls_library")
    if not (tls.startswith("OpenSSL") or tls.startswith("wolfSSL")):
        raise HwsimSkip("TLS library is not OpenSSL or wolfSSL: " + tls)

    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def negotiated_cipher():
        # Read the negotiated cipher, then drop the profile again.
        cipher = dev[0].get_status_field('EAP TLS cipher')
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        return cipher

    dev[0].request("SET blob fast_pac_ciphers ")
    eap_connect(dev[0], hapd, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_ciphers")
    seen = negotiated_cipher()
    if seen != "DHE-RSA-AES256-SHA":
        raise Exception("Unexpected cipher suite for provisioning: " + seen)

    for cipher in ("DHE-RSA-AES128-SHA", "RC4-SHA", "AES128-SHA",
                   "AES256-SHA", "DHE-RSA-AES256-SHA"):
        dev[0].dump_monitor()
        logger.info("Testing " + cipher)
        try:
            eap_connect(dev[0], hapd, "FAST", "user",
                        openssl_ciphers=cipher,
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                        pac_file="blob://fast_pac_ciphers",
                        report_failure=True)
        except Exception as e:
            # Only an RC4 refusal on OpenSSL 1.1 is an acceptable failure.
            rc4_refused = (cipher == "RC4-SHA" and
                           "run=OpenSSL 1.1" in tls and
                           ("Could not select EAP method" in str(e) or
                            "EAP failed" in str(e)))
            if not rc4_refused:
                raise
            logger.info("Allow failure due to missing TLS library support")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
            continue
        seen = negotiated_cipher()
        if seen != cipher:
            raise Exception("Unexpected TLS cipher info (configured %s): %s" % (cipher, seen))

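def _fast_prov_expect(dev, expected):
    """Wait for the EAP completion status on *dev* and require its result to
    be *expected* ('success' or 'failure'); raises on timeout or mismatch."""
    ev = dev.wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
                        timeout=15)
    if ev is None:
        raise Exception("EAP result not reported")
    if "parameter='%s'" % expected not in ev:
        raise Exception("Unexpected EAP result: " + ev)

def _fast_prov_connected(dev):
    """Require a successful EAP result, then disconnect and drain events."""
    _fast_prov_expect(dev, "success")
    dev.wait_connected()
    dev.request("DISCONNECT")
    dev.wait_disconnected()
    dev.dump_monitor()

def _fast_prov_rejected(dev):
    """Require a failed EAP result, then disconnect and drain events."""
    _fast_prov_expect(dev, "failure")
    dev.wait_disconnected()
    dev.request("DISCONNECT")
    dev.dump_monitor()

def _fast_prov_mode(hapd, mode):
    """Switch the server's eap_fast_prov setting while it is disabled."""
    hapd.disable()
    hapd.set("eap_fast_prov", mode)
    hapd.enable()

def test_ap_wpa2_eap_fast_prov(dev, apdev):
    """EAP-FAST and provisioning options

    Walks one network profile through the server-side ``eap_fast_prov``
    modes and checks the EAP result of each step:

    - eap_fast_prov=0 with no PAC: authenticated provisioning is refused.
    - eap_fast_prov=2: authenticated provisioning succeeds.
    - eap_fast_prov=0 again: the provisioned PAC still authenticates.
    - PAC blob cleared, eap_fast_prov=0: the connection fails.
    - eap_fast_prov=1 with the peer switched to fast_provisioning=1:
      anonymous provisioning reports EAP-Failure first and the follow-up
      connection succeeds.
    - eap_fast_prov=0 again: the anonymously provisioned PAC still works.

    PMKSA caching is disabled on the server, presumably so that every step
    has to run EAP again. NOTE(review): mode 1 is the server-unauthenticated
    provisioning path; treat a PAC obtained that way as test-only.
    """
    check_eap_capa(dev[0], "FAST")
    if "OK" not in dev[0].request("SET blob fast_pac_prov "):
        raise Exception("Could not set blob")

    srv = 100
    params = int_eap_server_params()
    params['disable_pmksa_caching'] = '1'
    # Test-only PAC-Opaque key and A-ID.
    params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % srv
    params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % srv
    params['eap_fast_a_id_info'] = "test server %d" % srv
    params['eap_fast_prov'] = "0"
    hapd = hostapd.add_ap(apdev[0], params)

    logger.info("Provisioning attempt while server has provisioning disabled")
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                            identity="user", anonymous_identity="FAST",
                            password="password",
                            ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                            phase1="fast_provisioning=2",
                            pac_file="blob://fast_pac_prov",
                            scan_freq="2412", wait_connect=False)
    _fast_prov_rejected(dev[0])

    logger.info("Authenticated provisioning")
    _fast_prov_mode(hapd, "2")
    dev[0].select_network(net_id, freq="2412")
    _fast_prov_connected(dev[0])

    logger.info("Provisioning disabled - using previously provisioned PAC")
    _fast_prov_mode(hapd, "0")
    dev[0].select_network(net_id, freq="2412")
    _fast_prov_connected(dev[0])

    logger.info("Drop PAC and verify connection failure")
    if "OK" not in dev[0].request("SET blob fast_pac_prov "):
        raise Exception("Could not set blob")
    dev[0].select_network(net_id, freq="2412")
    _fast_prov_rejected(dev[0])

    logger.info("Anonymous provisioning")
    _fast_prov_mode(hapd, "1")
    dev[0].set_network_quoted(net_id, "phase1", "fast_provisioning=1")
    dev[0].select_network(net_id, freq="2412")
    # Anonymous provisioning results in EAP-Failure first ...
    _fast_prov_expect(dev[0], "failure")
    dev[0].wait_disconnected()
    # ... and then the actual data connection
    _fast_prov_connected(dev[0])

    logger.info("Provisioning disabled - using previously provisioned PAC")
    _fast_prov_mode(hapd, "0")
    dev[0].select_network(net_id, freq="2412")
    _fast_prov_connected(dev[0])
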
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP

    The peer is configured with ocsp=2, i.e. it requires a stapled OCSP
    response for the server certificate (the *_ocsp_* negative tests in this
    file expect EAP failure under ocsp=2 when that response is bad). The
    default test server is expected to satisfy that and connect.
    """
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    peer_cfg = dict(ca_cert="auth_serv/ca.pem",
                    private_key="auth_serv/user.pkcs12",
                    private_key_passwd="whatever", ocsp=2)
    eap_connect(dev[0], hapd, "TLS", "tls user", **peer_cfg)

def test_ap_wpa2_eap_tls_ocsp_multi(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP-multi

    Same as test_ap_wpa2_eap_tls_ocsp but only runs on builds that support
    the multi-stapling (status_request_v2) extension; ocsp=2 still requires
    a stapled response.
    """
    check_ocsp_multi_support(dev[0])
    check_pkcs12_support(dev[0])

    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    peer_cfg = dict(ca_cert="auth_serv/ca.pem",
                    private_key="auth_serv/user.pkcs12",
                    private_key_passwd="whatever", ocsp=2)
    eap_connect(dev[0], hapd, "TLS", "tls user", **peer_cfg)

def int_eap_server_params():
    """Return hostapd parameters for a WPA2-Enterprise AP using the built-in
    EAP server (WPA-EAP, CCMP) with the auth_serv test CA, server cert/key,
    DH file and user database.

    A fresh dict is returned on every call so callers may modify it freely.
    """
    return dict(ssid="test-wpa2-eap",
                wpa="2",
                wpa_key_mgmt="WPA-EAP",
                rsn_pairwise="CCMP",
                ieee8021x="1",
                eap_server="1",
                eap_user_file="auth_serv/eap_user.conf",
                ca_cert="auth_serv/ca.pem",
                server_cert="auth_serv/server.pem",
                private_key="auth_serv/server.key",
                dh_file="auth_serv/dh.conf")

def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
    """EAP-TLS and OCSP certificate signed OCSP response using key ID

    Staples a pre-generated response from the test logdir (per its name, one
    whose ResponderID is given by key ID); the peer requires OCSP (ocsp=2)
    and must still connect. Skipped when the response file is absent.
    """
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-key-id.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   scan_freq="2412")

def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (good)

    Staples a pre-generated CA-signed response reporting the server
    certificate as good; with ocsp=2 the peer must accept it and connect.
    Skipped when the response file is absent from the logdir.
    """
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   scan_freq="2412")

def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (revoked)

    The server staples a CA-signed response marking its certificate as
    revoked; with ocsp=2 the peer must abort the handshake. The test accepts
    either status wording the TLS library may emit and then requires
    EAP-Failure.
    """
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    rejected = ('bad certificate status response', 'certificate revoked')
    # Give up after 11 unrelated EAP status events.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if any(marker in ev for marker in rejected):
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")

def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (unknown)

    The stapled CA-signed response reports the server certificate status as
    unknown; with ocsp=2 the peer must treat that as a bad status response
    and fail EAP instead of connecting.
    """
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # Give up after 11 unrelated EAP status events.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")

def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
    """EAP-TLS and server signed OCSP response

    The stapled response is signed by the server's own certificate rather
    than by the CA or a delegated responder; with ocsp=2 the peer must reject
    it as a bad status response and fail EAP. A server vouching for its own
    revocation status would make stapling meaningless.
    """
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # Give up after 11 unrelated EAP status events.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")

def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data

    The server staples an OCSP *request* DER (auth_serv/ocsp-req.der) where a
    response is expected. The peer (ocsp=2) must fail to parse it, report a
    bad certificate status response and end with EAP-Failure.
    """
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
    hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # Give up after 11 unrelated EAP status events.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")

def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response

    The server staples a corrupted response file
    (auth_serv/ocsp-server-cache.der-invalid); the peer (ocsp=2) must report
    a bad certificate status response and end with EAP-Failure.
    """
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # Give up after 11 unrelated EAP status events.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")

def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer

    The stapled response (auth_serv/ocsp-server-cache.der-unknown-sign) is,
    per its name, signed by a key the peer cannot chain to its CA; with
    ocsp=2 it must be rejected as a bad status response, ending in
    EAP-Failure.
    """
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
    hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # Give up after 11 unrelated EAP status events.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")

def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked

    EAP-TTLS/PAP against a server stapling a pre-generated 'revoked'
    response; with ocsp=2 the peer must abort before the inner PAP exchange.
    Either status wording is accepted, then EAP-Failure is required.
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    rejected = ('bad certificate status response', 'certificate revoked')
    # Give up after 11 unrelated EAP status events.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if any(marker in ev for marker in rejected):
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")

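def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown

    EAP-TTLS/PAP against a server stapling a pre-generated 'unknown'
    response. With ocsp=2 (OCSP required) the peer must treat the unknown
    status as a bad certificate status response and end with EAP-Failure;
    contrast test_ap_wpa2_eap_ttls_optional_ocsp_unknown, where ocsp=1
    tolerates it.
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # Give up after 11 unrelated EAP status events.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
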
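def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown

    Same stapled 'unknown' response as test_ap_wpa2_eap_ttls_ocsp_unknown,
    but the peer uses ocsp=1 (optional): an unknown status does not block
    the connection, so a successful connect is expected. This is the
    soft-fail behaviour an operator opts into with ocsp=1.
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")
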
def test_ap_wpa2_eap_tls_intermediate_ca(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA

    Server and user certificates are each issued by a separate intermediate
    CA. Both sides are given the intermediate-plus-root bundle as ca_cert;
    GnuTLS and wolfSSL builds are additionally handed the user intermediate
    together with the user certificate (user_and_ica.pem), presumably because
    they do not pick the chain up from the CA file.
    """
    ap_params = int_eap_server_params()
    ap_params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    ap_params["server_cert"] = "auth_serv/iCA-server/server.pem"
    ap_params["private_key"] = "auth_serv/iCA-server/server.key"
    hostapd.add_ap(apdev[0], ap_params)
    tls = dev[0].request("GET tls_library")
    bundled = "GnuTLS" in tls or "wolfSSL" in tls
    client_cert = ("auth_serv/iCA-user/user_and_ica.pem" if bundled
                   else "auth_serv/iCA-user/user.pem")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                   client_cert=client_cert,
                   private_key="auth_serv/iCA-user/user.key",
                   scan_freq="2412")

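def root_ocsp(cert, md="-sha256"):
    """Produce an OCSP response for *cert* signed directly by the root CA.

    Builds an OCSP request for ``cert`` against ``auth_serv/ca.pem`` and then
    answers it from the root CA's index with the CA key, writing the DER
    response to a fresh temporary file.

    Args:
        cert: path of the certificate to query.
        md: OpenSSL digest option used for the CertID ("-sha256" or "-sha1").
    Returns:
        Path of the DER-encoded OCSP response; the caller unlinks it.
    Raises:
        Exception: when either openssl invocation exits non-zero. The request
        file is always removed; the response file is removed on failure.
    """
    ca = "auth_serv/ca.pem"

    def run(arg, what):
        # communicate() drains stdout and stderr together; reading stdout to
        # EOF before stderr can deadlock once openssl fills the stderr pipe.
        logger.info(' '.join(arg))
        cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE)
        out, err = cmd.communicate()
        res = out.decode() + "\n" + err.decode()
        if cmd.returncode != 0:
            raise Exception("bad return code from openssl ocsp\n\n" + res)
        logger.info(what + ":\n" + res)

    fd2, fn2 = tempfile.mkstemp()
    os.close(fd2)
    fd, fn = tempfile.mkstemp()
    os.close(fd)
    try:
        run(["openssl", "ocsp", "-reqout", fn2, "-issuer", ca, md,
             "-cert", cert, "-no_nonce", "-text"], "OCSP request")
        # -resp_no_certs: no responder certificate is embedded, so the peer
        # has to validate the signature against its own configured CA.
        run(["openssl", "ocsp", "-index", "auth_serv/rootCA/index.txt",
             "-rsigner", ca, "-rkey", "auth_serv/ca-key.pem",
             "-CA", ca, "-issuer", ca, "-verify_other", ca, "-trust_other",
             "-ndays", "7", "-reqin", fn2, "-resp_no_certs", "-respout", fn,
             "-text"], "OCSP response")
    except Exception:
        os.unlink(fn)
        raise
    finally:
        os.unlink(fn2)
    return fn
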
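def ica_ocsp(cert, md="-sha256"):
    """Produce an OCSP response for an iCA-server certificate, signed by the
    intermediate CA itself.

    Args:
        cert: file name under auth_serv/iCA-server/ (e.g. "server.pem").
        md: OpenSSL digest option used for the CertID ("-sha256" or "-sha1").
    Returns:
        Path of the DER-encoded OCSP response; the caller unlinks it.
    Raises:
        Exception: when either openssl invocation exits non-zero. The request
        file is always removed; the response file is removed on failure.
    """
    prefix = "auth_serv/iCA-server/"
    ca = prefix + "cacert.pem"
    cert = prefix + cert

    def run(arg, what):
        # communicate() drains stdout and stderr together; reading stdout to
        # EOF before stderr can deadlock once openssl fills the stderr pipe.
        logger.info(' '.join(arg))
        cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE)
        out, err = cmd.communicate()
        res = out.decode() + "\n" + err.decode()
        if cmd.returncode != 0:
            raise Exception("bad return code from openssl ocsp\n\n" + res)
        logger.info(what + ":\n" + res)

    fd2, fn2 = tempfile.mkstemp()
    os.close(fd2)
    fd, fn = tempfile.mkstemp()
    os.close(fd)
    try:
        run(["openssl", "ocsp", "-reqout", fn2, "-issuer", ca, md,
             "-cert", cert, "-no_nonce", "-text"], "OCSP request")
        # -resp_no_certs: no responder certificate is embedded, so the peer
        # has to validate the signature against its own configured CA chain.
        run(["openssl", "ocsp", "-index", prefix + "index.txt",
             "-rsigner", ca, "-rkey", prefix + "private/cakey.pem",
             "-CA", ca, "-issuer", ca, "-verify_other", ca, "-trust_other",
             "-ndays", "7", "-reqin", fn2, "-resp_no_certs", "-respout", fn,
             "-text"], "OCSP response")
    except Exception:
        os.unlink(fn)
        raise
    finally:
        os.unlink(fn2)
    return fn
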
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on server certificate"""
    # SHA-256 digest for the OCSP CertID.
    md = "-sha256"
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, md)

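def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_sha1(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on server certificate (SHA1)"""
    # Docstring doubles as the hwsim test description; the stray ')' in the
    # old text is fixed here.  Same flow as the SHA-256 test, only the OCSP
    # request digest differs.
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, "-sha1")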
4269
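def run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, md):
    """Shared body: EAP-TLS to a server cert issued by the intermediate CA,
    with an OCSP response for that cert stapled by hostapd.

    Args:
        md: digest option handed to ica_ocsp() ("-sha256" or "-sha1").

    The station uses ocsp=2, which per wpa_supplicant.conf requires a valid
    stapled OCSP response, so the connect only succeeds if the response
    built by ica_ocsp() validates against the iCA.
    """
    # Skip (not fail) on TLS builds without OCSP, consistent with the
    # revoked-certificate variant of this test.
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    params["server_cert"] = "auth_serv/iCA-server/server.pem"
    params["private_key"] = "auth_serv/iCA-server/server.key"
    fn = ica_ocsp("server.pem", md)
    params["ocsp_stapling_response"] = fn
    try:
        hostapd.add_ap(apdev[0], params)
        # GnuTLS and wolfSSL are handed the user cert bundled with the
        # intermediate CA; other libraries get the user cert alone.  The
        # trusted CA bundle is the same in both cases.
        tls = dev[0].request("GET tls_library")
        if "GnuTLS" in tls or "wolfSSL" in tls:
            client_cert = "auth_serv/iCA-user/user_and_ica.pem"
        else:
            client_cert = "auth_serv/iCA-user/user.pem"
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user",
                       ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                       client_cert=client_cert,
                       private_key="auth_serv/iCA-user/user.key",
                       scan_freq="2412", ocsp=2)
    finally:
        os.unlink(fn)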
4294
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate"""
    # SHA-256 request digest; body shared with the SHA-1 variant.
    digest = "-sha256"
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params,
                                                      digest)
4299
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked_sha1(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate (SHA1)"""
    # Same as the SHA-256 test but the OCSP request uses SHA-1 cert IDs.
    digest = "-sha1"
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params,
                                                      digest)
4304
def run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params, md):
    """Shared body for the revoked iCA server certificate tests.

    hostapd staples the OCSP response ica_ocsp() builds for
    server-revoked.pem; the station (ocsp=1) must report a certificate
    status problem and end in EAP failure, never EAP success.
    """
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    params["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
    params["private_key"] = "auth_serv/iCA-server/server-revoked.key"
    fn = ica_ocsp("server-revoked.pem", md)
    params["ocsp_stapling_response"] = fn
    try:
        hostapd.add_ap(apdev[0], params)
        # GnuTLS/wolfSSL get the user cert bundled with the intermediate CA;
        # the trusted CA file is identical for every library.
        tls = dev[0].request("GET tls_library")
        bundled = "GnuTLS" in tls or "wolfSSL" in tls
        client_cert = ("auth_serv/iCA-user/user_and_ica.pem" if bundled
                       else "auth_serv/iCA-user/user.pem")
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user",
                       ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                       client_cert=client_cert,
                       private_key="auth_serv/iCA-user/user.key",
                       scan_freq="2412", ocsp=1, wait_connect=False)
        # Tolerate up to 11 unrelated status events before giving up.
        for _ in range(11):
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
                                    "CTRL-EVENT-EAP-SUCCESS"])
            if ev is None:
                raise Exception("Timeout on EAP status")
            if "CTRL-EVENT-EAP-SUCCESS" in ev:
                raise Exception("Unexpected EAP-Success")
            if ('bad certificate status response' in ev or
                    'certificate revoked' in ev):
                break
        else:
            raise Exception("Unexpected number of EAP status messages")

        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception("Timeout on EAP failure report")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    finally:
        os.unlink(fn)
4351
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP multi missing response"""
    check_ocsp_support(dev[0])
    check_ocsp_multi_support(dev[0])

    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    params["server_cert"] = "auth_serv/iCA-server/server.pem"
    params["private_key"] = "auth_serv/iCA-server/server.key"
    fn = ica_ocsp("server.pem")
    # Only the server certificate's response is stapled (no
    # ocsp_stapling_response_multi), while the station asks for ocsp=3, so
    # the handshake is expected to be rejected for a missing status.
    params["ocsp_stapling_response"] = fn
    try:
        hostapd.add_ap(apdev[0], params)
        tls = dev[0].request("GET tls_library")
        bundled = "GnuTLS" in tls or "wolfSSL" in tls
        client_cert = ("auth_serv/iCA-user/user_and_ica.pem" if bundled
                       else "auth_serv/iCA-user/user.pem")
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user",
                       ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                       client_cert=client_cert,
                       private_key="auth_serv/iCA-user/user.key",
                       scan_freq="2412", ocsp=3, wait_connect=False)
        for _ in range(11):
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
                                    "CTRL-EVENT-EAP-SUCCESS"])
            if ev is None:
                raise Exception("Timeout on EAP status")
            if "CTRL-EVENT-EAP-SUCCESS" in ev:
                raise Exception("Unexpected EAP-Success")
            if ('bad certificate status response' in ev or
                    'certificate revoked' in ev):
                break
        else:
            raise Exception("Unexpected number of EAP status messages")

        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception("Timeout on EAP failure report")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    finally:
        os.unlink(fn)
4401
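def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP multi OK"""
    check_ocsp_support(dev[0])
    check_ocsp_multi_support(dev[0])

    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    params["server_cert"] = "auth_serv/iCA-server/server.pem"
    params["private_key"] = "auth_serv/iCA-server/server.key"
    # One response for the server cert (signed by the iCA) and one for the
    # iCA itself (signed by the root); both are offered via the multi file.
    fn = ica_ocsp("server.pem")
    fn2 = root_ocsp("auth_serv/iCA-server/cacert.pem")
    params["ocsp_stapling_response"] = fn

    with open(fn, "rb") as f:
        resp_server = f.read()
    with open(fn2, "rb") as f:
        resp_ica = f.read()

    fd3, fn3 = tempfile.mkstemp()
    try:
        # Multi-response framing: each DER response is preceded by its
        # length as a 3-byte big-endian integer.  Writing inside 'with'
        # guarantees the descriptor is closed even if a write fails (the
        # previous version left it open on that path).
        with os.fdopen(fd3, 'wb') as f:
            for resp in (resp_server, resp_ica):
                f.write(struct.pack(">L", len(resp))[1:4])
                f.write(resp)

        params["ocsp_stapling_response_multi"] = fn3

        hostapd.add_ap(apdev[0], params)
        tls = dev[0].request("GET tls_library")
        if "GnuTLS" in tls or "wolfSSL" in tls:
            client_cert = "auth_serv/iCA-user/user_and_ica.pem"
        else:
            client_cert = "auth_serv/iCA-user/user.pem"
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user",
                       ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                       client_cert=client_cert,
                       private_key="auth_serv/iCA-user/user.key",
                       scan_freq="2412", ocsp=3)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    finally:
        os.unlink(fn)
        os.unlink(fn2)
        os.unlink(fn3)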
4451
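def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev, apdev, params):
    """EAP-TLS and CA signed OCSP multi response (revoked)"""
    check_ocsp_support(dev[0])
    check_ocsp_multi_support(dev[0])
    check_pkcs12_support(dev[0])

    # The pre-built responses are produced outside this test (by the hwsim
    # setup scripts, presumably); skip when they are not in logdir.
    ocsp_revoked = os.path.join(params['logdir'],
                                "ocsp-resp-ca-signed-revoked.der")
    if not os.path.exists(ocsp_revoked):
        raise HwsimSkip("No OCSP response (revoked) available")
    ocsp_unknown = os.path.join(params['logdir'],
                                "ocsp-resp-ca-signed-unknown.der")
    if not os.path.exists(ocsp_unknown):
        raise HwsimSkip("No OCSP response(unknown) available")

    with open(ocsp_revoked, "rb") as f:
        resp_revoked = f.read()
    with open(ocsp_unknown, "rb") as f:
        resp_unknown = f.read()

    fd, fn = tempfile.mkstemp()
    try:
        # This is not really a valid order of the OCSPResponse items in the
        # list, but this works for now to verify parsing and processing of
        # multiple responses.  Each item is a 3-byte big-endian length
        # followed by the DER response; the zero-length item in the middle
        # presumably exercises the parser's handling of an empty entry.
        # 'with' closes the descriptor even if a write raises.
        with os.fdopen(fd, 'wb') as f:
            for resp in (resp_unknown, resp_revoked, b"", resp_unknown):
                f.write(struct.pack(">L", len(resp))[1:4])
                f.write(resp)

        params = int_eap_server_params()
        params["ocsp_stapling_response_multi"] = fn
        hostapd.add_ap(apdev[0], params)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       private_key="auth_serv/user.pkcs12",
                       private_key_passwd="whatever", ocsp=1,
                       wait_connect=False, scan_freq="2412")
        # A revoked status must surface as a status error; EAP-Success
        # would mean the stapled revocation was ignored.
        for _ in range(11):
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
                                    "CTRL-EVENT-EAP-SUCCESS"])
            if ev is None:
                raise Exception("Timeout on EAP status")
            if "CTRL-EVENT-EAP-SUCCESS" in ev:
                raise Exception("Unexpected EAP-Success")
            if ('bad certificate status response' in ev or
                    'certificate revoked' in ev):
                break
        else:
            raise Exception("Unexpected number of EAP status messages")
    finally:
        os.unlink(fn)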
4512
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
    check_domain_match_full(dev[0])
    check_pkcs12_support(dev[0])
    # server-no-dnsname.pem (by its name, a cert without a dNSName SAN)
    # forces domain_suffix_match to be evaluated against the subject CN;
    # here the configured suffix is the complete name.
    params = int_eap_server_params()
    params.update({"server_cert": "auth_serv/server-no-dnsname.pem",
                   "private_key": "auth_serv/server-no-dnsname.key"})
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="server3.w1.fi",
                   scan_freq="2412")
24579e70 4527
def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
    check_domain_match(dev[0])
    check_pkcs12_support(dev[0])
    # Exact-name domain_match against a server cert that carries the name
    # only in its subject CN (no dNSName SAN, going by the file name).
    params = int_eap_server_params()
    params.update({"server_cert": "auth_serv/server-no-dnsname.pem",
                   "private_key": "auth_serv/server-no-dnsname.key"})
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="server3.w1.fi",
                   scan_freq="2412")
4542
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
    # NOTE(review): the capability checks run on dev[0] while the connect is
    # done from dev[1]; fine as long as both share one build.
    check_domain_match_full(dev[0])
    check_pkcs12_support(dev[0])
    params = int_eap_server_params()
    params.update({"server_cert": "auth_serv/server-no-dnsname.pem",
                   "private_key": "auth_serv/server-no-dnsname.key"})
    hostapd.add_ap(apdev[0], params)
    # A proper parent-domain suffix ("w1.fi" for CN server3.w1.fi) must match.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="w1.fi",
                   scan_freq="2412")
4557
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
    check_domain_suffix_match(dev[0])
    check_pkcs12_support(dev[0])
    params = int_eap_server_params()
    params.update({"server_cert": "auth_serv/server-no-dnsname.pem",
                   "private_key": "auth_serv/server-no-dnsname.key"})
    hostapd.add_ap(apdev[0], params)
    # Two ways the suffix check must reject the CN server3.w1.fi: a wholly
    # different domain, and "erver3.w1.fi", a byte-wise suffix that does not
    # start on a label boundary.  Accepting the latter would let
    # attacker-controlled "xserver3.w1.fi" style names pass a suffix rule.
    rejected = (("example.com", dev[0]), ("erver3.w1.fi", dev[1]))
    for suffix, sta in rejected:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user", ca_cert="auth_serv/ca.pem",
                    private_key="auth_serv/user.pkcs12",
                    private_key_passwd="whatever",
                    domain_suffix_match=suffix,
                    wait_connect=False,
                    scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
    if dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report (2)")
6a4d0dbe 4586
def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
    check_domain_match(dev[0])
    check_pkcs12_support(dev[0])
    params = int_eap_server_params()
    params.update({"server_cert": "auth_serv/server-no-dnsname.pem",
                   "private_key": "auth_serv/server-no-dnsname.key"})
    hostapd.add_ap(apdev[0], params)
    # domain_match is an exact-name rule: neither an unrelated domain nor
    # the parent domain "w1.fi" may match CN server3.w1.fi.
    rejected = (("example.com", dev[0]), ("w1.fi", dev[1]))
    for name, sta in rejected:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user", ca_cert="auth_serv/ca.pem",
                    private_key="auth_serv/user.pkcs12",
                    private_key_passwd="whatever",
                    domain_match=name,
                    wait_connect=False,
                    scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
    if dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report (2)")
4615
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate"""
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params.update({"server_cert": "auth_serv/server-expired.pem",
                   "private_key": "auth_serv/server-expired.key"})
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   wait_connect=False,
                   scan_freq="2412")
    # Expiry must be reported as a TLS certificate error with reason 4 and
    # the "certificate has expired" text, followed by EAP failure.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    if ev is None:
        raise Exception("Timeout on EAP certificate error report")
    expected = ("reason=4", "certificate has expired")
    if not all(token in ev for token in expected):
        raise Exception("Unexpected failure reason: " + ev)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
4636
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params.update({"server_cert": "auth_serv/server-expired.pem",
                   "private_key": "auth_serv/server-expired.key"})
    hostapd.add_ap(apdev[0], params)
    # tls_disable_time_checks=1 makes the station accept the expired server
    # certificate.  This exists for testing/broken-clock devices; in a real
    # profile it removes the validity-period check entirely, so any leaked
    # old server key stays usable against such clients.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   phase1="tls_disable_time_checks=1",
                   scan_freq="2412")
6ab4a7aa 4649
def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
    skip_with_fips(dev[0])
    # A server cert with an unusually long validity period must still be
    # accepted by the default (time-checked) validation.
    params = int_eap_server_params()
    params.update({"server_cert": "auth_serv/server-long-duration.pem",
                   "private_key": "auth_serv/server-long-duration.key"})
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
4661
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
    skip_with_fips(dev[0])
    # The server presents a cert whose EKU only allows client use; the
    # station must refuse it (a client cert must not be usable to
    # impersonate the authentication server).
    params = int_eap_server_params()
    params.update({"server_cert": "auth_serv/server-eku-client.pem",
                   "private_key": "auth_serv/server-eku-client.key"})
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   wait_connect=False,
                   scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
242219c5 4677
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
    skip_with_fips(dev[0])
    # Counterpart of the client-EKU-only test: with both client and server
    # EKU present the server certificate is acceptable.
    params = int_eap_server_params()
    params.update({"server_cert": "auth_serv/server-eku-client-server.pem",
                   "private_key": "auth_serv/server-eku-client-server.key"})
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
4689
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
    skip_with_fips(dev[0])
    # Server cert and key both come from one PKCS#12 bundle, so the
    # separate server_cert entry is dropped from the config.
    params = int_eap_server_params()
    params.pop("server_cert")
    params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
4701
def test_ap_wpa2_eap_ttls_server_pkcs12_extra(dev, apdev):
    """EAP-TTLS and server PKCS#12 file with extra certs"""
    skip_with_fips(dev[0])
    # Password-protected PKCS#12 that also carries extra certificates.
    params = int_eap_server_params()
    params.pop("server_cert")
    params.update({"private_key": "auth_serv/server-extra.pkcs12",
                   "private_key_passwd": "whatever"})
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
4714
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Client-side dh_file: the station supplies its own DH parameters.
    sta_opts = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                    dh_file="auth_serv/dh.conf")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **sta_opts)
7c50093f 4723
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
    check_dh_dsa_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # DSA parameter file used as the station's DH parameters.
    sta_opts = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                    dh_file="auth_serv/dsaparam.pem")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **sta_opts)
4733
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TTLS and DH params file not found"""
    # NOTE(review): a second function with this exact name is defined later
    # in this file (the hostapd-side dh_file variant).  Python keeps the last
    # binding, so this client-side test is shadowed and never collected;
    # one of the two should be renamed.
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # A missing client dh_file must abort the EAP exchange, not fall back
    # silently to some default.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/dh-no-such-file.conf",
                   scan_freq="2412", wait_connect=False)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
4749
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TTLS and invalid DH params file"""
    # NOTE(review): redefined later in this file by the hostapd-side variant
    # of the same name; the later def wins, so this one never runs as a
    # test.  Rename one of them.
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # A CA certificate is handed in as dh_file; it is not DH parameters and
    # must make the client fail the EAP exchange.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/ca.pem",
                   scan_freq="2412", wait_connect=False)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
4765
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Load the DH parameters into a wpa_supplicant blob and reference it via
    # blob:// instead of a file path.
    dh = read_pem("auth_serv/dh2.conf")
    hexblob = binascii.hexlify(dh).decode()
    if "OK" not in dev[0].request("SET blob dhparams " + hexblob):
        raise Exception("Could not set dhparams blob")
    sta_opts = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                    dh_file="blob://dhparams")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **sta_opts)
4777
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
    # hostapd-side dh_file override; the station uses its defaults.
    params = int_eap_server_params()
    params["dh_file"] = "auth_serv/dh2.conf"
    hapd = hostapd.add_ap(apdev[0], params)
    sta_opts = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **sta_opts)
768ea0bc 4786
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
    # hostapd-side dh_file pointing at DSA parameters.
    params = int_eap_server_params()
    params["dh_file"] = "auth_serv/dsaparam.pem"
    hapd = hostapd.add_ap(apdev[0], params)
    sta_opts = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **sta_opts)
4795
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found"""
    # NOTE(review): this name is already used by an earlier, client-side
    # test in this file; this later definition shadows it so only this
    # server-side check ever runs.  Rename one of the two.
    params = int_eap_server_params()
    params["dh_file"] = "auth_serv/dh-no-such-file.conf"
    # Add the AP without enabling it so the config error surfaces on ENABLE.
    hapd = hostapd.add_ap(apdev[0], params, no_enable=True)
    if "FAIL" not in hapd.request("ENABLE"):
        raise Exception("Invalid configuration accepted")
4803
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file"""
    # NOTE(review): shadows the earlier client-side test of the same name in
    # this file; only this server-side variant is collected.  Rename one.
    params = int_eap_server_params()
    # A certificate file is not DH parameters; hostapd must refuse to enable.
    params["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0], params, no_enable=True)
    if "FAIL" not in hapd.request("ENABLE"):
        raise Exception("Invalid configuration accepted")
4811
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Short reauth period so the authenticator restarts EAP during the test.
    params['eap_reauth_period'] = '2'
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    logger.info("Wait for reauthentication")
    for marker in ("CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-EAP-SUCCESS"):
        if dev[0].wait_event([marker], timeout=10) is None:
            raise Exception("Timeout on reauthentication")
    # Poll up to ~2 s for the supplicant state machine to settle.
    state = None
    for _ in range(20):
        state = dev[0].get_status_field("wpa_state")
        if state == "COMPLETED":
            break
        time.sleep(0.1)
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")
4833
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Displayable text plus NUL-separated option string in Request-Identity.
    message = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    params['eap_message'] = message
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
4841
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
    check_hlr_auc_gw_support()
    params = int_eap_server_params()
    params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    params['eap_sim_aka_result_ind'] = "1"
    hapd = hostapd.add_ap(apdev[0], params)

    # (method, identity, Ki:OPc[:SQN] test credentials) - dev[0] requests
    # the protected result indication and reauthenticates, dev[1] connects
    # without requesting it.
    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for i, (method, identity, secret) in enumerate(cases):
        if i:
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], hapd, method, identity, password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], hapd, method, identity, password=secret)
633e364b 4876
def test_ap_wpa2_eap_sim_zero_db_timeout(dev, apdev):
    """WPA2-Enterprise using EAP-SIM with zero database timeout"""
    check_hlr_auc_gw_support()
    params = int_eap_server_params()
    params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    params['eap_sim_db_timeout'] = "0"
    params['disable_pmksa_caching'] = '1'
    hapd = hostapd.add_ap(apdev[0], params)

    # Run multiple iterations to make it more likely to hit the case where the
    # DB request times out and response is lost.
    for _ in range(20):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                       identity="1232010000000000",
                       password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                                "CTRL-EVENT-DISCONNECTED"],
                               timeout=15)
        if ev is None:
            raise Exception("No connection result")
        dev[0].request("REMOVE_NETWORK all")
        disconnected = "CTRL-EVENT-DISCONNECTED" in ev
        if disconnected:
            break
        dev[0].wait_disconnected()
    # hostapd must still be responsive after the lost-response path.
    hapd.ping()
4903
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # fragment_size=8 shreds the TLS handshake into tiny EAP fragments so
    # the supplicant's roundtrip limit trips before EAP-Success.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="TTLS", identity="mschap user",
                   wait_connect=False, scan_freq="2412", ieee80211w="1",
                   anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   fragment_size="8")
    ev = dev[0].wait_event(["EAP: more than",
                            "CTRL-EVENT-EAP-SUCCESS"], timeout=20)
    limit_hit = ev is not None and "EAP: more than" in ev
    if not limit_hit:
        raise Exception("EAP roundtrip limit not reached")
4919
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # identity "vendor-test" steers the server to a vendor-specific
    # (expanded) method the station refuses, producing an expanded NAK.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="PSK", identity="vendor-test",
                   password_hex="ff23456789abcdef0123456789abcdef",
                   wait_connect=False)

    ev = None
    for _ in range(5):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=16)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in ev:
            break
    else:
        raise Exception("Unexpected EAP status: " + ev)

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("EAP failure timed out")
4943
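def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB"""
    skip_with_fips(dev[0])
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    # Start from a fresh file.  Only "file does not exist" is expected here;
    # the previous bare except also hid permission errors and the like.
    try:
        os.remove(dbfile)
    except OSError:
        pass
    # Test fixture only: passwords are stored in the clear because the
    # TTLS inner methods configured below are verified against the
    # cleartext password.  A deployment must protect this file accordingly.
    schema = (
        "CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)",
        "CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)",
        "INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)",
        "INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)",
        "INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)",
        "INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)",
        "INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')",
        "CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)",
    )
    con = sqlite3.connect(dbfile)
    try:
        with con:
            cur = con.cursor()
            for stmt in schema:
                cur.execute(stmt)
    finally:
        # Release the handle before hostapd opens the file.
        con.close()

    try:
        params = int_eap_server_params()
        params["eap_user_file"] = "sqlite:" + dbfile
        hapd = hostapd.add_ap(apdev[0], params)
        # Each inner method is bound to its own user row via 'methods'.
        plan = [
            (dev[0], "user-mschapv2", "auth=MSCHAPV2"),
            (dev[1], "user-mschap", "auth=MSCHAP"),
            (dev[0], "user-chap", "auth=CHAP"),
            (dev[1], "user-pap", "auth=PAP"),
        ]
        for i, (sta, user, phase2) in enumerate(plan):
            eap_connect(sta, hapd, "TTLS", user,
                        anonymous_identity="ttls", password="password",
                        ca_cert="auth_serv/ca.pem", phase2=phase2)
            # The original flow drops the network after the first two
            # connects (one per station) before reusing each station.
            if i < 2:
                sta.request("REMOVE_NETWORK all")
    finally:
        os.remove(dbfile)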
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity"""
    hostapd.add_ap(apdev[0], int_eap_server_params())
    # Two stations, two non-ASCII identities: a lone 0x80 and one with an
    # ASCII prefix. Only EAP start and method selection are verified; the
    # connection itself is not expected to complete.
    identities = ["\x80", "a\x80"]
    for i, ident in enumerate(identities):
        dev[i].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity=ident, password="password", wait_connect=False)
    for i in range(len(identities)):
        if dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16) is None:
            raise Exception("Association and EAP start timed out")
        if dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10) is None:
            raise Exception("EAP method selection timed out")

def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity"""
    # Same as test_ap_wpa2_eap_non_ascii_identity but against the default
    # hostapd EAP configuration instead of the internal server parameters.
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    identities = ["\x80", "a\x80"]
    for i, ident in enumerate(identities):
        dev[i].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity=ident, password="password", wait_connect=False)
    for i in range(len(identities)):
        if dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16) is None:
            raise Exception("Association and EAP start timed out")
        if dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10) is None:
            raise Exception("EAP method selection timed out")
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant"""
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A cipher list the server can satisfy: the connection succeeds.
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="AES128",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # EXPORT-grade ciphers only: expected to fail, possibly with a local
    # error on the supplicant side before anything reaches the server.
    eap_connect(dev[1], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="EXPORT",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                expect_failure=True, maybe_local_error=True)
    # An invalid cipher string must surface as an EAP failure.
    sta = dev[2]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="pap user", anonymous_identity="ttls",
                password="password",
                openssl_ciphers="FOO",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                wait_connect=False)
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure after invalid openssl_ciphers not reported")
    sta.request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd"""
    sta_tls = dev[0].request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + sta_tls)
    params = int_eap_server_params()
    params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0], params)
    tls = hapd.request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)
    # Server restricted to AES256: default client settings succeed ...
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # ... a client that only offers AES128 cannot agree on a cipher ...
    eap_connect(dev[1], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="AES128",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                expect_failure=True)
    # ... and a broad HIGH list (minus anonymous DH) overlaps again.
    eap_connect(dev[2], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="HIGH:!ADH",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    # An invalid cipher string should keep the second AP from being enabled.
    params['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1], params, no_enable=True)
    enable_res = hapd2.request("ENABLE")
    if "FAIL" not in enable_res:
        if "run=OpenSSL 1.1.1" in tls:
            logger.info("Ignore acceptance of an invalid openssl_ciphers value with OpenSSL 1.1.1")
        else:
            raise Exception("Invalid openssl_ciphers value accepted")

def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Long, unique password so its presence in process memory is unambiguous.
    secret = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    net_id = eap_connect(dev[0], hapd, "TTLS", "pap-secret",
                         anonymous_identity="ttls", password=secret,
                         ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    run_eap_key_lifetime_in_memory(dev, params, net_id, secret)

def test_wpa2_eap_peap_gtc_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using PEAP/GTC"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Long, unique password so its presence in process memory is unambiguous.
    secret = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    net_id = eap_connect(dev[0], hapd, "PEAP", "user-secret",
                         anonymous_identity="peap", password=secret,
                         ca_cert="auth_serv/ca.pem", phase2="auth=GTC")
    run_eap_key_lifetime_in_memory(dev, params, net_id, secret)

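# Debug-log markers of the hexdump lines run_eap_key_lifetime_in_memory()
# needs, paired with the key they carry. TTLS and PEAP log the MSK/EMSK under
# different prefixes, so both are listed.
_KEY_LOG_MARKERS = [
    ("EAP-TTLS: Derived key - hexdump", "msk"),
    ("EAP-PEAP: Derived key - hexdump", "msk"),
    ("EAP-TTLS: Derived EMSK - hexdump", "emsk"),
    ("EAP-PEAP: Derived EMSK - hexdump", "emsk"),
    ("WPA: PMK - hexdump", "pmk"),
    ("WPA: PTK - hexdump", "ptk"),
    ("WPA: Group Key - hexdump", "gtk"),
]

def _hexdump_value(line):
    """Return the bytes carried by a wpa_supplicant hexdump debug-log line"""
    # The hex payload is the fourth colon-separated field of the log line
    # (presumably timestamp, module prefix and the "hexdump(len=N)" label
    # come first -- confirm against the log format if this ever breaks).
    val = line.strip().split(':')[3].replace(' ', '')
    return binascii.unhexlify(val)

def _keys_from_log(path):
    """Collect MSK/EMSK/PMK/PTK/GTK from the wpa_supplicant debug log at path

    Returns a dict keyed by "msk", "emsk", "pmk", "ptk", "gtk"; a key that
    never appears in the log maps to None. When a key is logged more than
    once, the last occurrence wins.
    """
    keys = {"msk": None, "emsk": None, "pmk": None, "ptk": None, "gtk": None}
    with open(path, 'r') as f:
        for line in f:
            for marker, name in _KEY_LOG_MARKERS:
                if marker in line:
                    keys[name] = _hexdump_value(line)
    return keys

def _log_key_locations(buf, password, pmk, msk, emsk):
    """Log where the long-lived secrets are found in the memory snapshot buf"""
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")

def run_eap_key_lifetime_in_memory(dev, params, id, password):
    """Verify how long EAP/WPA key material stays in wpa_supplicant memory

    Shared body of the *_key_lifetime_in_memory tests. dev[0] must already
    be connected (via eap_connect) using network id *id* and *password*.
    The process memory is snapshotted at four points -- while associated,
    after disconnection, after flushing the PMKSA cache and EAP fast
    re-auth data, and after removing the network profile -- and the keys
    that should have been cleared at each point are checked for absence.

    Args:
        dev: list of WpaSupplicant instances; only dev[0] is used
        params: test parameters; params['logdir'] holds the debug log and
            receives the memory-context dump files on failure
        id: network id of the connected profile (its identity is changed to
            invalidate the EAP fast re-auth data)
        password: password used for the connection, as a str

    Raises:
        HwsimSkip: if the password or PMK cannot be located while associated
        Exception: if a key is missing from the debug log, the GTK has an
            unexpected length, or a key is still present after it should
            have been cleared
    """
    pid = find_wpas_process(dev[0])

    # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
    # event has been delivered, so verify that wpa_supplicant has returned to
    # eloop before reading process memory.
    time.sleep(1)
    dev[0].ping()
    password = password.encode()
    buf = read_process_memory(pid, password)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    dev[0].relog()
    keys = _keys_from_log(os.path.join(params['logdir'], 'log0'))
    msk = keys["msk"]
    emsk = keys["emsk"]
    pmk = keys["pmk"]
    ptk = keys["ptk"]
    gtk = keys["gtk"]
    if not msk or not emsk or not pmk or not ptk or not gtk:
        raise Exception("Could not find keys from debug log")
    if len(gtk) != 16:
        raise Exception("Unexpected GTK length")

    # PTK layout used here: KCK | KEK | TK, 16 bytes each.
    kck = ptk[0:16]
    kek = ptk[16:32]
    tk = ptk[32:48]

    # Prefix for the memory-context dumps written by verify_not_present().
    # The name is historical: it is used by the PEAP variant as well.
    fname = os.path.join(params['logdir'],
                         'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')

    logger.info("Checking keys in memory while associated")
    _log_key_locations(buf, password, pmk, msk, emsk)
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    if pmk not in buf:
        raise HwsimSkip("PMK not found while associated")
    if kck not in buf:
        raise Exception("KCK not found while associated")
    if kek not in buf:
        raise Exception("KEK not found while associated")
    # NOTE: presence of TK while associated is intentionally not checked
    # here (that check was disabled in the original test).

    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, password)

    # Note: Password is still present in network configuration
    # Note: PMK is in PMKSA cache and EAP fast re-auth data

    _log_key_locations(buf, password, pmk, msk, emsk)
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    if gtk in buf:
        get_key_locations(buf, gtk, "GTK")
    verify_not_present(buf, gtk, fname, "GTK")

    dev[0].request("PMKSA_FLUSH")
    # Changing the identity invalidates the EAP fast re-auth data.
    dev[0].set_network_quoted(id, "identity", "foo")
    logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
    buf = read_process_memory(pid, password)
    _log_key_locations(buf, password, pmk, msk, emsk)
    verify_not_present(buf, pmk, fname, "PMK")

    dev[0].request("REMOVE_NETWORK all")

    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, password)

    _log_key_locations(buf, password, pmk, msk, emsk)
    verify_not_present(buf, password, fname, "password")
    verify_not_present(buf, pmk, fname, "PMK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    verify_not_present(buf, msk, fname, "MSK")
    verify_not_present(buf, emsk, fname, "EMSK")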
def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
    """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
    bssid = apdev[0]['bssid']
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    # Inject an unexpected WEP EAPOL-Key frame; wpa_supplicant is expected
    # to drop it, but the control interface must still accept the request.
    wep_eapol_key = "0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    if "OK" not in dev[0].request("EAPOL_RX " + bssid + " " + wep_eapol_key):
        raise Exception("EAPOL_RX to wpa_supplicant failed")
def test_ap_wpa2_eap_in_bridge(dev, apdev):
    """WPA2-EAP and wpas interface in a bridge"""
    br_ifname = 'sta-br0'
    ifname = 'wlan5'
    # Bridge teardown runs whatever the test outcome; every step is
    # best-effort (subprocess.call does not check the exit status).
    cleanup = [['ip', 'link', 'set', 'dev', br_ifname, 'down'],
               ['brctl', 'delif', br_ifname, ifname],
               ['brctl', 'delbr', br_ifname],
               ['iw', ifname, 'set', '4addr', 'off']]
    try:
        _test_ap_wpa2_eap_in_bridge(dev, apdev)
    finally:
        for cmd in cleanup:
            subprocess.call(cmd)

def _test_ap_wpa2_eap_in_bridge(dev, apdev):
    """Body of test_ap_wpa2_eap_in_bridge (bridge cleanup is done by the caller)"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    br_ifname = 'sta-br0'
    ifname = 'wlan5'
    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    # Bring up the bridge, switch the STA interface to 4-address mode and
    # enslave it; only the final addif is required to succeed.
    subprocess.call(['brctl', 'addbr', br_ifname])
    subprocess.call(['brctl', 'setfd', br_ifname, '0'])
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
    subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
    subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
    wpas.interface_add(ifname, br_ifname=br_ifname)
    wpas.dump_monitor()

    eap_connect(wpas, hapd, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    wpas.dump_monitor()
    # Two reauthentications: the second one is a regression test for the
    # packet socket workaround.
    for _ in range(2):
        eap_reauth(wpas, "PAX")
        wpas.dump_monitor()
    wpas.request("DISCONNECT")
    wpas.wait_disconnected()
    wpas.dump_monitor()
    wpas.request("RECONNECT")
    wpas.wait_connected()
    wpas.dump_monitor()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Sanity check that the AP really came up as a WPA-EAP network.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")

def test_ap_wpa2_eap_no_workaround(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Sanity check that the AP really came up as a WPA-EAP network.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
    """EAP-TLS and server checking CRL"""
    params = int_eap_server_params()
    params['check_crl'] = '1'
    hapd = hostapd.add_ap(apdev[0], params)

    def connect_tls(**kwargs):
        # One EAP-TLS attempt with the standard test user credentials.
        eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                    client_cert="auth_serv/user.pem",
                    private_key="auth_serv/user.key", **kwargs)
        dev[0].request("REMOVE_NETWORK all")

    def reconfigure(key, value):
        # hostapd only picks up TLS parameter changes across a restart.
        hapd.disable()
        hapd.set(key, value)
        hapd.enable()

    # check_crl=1 and no CRL available --> reject connection
    connect_tls(expect_failure=True)

    # check_crl=1 and valid CRL --> accept
    reconfigure("ca_cert", "auth_serv/ca-and-crl.pem")
    connect_tls()

    # check_crl=2 and valid CRL --> accept
    reconfigure("check_crl", "2")
    connect_tls()

def test_ap_wpa2_eap_tls_crl_reload(dev, apdev, params):
    """EAP-TLS and server reloading CRL from ca_cert"""
    ca_cert = os.path.join(params['logdir'],
                           "ap_wpa2_eap_tls_crl_reload.ca_cert")

    def read_file(path):
        with open(path, 'r') as f:
            return f.read()

    def write_ca_cert(content):
        with open(ca_cert, 'w') as f:
            f.write(content)

    only_cert = read_file('auth_serv/ca.pem')
    cert_and_crl = read_file('auth_serv/ca-and-crl.pem')
    # Start with the CA certificate only, i.e. without any CRL.
    write_ca_cert(only_cert)
    params = int_eap_server_params()
    params['ca_cert'] = ca_cert
    params['check_crl'] = '1'
    params['crl_reload_interval'] = '1'
    hapd = hostapd.add_ap(apdev[0], params)

    # check_crl=1 and no CRL available --> reject connection
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].dump_monitor()

    # Replace the file with the CA+CRL bundle and give hostapd one reload
    # interval to pick it up.
    write_ca_cert(cert_and_crl)
    time.sleep(1)

    # check_crl=1 and valid CRL --> accept
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

def test_ap_wpa2_eap_tls_oom(dev, apdev):
    """EAP-TLS and OOM"""
    sta = dev[0]
    check_subject_match_support(sta)
    check_altsubject_match_support(sta)
    check_domain_match(sta)
    check_domain_match_full(sta)

    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # Fail the 1st..4th allocation inside tls_connection_set_subject_match
    # in turn; each failure must be reported as a TLS parameter error.
    func = "tls_connection_set_subject_match"
    for count in range(1, 5):
        with alloc_fail(sta, count, func):
            sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                        identity="tls user", ca_cert="auth_serv/ca.pem",
                        client_cert="auth_serv/user.pem",
                        private_key="auth_serv/user.key",
                        subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                        altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
                        domain_suffix_match="server.w1.fi",
                        domain_match="server.w1.fi",
                        wait_connect=False, scan_freq="2412")
            # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
            if sta.wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5) is None:
                raise Exception("No passphrase request")
            sta.request("REMOVE_NETWORK all")
            sta.wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # macaddr_acl=2: use the RADIUS/EAP server for MAC-based access control.
    params["macaddr_acl"] = "2"
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[1], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
def test_ap_wpa2_eap_oom(dev, apdev):
    """EAP server and OOM"""
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta.scan_for_bss(apdev[0]['bssid'], freq=2412)

    with alloc_fail(hapd, 1, "eapol_auth_alloc"):
        # The first attempt fails, but STA will send EAPOL-Start to retry and
        # that succeeds.
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user", ca_cert="auth_serv/ca.pem",
                    client_cert="auth_serv/user.pem",
                    private_key="auth_serv/user.key",
                    scan_freq="2412")

def check_tls_ver(dev, hapd, phase1, expected):
    """Connect with EAP-TLS using the given phase1 string and verify the TLS version

    dev is the WpaSupplicant instance to connect, hapd the AP to connect
    to, phase1 the phase1 network parameter (e.g. tls_disable_tlsv1_* flags)
    and expected the eap_tls_version status value that must result.
    Raises Exception when the negotiated version differs from expected.
    """
    eap_connect(dev, hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
                phase1=phase1)
    negotiated = dev.get_status_field("eap_tls_version")
    if negotiated == expected:
        return
    raise Exception("Unexpected TLS version (expected %s): %s" % (expected, negotiated))

def test_ap_wpa2_eap_tls_versions(dev, apdev):
    """EAP-TLS and TLS version configuration"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    no_tls10_11 = "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1"
    tls = dev[0].request("GET tls_library")
    # The library prefixes are mutually exclusive, so a single if/elif
    # chain is equivalent to testing each of them separately.
    if tls.startswith("OpenSSL"):
        # OpenSSL 1.0.1 cannot be forced to TLS 1.2 this way.
        old_openssl = "build=OpenSSL 1.0.1" in tls or "run=OpenSSL 1.0.1" in tls
        if not old_openssl:
            check_tls_ver(dev[0], hapd, no_tls10_11, "TLSv1.2")
    elif tls.startswith("wolfSSL"):
        known_wolfssl = ("build=3.10.0" in tls and "run=3.10.0" in tls) or \
                        ("build=3.13.0" in tls and "run=3.13.0" in tls)
        if known_wolfssl:
            check_tls_ver(dev[0], hapd, no_tls10_11, "TLSv1.2")
    elif tls.startswith("internal"):
        # The internal TLS implementation honours every disable flag, so
        # each remaining version can be selected explicitly.
        check_tls_ver(dev[0], hapd, no_tls10_11, "TLSv1.2")
        check_tls_ver(dev[1], hapd,
                      "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
        check_tls_ver(dev[2], hapd,
                      "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
    if "run=OpenSSL 1.1.1" in tls:
        check_tls_ver(dev[0], hapd,
                      "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0", "TLSv1.3")

def test_ap_wpa2_eap_tls_13(dev, apdev):
    """EAP-TLS and TLS 1.3"""
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    tls = sta.request("GET tls_library")
    if "run=OpenSSL 1.1.1" not in tls:
        raise HwsimSkip("TLS v1.3 not supported")
    # Disable every version below 1.3 so that only TLS 1.3 can be negotiated.
    eap_connect(sta, hapd, "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
                phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0")
    if sta.get_status_field("eap_tls_version") != "TLSv1.3":
        raise Exception("Unexpected TLS version")

    # Reauthentication, then a full reconnect without a cached PMKSA.
    eap_reauth(sta, "TLS")
    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.request("PMKSA_FLUSH")
    sta.request("RECONNECT")
    sta.wait_connected()

def test_rsn_ie_proto_eap_sta(dev, apdev):
    """RSN element protocol testing for EAP cases on STA side"""
    sta = dev[0]
    bssid = apdev[0]['bssid']
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # This is the RSN element used normally by hostapd
    params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
    hapd = hostapd.add_ap(apdev[0], params)
    net_id = sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                         identity="gpsk user",
                         password="abcdefghijklmnop0123456789abcdef",
                         scan_freq="2412")

    # Progressively truncated RSN elements; the STA must still be able to
    # reconnect with each of them.
    truncated_rsn_ies = [
        ('No RSN Capabilities field',
         '30120100000fac040100000fac040100000fac01'),
        ('No AKM Suite fields',
         '300c0100000fac040100000fac04'),
        ('No Pairwise Cipher Suite fields',
         '30060100000fac04'),
        ('No Group Data Cipher Suite field',
         '30020100'),
    ]
    for description, ie in truncated_rsn_ies:
        sta.request("DISCONNECT")
        sta.wait_disconnected()
        logger.info(description)
        hapd.disable()
        hapd.set('own_ie_override', ie)
        hapd.enable()
        # Drop the old BSS entry so the scan picks up the modified element.
        sta.request("BSS_FLUSH 0")
        sta.scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
        sta.select_network(net_id, freq=2412)
        sta.wait_connected()

    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.flush_scan_cache()

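def check_tls_session_resumption_capa(dev, hapd):
    """Skip the test unless both sides use a TLS library with session resumption

    Only OpenSSL is accepted, on the hostapd (hapd) side as well as on the
    wpa_supplicant (dev) side; any other library name reported by
    "GET tls_library" raises HwsimSkip.
    """
    tls = hapd.request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        # The skip message used to claim wolfSSL was acceptable although the
        # condition above only accepts OpenSSL; keep the message consistent
        # with what is actually checked.
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)

    tls = dev.request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("Session resumption not supported with this TLS library: " + tls)
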
def test_eap_ttls_pap_session_resumption(dev, apdev):
    """EAP-TTLS/PAP session resumption"""
    sta = dev[0]
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(sta, hapd)
    eap_connect(sta, hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")
    # First connection: a full handshake, nothing to resume yet.
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Re-authenticate; the cached TLS session is expected to be reused.
    sta.request("REAUTHENTICATE")
    expected = [("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
                ("WPA: Key negotiation completed",
                 "Key handshake with the AP timed out")]
    for event, error in expected:
        if sta.wait_event([event], timeout=10) is None:
            raise Exception(error)
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
    hwsim_utils.test_connectivity(sta, hapd)
def test_eap_ttls_chap_session_resumption(dev, apdev):
    """EAP-TTLS/CHAP session resumption"""
    sta = dev[0]
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(sta, hapd)
    # DER-encoded CA certificate this time, otherwise the usual TTLS setup.
    eap_connect(sta, hapd, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    expected = [("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
                ("WPA: Key negotiation completed",
                 "Key handshake with the AP timed out")]
    for event, error in expected:
        if sta.wait_event([event], timeout=10) is None:
            raise Exception(error)
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")

def test_eap_ttls_mschap_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAP session resumption"""
    sta = dev[0]
    check_domain_suffix_match(sta)
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(sta, hapd)
    eap_connect(sta, hapd, "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    expected = [("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
                ("WPA: Key negotiation completed",
                 "Key handshake with the AP timed out")]
    for event, error in expected:
        if sta.wait_event([event], timeout=10) is None:
            raise Exception(error)
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")

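def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAPv2 session resumption

    Connects once with a DOMAIN\\user style identity (the backslash is kept
    literally; it used to be written as "\\m", an invalid escape sequence
    that newer Python versions warn about), then re-authenticates and
    verifies that the second TLS handshake resumed the cached session.
    """
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
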
def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
    """EAP-TTLS/EAP-GTC session resumption"""
    sta = dev[0]
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(sta, hapd)
    # autheap=GTC: an inner EAP method rather than a plain TTLS auth type.
    eap_connect(sta, hapd, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    expected = [("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
                ("WPA: Key negotiation completed",
                 "Key handshake with the AP timed out")]
    for event, error in expected:
        if sta.wait_event([event], timeout=10) is None:
            raise Exception(error)
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")

def test_eap_ttls_no_session_resumption(dev, apdev):
    """EAP-TTLS session resumption disabled on server"""
    sta = dev[0]
    params = int_eap_server_params()
    # tls_session_lifetime=0 disables session caching on the server.
    params['tls_session_lifetime'] = '0'
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(sta, hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    expected = [("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
                ("WPA: Key negotiation completed",
                 "Key handshake with the AP timed out")]
    for event, error in expected:
        if sta.wait_event([event], timeout=10) is None:
            raise Exception(error)
    # Without a server-side cache the second handshake must be a full one too.
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")

def test_eap_peap_session_resumption(dev, apdev):
    """EAP-PEAP session resumption"""
    sta = dev[0]
    check_eap_capa(sta, "MSCHAPV2")
    # 60 second server-side cache lifetime; plenty for a single reauth.
    srv = int_eap_server_params()
    srv['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], srv)
    check_tls_session_resumption_capa(sta, hapd)
    eap_connect(sta, hapd, "PEAP", "user", anonymous_identity="peap",
                password="password", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Reauthenticate and confirm the cached TLS session was picked up.
    sta.request("REAUTHENTICATE")
    for event, failure in (("CTRL-EVENT-EAP-SUCCESS",
                            "EAP success timed out"),
                           ("WPA: Key negotiation completed",
                            "Key handshake with the AP timed out")):
        if sta.wait_event([event], timeout=10) is None:
            raise Exception(failure)
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")

def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
    """EAP-PEAP session resumption with crypto binding"""
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)

    def expect(event, failure):
        # Wait for a single control event with the test's uniform timeout.
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(failure)

    # PEAPv0 with cryptobinding required (crypto_binding=2); the binding
    # must also be satisfied on the resumed session.
    eap_connect(dev[0], hapd, "PEAP", "user", anonymous_identity="peap",
                password="password", phase1="peapver=0 crypto_binding=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    expect("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out")
    expect("WPA: Key negotiation completed",
           "Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")

def test_eap_peap_no_session_resumption(dev, apdev):
    """EAP-PEAP session resumption disabled on server"""
    # The server parameters are used as returned by int_eap_server_params(),
    # i.e. without any tls_session_lifetime entry.
    hapd = hostapd.add_ap(apdev[0], int_eap_server_params())
    sta = dev[0]
    eap_connect(sta, hapd, "PEAP", "user", anonymous_identity="peap",
                password="password", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # A reauthentication must again run a full TLS handshake.
    sta.request("REAUTHENTICATE")
    for event, failure in (("CTRL-EVENT-EAP-SUCCESS",
                            "EAP success timed out"),
                           ("WPA: Key negotiation completed",
                            "Key handshake with the AP timed out")):
        if sta.wait_event([event], timeout=10) is None:
            raise Exception(failure)
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")

def test_eap_tls_session_resumption(dev, apdev):
    """EAP-TLS session resumption"""
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Two reauthentications in a row; both are expected to resume the TLS
    # session established by the first full handshake.
    for ordinal in ("second", "third"):
        dev[0].request("REAUTHENTICATE")
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if dev[0].wait_event(["WPA: Key negotiation completed"],
                             timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")
        if dev[0].get_status_field("tls_session_reused") != '1':
            raise Exception("Session resumption not used on the %s connection"
                            % ordinal)

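def test_eap_tls_session_resumption_expiration(dev, apdev):
    """EAP-TLS session resumption not used after the cached session expires"""
    params = int_eap_server_params()
    # One second server-side cache lifetime; the sleeps below step past it.
    params['tls_session_lifetime'] = '1'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Allow multiple attempts since OpenSSL may not expire the cached entry
    # immediately. Stop as soon as a reauthentication ran a full handshake.
    for _ in range(10):
        time.sleep(1.2)

        dev[0].request("REAUTHENTICATE")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
        if ev is None:
            raise Exception("Key handshake with the AP timed out")
        if dev[0].get_status_field("tls_session_reused") == '0':
            break
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Session resumption used after lifetime expiration")
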
def test_eap_tls_no_session_resumption(dev, apdev):
    """EAP-TLS session resumption disabled on server"""
    # No tls_session_lifetime entry is added to the server parameters.
    hapd = hostapd.add_ap(apdev[0], int_eap_server_params())
    wait = dev[0].wait_event
    reused = lambda: dev[0].get_status_field("tls_session_reused")
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if reused() != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # The reauthentication must not reuse the TLS session either.
    dev[0].request("REAUTHENTICATE")
    if wait(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if wait(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if reused() != '0':
        raise Exception("Unexpected session resumption on the second connection")

def test_eap_tls_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption (RADIUS)"""
    # Standalone EAP/RADIUS authentication server on apdev[1]; the AP on
    # apdev[0] is pointed at its RADIUS port (18128) below.
    as_params = {"ssid": "as", "beacon_int": "2000",
                 "radius_server_clients": "auth_serv/radius_clients.conf",
                 "radius_server_auth_port": '18128',
                 "eap_server": "1",
                 "eap_user_file": "auth_serv/eap_user.conf",
                 "ca_cert": "auth_serv/ca.pem",
                 "server_cert": "auth_serv/server.pem",
                 "private_key": "auth_serv/server.key",
                 "tls_session_lifetime": "60"}
    authsrv = hostapd.add_ap(apdev[1], as_params)
    check_tls_session_resumption_capa(dev[0], authsrv)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], ap_params)
    sta = dev[0]
    eap_connect(sta, hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    for event, failure in (("CTRL-EVENT-EAP-SUCCESS",
                            "EAP success timed out"),
                           ("WPA: Key negotiation completed",
                            "Key handshake with the AP timed out")):
        if sta.wait_event([event], timeout=10) is None:
            raise Exception(failure)
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")

def test_eap_tls_no_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption disabled (RADIUS)"""
    # Standalone EAP/RADIUS authentication server on apdev[1] with its TLS
    # session cache disabled (tls_session_lifetime=0).
    as_params = {"ssid": "as", "beacon_int": "2000",
                 "radius_server_clients": "auth_serv/radius_clients.conf",
                 "radius_server_auth_port": '18128',
                 "eap_server": "1",
                 "eap_user_file": "auth_serv/eap_user.conf",
                 "ca_cert": "auth_serv/ca.pem",
                 "server_cert": "auth_serv/server.pem",
                 "private_key": "auth_serv/server.key",
                 "tls_session_lifetime": "0"}
    hostapd.add_ap(apdev[1], as_params)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], ap_params)
    sta = dev[0]
    eap_connect(sta, hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    for event, failure in (("CTRL-EVENT-EAP-SUCCESS",
                            "EAP success timed out"),
                           ("WPA: Key negotiation completed",
                            "Key handshake with the AP timed out")):
        if sta.wait_event([event], timeout=10) is None:
            raise Exception(failure)
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")

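def _run_eap_fail_cases(dev, inject, trigger, cases, **net):
    """Drive one failed connection attempt per injected failure.

    inject is fail_test or alloc_fail (a context manager taking
    (dev, count, func)); trigger is the matching GET_FAIL / GET_ALLOC_FAIL
    keyword for wait_fail_trigger(); cases is an iterable of (count, func)
    pairs; net holds the extra network parameters for dev.connect() on top
    of the fixed SSID/key_mgmt/scan_freq. The network is removed again after
    every attempt so the next case starts from a disconnected state.
    """
    for count, func in cases:
        with inject(dev, count, func):
            dev.connect("test-wpa-eap", key_mgmt="WPA-EAP",
                        wait_connect=False, scan_freq="2412", **net)
            wait_fail_trigger(dev, trigger)
            dev.request("REMOVE_NETWORK all")
            dev.wait_disconnected()

def test_eap_mschapv2_errors(dev, apdev):
    """EAP-MSCHAPv2 error cases"""
    check_eap_capa(dev[0], "MSCHAPV2")
    check_eap_capa(dev[0], "FAST")

    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hostapd.add_ap(apdev[0], params)
    # Baseline: a plain successful EAP-MSCHAPv2 connection before any
    # failure injection.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                   identity="phase1-user", password="password",
                   scan_freq="2412")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    mschapv2 = dict(eap="MSCHAPV2", identity="phase1-user")

    # Failures in the response derivation with a cleartext password. The
    # original list carried "nt_password_hash;=mschapv2_derive_response"
    # twice; one copy is enough since every case runs independently.
    tests = [(1, "hash_nt_password_hash;mschapv2_derive_response"),
             (1, "nt_password_hash;mschapv2_derive_response"),
             (1, "nt_password_hash;=mschapv2_derive_response"),
             (1, "generate_nt_response;mschapv2_derive_response"),
             (1, "generate_authenticator_response;mschapv2_derive_response"),
             (1, "get_master_key;mschapv2_derive_response"),
             (1, "os_get_random;eap_mschapv2_challenge_reply")]
    _run_eap_fail_cases(dev[0], fail_test, "GET_FAIL", tests,
                        password="password", **mschapv2)

    # Same derivation path when the NT password hash is supplied directly.
    tests = [(1, "hash_nt_password_hash;mschapv2_derive_response"),
             (1, "hash_nt_password_hash;=mschapv2_derive_response"),
             (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
             (1, "generate_authenticator_response_pwhash;mschapv2_derive_response")]
    _run_eap_fail_cases(dev[0], fail_test, "GET_FAIL", tests,
                        password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                        **mschapv2)

    # Allocation failures on the success path.
    tests = [(1, "eap_mschapv2_init"),
             (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
             (1, "eap_msg_alloc;eap_mschapv2_success"),
             (1, "eap_mschapv2_getKey")]
    _run_eap_fail_cases(dev[0], alloc_fail, "GET_ALLOC_FAIL", tests,
                        password="password", **mschapv2)

    # Allocation failure while building the Failure response, which needs a
    # wrong password to be reached.
    _run_eap_fail_cases(dev[0], alloc_fail, "GET_ALLOC_FAIL",
                        [(1, "eap_msg_alloc;eap_mschapv2_failure")],
                        password="wrong password", **mschapv2)

    # EAP-MSCHAPv2 as the EAP-FAST inner method: later eap_mschapv2_init
    # allocation failures.
    tests = [(2, "eap_mschapv2_init"),
             (3, "eap_mschapv2_init")]
    _run_eap_fail_cases(dev[0], alloc_fail, "GET_ALLOC_FAIL", tests,
                        eap="FAST", anonymous_identity="FAST", identity="user",
                        password="password", ca_cert="auth_serv/ca.pem",
                        phase2="auth=MSCHAPV2", phase1="fast_provisioning=1",
                        pac_file="blob://fast_pac")
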
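def test_eap_gpsk_errors(dev, apdev):
    """EAP-GPSK error cases"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hostapd.add_ap(apdev[0], params)
    psk = "abcdefghijklmnop0123456789abcdef"
    # Baseline: the GPSK exchange succeeds without any failure injection.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                   identity="gpsk user", password=psk, scan_freq="2412")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # (count, failing function, phase1): "cipher=1" / "cipher=2" select the
    # GPSK cipher suite whose primitive is being failed; None leaves the
    # default.
    tests = [(1, "os_get_random;eap_gpsk_send_gpsk_2", None),
             (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
              "cipher=1"),
             (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
              "cipher=2"),
             (1, "eap_gpsk_derive_keys_helper", None),
             (2, "eap_gpsk_derive_keys_helper", None),
             (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
              "cipher=1"),
             (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
              "cipher=2"),
             (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
             (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
             (1, "eap_gpsk_derive_mid_helper", None)]
    for count, func, phase1 in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                           identity="gpsk user", password=psk, phase1=phase1,
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Allocation failures, run with ERP enabled (erp=1) so the EMSK/session
    # id getters are exercised too.
    tests = [(1, "eap_gpsk_init"),
             (2, "eap_gpsk_init"),
             (3, "eap_gpsk_init"),
             (1, "eap_gpsk_process_id_server"),
             (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
             (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
             (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
             (1, "eap_gpsk_derive_keys"),
             (1, "eap_gpsk_derive_keys_helper"),
             (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
             (1, "eap_gpsk_getKey"),
             (1, "eap_gpsk_get_emsk"),
             (1, "eap_gpsk_get_session_id")]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            # NOTE(review): ERP_FLUSH before each attempt presumably drops
            # cached ERP state so every case runs the full exchange — confirm.
            dev[0].request("ERP_FLUSH")
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                           identity="gpsk user@domain", erp="1",
                           password=psk,
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
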
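def test_ap_wpa2_eap_sim_db(dev, apdev, params):
    """EAP-SIM DB error cases"""
    sockpath = '/tmp/hlr_auc_gw.sock-test'
    # Remove a stale socket file from an earlier run; a missing file is fine.
    try:
        os.remove(sockpath)
    except OSError:
        pass
    hparams = int_eap_server_params()
    hparams['eap_sim_db'] = 'unix:' + sockpath
    hostapd.add_ap(apdev[0], hparams)

    # Initial test with hlr_auc_gw socket not available
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                            eap="SIM", identity="1232010000000000",
                            password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                            scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["EAP-ERROR-CODE"], timeout=10)
    if ev is None:
        raise Exception("EAP method specific error code not reported")
    if int(ev.split()[1]) != 16384:
        raise Exception("Unexpected EAP method specific error code: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    # Test with invalid responses and response timeout

    class test_handler(SocketServer.DatagramRequestHandler):
        def handle(self):
            data = self.request[0].decode().strip()
            sock = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            # Three malformed replies in a row; none is a usable answer, so
            # the pending eap_sim_db request is left to time out.
            # EAP-SIM DB: Failed to parse response string
            sock.sendto(b"FOO", self.client_address)
            # EAP-SIM DB: Failed to parse response string
            sock.sendto(b"FOO 1", self.client_address)
            # EAP-SIM DB: Unknown external response
            sock.sendto(b"FOO 1 2", self.client_address)
            logger.info("No proper response - wait for pending eap_sim_db request timeout")

    # Test with a valid response

    class test_handler2(SocketServer.DatagramRequestHandler):
        def handle(self):
            data = self.request[0].decode().strip()
            sock = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            fname = os.path.join(params['logdir'],
                                 'hlr_auc_gw.milenage_db')
            # The request string is handed to hlr_auc_gw as a single argv
            # element (no shell); communicate() also reaps the child.
            cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
                                    '-m', fname, data],
                                   stdout=subprocess.PIPE)
            out, _ = cmd.communicate()
            res = out.decode().strip()
            logger.debug("hlr_auc_gw response: " + res)
            sock.sendto(res.encode(), self.client_address)

    server = SocketServer.UnixDatagramServer(sockpath, test_handler)
    server.timeout = 1
    try:
        dev[0].select_network(net_id)
        server.handle_request()
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        if ev is None:
            raise Exception("EAP-Failure not reported")
        dev[0].wait_disconnected()
        dev[0].request("DISCONNECT")

        # Swap in the well-behaved handler for the next request.
        server.RequestHandlerClass = test_handler2

        dev[0].select_network(net_id)
        server.handle_request()
        dev[0].wait_connected()
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
    finally:
        # Close the datagram socket even when a check above raised, so the
        # socket path is not left held by this test.
        server.server_close()
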
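def test_eap_tls_sha512(dev, apdev, params):
    """EAP-TLS with SHA512 signature"""
    # Keep the hostapd configuration in its own name so the hwsim `params`
    # fixture argument is not clobbered.
    hparams = int_eap_server_params()
    hparams["ca_cert"] = "auth_serv/sha512-ca.pem"
    hparams["server_cert"] = "auth_serv/sha512-server.pem"
    hparams["private_key"] = "auth_serv/sha512-server.key"
    hostapd.add_ap(apdev[0], hparams)

    # Two clients against the sha512 CA; per the file names dev[0] uses the
    # sha512-signed and dev[1] the sha384-signed user credential.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha512-user.pem",
                   private_key="auth_serv/sha512-user.key",
                   scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha384-user.pem",
                   private_key="auth_serv/sha384-user.key",
                   scan_freq="2412")
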
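def test_eap_tls_sha384(dev, apdev, params):
    """EAP-TLS with SHA384 signature"""
    # Keep the hostapd configuration in its own name so the hwsim `params`
    # fixture argument is not clobbered.
    hparams = int_eap_server_params()
    hparams["ca_cert"] = "auth_serv/sha512-ca.pem"
    hparams["server_cert"] = "auth_serv/sha384-server.pem"
    hparams["private_key"] = "auth_serv/sha384-server.key"
    hostapd.add_ap(apdev[0], hparams)

    # Same two client credentials as test_eap_tls_sha512, now against the
    # sha384-signed server certificate.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha512-user.pem",
                   private_key="auth_serv/sha512-user.key",
                   scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha384-user.pem",
                   private_key="auth_serv/sha384-user.key",
                   scan_freq="2412")
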
def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
    """WPA2-Enterprise AP and association request RSN IE differences"""
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # Second AP with PMF required (ieee80211w=2) for the MFP related cases.
    pmf_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
    pmf_params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[1], pmf_params)

    sta = dev[0]
    # Fixed inner-method parameters; only the injected RSN IE varies.
    gpsk = dict(eap="GPSK", identity="gpsk user",
                password="abcdefghijklmnop0123456789abcdef")

    # Success cases with optional RSN IE fields removed one by one. The hex
    # strings are constructed RSN IEs injected into the association request.
    for title, ie in [("Normal wpa_supplicant assoc req RSN IE",
                       "30140100000fac040100000fac040100000fac010000"),
                      ("Extra PMKIDCount field in RSN IE",
                       "30160100000fac040100000fac040100000fac0100000000"),
                      ("Extra Group Management Cipher Suite in RSN IE",
                       "301a0100000fac040100000fac040100000fac0100000000000fac06"),
                      ("Extra undefined extension field in RSN IE",
                       "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
                      ("RSN IE without RSN Capabilities",
                       "30120100000fac040100000fac040100000fac01"),
                      ("RSN IE without AKM", "300c0100000fac040100000fac04"),
                      ("RSN IE without pairwise", "30060100000fac04"),
                      ("RSN IE without group", "30020100")]:
        logger.info(title)
        set_test_assoc_ie(sta, ie)
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", scan_freq="2412",
                    **gpsk)
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()

    # Success cases against the PMF-required AP with MFP capable set.
    for title, ie in [("Normal wpa_supplicant assoc req RSN IE",
                       "30140100000fac040100000fac040100000fac01cc00"),
                      ("Group management cipher included in assoc req RSN IE",
                       "301a0100000fac040100000fac040100000fac01cc000000000fac06")]:
        logger.info(title)
        set_test_assoc_ie(sta, ie)
        sta.connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
                    scan_freq="2412", **gpsk)
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()

    def expect_reject(ssid, ie, status, **extra):
        # The AP must refuse the association with the given status code.
        set_test_assoc_ie(sta, ie)
        sta.connect(ssid, key_mgmt="WPA-EAP", scan_freq="2412",
                    wait_connect=False, **dict(gpsk, **extra))
        ev = sta.wait_event(["CTRL-EVENT-ASSOC-REJECT"])
        if ev is None:
            raise Exception("Association rejection not reported")
        if "status_code=" + str(status) not in ev:
            raise Exception("Unexpected status code: " + ev)
        sta.request("REMOVE_NETWORK all")
        sta.dump_monitor()

    # Rejection cases on the plain AP.
    for title, ie, status in [("Invalid group cipher", "30060100000fac02", 41),
                              ("Invalid pairwise cipher",
                               "300c0100000fac040100000fac02", 42)]:
        logger.info(title)
        expect_reject("test-wpa2-eap", ie, status)

    # Rejection cases on the PMF-required AP.
    for title, ie, status in [("Management frame protection not enabled",
                               "30140100000fac040100000fac040100000fac010000",
                               31),
                              ("Unsupported management group cipher",
                               "301a0100000fac040100000fac040100000fac01cc000000000fac0b",
                               46)]:
        logger.info(title)
        expect_reject("test-wpa2-eap-11w", ie, status, ieee80211w="1")

def test_eap_tls_ext_cert_check(dev, apdev):
    """EAP-TLS and external server certification validation"""
    # With internal server certificate chain validation (ca_cert set) in
    # addition to the external check requested via phase1.
    net = dict(key_mgmt="WPA-EAP", eap="TLS", identity="tls user",
               ca_cert="auth_serv/ca.pem",
               client_cert="auth_serv/user.pem",
               private_key="auth_serv/user.key",
               phase1="tls_ext_cert_check=1", scan_freq="2412",
               only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **net)
    run_ext_cert_check(dev, apdev, net_id)

def test_eap_ttls_ext_cert_check(dev, apdev):
    """EAP-TTLS and external server certification validation"""
    # Without internal server certificate chain validation: no ca_cert is
    # configured, so the external check is the only server validation.
    net = dict(key_mgmt="WPA-EAP", eap="TTLS", identity="pap user",
               anonymous_identity="ttls", password="password",
               phase2="auth=PAP", phase1="tls_ext_cert_check=1",
               scan_freq="2412", only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **net)
    run_ext_cert_check(dev, apdev, net_id)

def test_eap_peap_ext_cert_check(dev, apdev):
    """EAP-PEAP and external server certification validation"""
    # With internal server certificate chain validation (ca_cert set).
    net = dict(key_mgmt="WPA-EAP", eap="PEAP", identity="user",
               anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
               password="password", phase2="auth=MSCHAPV2",
               phase1="tls_ext_cert_check=1", scan_freq="2412",
               only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **net)
    run_ext_cert_check(dev, apdev, net_id)

def test_eap_fast_ext_cert_check(dev, apdev):
    """EAP-FAST and external server certification validation"""
    check_eap_capa(dev[0], "FAST")
    # With internal server certificate chain validation (ca_cert set).
    # Start from an empty PAC blob so authenticated provisioning
    # (fast_provisioning=2) actually runs.
    dev[0].request("SET blob fast_pac_auth_ext ")
    net = dict(key_mgmt="WPA-EAP", eap="FAST", identity="user",
               anonymous_identity="FAST", ca_cert="auth_serv/ca.pem",
               password="password", phase2="auth=GTC",
               phase1="tls_ext_cert_check=1 fast_provisioning=2",
               pac_file="blob://fast_pac_auth_ext", scan_freq="2412",
               only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **net)
    run_ext_cert_check(dev, apdev, net_id)

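def _ext_cert_check_req_id(ev):
    """Return the request id from a CTRL-REQ-EXT_CERT_CHECK-<id>:<text> event."""
    return ev.split(':')[0].split('-')[-1]

def run_ext_cert_check(dev, apdev, net_id):
    """Drive the tls_ext_cert_check flow for an already added network.

    Collects the server certificate chain reported via
    CTRL-EVENT-EAP-PEER-CERT, checks the leaf and issuer CNs with pyOpenSSL,
    answers the CTRL-REQ-EXT_CERT_CHECK request with "good" (the connection
    must then complete) and, after a PMKSA flush and reconnect, with "bad"
    (EAP must fail). Raises HwsimSkip when the build or the python
    environment lacks the needed support.
    """
    check_ext_cert_check_support(dev[0])
    if not openssl_imported:
        raise HwsimSkip("OpenSSL python method not available")

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    dev[0].select_network(net_id)
    certs = {}
    while True:
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
                                "CTRL-REQ-EXT_CERT_CHECK",
                                "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("No peer server certificate event seen")
        if "CTRL-EVENT-EAP-PEER-CERT" in ev:
            depth = None
            cert = None
            for v in ev.split(' '):
                if v.startswith("depth="):
                    depth = int(v.split('=')[1])
                elif v.startswith("cert="):
                    cert = v.split('=')[1]
            if depth is not None and cert:
                certs[depth] = binascii.unhexlify(cert)
        elif "CTRL-EVENT-EAP-SUCCESS" in ev:
            # The external verdict has to gate EAP-Success; seeing success
            # before the request means the supplicant did not wait for it.
            raise Exception("Unexpected EAP-Success")
        elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
            req_id = _ext_cert_check_req_id(ev)
            break
    if 0 not in certs:
        raise Exception("Server certificate not received")
    if 1 not in certs:
        raise Exception("Server certificate issuer not received")

    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
                                           certs[0])
    cn = cert.get_subject().commonName
    logger.info("Server certificate CN=%s", cn)

    issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
                                             certs[1])
    icn = issuer.get_subject().commonName
    logger.info("Issuer certificate CN=%s", icn)

    # str() keeps the error readable when a subject carries no CN (None).
    if cn != "server.w1.fi":
        raise Exception("Unexpected server certificate CN: " + str(cn))
    if icn != "Root CA":
        raise Exception("Unexpected server certificate issuer CN: " + str(icn))

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
    if ev:
        raise Exception("Unexpected EAP-Success before external check result indication")

    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + req_id + ":good")
    dev[0].wait_connected()

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Flush the PMKSA cache so the reconnect has to run EAP (and thus the
    # external check) again instead of using a cached PMK.
    if "FAIL" in dev[0].request("PMKSA_FLUSH"):
        raise Exception("PMKSA_FLUSH failed")
    dev[0].request("SET blob fast_pac_auth_ext ")
    dev[0].request("RECONNECT")

    ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen (2)")
    req_id = _ext_cert_check_req_id(ev)
    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + req_id + ":bad")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
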
6343def test_eap_tls_errors(dev, apdev):
6344 """EAP-TLS error cases"""
6345 params = int_eap_server_params()
6346 params['fragment_size'] = '100'
8b8a1864 6347 hostapd.add_ap(apdev[0], params)
6348 with alloc_fail(dev[0], 1,
6349 "eap_peer_tls_reassemble_fragment"):
6350 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
6351 identity="tls user", ca_cert="auth_serv/ca.pem",
6352 client_cert="auth_serv/user.pem",
6353 private_key="auth_serv/user.key",
6354 wait_connect=False, scan_freq="2412")
6355 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6356 dev[0].request("REMOVE_NETWORK all")
6357 dev[0].wait_disconnected()
6358
6359 with alloc_fail(dev[0], 1, "eap_tls_init"):
6360 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
6361 identity="tls user", ca_cert="auth_serv/ca.pem",
6362 client_cert="auth_serv/user.pem",
6363 private_key="auth_serv/user.key",
6364 wait_connect=False, scan_freq="2412")
6365 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6366 dev[0].request("REMOVE_NETWORK all")
6367 dev[0].wait_disconnected()
6368
6369 with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init"):
6370 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
6371 identity="tls user", ca_cert="auth_serv/ca.pem",
6372 client_cert="auth_serv/user.pem",
6373 private_key="auth_serv/user.key",
6374 engine="1",
6375 wait_connect=False, scan_freq="2412")
6376 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6377 ev = dev[0].wait_event(["CTRL-REQ-PIN"], timeout=5)
6378 if ev is None:
6379 raise Exception("No CTRL-REQ-PIN seen")
6380 dev[0].request("REMOVE_NETWORK all")
6381 dev[0].wait_disconnected()
6382
6383 tests = [ "eap_peer_tls_derive_key;eap_tls_success",
6384 "eap_peer_tls_derive_session_id;eap_tls_success",
6385 "eap_tls_getKey",
6386 "eap_tls_get_emsk",
6387 "eap_tls_get_session_id" ]
6388 for func in tests:
6389 with alloc_fail(dev[0], 1, func):
6390 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
0a0c4dc1
JM
6391 identity="tls user@domain",
6392 ca_cert="auth_serv/ca.pem",
a89faedc
JM
6393 client_cert="auth_serv/user.pem",
6394 private_key="auth_serv/user.key",
6395 erp="1",
6396 wait_connect=False, scan_freq="2412")
6397 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6398 dev[0].request("REMOVE_NETWORK all")
6399 dev[0].wait_disconnected()
6400
6401 with alloc_fail(dev[0], 1, "eap_unauth_tls_init"):
6402 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
6403 identity="unauth-tls", ca_cert="auth_serv/ca.pem",
6404 wait_connect=False, scan_freq="2412")
6405 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6406 dev[0].request("REMOVE_NETWORK all")
6407 dev[0].wait_disconnected()
6408
6409 with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init;eap_unauth_tls_init"):
6410 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
6411 identity="unauth-tls", ca_cert="auth_serv/ca.pem",
6412 wait_connect=False, scan_freq="2412")
6413 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6414 dev[0].request("REMOVE_NETWORK all")
6415 dev[0].wait_disconnected()
6416
6417 with alloc_fail(dev[0], 1, "eap_wfa_unauth_tls_init"):
6418 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
6419 eap="WFA-UNAUTH-TLS",
6420 identity="osen@example.com", ca_cert="auth_serv/ca.pem",
6421 wait_connect=False, scan_freq="2412")
6422 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6423 dev[0].request("REMOVE_NETWORK all")
6424 dev[0].wait_disconnected()
6425
6426 with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init;eap_wfa_unauth_tls_init"):
6427 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
6428 eap="WFA-UNAUTH-TLS",
6429 identity="osen@example.com", ca_cert="auth_serv/ca.pem",
6430 wait_connect=False, scan_freq="2412")
6431 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6432 dev[0].request("REMOVE_NETWORK all")
6433 dev[0].wait_disconnected()
def test_ap_wpa2_eap_status(dev, apdev):
    """EAP state machine status information

    Polls STATUS-VERBOSE as fast as possible during a PEAP/TLS authentication
    and records every distinct value seen for the EAP state-machine fields.
    The loop is bounded (100000 polls) and stops at the first SUCCESS state;
    the connection must reach SUCCESS or the test fails.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="cert user",
                   ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                   ca_cert2="auth_serv/ca.pem",
                   client_cert2="auth_serv/user.pem",
                   private_key2="auth_serv/user.key",
                   scan_freq="2412", wait_connect=False)
    # Distinct values per status field, kept in first-seen order.
    seen = {'EAP state': [], 'methodState': [], 'decision': [],
            'reqMethod': [], 'selectedMethod': []}
    other_fields = ('methodState', 'decision', 'reqMethod', 'selectedMethod')
    success = False
    for i in range(100000):
        s = dev[0].get_status(extra="VERBOSE")
        if 'EAP state' in s and s['EAP state']:
            state = s['EAP state']
            if state not in seen['EAP state']:
                seen['EAP state'].append(state)
            if state == "SUCCESS":
                # Stop before sampling the other fields, as the original
                # ordering of checks did.
                success = True
                break
        for field in other_fields:
            if field in s and s[field] not in seen[field]:
                seen[field].append(s[field])
    logger.info("Iterations: %d" % i)
    logger.info("EAP states: " + str(seen['EAP state']))
    logger.info("methodStates: " + str(seen['methodState']))
    logger.info("decisions: " + str(seen['decision']))
    logger.info("reqMethods: " + str(seen['reqMethod']))
    logger.info("selectedMethods: " + str(seen['selectedMethod']))
    if not success:
        raise Exception("EAP did not succeed")
    dev[0].wait_connected()
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_gpsk_ptk_rekey_ap(dev, apdev):
    """WPA2-Enterprise with EAP-GPSK and PTK rekey enforced by AP"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Very short rekey interval so the AP-initiated PTK rekey happens while
    # the test is still running.
    params['wpa_ptk_rekey'] = '2'
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "GPSK", "gpsk user",
                password="abcdefghijklmnop0123456789abcdef")
    # A second 4-way handshake must complete after the initial association.
    if dev[0].wait_event(["WPA: Key negotiation completed"]) is None:
        raise Exception("PTK rekey timed out")
    # Data must still flow with the rekeyed PTK installed.
    hwsim_utils.test_connectivity(dev[0], hapd)
def test_ap_wpa2_eap_wildcard_ssid(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK and wildcard SSID"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # No ssid is configured for the network; the target is selected by BSSID
    # alone (wildcard SSID).
    target_bssid = apdev[0]['bssid']
    dev[0].connect(bssid=target_bssid, key_mgmt="WPA-EAP", eap="GPSK",
                   identity="gpsk user",
                   password="abcdefghijklmnop0123456789abcdef",
                   scan_freq="2412")
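def test_ap_wpa2_eap_psk_mac_addr_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK after MAC address change

    The station's MAC address is changed from outside wpa_supplicant with
    ip(8), the wpa_supplicant process is paused (SIGSTOP) so that it processes
    the ifdown/ifup RTM_NEWLINK events only once the interface is already back
    UP with its original address, and EAP-PSK must then still authenticate
    with the restored address.

    Raises Exception if the wpa_supplicant PID for dev[0] cannot be found, if
    the address change does not take effect, or if the original address is
    not restored afterwards.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # Locate the wpa_supplicant process that owns dev[0]. check_output waits
    # for ps to exit, so no pipe or zombie child is left behind.
    res = subprocess.check_output(['ps', '-eo', 'pid,command']).decode()
    pid = 0
    for p in res.splitlines():
        # Substring match on the full command line; the last match wins.
        if "wpa_supplicant" not in p or dev[0].ifname not in p:
            continue
        pid = int(p.split()[0])
    if pid == 0:
        # Do not fall through with pid 0: os.kill(0, sig) signals the caller's
        # entire process group (including the test runner), so a missing PID
        # must abort the test instead of being merely logged.
        raise Exception("Could not find wpa_supplicant PID")
    logger.info("wpa_supplicant PID %d" % pid)

    ifname = dev[0].ifname

    def set_link(*args):
        # Run "ip link set dev <ifname> <args...>"; failures are reported by
        # the address checks below rather than by the return code.
        subprocess.call(['ip', 'link', 'set', 'dev', ifname] + list(args))

    addr = dev[0].get_status_field("address")
    set_link('down')
    set_link('address', '02:11:22:33:44:55')
    set_link('up')
    addr1 = dev[0].get_status_field("address")
    if addr1 != '02:11:22:33:44:55':
        raise Exception("Failed to change MAC address")

    # Scan using the externally set MAC address, stop the wpa_supplicant
    # process to avoid it from processing the ifdown event before the interface
    # is already UP, change the MAC address back, allow the wpa_supplicant
    # process to continue. This will result in the ifdown + ifup sequence of
    # RTM_NEWLINK events to be processed while the interface is already UP.
    try:
        dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
        os.kill(pid, signal.SIGSTOP)
        time.sleep(0.1)
    finally:
        # Always restore the original address and resume the process, even if
        # the scan or SIGSTOP failed.
        set_link('down')
        set_link('address', addr)
        set_link('up')
        time.sleep(0.1)
        os.kill(pid, signal.SIGCONT)

    eap_connect(dev[0], hapd, "PSK", "psk.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")

    addr2 = dev[0].get_status_field("address")
    if addr != addr2:
        raise Exception("Failed to restore MAC address")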
def test_ap_wpa2_eap_server_get_id(dev, apdev):
    """Internal EAP server and dot1xAuthSessionUserName"""
    hapd = hostapd.add_ap(apdev[0], int_eap_server_params())
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    # The AP's per-STA MIB must report the authenticated identity.
    sta = hapd.get_sta(dev[0].own_addr())
    key = 'dot1xAuthSessionUserName'
    if key not in sta:
        raise Exception("No dot1xAuthSessionUserName included")
    user = sta[key]
    if user != "tls user":
        raise Exception("Unexpected dot1xAuthSessionUserName value: " + user)
def test_ap_wpa2_radius_server_get_id(dev, apdev):
    """External RADIUS server and dot1xAuthSessionUserName"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "TTLS", "test-user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # The reported user name is expected to be "real-user", not the
    # "test-user" identity the station sent - presumably the RADIUS server
    # returns a different User-Name and the AP must use that one.
    sta = hapd.get_sta(dev[0].own_addr())
    key = 'dot1xAuthSessionUserName'
    if key not in sta:
        raise Exception("No dot1xAuthSessionUserName included")
    user = sta[key]
    if user != "real-user":
        raise Exception("Unexpected dot1xAuthSessionUserName value: " + user)
def test_openssl_systemwide_policy(dev, apdev, test_params):
    """OpenSSL systemwide policy and overrides"""
    pidfile = os.path.join(test_params['logdir'],
                           "openssl_systemwide_policy" + '.pid-wpas')

    def stop_extra_wpas():
        # The wpa_supplicant started by run_openssl_systemwide_policy() is
        # not managed by the test framework, so stop it via the PID file it
        # wrote (nothing to do if it never got that far).
        if not os.path.exists(pidfile):
            return
        with open(pidfile, 'r') as f:
            pid = int(f.read().strip())
        os.kill(pid, signal.SIGTERM)

    try:
        with HWSimRadio() as (_radio, iface):
            run_openssl_systemwide_policy(iface, apdev, test_params)
    finally:
        stop_extra_wpas()
def write_openssl_cnf(cnf, MinProtocol=None, CipherString=None):
    """Write a minimal OpenSSL configuration file carrying a TLS policy.

    The file chains openssl_conf -> default_conf -> ssl_sect ->
    system_default_sect; MinProtocol and CipherString, when given, are
    emitted into that last section, which OpenSSL applies as the default
    for new SSL contexts (the "systemwide policy" the test exercises).

    Args:
        cnf: path of the file to (over)write.
        MinProtocol: value for the MinProtocol directive, or None to omit it.
        CipherString: value for the CipherString directive, or None to omit.
    """
    lines = ["openssl_conf = default_conf",
             "[default_conf]",
             "ssl_conf = ssl_sect",
             "[ssl_sect]",
             "system_default = system_default_sect",
             "[system_default_sect]"]
    if MinProtocol:
        lines.append("MinProtocol = %s" % MinProtocol)
    if CipherString:
        lines.append("CipherString = %s" % CipherString)
    with open(cnf, "w") as f:
        f.write("".join(line + "\n" for line in lines))
def run_openssl_systemwide_policy(iface, apdev, test_params):
    """Run the OpenSSL systemwide-policy test against a separately started wpa_supplicant.

    A dedicated wpa_supplicant is launched with OPENSSL_CONF pointing at a
    generated policy of MinProtocol=TLSv1.2 / CipherString=DEFAULT@SECLEVEL=2,
    while the AP's internal EAP server has TLSv1.1, 1.2 and 1.3 disabled. With
    the network's default TLS settings the policy must make the handshake fail
    with a local TLS alert; an explicit per-network openssl_ciphers /
    tls_disable_tlsv1_0=0 override must then let the connection succeed.

    Raises HwsimSkip when the started wpa_supplicant is not built against
    OpenSSL or the library does not enforce the systemwide policy; the caller
    is responsible for terminating the process via its PID file.
    """
    prefix = "openssl_systemwide_policy"

    def logpath(suffix):
        return os.path.join(test_params['logdir'], prefix + suffix)

    logfile = logpath('.log-wpas')
    pidfile = logpath('.pid-wpas')
    conffile = logpath('.conf')
    openssl_cnf = logpath('.openssl.cnf')

    write_openssl_cnf(openssl_cnf, "TLSv1.2", "DEFAULT@SECLEVEL=2")

    with open(conffile, 'w') as f:
        f.write("ctrl_interface=DIR=/var/run/wpa_supplicant\n")

    # Server side offers only TLSv1.0, which the policy above forbids.
    params = int_eap_server_params()
    params['tls_flags'] = "[DISABLE-TLSv1.1][DISABLE-TLSv1.2][DISABLE-TLSv1.3]"

    hapd = hostapd.add_ap(apdev[0], params)

    prg = os.path.join(test_params['logdir'],
                       'alt-wpa_supplicant/wpa_supplicant/wpa_supplicant')
    if not os.path.exists(prg):
        prg = '../../wpa_supplicant/wpa_supplicant'
    arg = [prg, '-BddtK', '-P', pidfile, '-f', logfile,
           '-Dnl80211', '-c', conffile, '-i', iface]
    logger.info("Start wpa_supplicant: " + str(arg))
    # env= replaces the whole environment: the daemon sees only OPENSSL_CONF.
    subprocess.call(arg, env={'OPENSSL_CONF': openssl_cnf})
    wpas = WpaSupplicant(ifname=iface)
    if "PONG" not in wpas.request("PING"):
        raise Exception("Could not PING wpa_supplicant")
    tls_lib = wpas.request("GET tls_library")
    if not tls_lib.startswith("OpenSSL"):
        raise HwsimSkip("Not using OpenSSL")

    # Use default configuration without any TLS version overrides. This should
    # end up using OpenSSL systemwide policy and result in failure to find a
    # compatible protocol version. The CA path is made absolute, presumably so
    # that it does not depend on the started process's working directory.
    ca_file = os.path.join(os.getcwd(), "auth_serv/ca.pem")
    netid = wpas.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                         identity="pap user", anonymous_identity="ttls",
                         password="password", phase2="auth=PAP",
                         ca_cert=ca_file,
                         scan_freq="2412", wait_connect=False)
    if wpas.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
        raise Exception("EAP not started")
    alert = wpas.wait_event(["CTRL-EVENT-EAP-STATUS status='local TLS alert'"],
                            timeout=1)
    if alert is None:
        raise HwsimSkip("OpenSSL systemwide policy not supported")
    wpas.request("DISCONNECT")
    wpas.wait_disconnected()
    wpas.dump_monitor()

    # Explicitly allow TLSv1.0 to be used to override OpenSSL systemwide policy
    wpas.set_network_quoted(netid, "openssl_ciphers", "DEFAULT@SECLEVEL=1")
    wpas.set_network_quoted(netid, "phase1", "tls_disable_tlsv1_0=0")
    wpas.select_network(netid, freq="2412")
    wpas.wait_connected()

    wpas.request("TERMINATE")