]> git.ipfire.org Git - thirdparty/hostap.git/blame - tests/hwsim/test_ap_eap.py
projects / thirdparty / hostap.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
tests: EAP-FAST using PAC file
[thirdparty/hostap.git] / tests / hwsim / test_ap_eap.py
CommitLineData
eac67440 1# -*- coding: utf-8 -*-
9626962d 2# WPA2-Enterprise tests
bce774ad 3# Copyright (c) 2013-2014, Jouni Malinen <j@w1.fi>
9626962d
JM		 4#
5# This software may be distributed under the terms of the BSD license.
6# See README for more details.
7
6ea231e6 8import base64
9626962d
JM		 9import time
10import subprocess
11import logging
c9aa4308 12logger = logging.getLogger()
873e7c29 13import os
9626962d
JM		 14
15import hwsim_utils
16import hostapd
eaf3f9b1 17from test_ap_psk import check_mib
9626962d 18
6ea231e6
JM		 19def read_pem(fname):
20 with open(fname, "r") as f:
21 lines = f.readlines()
22 copy = False
23 cert = ""
24 for l in lines:
25 if "-----END" in l:
26 break
27 if copy:
28 cert = cert + l
29 if "-----BEGIN" in l:
30 copy = True
31 return base64.b64decode(cert)
32
6f939e59
JM		 33def eap_connect(dev, ap, method, identity,
34 sha256=False, expect_failure=False, local_error_report=False,
35 **kwargs):
cb33ee14 36 hapd = hostapd.Hostapd(ap['ifname'])
2bb9e283
JM		 37 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
38 eap=method, identity=identity,
6f939e59
JM		 39 wait_connect=False, scan_freq="2412", ieee80211w="1",
40 **kwargs)
f10ba3b2
JM		 41 eap_check_auth(dev, method, True, sha256=sha256,
42 expect_failure=expect_failure,
43 local_error_report=local_error_report)
44 if expect_failure:
45 return id
cb33ee14
JM		 46 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
47 if ev is None:
48 raise Exception("No connection event received from hostapd")
2bb9e283 49 return id
75b2b9cf 50
f10ba3b2
JM		 51def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
52 expect_failure=False, local_error_report=False):
9626962d
JM		 53 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
54 if ev is None:
55 raise Exception("Association and EAP start timed out")
56 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
57 if ev is None:
58 raise Exception("EAP method selection timed out")
59 if method not in ev:
60 raise Exception("Unexpected EAP method")
f10ba3b2
JM		 61 if expect_failure:
62 ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
63 if ev is None:
64 raise Exception("EAP failure timed out")
65 ev = dev.wait_event(["CTRL-EVENT-DISCONNECTED"])
66 if ev is None:
67 raise Exception("Disconnection timed out")
68 if not local_error_report:
69 if "reason=23" not in ev:
70 raise Exception("Proper reason code for disconnection not reported")
71 return
9626962d
JM		 72 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
73 if ev is None:
74 raise Exception("EAP success timed out")
9626962d 75
75b2b9cf
JM		 76 if initial:
77 ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
75b2b9cf 78 else:
bce774ad
JM		 79 ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
80 if ev is None:
81 raise Exception("Association with the AP timed out")
82 status = dev.get_status()
83 if status["wpa_state"] != "COMPLETED":
84 raise Exception("Connection not completed")
75b2b9cf 85
9626962d
JM		 86 if status["suppPortStatus"] != "Authorized":
87 raise Exception("Port not authorized")
88 if method not in status["selectedMethod"]:
89 raise Exception("Incorrect EAP method status")
2b005194
JM		 90 if sha256:
91 e = "WPA2-EAP-SHA256"
92 elif rsn:
71390dc8
JM		 93 e = "WPA2/IEEE 802.1X/EAP"
94 else:
95 e = "WPA/IEEE 802.1X/EAP"
96 if status["key_mgmt"] != e:
97 raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
9626962d 98
5b1aaf6c 99def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
75b2b9cf 100 dev.request("REAUTHENTICATE")
5b1aaf6c
JM		 101 eap_check_auth(dev, method, False, rsn=rsn, sha256=sha256,
102 expect_failure=expect_failure)
75b2b9cf 103
9626962d
JM		 104def test_ap_wpa2_eap_sim(dev, apdev):
105 """WPA2-Enterprise connection using EAP-SIM"""
0d4c5494
JM		 106 if not os.path.exists("/tmp/hlr_auc_gw.sock"):
107 logger.info("No hlr_auc_gw available");
108 return "skip"
9626962d
JM		 109 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
110 hostapd.add_ap(apdev[0]['ifname'], params)
cb33ee14 111 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
9626962d
JM		 112 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
113 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
75b2b9cf 114 eap_reauth(dev[0], "SIM")
9626962d 115
a0f350fd
JM		 116 eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
117 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
118 eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
119 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
120 expect_failure=True)
121
f10ba3b2
JM		 122 logger.info("Negative test with incorrect key")
123 dev[0].request("REMOVE_NETWORK all")
124 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
125 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
126 expect_failure=True)
127
5b1aaf6c
JM		 128def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
129 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
130 if not os.path.exists("/tmp/hlr_auc_gw.sock"):
131 logger.info("No hlr_auc_gw available");
132 return "skip"
133 try:
134 import sqlite3
135 except ImportError:
136 return "skip"
137 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
138 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
139 params['auth_server_port'] = "1814"
140 hostapd.add_ap(apdev[0]['ifname'], params)
141 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
142 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
143
144 logger.info("SIM fast re-authentication")
145 eap_reauth(dev[0], "SIM")
146
147 logger.info("SIM full auth with pseudonym")
148 with con:
149 cur = con.cursor()
150 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
151 eap_reauth(dev[0], "SIM")
152
153 logger.info("SIM full auth with permanent identity")
154 with con:
155 cur = con.cursor()
156 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
157 cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
158 eap_reauth(dev[0], "SIM")
159
160 logger.info("SIM reauth with mismatching MK")
161 with con:
162 cur = con.cursor()
163 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
164 eap_reauth(dev[0], "SIM", expect_failure=True)
165 dev[0].request("REMOVE_NETWORK all")
166
167 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
168 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
169 with con:
170 cur = con.cursor()
171 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
172 eap_reauth(dev[0], "SIM")
173 with con:
174 cur = con.cursor()
175 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
176 logger.info("SIM reauth with mismatching counter")
177 eap_reauth(dev[0], "SIM")
178 dev[0].request("REMOVE_NETWORK all")
179
180 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
181 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
182 with con:
183 cur = con.cursor()
184 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
185 logger.info("SIM reauth with max reauth count reached")
186 eap_reauth(dev[0], "SIM")
187
e2a90a4c
JM		 188def test_ap_wpa2_eap_sim_config(dev, apdev):
189 """EAP-SIM configuration options"""
190 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
191 hostapd.add_ap(apdev[0]['ifname'], params)
192 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
193 identity="1232010000000000",
194 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
195 phase1="sim_min_num_chal=1",
196 wait_connect=False, scan_freq="2412")
197 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
198 if ev is None:
199 raise Exception("No EAP error message seen")
200 dev[0].request("REMOVE_NETWORK all")
201
202 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
203 identity="1232010000000000",
204 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
205 phase1="sim_min_num_chal=4",
206 wait_connect=False, scan_freq="2412")
207 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
208 if ev is None:
209 raise Exception("No EAP error message seen (2)")
210 dev[0].request("REMOVE_NETWORK all")
211
212 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
213 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
214 phase1="sim_min_num_chal=2")
215 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
216 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
217 anonymous_identity="345678")
218
9626962d
JM		 219def test_ap_wpa2_eap_aka(dev, apdev):
220 """WPA2-Enterprise connection using EAP-AKA"""
0d4c5494
JM		 221 if not os.path.exists("/tmp/hlr_auc_gw.sock"):
222 logger.info("No hlr_auc_gw available");
223 return "skip"
9626962d
JM		 224 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
225 hostapd.add_ap(apdev[0]['ifname'], params)
cb33ee14 226 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
9626962d
JM		 227 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
228 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
75b2b9cf 229 eap_reauth(dev[0], "AKA")
9626962d 230
f10ba3b2
JM		 231 logger.info("Negative test with incorrect key")
232 dev[0].request("REMOVE_NETWORK all")
233 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
234 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
235 expect_failure=True)
236
5b1aaf6c
JM		 237def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
