# -*- coding: utf-8 -*-
# WPA2-Enterprise tests
# Copyright (c) 2013-2019, Jouni Malinen <j@w1.fi>
#
# This software may be distributed under the terms of the BSD license.
# See README for more details.

import base64
import binascii
import contextlib
import logging
import os
import signal
import socket
import SocketServer
import struct
import subprocess
import tempfile
import time

import hwsim_utils
from hwsim import HWSimRadio
import hostapd
from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips, wait_fail_trigger, require_under_vm
from wpasupplicant import WpaSupplicant
from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations, set_test_assoc_ie

logger = logging.getLogger()
9626962d 27
ca27ee09
JM
# pyOpenSSL is optional for this module; the flag records whether it could be
# imported so that individual tests can decide to skip.
try:
    import OpenSSL
except ImportError:
    openssl_imported = False
else:
    openssl_imported = True
34def check_hlr_auc_gw_support():
35 if not os.path.exists("/tmp/hlr_auc_gw.sock"):
36 raise HwsimSkip("No hlr_auc_gw available")
def check_eap_capa(dev, method):
    """Skip the test if *method* is missing from the EAP capability of *dev*.

    Raises HwsimSkip when the build of wpa_supplicant behind *dev* does not
    list *method* in its "eap" capability.
    """
    supported = dev.get_capability("eap")
    if method in supported:
        return
    raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip the test unless *dev* uses OpenSSL or wolfSSL (subject_match).

    Raises HwsimSkip for any other TLS library reported by "GET tls_library".
    """
    tls = dev.request("GET tls_library")
    if tls.startswith(("OpenSSL", "wolfSSL")):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + tls)
def check_altsubject_match_support(dev):
    """Skip the test unless *dev* uses OpenSSL or wolfSSL (altsubject_match).

    Raises HwsimSkip for any other TLS library reported by "GET tls_library".
    """
    tls = dev.request("GET tls_library")
    if tls.startswith(("OpenSSL", "wolfSSL")):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls)
def check_domain_match(dev):
    """Skip the test when *dev* uses the internal TLS library (domain_match).

    Raises HwsimSkip if "GET tls_library" reports the internal implementation.
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("internal"):
        return
    raise HwsimSkip("domain_match not supported with this TLS library: " + tls)
def check_domain_suffix_match(dev):
    """Skip the test when *dev* uses the internal TLS library (domain_suffix_match).

    Raises HwsimSkip if "GET tls_library" reports the internal implementation.
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("internal"):
        return
    raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + tls)
def check_domain_match_full(dev):
    """Skip the test unless *dev* uses OpenSSL or wolfSSL.

    Used by tests that rely on domain_suffix_match performing a full match;
    raises HwsimSkip for any other TLS library.
    """
    tls = dev.request("GET tls_library")
    if tls.startswith(("OpenSSL", "wolfSSL")):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls)
def check_cert_probe_support(dev):
    """Skip the test unless *dev* uses OpenSSL or the internal TLS library.

    Raises HwsimSkip when certificate probing is not available with the
    library reported by "GET tls_library".
    """
    tls = dev.request("GET tls_library")
    if tls.startswith(("OpenSSL", "internal")):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls)
def check_ext_cert_check_support(dev):
    """Skip the test unless *dev* uses OpenSSL (ext_cert_check).

    Raises HwsimSkip for any other TLS library reported by "GET tls_library".
    """
    tls = dev.request("GET tls_library")
    if tls.startswith("OpenSSL"):
        return
    raise HwsimSkip("ext_cert_check not supported with this TLS library: " + tls)
def check_ocsp_support(dev):
    """Skip the test when the TLS library of *dev* has no OCSP support.

    Only wolfSSL is excluded at the moment; the internal library and
    BoringSSL are accepted. Raises HwsimSkip for wolfSSL.
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("wolfSSL"):
        return
    raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
def check_pkcs5_v15_support(dev):
    """Skip the test when the TLS library of *dev* lacks PKCS#5 v1.5 support.

    Raises HwsimSkip when "GET tls_library" mentions BoringSSL or GnuTLS.
    """
    tls = dev.request("GET tls_library")
    unsupported = ("BoringSSL", "GnuTLS")
    if any(name in tls for name in unsupported):
        raise HwsimSkip("PKCS#5 v1.5 not supported with this TLS library: " + tls)
def check_ocsp_multi_support(dev):
    """Skip the test unless both sides use the internal TLS library.

    Checks "GET tls_library" on *dev* first and then on the "as" hostapd
    instance (the authentication server). Raises HwsimSkip if either is not
    the internal implementation.
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("internal"):
        raise HwsimSkip("OCSP-multi not supported with this TLS library: " + tls)
    auth_srv = hostapd.Hostapd("as")
    srv_tls = auth_srv.request("GET tls_library")
    del auth_srv
    if srv_tls.startswith("internal"):
        return
    raise HwsimSkip("Authentication server does not support ocsp_multi")
def check_pkcs12_support(dev):
    """Skip the test when the TLS library of *dev* cannot load PKCS#12 files.

    Only wolfSSL is excluded at the moment; raises HwsimSkip for it.
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("wolfSSL"):
        return
    raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls)
def check_dh_dsa_support(dev):
    """Skip the test when *dev* uses the internal TLS library (DH DSA).

    Raises HwsimSkip if "GET tls_library" reports the internal implementation.
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("internal"):
        return
    raise HwsimSkip("DH DSA not supported with this TLS library: " + tls)
def read_pem(fname):
    """Return the DER bytes of the first PEM block in the file *fname*.

    Lines after the first "-----BEGIN" marker are collected up to the first
    "-----END" marker and base64-decoded. If the file has no BEGIN marker,
    nothing is collected and the empty string is decoded.
    """
    body = []
    inside = False
    with open(fname, "r") as fh:
        for line in fh:
            if "-----END" in line:
                break
            if inside:
                body.append(line)
            elif "-----BEGIN" in line:
                inside = True
    return base64.b64decode("".join(body))
def eap_connect(dev, hapd, method, identity,
                sha256=False, expect_failure=False, local_error_report=False,
                maybe_local_error=False, report_failure=False, **kwargs):
    """Add a "test-wpa2-eap" network on *dev* and run the EAP authentication.

    The network is configured with key_mgmt "WPA-EAP WPA-EAP-SHA256",
    ieee80211w=1, scan_freq 2412 and the given *method*/*identity*; any
    extra keyword arguments are passed on to dev.connect() as further
    network parameters. The authentication is then followed through
    eap_check_auth() with the remaining flags.

    Returns the network id. When *expect_failure* is set the function
    returns as soon as the failure has been verified; otherwise it also
    requires *hapd* to report AP-STA-CONNECTED within 5 seconds.
    """
    net_id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                         eap=method, identity=identity, wait_connect=False,
                         scan_freq="2412", ieee80211w="1", **kwargs)
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report,
                   maybe_local_error=maybe_local_error,
                   report_failure=report_failure)
    if not expect_failure:
        # The supplicant side is done; make sure the AP saw the station too.
        if hapd.wait_event(["AP-STA-CONNECTED"], timeout=5) is None:
            raise Exception("No connection event received from hostapd")
    return net_id
def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False,
                   maybe_local_error=False, report_failure=False):
    """Follow one EAP authentication on *dev* through its control events.

    The sequence expected is EAP-STARTED, EAP-METHOD (naming *method*),
    EAP-SUCCESS and finally either CTRL-EVENT-CONNECTED (*initial*) or
    "WPA: Key negotiation completed" (reauthentication). The STATUS of *dev*
    is then checked for wpa_state, suppPortStatus, selectedMethod and the
    key_mgmt value selected by *sha256*/*rsn*, and returned.

    With *expect_failure* an EAP-Failure and a disconnection are required
    instead; the disconnection must carry reason=23 unless
    *local_error_report* is set. *maybe_local_error* tolerates an early
    EAP-Failure or a locally generated disconnection (returns None).
    *report_failure* turns an explicit EAP-Failure into an "EAP failed"
    exception rather than a timeout.
    """
    def wait_for(events, timeout_msg, **kw):
        # Block on one of *events*; a timeout becomes an exception.
        ev = dev.wait_event(events, **kw)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    wait_for(["CTRL-EVENT-EAP-STARTED"],
             "Association and EAP start timed out", timeout=16)
    ev = wait_for(["CTRL-EVENT-EAP-METHOD", "CTRL-EVENT-EAP-FAILURE"],
                  "EAP method selection timed out", timeout=10)
    if "CTRL-EVENT-EAP-FAILURE" in ev:
        if maybe_local_error:
            return
        raise Exception("Could not select EAP method")
    if method not in ev:
        raise Exception("Unexpected EAP method")

    if expect_failure:
        # No explicit timeout here: wait_event's default applies.
        wait_for(["CTRL-EVENT-EAP-FAILURE"], "EAP failure timed out")
        ev = dev.wait_disconnected(timeout=10)
        if maybe_local_error and "locally_generated=1" in ev:
            return
        if not local_error_report and "reason=23" not in ev:
            raise Exception("Proper reason code for disconnection not reported")
        return

    if report_failure:
        ev = wait_for(["CTRL-EVENT-EAP-SUCCESS", "CTRL-EVENT-EAP-FAILURE"],
                      "EAP success timed out", timeout=10)
        if "CTRL-EVENT-EAP-SUCCESS" not in ev:
            raise Exception("EAP failed")
    else:
        wait_for(["CTRL-EVENT-EAP-SUCCESS"], "EAP success timed out",
                 timeout=10)

    if initial:
        done_events = ["CTRL-EVENT-CONNECTED"]
    else:
        done_events = ["WPA: Key negotiation completed"]
    wait_for(done_events, "Association with the AP timed out", timeout=10)

    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if "selectedMethod" not in status:
        logger.info("Status: " + str(status))
        raise Exception("No selectedMethod in status")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")

    if sha256:
        expected_key_mgmt = "WPA2-EAP-SHA256"
    elif rsn:
        expected_key_mgmt = "WPA2/IEEE 802.1X/EAP"
    else:
        expected_key_mgmt = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != expected_key_mgmt:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
    return status
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger REAUTHENTICATE on *dev* and verify the new EAP exchange.

    Returns the result of eap_check_auth() for a non-initial authentication:
    the STATUS dictionary on success, or None when *expect_failure* is set
    and the failure was verified.
    """
    dev.request("REAUTHENTICATE")
    status = eap_check_auth(dev, method, False, rsn=rsn, sha256=sha256,
                            expect_failure=expect_failure)
    return status
def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Ki:OPc test vector used by the hwsim hlr_auc_gw database
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    eap_connect(dev[0], hapd, "SIM", "1232010000000000", password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "SIM")

    eap_connect(dev[1], hapd, "SIM", "1232010000000001", password=good_key)
    # Third identity: expected to be rejected
    eap_connect(dev[2], hapd, "SIM", "1232010000000002", password=good_key,
                expect_failure=True)

    # Each case removes the previous network and then attempts a connection
    # that must fail with the given (broken or missing) password.
    failing_cases = [
        ("Negative test with incorrect key",
         dict(password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")),
        ("Invalid GSM-Milenage key",
         dict(password="ffdca4eda45b53cf0f12d7c9c3bc6a")),
        ("Invalid GSM-Milenage key(2)",
         dict(password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581")),
        ("Invalid GSM-Milenage key(3)",
         dict(password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q")),
        ("Invalid GSM-Milenage key(4)",
         dict(password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581")),
        ("Missing key configuration", dict()),
    ]
    for label, net_kwargs in failing_cases:
        logger.info(label)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], hapd, "SIM", "1232010000000000",
                    expect_failure=True, **net_kwargs)
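def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)

    *params* is the hwsim test-run parameter dictionary; its 'logdir' entry
    locates the hostapd.db SQLite database that the authentication server
    uses, and the test manipulates the reauth/pseudonyms tables directly to
    drive the different EAP-SIM reauthentication paths.
    """
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    db_path = os.path.join(params['logdir'], "hostapd.db")
    # closing() releases the database connection when the test finishes
    # (also on failure) instead of leaving it to garbage collection.
    with contextlib.closing(sqlite3.connect(db_path)) as con:
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        # NOTE(review): port 1814 presumably selects the SQLite-backed
        # authentication server instance — confirm against auth_serv config.
        ap_params['auth_server_port'] = "1814"
        hapd = hostapd.add_ap(apdev[0], ap_params)
        permanent = "1232010000000000"
        password = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
        eap_connect(dev[0], hapd, "SIM", permanent, password=password)

        logger.info("SIM fast re-authentication")
        eap_reauth(dev[0], "SIM")

        # The SQL statements below use only constant test identities, so no
        # untrusted data reaches the query strings.
        logger.info("SIM full auth with pseudonym")
        with con:
            con.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM full auth with permanent identity")
        with con:
            con.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
            con.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM reauth with mismatching MK")
        with con:
            con.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "SIM", permanent, password=password)
        with con:
            con.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")
        with con:
            con.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
        logger.info("SIM reauth with mismatching counter")
        eap_reauth(dev[0], "SIM")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "SIM", permanent, password=password)
        with con:
            con.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
        logger.info("SIM reauth with max reauth count reached")
        eap_reauth(dev[0], "SIM")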
def test_ap_wpa2_eap_sim_config(dev, apdev):
    """EAP-SIM configuration options"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    password = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    init_error = "EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"

    # sim_min_num_chal values 1 and 4 are rejected when the method is
    # initialized; the second case carries a "(2)" suffix in its error text.
    for min_chal, suffix in (("1", ""), ("4", " (2)")):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                       identity="1232010000000000", password=password,
                       phase1="sim_min_num_chal=" + min_chal,
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event([init_error], timeout=10)
        if ev is None:
            raise Exception("No EAP error message seen" + suffix)
        dev[0].request("REMOVE_NETWORK all")

    # sim_min_num_chal=2 and an anonymous identity are both accepted
    eap_connect(dev[0], hapd, "SIM", "1232010000000000", password=password,
                phase1="sim_min_num_chal=2")
    eap_connect(dev[1], hapd, "SIM", "1232010000000000", password=password,
                anonymous_identity="345678")
def test_ap_wpa2_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
    # The test body enables external_sim on dev[0]; switch it off again even
    # when the body raises so later tests start from the default.
    try:
        _test_ap_wpa2_eap_sim_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext: feed malformed external SIM answers.

    After the first GSM-AUTH request a UMTS-AUTH style answer is given; the
    following rounds answer with malformed GSM-AUTH responses. Every round
    must end in CTRL-EVENT-EAP-FAILURE.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    net_id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                            identity="1232010000000000",
                            wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:
        raise Exception("Network connected timed out")

    def wait_gsm_auth_req():
        # Return the request id of the pending CTRL-REQ-SIM GSM-AUTH request.
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        fields = ev.split(':', 2)
        if fields[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return fields[0].split('-')[3]

    def expect_eap_failure():
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")

    rid = wait_gsm_auth_req()
    # IK:CK:RES
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # A UMTS-AUTH answer to a GSM-AUTH request: the ctrl_iface command
    # succeeds, but processing of the response fails.
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
    expect_eap_failure()

    # Malformed GSM-AUTH answers; each one is accepted by the ctrl_iface but
    # must fail GSM auth validation.
    bad_responses = ["q",
                     "34",
                     "0011223344556677",
                     "0011223344556677:q",
                     "0011223344556677:00112233",
                     "0011223344556677:00112233:q"]
    for bad in bad_responses:
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        time.sleep(0.1)

        dev[0].select_network(net_id, freq="2412")
        rid = wait_gsm_auth_req()
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + bad):
            raise Exception("CTRL-RSP-SIM failed")
        expect_eap_failure()
def test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
    """EAP-SIM with external GSM auth and replacing SIM without clearing pseudonym id"""
    # Always switch external_sim back off, whatever the body does.
    try:
        _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext_replace_sim.

    Connects with one IMSI using hlr_auc_gw as the external SIM, then changes
    the identity without clearing the pseudonym learned from the first
    exchange; the second authentication must fail.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    net_id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                            identity="1232010000000000",
                            wait_connect=False, scan_freq="2412")

    def answer_gsm_auth(imsi):
        # Wait for the CTRL-REQ-SIM GSM-AUTH request, compute the answer for
        # *imsi* with the hlr_auc_gw tool and hand it to wpa_supplicant.
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        fields = ev.split(':', 2)
        if fields[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        rid = fields[0].split('-')[3]
        rand = fields[2].split(' ')[0]
        # argv list, no shell: the RAND taken from the event is passed as a
        # plain argument.
        res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                       "-m",
                                       "auth_serv/hlr_auc_gw.milenage_db",
                                       "GSM-AUTH-REQ " + imsi + " " + rand])
        # NOTE(review): on Python 3 check_output() returns bytes, which would
        # need decoding before the str checks below — confirm the interpreter.
        if "GSM-AUTH-RESP" not in res:
            raise Exception("Unexpected hlr_auc_gw response")
        resp = res.split(' ')[2].rstrip()
        dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)

    answer_gsm_auth("232010000000000")
    dev[0].wait_connected(timeout=15)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Replace SIM, but forget to drop the previous pseudonym identity
    dev[0].set_network_quoted(net_id, "identity", "1232010000000009")
    dev[0].select_network(net_id, freq="2412")

    answer_gsm_auth("232010000000009")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
    """EAP-SIM with external GSM auth and replacing SIM and clearing pseudonym identity"""
    # Always switch external_sim back off, whatever the body does.
    try:
        _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext_replace_sim2.

    Connects with one IMSI using hlr_auc_gw as the external SIM, then changes
    the identity and clears the pseudonym (anonymous_identity); the second
    authentication must succeed.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    net_id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                            identity="1232010000000000",
                            wait_connect=False, scan_freq="2412")

    def answer_gsm_auth(imsi):
        # Wait for the CTRL-REQ-SIM GSM-AUTH request, compute the answer for
        # *imsi* with the hlr_auc_gw tool and hand it to wpa_supplicant.
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        fields = ev.split(':', 2)
        if fields[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        rid = fields[0].split('-')[3]
        rand = fields[2].split(' ')[0]
        # argv list, no shell: the RAND taken from the event is passed as a
        # plain argument.
        res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                       "-m",
                                       "auth_serv/hlr_auc_gw.milenage_db",
                                       "GSM-AUTH-REQ " + imsi + " " + rand])
        # NOTE(review): on Python 3 check_output() returns bytes, which would
        # need decoding before the str checks below — confirm the interpreter.
        if "GSM-AUTH-RESP" not in res:
            raise Exception("Unexpected hlr_auc_gw response")
        resp = res.split(' ')[2].rstrip()
        dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)

    answer_gsm_auth("232010000000000")
    dev[0].wait_connected(timeout=15)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Replace SIM and drop the previous pseudonym identity
    dev[0].set_network_quoted(net_id, "identity", "1232010000000009")
    dev[0].set_network(net_id, "anonymous_identity", "NULL")
    dev[0].select_network(net_id, freq="2412")

    answer_gsm_auth("232010000000009")
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
    """EAP-SIM with external GSM auth, replacing SIM, and no identity in config"""
    # Always switch external_sim back off, whatever the body does.
    try:
        _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext_replace_sim3.

    The network profile carries no identity, so wpa_supplicant asks for it
    through CTRL-REQ-IDENTITY each time. After the first connection both the
    permanent and the pseudonym identity are cleared and a second IMSI is
    supplied; the second authentication must succeed.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    net_id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                            wait_connect=False, scan_freq="2412")

    def answer_identity_req(identity):
        # Reply to the CTRL-REQ-IDENTITY request with *identity*.
        ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
        if ev is None:
            raise Exception("Request for identity timed out")
        rid = ev.split(':')[0].split('-')[-1]
        dev[0].request("CTRL-RSP-IDENTITY-" + rid + ":" + identity)

    def answer_gsm_auth(imsi):
        # Wait for the CTRL-REQ-SIM GSM-AUTH request, compute the answer for
        # *imsi* with the hlr_auc_gw tool and hand it to wpa_supplicant.
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        fields = ev.split(':', 2)
        if fields[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        rid = fields[0].split('-')[3]
        rand = fields[2].split(' ')[0]
        # argv list, no shell: the RAND taken from the event is passed as a
        # plain argument.
        res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                       "-m",
                                       "auth_serv/hlr_auc_gw.milenage_db",
                                       "GSM-AUTH-REQ " + imsi + " " + rand])
        # NOTE(review): on Python 3 check_output() returns bytes, which would
        # need decoding before the str checks below — confirm the interpreter.
        if "GSM-AUTH-RESP" not in res:
            raise Exception("Unexpected hlr_auc_gw response")
        resp = res.split(' ')[2].rstrip()
        dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)

    answer_identity_req("1232010000000000")
    answer_gsm_auth("232010000000000")
    dev[0].wait_connected(timeout=15)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Replace SIM and drop the previous permanent and pseudonym identities
    dev[0].set_network(net_id, "identity", "NULL")
    dev[0].set_network(net_id, "anonymous_identity", "NULL")
    dev[0].select_network(net_id, freq="2412")

    answer_identity_req("1232010000000009")
    answer_gsm_auth("232010000000009")
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
    """EAP-SIM with external GSM auth and auth failing"""
    # Always switch external_sim back off, whatever the body does.
    try:
        _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext_auth_fail.

    Answers the external SIM request with GSM-FAIL and expects wpa_supplicant
    to report an EAP failure within 5 seconds.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                   identity="1232010000000000",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    rid = ev.split(':', 2)[0].split('-')[3]
    # Tell wpa_supplicant that the SIM could not produce an answer.
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-FAIL")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5) is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_sim_change_bssid(dev, apdev):
    """EAP-SIM and external GSM auth to check fast reauth with bssid change"""
    # Always switch external_sim back off, whatever the body does.
    try:
        _test_ap_wpa2_eap_sim_change_bssid(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_change_bssid(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_change_bssid.

    Performs one full EAP-SIM authentication through hlr_auc_gw, changes the
    profile's bssid (a parameter unrelated to EAP) and verifies that
    reauthentication still works.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    net_id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                            identity="1232010000000000",
                            wait_connect=False, scan_freq="2412")

    def answer_gsm_auth(imsi):
        # Wait for the CTRL-REQ-SIM GSM-AUTH request, compute the answer for
        # *imsi* with the hlr_auc_gw tool and hand it to wpa_supplicant.
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        fields = ev.split(':', 2)
        if fields[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        rid = fields[0].split('-')[3]
        rand = fields[2].split(' ')[0]
        # argv list, no shell: the RAND taken from the event is passed as a
        # plain argument.
        res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                       "-m",
                                       "auth_serv/hlr_auc_gw.milenage_db",
                                       "GSM-AUTH-REQ " + imsi + " " + rand])
        # NOTE(review): on Python 3 check_output() returns bytes, which would
        # need decoding before the str checks below — confirm the interpreter.
        if "GSM-AUTH-RESP" not in res:
            raise Exception("Unexpected hlr_auc_gw response")
        resp = res.split(' ')[2].rstrip()
        dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)

    answer_gsm_auth("232010000000000")
    dev[0].wait_connected(timeout=15)

    # Verify that EAP-SIM Reauthentication can be used after a profile change
    # that does not affect EAP parameters.
    dev[0].set_network(net_id, "bssid", "any")
    eap_reauth(dev[0], "SIM")
776
def test_ap_wpa2_eap_sim_no_change_set(dev, apdev):
    """EAP-SIM and external GSM auth to check fast reauth with no-change SET_NETWORK

    Wrapper that runs _test_ap_wpa2_eap_sim_no_change_set() and always puts
    the station back into internal SIM handling afterwards, so the
    external_sim=1 setting used by the body cannot leak into other tests.
    """
    sta = dev[0]
    try:
        _test_ap_wpa2_eap_sim_no_change_set(dev, apdev)
    finally:
        # Runs on success, failure and skip alike.
        sta.request("SET external_sim 0")

def _test_ap_wpa2_eap_sim_no_change_set(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_no_change_set; runs with external_sim=1.

    Performs one full EAP-SIM authentication with the GSM challenge answered
    by the external hlr_auc_gw helper (argument list, no shell), then
    re-issues SET_NETWORK for key_mgmt, eap, identity and ssid with exactly
    the values already configured.  Such no-op updates must not invalidate
    the EAP-SIM fast-reauthentication state.  The caller restores
    external_sim=0.
    """
    check_hlr_auc_gw_support()
    