238 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
239 if not os.path.exists("/tmp/hlr_auc_gw.sock"):
240 logger.info("No hlr_auc_gw available");
241 return "skip"
242 try:
243 import sqlite3
244 except ImportError:
245 return "skip"
246 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
247 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
248 params['auth_server_port'] = "1814"
249 hostapd.add_ap(apdev[0]['ifname'], params)
250 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
251 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
252
253 logger.info("AKA fast re-authentication")
254 eap_reauth(dev[0], "AKA")
255
256 logger.info("AKA full auth with pseudonym")
257 with con:
258 cur = con.cursor()
259 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
260 eap_reauth(dev[0], "AKA")
261
262 logger.info("AKA full auth with permanent identity")
263 with con:
264 cur = con.cursor()
265 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
266 cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
267 eap_reauth(dev[0], "AKA")
268
269 logger.info("AKA reauth with mismatching MK")
270 with con:
271 cur = con.cursor()
272 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
273 eap_reauth(dev[0], "AKA", expect_failure=True)
274 dev[0].request("REMOVE_NETWORK all")
275
276 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
277 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
278 with con:
279 cur = con.cursor()
280 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
281 eap_reauth(dev[0], "AKA")
282 with con:
283 cur = con.cursor()
284 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
285 logger.info("AKA reauth with mismatching counter")
286 eap_reauth(dev[0], "AKA")
287 dev[0].request("REMOVE_NETWORK all")
288
289 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
290 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
291 with con:
292 cur = con.cursor()
293 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
294 logger.info("AKA reauth with max reauth count reached")
295 eap_reauth(dev[0], "AKA")
296
e2a90a4c
JM		 297def test_ap_wpa2_eap_aka_config(dev, apdev):
298 """EAP-AKA configuration options"""
299 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
300 hostapd.add_ap(apdev[0]['ifname'], params)
301 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
302 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
303 anonymous_identity="2345678")
304
d314bedf
JM		 305def test_ap_wpa2_eap_aka_ext(dev, apdev):
306 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
307 if not os.path.exists("/tmp/hlr_auc_gw.sock"):
308 logger.info("No hlr_auc_gw available");
309 return "skip"
310 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
311 hostapd.add_ap(apdev[0]['ifname'], params)
312 dev[0].request("SET external_sim 1")
313 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
314 identity="0232010000000000",
315 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
316 wait_connect=False, scan_freq="2412")
317 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
318 if ev is None:
319 raise Exception("Network connected timed out")
320
321 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
322 if ev is None:
323 raise Exception("Wait for external SIM processing request timed out")
324 p = ev.split(':', 2)
325 if p[1] != "UMTS-AUTH":
326 raise Exception("Unexpected CTRL-REQ-SIM type")
327 rid = p[0].split('-')[3]
328
329 # IK:CK:RES
330 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
331 # This will fail during processing, but the ctrl_iface command succeeds
332 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
333 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
334 if ev is None:
335 raise Exception("EAP failure not reported")
336 dev[0].request("DISCONNECT")
337
338 dev[0].request("REASSOCIATE")
339 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
340 if ev is None:
341 raise Exception("Wait for external SIM processing request timed out")
342 p = ev.split(':', 2)
343 if p[1] != "UMTS-AUTH":
344 raise Exception("Unexpected CTRL-REQ-SIM type")
345 rid = p[0].split('-')[3]
346 # This will fail during UMTS auth validation
347 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp):
348 raise Exception("CTRL-RSP-SIM failed")
349 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
350 if ev is None:
351 raise Exception("EAP failure not reported")
352
9626962d
JM		 353def test_ap_wpa2_eap_aka_prime(dev, apdev):
354 """WPA2-Enterprise connection using EAP-AKA'"""
0d4c5494
JM		 355 if not os.path.exists("/tmp/hlr_auc_gw.sock"):
356 logger.info("No hlr_auc_gw available");
357 return "skip"
9626962d
JM		 358 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
359 hostapd.add_ap(apdev[0]['ifname'], params)
cb33ee14 360 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
9626962d
JM		 361 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
362 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
75b2b9cf 363 eap_reauth(dev[0], "AKA'")
9626962d 364
8583d664
JM		 365 logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
366 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
367 identity="6555444333222111@both",
368 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
369 wait_connect=False, scan_freq="2412")
370 ev = dev[1].wait_event(["CTRL-EVENT-CONNECTED"], timeout=15)
371 if ev is None:
372 raise Exception("Connection with the AP timed out")
373
f10ba3b2
JM		 374 logger.info("Negative test with incorrect key")
375 dev[0].request("REMOVE_NETWORK all")
376 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
377 password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
378 expect_failure=True)
379
5b1aaf6c
JM		 380def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
381 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
382 if not os.path.exists("/tmp/hlr_auc_gw.sock"):
383 logger.info("No hlr_auc_gw available");
384 return "skip"
385 try:
386 import sqlite3
387 except ImportError:
388 return "skip"
389 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
390 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
391 params['auth_server_port'] = "1814"
392 hostapd.add_ap(apdev[0]['ifname'], params)
393 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
394 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
395
396 logger.info("AKA' fast re-authentication")
397 eap_reauth(dev[0], "AKA'")
398
399 logger.info("AKA' full auth with pseudonym")
400 with con:
401 cur = con.cursor()
402 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
403 eap_reauth(dev[0], "AKA'")
404
405 logger.info("AKA' full auth with permanent identity")
406 with con:
407 cur = con.cursor()
408 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
409 cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
410 eap_reauth(dev[0], "AKA'")
411
412 logger.info("AKA' reauth with mismatching k_aut")
413 with con:
414 cur = con.cursor()
415 cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
416 eap_reauth(dev[0], "AKA'", expect_failure=True)
417 dev[0].request("REMOVE_NETWORK all")
418
419 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
420 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
421 with con:
422 cur = con.cursor()
423 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
424 eap_reauth(dev[0], "AKA'")
425 with con:
426 cur = con.cursor()
427 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
428 logger.info("AKA' reauth with mismatching counter")
429 eap_reauth(dev[0], "AKA'")
430 dev[0].request("REMOVE_NETWORK all")
431
432 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
433 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
434 with con:
435 cur = con.cursor()
436 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
437 logger.info("AKA' reauth with max reauth count reached")
438 eap_reauth(dev[0], "AKA'")
439
9626962d
JM		 440def test_ap_wpa2_eap_ttls_pap(dev, apdev):
441 """WPA2-Enterprise connection using EAP-TTLS/PAP"""
442 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
65038313
JM		 443 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
444 key_mgmt = hapd.get_config()['key_mgmt']
445 if key_mgmt.split(' ')[0] != "WPA-EAP":
446 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
cb33ee14 447 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
9626962d 448 anonymous_identity="ttls", password="password",
3b74982f
JM		 449 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
450 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
451 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
9626962d 452 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
75b2b9cf 453 eap_reauth(dev[0], "TTLS")
eaf3f9b1
JM		 454 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
455 ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1") ])
9626962d 456
82a8f5b5
JM		 457def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
458 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
459 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
460 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
461 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
462 anonymous_identity="ttls", password="wrong",
463 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
464 expect_failure=True)
465 eap_connect(dev[1], apdev[0], "TTLS", "user",
466 anonymous_identity="ttls", password="password",
467 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
468 expect_failure=True)
469
9626962d
JM		 470def test_ap_wpa2_eap_ttls_chap(dev, apdev):
471 """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
472 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
473 hostapd.add_ap(apdev[0]['ifname'], params)
cb33ee14 474 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
9626962d 475 anonymous_identity="ttls", password="password",
5c65e277
JM		 476 ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
477 altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
9626962d 478 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
75b2b9cf 479 eap_reauth(dev[0], "TTLS")
9626962d 480
82a8f5b5
JM		 481def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
482 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
483 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
484 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
485 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
486 anonymous_identity="ttls", password="wrong",
487 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
488 expect_failure=True)
489 eap_connect(dev[1], apdev[0], "TTLS", "user",
490 anonymous_identity="ttls", password="password",
491 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
492 expect_failure=True)
493
9626962d
JM		 494def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
495 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
496 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
497 hostapd.add_ap(apdev[0]['ifname'], params)
cb33ee14 498 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
9626962d 499 anonymous_identity="ttls", password="password",
72c052d5
JM		 500 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
501 domain_suffix_match="server.w1.fi")
9626962d 502 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
75b2b9cf 503 eap_reauth(dev[0], "TTLS")
6daf5b9c
JM		 504 dev[0].request("REMOVE_NETWORK all")
505 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
506 anonymous_identity="ttls", password="password",
507 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
508 fragment_size="200")
9626962d 509
82a8f5b5
JM		 510def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
511 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
512 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
513 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
514 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
515 anonymous_identity="ttls", password="wrong",
516 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
517 expect_failure=True)
518 eap_connect(dev[1], apdev[0], "TTLS", "user",
519 anonymous_identity="ttls", password="password",
520 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
521 expect_failure=True)
522 eap_connect(dev[2], apdev[0], "TTLS", "no such user",
523 anonymous_identity="ttls", password="password",
524 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
525 expect_failure=True)
526
9626962d
JM		 527def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
528 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
529 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
530 hostapd.add_ap(apdev[0]['ifname'], params)
5dec879d 531 hapd = hostapd.Hostapd(apdev[0]['ifname'])
cb33ee14 532 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
9626962d 533 anonymous_identity="ttls", password="password",
72c052d5
JM		 534 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
535 domain_suffix_match="w1.fi")
9626962d 536 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
5dec879d
JM		 537 sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
538 eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
75b2b9cf 539 eap_reauth(dev[0], "TTLS")
5dec879d
JM		 540 sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
541 eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
542 if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
543 raise Exception("dot1xAuthEapolFramesRx did not increase")
544 if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
545 raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
546 if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
547 raise Exception("backendAuthSuccesses did not increase")
9626962d 548
fa0ddb14
JM		 549 logger.info("Password as hash value")
550 dev[0].request("REMOVE_NETWORK all")
551 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
552 anonymous_identity="ttls",
553 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
554 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
555
82a8f5b5
JM		 556def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
557 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
558 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
559 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
f10ba3b2
JM		 560 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
561 anonymous_identity="ttls", password="password1",
562 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
563 expect_failure=True)
82a8f5b5
JM		 564 eap_connect(dev[1], apdev[0], "TTLS", "user",
565 anonymous_identity="ttls", password="password",
566 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
567 expect_failure=True)
f10ba3b2 568
eac67440
JM		 569def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
570 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
571 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
572 hostapd.add_ap(apdev[0]['ifname'], params)
573 hapd = hostapd.Hostapd(apdev[0]['ifname'])
574 eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
575 anonymous_identity="ttls", password="secret-åäö-€-password",
576 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
577 eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
578 anonymous_identity="ttls",
579 password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
580 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
581
9626962d
JM		 582def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
583 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
584 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
585 hostapd.add_ap(apdev[0]['ifname'], params)
cb33ee14 586 eap_connect(dev[0], apdev[0], "TTLS", "user",
9626962d
JM		 587 anonymous_identity="ttls", password="password",
588 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
589 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
75b2b9cf 590 eap_reauth(dev[0], "TTLS")
9626962d
JM		 591
592def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
593 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
594 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
595 hostapd.add_ap(apdev[0]['ifname'], params)
cb33ee14 596 eap_connect(dev[0], apdev[0], "TTLS", "user",
9626962d
JM		 597 anonymous_identity="ttls", password="password",
598 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
599 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
75b2b9cf 600 eap_reauth(dev[0], "TTLS")
9626962d
JM		 601
602def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
603 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
604 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
605 hostapd.add_ap(apdev[0]['ifname'], params)
cb33ee14 606 eap_connect(dev[0], apdev[0], "TTLS", "user",
9626962d
JM		 607 anonymous_identity="ttls", password="password",
608 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
609 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
75b2b9cf 610 eap_reauth(dev[0], "TTLS")
9626962d 611
f10ba3b2
JM		 612 logger.info("Negative test with incorrect password")
613 dev[0].request("REMOVE_NETWORK all")
614 eap_connect(dev[0], apdev[0], "TTLS", "user",
615 anonymous_identity="ttls", password="password1",
616 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
617 expect_failure=True)
618
95fb531c
JM		 619def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
620 """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
621 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
622 hostapd.add_ap(apdev[0]['ifname'], params)
623 eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000",
624 anonymous_identity="0232010000000000@ttls",
625 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
626 ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
627
628def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
629 """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
630 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
631 hostapd.add_ap(apdev[0]['ifname'], params)
632 eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000",
633 anonymous_identity="0232010000000000@peap",
634 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
635 ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
636
637def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
638 """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
639 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
640 hostapd.add_ap(apdev[0]['ifname'], params)
641 eap_connect(dev[0], apdev[0], "FAST", "0232010000000000",
642 anonymous_identity="0232010000000000@fast",
643 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
644 phase1="fast_provisioning=2",
645 pac_file="blob://fast_pac_auth_aka",
646 ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
647
9626962d
JM		 648def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
649 """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
650 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
651 hostapd.add_ap(apdev[0]['ifname'], params)
cb33ee14 652 eap_connect(dev[0], apdev[0], "PEAP", "user",
698f8324 653 anonymous_identity="peap", password="password",
9626962d
JM		 654 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
655 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
75b2b9cf 656 eap_reauth(dev[0], "PEAP")
6daf5b9c
JM		 657 dev[0].request("REMOVE_NETWORK all")
658 eap_connect(dev[0], apdev[0], "PEAP", "user",
659 anonymous_identity="peap", password="password",
660 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
661 fragment_size="200")
c7afc078 662
fa0ddb14
JM		 663 logger.info("Password as hash value")
664 dev[0].request("REMOVE_NETWORK all")
665 eap_connect(dev[0], apdev[0], "PEAP", "user",
666 anonymous_identity="peap",
667 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
668 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
669
f10ba3b2
JM		 670 logger.info("Negative test with incorrect password")
671 dev[0].request("REMOVE_NETWORK all")
672 eap_connect(dev[0], apdev[0], "PEAP", "user",
673 anonymous_identity="peap", password="password1",
674 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
675 expect_failure=True)
676
698f8324
JM		 677def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
678 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
679 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
680 hostapd.add_ap(apdev[0]['ifname'], params)
cb33ee14 681 eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
698f8324
JM		 682 ca_cert="auth_serv/ca.pem",
683 phase1="peapver=0 crypto_binding=2",
684 phase2="auth=MSCHAPV2")
685 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
75b2b9cf 686 eap_reauth(dev[0], "PEAP")
698f8324 687
d0ce1050
JM		 688def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
689 """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
690 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
691 hostapd.add_ap(apdev[0]['ifname'], params)
692 eap_connect(dev[0], apdev[0], "PEAP", "cert user",
693 ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
694 ca_cert2="auth_serv/ca.pem",
695 client_cert2="auth_serv/user.pem",
696 private_key2="auth_serv/user.key")
697 eap_reauth(dev[0], "PEAP")
698
e114c49c
JM		 699def test_ap_wpa2_eap_tls(dev, apdev):
700 """WPA2-Enterprise connection using EAP-TLS"""
701 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
702 hostapd.add_ap(apdev[0]['ifname'], params)
cb33ee14 703 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
e114c49c
JM		 704 client_cert="auth_serv/user.pem",
705 private_key="auth_serv/user.key")
75b2b9cf 706 eap_reauth(dev[0], "TLS")
e114c49c 707
6ea231e6
JM		 708def test_ap_wpa2_eap_tls_blob(dev, apdev):
709 """WPA2-Enterprise connection using EAP-TLS and config blobs"""
710 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
711 hostapd.add_ap(apdev[0]['ifname'], params)
712 cert = read_pem("auth_serv/ca.pem")
713 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
714 raise Exception("Could not set cacert blob")
715 cert = read_pem("auth_serv/user.pem")
716 if "OK" not in dev[0].request("SET blob usercert " + cert.encode("hex")):
717 raise Exception("Could not set usercert blob")
718 key = read_pem("auth_serv/user.key")
719 if "OK" not in dev[0].request("SET blob userkey " + key.encode("hex")):
720 raise Exception("Could not set cacert blob")
721 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
722 client_cert="blob://usercert",
723 private_key="blob://userkey")
724
2d10eb0e
JM		 725def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
726 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
727 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
728 hostapd.add_ap(apdev[0]['ifname'], params)
729 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
730 private_key="auth_serv/user.pkcs12",
731 private_key_passwd="whatever")
732 dev[0].request("REMOVE_NETWORK all")
733 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
734 identity="tls user",
735 ca_cert="auth_serv/ca.pem",
736 private_key="auth_serv/user.pkcs12",
737 wait_connect=False, scan_freq="2412")
738 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
739 if ev is None:
740 raise Exception("Request for private key passphrase timed out")
741 id = ev.split(':')[0].split('-')[-1]
742 dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
743 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
744 if ev is None:
745 raise Exception("Connection timed out")
746
6ea231e6
JM		 747def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
748 """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
749 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
750 hostapd.add_ap(apdev[0]['ifname'], params)
751 cert = read_pem("auth_serv/ca.pem")
752 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
753 raise Exception("Could not set cacert blob")
754 with open("auth_serv/user.pkcs12", "rb") as f:
755 if "OK" not in dev[0].request("SET blob pkcs12 " + f.read().encode("hex")):
756 raise Exception("Could not set pkcs12 blob")
757 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
758 private_key="blob://pkcs12",
759 private_key_passwd="whatever")
760
c7afc078
JM		 761def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
762 """WPA2-Enterprise negative test - incorrect trust root"""
763 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
764 hostapd.add_ap(apdev[0]['ifname'], params)
6ea231e6
JM		 765 cert = read_pem("auth_serv/ca-incorrect.pem")
766 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
767 raise Exception("Could not set cacert blob")
c7afc078 768 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
6ea231e6
JM		 769 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
770 password="password", phase2="auth=MSCHAPV2",
771 ca_cert="blob://cacert",
772 wait_connect=False, scan_freq="2412")
773 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
c7afc078
JM		 774 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
775 password="password", phase2="auth=MSCHAPV2",
776 ca_cert="auth_serv/ca-incorrect.pem",
c65f23ab 777 wait_connect=False, scan_freq="2412")
c7afc078 778
6ea231e6
JM		 779 for dev in (dev[0], dev[1]):
780 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
781 if ev is None:
782 raise Exception("Association and EAP start timed out")
c7afc078 783
6ea231e6
JM		 784 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
785 if ev is None:
786 raise Exception("EAP method selection timed out")
787 if "TTLS" not in ev:
788 raise Exception("Unexpected EAP method")
789
790 ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
791 "CTRL-EVENT-EAP-SUCCESS",
792 "CTRL-EVENT-EAP-FAILURE",
793 "CTRL-EVENT-CONNECTED",
794 "CTRL-EVENT-DISCONNECTED"], timeout=10)
795 if ev is None:
796 raise Exception("EAP result timed out")
797 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
798 raise Exception("TLS certificate error not reported")
799
800 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
801 "CTRL-EVENT-EAP-FAILURE",
802 "CTRL-EVENT-CONNECTED",
803 "CTRL-EVENT-DISCONNECTED"], timeout=10)
804 if ev is None:
805 raise Exception("EAP result(2) timed out")
806 if "CTRL-EVENT-EAP-FAILURE" not in ev:
807 raise Exception("EAP failure not reported")
c7afc078 808
6ea231e6
JM		 809 ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
810 "CTRL-EVENT-DISCONNECTED"], timeout=10)
811 if ev is None:
812 raise Exception("EAP result(3) timed out")
813 if "CTRL-EVENT-DISCONNECTED" not in ev:
814 raise Exception("Disconnection not reported")
c7afc078 815
6ea231e6
JM		 816 ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
817 if ev is None:
818 raise Exception("Network block disabling not reported")
72c052d5
JM		 819
820def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
821 """WPA2-Enterprise negative test - domain suffix mismatch"""
822 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
823 hostapd.add_ap(apdev[0]['ifname'], params)
824 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
825 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
826 password="password", phase2="auth=MSCHAPV2",
827 ca_cert="auth_serv/ca.pem",
828 domain_suffix_match="incorrect.example.com",
c65f23ab 829 wait_connect=False, scan_freq="2412")
72c052d5
JM		 830
831 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
832 if ev is None:
833 raise Exception("Association and EAP start timed out")
834
835 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
836 if ev is None:
837 raise Exception("EAP method selection timed out")
838 if "TTLS" not in ev:
839 raise Exception("Unexpected EAP method")
840
841 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
842 "CTRL-EVENT-EAP-SUCCESS",
843 "CTRL-EVENT-EAP-FAILURE",
844 "CTRL-EVENT-CONNECTED",
845 "CTRL-EVENT-DISCONNECTED"], timeout=10)
846 if ev is None:
847 raise Exception("EAP result timed out")
848 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
849 raise Exception("TLS certificate error not reported")
850 if "Domain suffix mismatch" not in ev:
851 raise Exception("Domain suffix mismatch not reported")
852
853 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
854 "CTRL-EVENT-EAP-FAILURE",
855 "CTRL-EVENT-CONNECTED",
856 "CTRL-EVENT-DISCONNECTED"], timeout=10)
857 if ev is None:
858 raise Exception("EAP result(2) timed out")
859 if "CTRL-EVENT-EAP-FAILURE" not in ev:
860 raise Exception("EAP failure not reported")
861
862 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
863 "CTRL-EVENT-DISCONNECTED"], timeout=10)
864 if ev is None:
865 raise Exception("EAP result(3) timed out")
866 if "CTRL-EVENT-DISCONNECTED" not in ev:
867 raise Exception("Disconnection not reported")
868
869 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
870 if ev is None:
871 raise Exception("Network block disabling not reported")
22b99086 872
3b74982f
JM		 873def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
874 """WPA2-Enterprise negative test - subject mismatch"""
875 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
876 hostapd.add_ap(apdev[0]['ifname'], params)
877 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
878 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
879 password="password", phase2="auth=MSCHAPV2",
880 ca_cert="auth_serv/ca.pem",
881 subject_match="/C=FI/O=w1.fi/CN=example.com",
882 wait_connect=False, scan_freq="2412")
883
884 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
885 if ev is None:
886 raise Exception("Association and EAP start timed out")
887
888 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
889 if ev is None:
890 raise Exception("EAP method selection timed out")
891 if "TTLS" not in ev:
892 raise Exception("Unexpected EAP method")
893
894 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
895 "CTRL-EVENT-EAP-SUCCESS",
896 "CTRL-EVENT-EAP-FAILURE",
897 "CTRL-EVENT-CONNECTED",
898 "CTRL-EVENT-DISCONNECTED"], timeout=10)
899 if ev is None:
900 raise Exception("EAP result timed out")
901 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
902 raise Exception("TLS certificate error not reported")
903 if "Subject mismatch" not in ev:
904 raise Exception("Subject mismatch not reported")
905
906 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
907 "CTRL-EVENT-EAP-FAILURE",
908 "CTRL-EVENT-CONNECTED",
909 "CTRL-EVENT-DISCONNECTED"], timeout=10)
910 if ev is None:
911 raise Exception("EAP result(2) timed out")
912 if "CTRL-EVENT-EAP-FAILURE" not in ev:
913 raise Exception("EAP failure not reported")
914
915 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
916 "CTRL-EVENT-DISCONNECTED"], timeout=10)
917 if ev is None:
918 raise Exception("EAP result(3) timed out")
919 if "CTRL-EVENT-DISCONNECTED" not in ev:
920 raise Exception("Disconnection not reported")
921
922 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
923 if ev is None:
924 raise Exception("Network block disabling not reported")
925
926def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
927 """WPA2-Enterprise negative test - altsubject mismatch"""
928 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
929 hostapd.add_ap(apdev[0]['ifname'], params)
930 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
931 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
932 password="password", phase2="auth=MSCHAPV2",
933 ca_cert="auth_serv/ca.pem",
934 altsubject_match="incorrect.example.com",
935 wait_connect=False, scan_freq="2412")
936
937 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
938 if ev is None:
939 raise Exception("Association and EAP start timed out")
940
941 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
942 if ev is None:
943 raise Exception("EAP method selection timed out")
944 if "TTLS" not in ev:
945 raise Exception("Unexpected EAP method")
946
947 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
948 "CTRL-EVENT-EAP-SUCCESS",
949 "CTRL-EVENT-EAP-FAILURE",
950 "CTRL-EVENT-CONNECTED",
951 "CTRL-EVENT-DISCONNECTED"], timeout=10)
952 if ev is None:
953 raise Exception("EAP result timed out")
954 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
955 raise Exception("TLS certificate error not reported")
956 if "AltSubject mismatch" not in ev:
957 raise Exception("altsubject mismatch not reported")
958
959 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
960 "CTRL-EVENT-EAP-FAILURE",
961 "CTRL-EVENT-CONNECTED",
962 "CTRL-EVENT-DISCONNECTED"], timeout=10)
963 if ev is None:
964 raise Exception("EAP result(2) timed out")
965 if "CTRL-EVENT-EAP-FAILURE" not in ev:
966 raise Exception("EAP failure not reported")
967
968 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
969 "CTRL-EVENT-DISCONNECTED"], timeout=10)
970 if ev is None:
971 raise Exception("EAP result(3) timed out")
972 if "CTRL-EVENT-DISCONNECTED" not in ev:
973 raise Exception("Disconnection not reported")
974
975 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
976 if ev is None:
977 raise Exception("Network block disabling not reported")
978
5a0c1517
JM		 979def test_ap_wpa2_eap_unauth_tls(dev, apdev):
980 """WPA2-Enterprise connection using UNAUTH-TLS"""
981 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
982 hostapd.add_ap(apdev[0]['ifname'], params)
983 eap_connect(dev[0], apdev[0], "UNAUTH-TLS", "unauth-tls",
984 ca_cert="auth_serv/ca.pem")
985 eap_reauth(dev[0], "UNAUTH-TLS")
986
57be05e1
JM		 987def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
988 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
989 srv_cert_hash = "0a3f81f63569226657a069855bb13f3b922670437a2b87585a4734f70ac7315b"
990 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
991 hostapd.add_ap(apdev[0]['ifname'], params)
992 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
993 identity="probe", ca_cert="probe://",
994 wait_connect=False, scan_freq="2412")
995 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
996 if ev is None:
997 raise Exception("Association and EAP start timed out")
998 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
999 if ev is None:
1000 raise Exception("No peer server certificate event seen")
1001 if "hash=" + srv_cert_hash not in ev:
1002 raise Exception("Expected server certificate hash not reported")
1003 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1004 if ev is None:
1005 raise Exception("EAP result timed out")
1006 if "Server certificate chain probe" not in ev:
1007 raise Exception("Server certificate probe not reported")
1008 ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=10)
1009 if ev is None:
1010 raise Exception("Disconnection event not seen")
1011 dev[0].request("REMOVE_NETWORK all")
1012
1013 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1014 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1015 password="password", phase2="auth=MSCHAPV2",
1016 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1017 wait_connect=False, scan_freq="2412")
1018 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1019 if ev is None:
1020 raise Exception("Association and EAP start timed out")
1021 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1022 if ev is None:
1023 raise Exception("EAP result timed out")
1024 if "Server certificate mismatch" not in ev:
1025 raise Exception("Server certificate mismatch not reported")
1026 ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=10)
1027 if ev is None:
1028 raise Exception("Disconnection event not seen")
1029 dev[0].request("REMOVE_NETWORK all")
1030
1031 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
1032 anonymous_identity="ttls", password="password",
1033 ca_cert="hash://server/sha256/" + srv_cert_hash,
1034 phase2="auth=MSCHAPV2")
1035
2a6a2192
JM		 1036def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
1037 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
1038 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1039 hostapd.add_ap(apdev[0]['ifname'], params)
1040 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1041 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1042 password="password", phase2="auth=MSCHAPV2",
1043 ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1044 wait_connect=False, scan_freq="2412")
1045 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1046 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1047 password="password", phase2="auth=MSCHAPV2",
1048 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
1049 wait_connect=False, scan_freq="2412")
1050 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1051 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1052 password="password", phase2="auth=MSCHAPV2",
1053 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
1054 wait_connect=False, scan_freq="2412")
1055 for i in range(0, 3):
1056 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1057 if ev is None:
1058 raise Exception("Association and EAP start timed out")
cbb85a03
JM		 1059 ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
1060 if ev is None:
1061 raise Exception("Did not report EAP method initialization failure")
2a6a2192 1062
22b99086
JM		 1063def test_ap_wpa2_eap_pwd(dev, apdev):
1064 """WPA2-Enterprise connection using EAP-pwd"""
1065 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1066 hostapd.add_ap(apdev[0]['ifname'], params)
cb33ee14 1067 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
75b2b9cf 1068 eap_reauth(dev[0], "PWD")
6daf5b9c 1069 dev[0].request("REMOVE_NETWORK all")
0403fa0a
JM		 1070
1071 eap_connect(dev[1], apdev[0], "PWD",
1072 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1073 password="secret password",
6daf5b9c
JM		 1074 fragment_size="90")
1075
f10ba3b2 1076 logger.info("Negative test with incorrect password")
0403fa0a 1077 eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
f10ba3b2
JM		 1078 expect_failure=True, local_error_report=True)
1079
0403fa0a
JM		 1080 eap_connect(dev[0], apdev[0], "PWD",
1081 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1082 password="secret password",
1083 fragment_size="31")
1084
c075f040
JM		 1085def test_ap_wpa2_eap_pwd_groups(dev, apdev):
1086 """WPA2-Enterprise connection using various EAP-pwd groups"""
1087 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1088 "rsn_pairwise": "CCMP", "ieee8021x": "1",
1089 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
1090 for i in [ 19, 20, 21, 25, 26 ]:
1091 params['pwd_group'] = str(i)
1092 hostapd.add_ap(apdev[0]['ifname'], params)
1093 dev[0].request("REMOVE_NETWORK all")
1094 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1095
4b2d2098
JM		 1096def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
1097 """WPA2-Enterprise connection using invalid EAP-pwd group"""
1098 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1099 "rsn_pairwise": "CCMP", "ieee8021x": "1",
1100 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
1101 params['pwd_group'] = "0"
1102 hostapd.add_ap(apdev[0]['ifname'], params)
1103 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
1104 identity="pwd user", password="secret password",
1105 scan_freq="2412", wait_connect=False)
1106 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
1107 if ev is None:
1108 raise Exception("Timeout on EAP failure report")
1109
8ba89e0a
JM		 1110def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
1111 """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
1112 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1113 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1114 "rsn_pairwise": "CCMP", "ieee8021x": "1",
1115 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
1116 "pwd_group": "19", "fragment_size": "40" }
1117 hostapd.add_ap(apdev[0]['ifname'], params)
1118 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1119
22b99086
JM		 1120def test_ap_wpa2_eap_gpsk(dev, apdev):
1121 """WPA2-Enterprise connection using EAP-GPSK"""
1122 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1123 hostapd.add_ap(apdev[0]['ifname'], params)
cb33ee14 1124 id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
369f9c20 1125 password="abcdefghijklmnop0123456789abcdef")
75b2b9cf 1126 eap_reauth(dev[0], "GPSK")
22b99086 1127
369f9c20
JM		 1128 logger.info("Test forced algorithm selection")
1129 for phase1 in [ "cipher=1", "cipher=2" ]:
1130 dev[0].set_network_quoted(id, "phase1", phase1)
1131 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
1132 if ev is None:
1133 raise Exception("EAP success timed out")
1134 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
1135 if ev is None:
1136 raise Exception("Association with the AP timed out")
1137
1138 logger.info("Test failed algorithm negotiation")
1139 dev[0].set_network_quoted(id, "phase1", "cipher=9")
1140 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
1141 if ev is None:
1142 raise Exception("EAP failure timed out")
1143
f10ba3b2
JM		 1144 logger.info("Negative test with incorrect password")
1145 dev[0].request("REMOVE_NETWORK all")
1146 eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
1147 password="ffcdefghijklmnop0123456789abcdef",
1148 expect_failure=True)
1149
22b99086
JM		 1150def test_ap_wpa2_eap_sake(dev, apdev):
1151 """WPA2-Enterprise connection using EAP-SAKE"""
1152 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1153 hostapd.add_ap(apdev[0]['ifname'], params)
cb33ee14 1154 eap_connect(dev[0], apdev[0], "SAKE", "sake user",
22b99086 1155 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
75b2b9cf 1156 eap_reauth(dev[0], "SAKE")
22b99086 1157
f10ba3b2
JM		 1158 logger.info("Negative test with incorrect password")
1159 dev[0].request("REMOVE_NETWORK all")
1160 eap_connect(dev[0], apdev[0], "SAKE", "sake user",
1161 password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
1162 expect_failure=True)
1163
22b99086
JM		 1164def test_ap_wpa2_eap_eke(dev, apdev):
1165 """WPA2-Enterprise connection using EAP-EKE"""
1166 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1167 hostapd.add_ap(apdev[0]['ifname'], params)
cb33ee14 1168 id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
75b2b9cf 1169 eap_reauth(dev[0], "EKE")
22b99086 1170
2bb9e283
JM		 1171 logger.info("Test forced algorithm selection")
1172 for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
1173 "dhgroup=4 encr=1 prf=2 mac=2",
1174 "dhgroup=3 encr=1 prf=2 mac=2",
1175 "dhgroup=3 encr=1 prf=1 mac=1" ]:
1176 dev[0].set_network_quoted(id, "phase1", phase1)
1177 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
1178 if ev is None:
1179 raise Exception("EAP success timed out")
1180 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
1181 if ev is None:
1182 raise Exception("Association with the AP timed out")
1183
1184 logger.info("Test failed algorithm negotiation")
1185 dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
1186 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
1187 if ev is None:
1188 raise Exception("EAP failure timed out")
1189
f10ba3b2
JM		 1190 logger.info("Negative test with incorrect password")
1191 dev[0].request("REMOVE_NETWORK all")
1192 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
1193 expect_failure=True)
1194
22b99086
JM		 1195def test_ap_wpa2_eap_ikev2(dev, apdev):
1196 """WPA2-Enterprise connection using EAP-IKEv2"""
1197 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1198 hostapd.add_ap(apdev[0]['ifname'], params)
cb33ee14
JM		 1199 eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
1200 password="ike password")
75b2b9cf 1201 eap_reauth(dev[0], "IKEV2")
6daf5b9c
JM		 1202 dev[0].request("REMOVE_NETWORK all")
1203 eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
47a74ad8 1204 password="ike password", fragment_size="50")
22b99086 1205
f10ba3b2
JM		 1206 logger.info("Negative test with incorrect password")
1207 dev[0].request("REMOVE_NETWORK all")
1208 eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
1209 password="ike-password", expect_failure=True)
1210
47a74ad8
JM		 1211def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
1212 """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
1213 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1214 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1215 "rsn_pairwise": "CCMP", "ieee8021x": "1",
1216 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
1217 "fragment_size": "50" }
1218 hostapd.add_ap(apdev[0]['ifname'], params)
1219 eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
1220 password="ike password")
1221 eap_reauth(dev[0], "IKEV2")
1222
22b99086
JM		 1223def test_ap_wpa2_eap_pax(dev, apdev):
1224 """WPA2-Enterprise connection using EAP-PAX"""
1225 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1226 hostapd.add_ap(apdev[0]['ifname'], params)
cb33ee14 1227 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
22b99086 1228 password_hex="0123456789abcdef0123456789abcdef")
75b2b9cf 1229 eap_reauth(dev[0], "PAX")
22b99086 1230
f10ba3b2
JM		 1231 logger.info("Negative test with incorrect password")
1232 dev[0].request("REMOVE_NETWORK all")
1233 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
1234 password_hex="ff23456789abcdef0123456789abcdef",
1235 expect_failure=True)
1236
22b99086
JM		 1237def test_ap_wpa2_eap_psk(dev, apdev):
1238 """WPA2-Enterprise connection using EAP-PSK"""
1239 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2b005194
JM		 1240 params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
1241 params["ieee80211w"] = "2"
22b99086 1242 hostapd.add_ap(apdev[0]['ifname'], params)
cb33ee14 1243 eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
2b005194
JM		 1244 password_hex="0123456789abcdef0123456789abcdef", sha256=True)
1245 eap_reauth(dev[0], "PSK", sha256=True)
eaf3f9b1
JM		 1246 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
1247 ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ])
71390dc8 1248
f10ba3b2
JM		 1249 logger.info("Negative test with incorrect password")
1250 dev[0].request("REMOVE_NETWORK all")
1251 eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
1252 password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
1253 expect_failure=True)
1254
71390dc8
JM		 1255def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
1256 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
1257 params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
1258 hostapd.add_ap(apdev[0]['ifname'], params)
1259 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
1260 identity="user", password="password", phase2="auth=MSCHAPV2",
1261 ca_cert="auth_serv/ca.pem", wait_connect=False,
1262 scan_freq="2412")
1263 eap_check_auth(dev[0], "PEAP", True, rsn=False)
1264 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
1265 eap_reauth(dev[0], "PEAP", rsn=False)
eaf3f9b1
JM		 1266 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
1267 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
40759604
JM		 1268
1269def test_ap_wpa2_eap_interactive(dev, apdev):
1270 """WPA2-Enterprise connection using interactive identity/password entry"""
1271 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1272 hostapd.add_ap(apdev[0]['ifname'], params)
1273 hapd = hostapd.Hostapd(apdev[0]['ifname'])
1274
1275 tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
1276 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
1277 None, "password"),
1278 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
1279 "TTLS", "ttls", None, "auth=MSCHAPV2",
1280 "DOMAIN\mschapv2 user", "password"),
1281 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
1282 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
1283 ("Connection with dynamic TTLS/EAP-MD5 password entry",
1284 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
1285 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
1286 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
1287 ("Connection with dynamic PEAP/EAP-GTC password entry",
1288 "PEAP", None, "user", "auth=GTC", None, "password") ]
1289 for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
1290 logger.info(desc)
1291 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
1292 anonymous_identity=anon, identity=identity,
1293 ca_cert="auth_serv/ca.pem", phase2=phase2,
1294 wait_connect=False, scan_freq="2412")
1295 if req_id:
1296 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
1297 if ev is None:
1298 raise Exception("Request for identity timed out")
1299 id = ev.split(':')[0].split('-')[-1]
1300 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
1301 ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
1302 if ev is None:
1303 raise Exception("Request for password timed out")
1304 id = ev.split(':')[0].split('-')[-1]
1305 type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
1306 dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
1307 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
1308 if ev is None:
1309 raise Exception("Connection timed out")
1310 dev[0].request("REMOVE_NETWORK all")
e745c811
JM		 1311
1312def test_ap_wpa2_eap_vendor_test(dev, apdev):
1313 """WPA2-Enterprise connection using EAP vendor test"""
1314 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1315 hostapd.add_ap(apdev[0]['ifname'], params)
1316 eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
1317 eap_reauth(dev[0], "VENDOR-TEST")
53a6f06a
JM		 1318
1319def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
1320 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
1321 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1322 hostapd.add_ap(apdev[0]['ifname'], params)
1323 eap_connect(dev[0], apdev[0], "FAST", "user",
1324 anonymous_identity="FAST", password="password",
1325 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1326 phase1="fast_provisioning=1", pac_file="blob://fast_pac")
1327 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
1328 eap_reauth(dev[0], "FAST")
1329
873e7c29
JM		 1330def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
1331 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
1332 pac_file = os.path.join(params['logdir'], "fast.pac")
1333 pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
1334 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1335 hostapd.add_ap(apdev[0]['ifname'], params)
1336
1337 try:
1338 eap_connect(dev[0], apdev[0], "FAST", "user",
1339 anonymous_identity="FAST", password="password",
1340 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1341 phase1="fast_provisioning=1", pac_file=pac_file)
1342 with open(pac_file, "r") as f:
1343 data = f.read()
1344 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
1345 raise Exception("PAC file header missing")
1346 if "PAC-Key=" not in data:
1347 raise Exception("PAC-Key missing from PAC file")
1348 dev[0].request("REMOVE_NETWORK all")
1349 eap_connect(dev[0], apdev[0], "FAST", "user",
1350 anonymous_identity="FAST", password="password",
1351 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1352 pac_file=pac_file)
1353
1354 eap_connect(dev[1], apdev[0], "FAST", "user",
1355 anonymous_identity="FAST", password="password",
1356 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1357 phase1="fast_provisioning=1 fast_pac_format=binary",
1358 pac_file=pac_file2)
1359 dev[1].request("REMOVE_NETWORK all")
1360 eap_connect(dev[1], apdev[0], "FAST", "user",
1361 anonymous_identity="FAST", password="password",
1362 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1363 phase1="fast_pac_format=binary",
1364 pac_file=pac_file2)
1365 finally:
1366 subprocess.call(['sudo', 'rm', pac_file])
1367 subprocess.call(['sudo', 'rm', pac_file2])
1368
c6ab1cdb
JM		 1369def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
1370 """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
1371 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1372 hostapd.add_ap(apdev[0]['ifname'], params)
1373 eap_connect(dev[0], apdev[0], "FAST", "user",
1374 anonymous_identity="FAST", password="password",
1375 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1376 phase1="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
1377 pac_file="blob://fast_pac_bin")
1378 eap_reauth(dev[0], "FAST")
1379
46e094bd
JM		 1380def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
1381 """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
1382 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1383 hostapd.add_ap(apdev[0]['ifname'], params)
1384
1385 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
1386 identity="user", anonymous_identity="FAST",
1387 password="password",
1388 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1389 pac_file="blob://fast_pac_not_in_use",
1390 wait_connect=False, scan_freq="2412")
1391 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
1392 if ev is None:
1393 raise Exception("Timeout on EAP failure report")
1394 dev[0].request("REMOVE_NETWORK all")
1395
1396 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
1397 identity="user", anonymous_identity="FAST",
1398 password="password",
1399 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1400 wait_connect=False, scan_freq="2412")
1401 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
1402 if ev is None:
1403 raise Exception("Timeout on EAP failure report")
1404
53a6f06a
JM		 1405def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
1406 """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
1407 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1408 hostapd.add_ap(apdev[0]['ifname'], params)
1409 eap_connect(dev[0], apdev[0], "FAST", "user",
1410 anonymous_identity="FAST", password="password",
1411 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
1412 phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
1413 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
1414 eap_reauth(dev[0], "FAST")
d4c7a2b9
JM		 1415
1416def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
1417 """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
1418 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1419 hostapd.add_ap(apdev[0]['ifname'], params)
1420 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1421 private_key="auth_serv/user.pkcs12",
1422 private_key_passwd="whatever", ocsp=2)
1423
64e05f96 1424def int_eap_server_params():
d4c7a2b9
JM		 1425 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1426 "rsn_pairwise": "CCMP", "ieee8021x": "1",
1427 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
1428 "ca_cert": "auth_serv/ca.pem",
1429 "server_cert": "auth_serv/server.pem",
64e05f96
JM		 1430 "private_key": "auth_serv/server.key" }
1431 return params
1432
1433def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
1434 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
1435 params = int_eap_server_params()
1436 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
d4c7a2b9
JM		 1437 hostapd.add_ap(apdev[0]['ifname'], params)
1438 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1439 identity="tls user", ca_cert="auth_serv/ca.pem",
1440 private_key="auth_serv/user.pkcs12",
1441 private_key_passwd="whatever", ocsp=2,
1442 wait_connect=False, scan_freq="2412")
1443 count = 0
1444 while True:
1445 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
1446 if ev is None:
1447 raise Exception("Timeout on EAP status")
1448 if 'bad certificate status response' in ev:
1449 break
1450 count = count + 1
1451 if count > 10:
1452 raise Exception("Unexpected number of EAP status messages")
1453
1454 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
1455 if ev is None:
1456 raise Exception("Timeout on EAP failure report")
64e05f96
JM		 1457
1458def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
1459 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
1460 params = int_eap_server_params()
1461 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
1462 params["private_key"] = "auth_serv/server-no-dnsname.key"
1463 hostapd.add_ap(apdev[0]['ifname'], params)
1464 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1465 identity="tls user", ca_cert="auth_serv/ca.pem",
1466 private_key="auth_serv/user.pkcs12",
1467 private_key_passwd="whatever",
1468 domain_suffix_match="server3.w1.fi",
1469 scan_freq="2412")
1470 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1471 identity="tls user", ca_cert="auth_serv/ca.pem",
1472 private_key="auth_serv/user.pkcs12",
1473 private_key_passwd="whatever",
1474 domain_suffix_match="w1.fi",
1475 scan_freq="2412")
1476
1477def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
1478 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
1479 params = int_eap_server_params()
1480 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
1481 params["private_key"] = "auth_serv/server-no-dnsname.key"
1482 hostapd.add_ap(apdev[0]['ifname'], params)
1483 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1484 identity="tls user", ca_cert="auth_serv/ca.pem",
1485 private_key="auth_serv/user.pkcs12",
1486 private_key_passwd="whatever",
1487 domain_suffix_match="example.com",
1488 wait_connect=False,
1489 scan_freq="2412")
c61dca40
JM		 1490 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1491 identity="tls user", ca_cert="auth_serv/ca.pem",
1492 private_key="auth_serv/user.pkcs12",
1493 private_key_passwd="whatever",
1494 domain_suffix_match="erver3.w1.fi",
1495 wait_connect=False,
1496 scan_freq="2412")
64e05f96
JM		 1497 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
1498 if ev is None:
1499 raise Exception("Timeout on EAP failure report")
c61dca40
JM		 1500 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
1501 if ev is None:
1502 raise Exception("Timeout on EAP failure report (2)")
6a4d0dbe
JM		 1503
1504def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
1505 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
1506 params = int_eap_server_params()
1507 params["server_cert"] = "auth_serv/server-expired.pem"
1508 params["private_key"] = "auth_serv/server-expired.key"
1509 hostapd.add_ap(apdev[0]['ifname'], params)
1510 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1511 identity="mschap user", password="password",
1512 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
1513 wait_connect=False,
1514 scan_freq="2412")
1515 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
1516 if ev is None:
1517 raise Exception("Timeout on EAP certificate error report")
1518 if "reason=4" not in ev or "certificate has expired" not in ev:
1519 raise Exception("Unexpected failure reason: " + ev)
1520 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
1521 if ev is None:
1522 raise Exception("Timeout on EAP failure report")
1523
1524def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
1525 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
1526 params = int_eap_server_params()
1527 params["server_cert"] = "auth_serv/server-expired.pem"
1528 params["private_key"] = "auth_serv/server-expired.key"
1529 hostapd.add_ap(apdev[0]['ifname'], params)
1530 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1531 identity="mschap user", password="password",
1532 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
1533 phase1="tls_disable_time_checks=1",
1534 scan_freq="2412")
6ab4a7aa
JM		 1535
1536def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
1537 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
1538 params = int_eap_server_params()
1539 params["server_cert"] = "auth_serv/server-eku-client.pem"
1540 params["private_key"] = "auth_serv/server-eku-client.key"
1541 hostapd.add_ap(apdev[0]['ifname'], params)
1542 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1543 identity="mschap user", password="password",
1544 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
1545 wait_connect=False,
1546 scan_freq="2412")
1547 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
1548 if ev is None:
1549 raise Exception("Timeout on EAP failure report")
242219c5 1550
14bef66d
JM		 1551def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
1552 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
1553 params = int_eap_server_params()
1554 params["server_cert"] = "auth_serv/server-eku-client-server.pem"
1555 params["private_key"] = "auth_serv/server-eku-client-server.key"
1556 hostapd.add_ap(apdev[0]['ifname'], params)
1557 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1558 identity="mschap user", password="password",
1559 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
1560 scan_freq="2412")
1561
c37b02fc
JM		 1562def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
1563 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
1564 params = int_eap_server_params()
1565 del params["server_cert"]
1566 params["private_key"] = "auth_serv/server.pkcs12"
1567 hostapd.add_ap(apdev[0]['ifname'], params)
1568 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1569 identity="mschap user", password="password",
1570 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
1571 scan_freq="2412")
1572
242219c5
JM		 1573def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
1574 """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params"""
1575 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1576 hostapd.add_ap(apdev[0]['ifname'], params)
1577 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
1578 anonymous_identity="ttls", password="password",
1579 ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
1580 dh_file="auth_serv/dh.conf")
7c50093f 1581
6ea231e6
JM		 1582def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
1583 """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob"""
1584 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1585 hostapd.add_ap(apdev[0]['ifname'], params)
1586 dh = read_pem("auth_serv/dh.conf")
1587 if "OK" not in dev[0].request("SET blob dhparams " + dh.encode("hex")):
1588 raise Exception("Could not set dhparams blob")
1589 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
1590 anonymous_identity="ttls", password="password",
1591 ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
1592 dh_file="blob://dhparams")
1593
7c50093f
JM		 1594def test_ap_wpa2_eap_reauth(dev, apdev):
1595 """WPA2-Enterprise and Authenticator forcing reauthentication"""
1596 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1597 params['eap_reauth_period'] = '2'
1598 hostapd.add_ap(apdev[0]['ifname'], params)
1599 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
1600 password_hex="0123456789abcdef0123456789abcdef")
1601 logger.info("Wait for reauthentication")
1602 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1603 if ev is None:
1604 raise Exception("Timeout on reauthentication")
1605 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
1606 if ev is None:
1607 raise Exception("Timeout on reauthentication")
1608 for i in range(0, 20):
1609 state = dev[0].get_status_field("wpa_state")
1610 if state == "COMPLETED":
1611 break
1612 time.sleep(0.1)
1613 if state != "COMPLETED":
1614 raise Exception("Reauthentication did not complete")
8b56743e
JM		 1615
1616def test_ap_wpa2_eap_request_identity_message(dev, apdev):
1617 """Optional displayable message in EAP Request-Identity"""
1618 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1619 params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
1620 hostapd.add_ap(apdev[0]['ifname'], params)
1621 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
1622 password_hex="0123456789abcdef0123456789abcdef")
910f16ca
JM		 1623
1624def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
1625 """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
1626 if not os.path.exists("/tmp/hlr_auc_gw.sock"):
1627 logger.info("No hlr_auc_gw available");
1628 return "skip"
1629 params = int_eap_server_params()
1630 params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
1631 params['eap_sim_aka_result_ind'] = "1"
1632 hostapd.add_ap(apdev[0]['ifname'], params)
1633
1634 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
1635 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
1636 phase1="result_ind=1")
1637 eap_reauth(dev[0], "SIM")
1638 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
1639 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
1640
1641 dev[0].request("REMOVE_NETWORK all")
1642 dev[1].request("REMOVE_NETWORK all")
1643
1644 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
1645 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1646 phase1="result_ind=1")
1647 eap_reauth(dev[0], "AKA")
1648 eap_connect(dev[1], apdev[0], "AKA", "0232010000000000",
1649 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
1650
1651 dev[0].request("REMOVE_NETWORK all")
1652 dev[1].request("REMOVE_NETWORK all")
1653
1654 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
1655 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
1656 phase1="result_ind=1")
1657 eap_reauth(dev[0], "AKA'")
1658 eap_connect(dev[1], apdev[0], "AKA'", "6555444333222111",
1659 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
633e364b
JM		 1660
1661def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
1662 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
1663 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1664 hostapd.add_ap(apdev[0]['ifname'], params)
1665 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1666 eap="TTLS", identity="mschap user",
1667 wait_connect=False, scan_freq="2412", ieee80211w="1",
1668 anonymous_identity="ttls", password="password",
1669 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
1670 fragment_size="10")
1671 ev = dev[0].wait_event(["EAP: more than"], timeout=20)
1672 if ev is None:
1673 raise Exception("EAP roundtrip limit not reached")
32dca985
JM		 1674
1675def test_ap_wpa2_eap_expanded_nak(dev, apdev):
1676 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
1677 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1678 hostapd.add_ap(apdev[0]['ifname'], params)
1679 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1680 eap="PSK", identity="vendor-test",
1681 password_hex="ff23456789abcdef0123456789abcdef",
1682 wait_connect=False)
1683
1684 found = False
1685 for i in range(0, 5):
1686 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
1687 if ev is None:
1688 raise Exception("Association and EAP start timed out")
1689 if "refuse proposed method" in ev:
1690 found = True
1691 break
1692 if not found:
1693 raise Exception("Unexpected EAP status: " + ev)
1694
1695 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
1696 if ev is None:
1697 raise Exception("EAP failure timed out")
Unnamed repository; edit this file 'description' to name the repository.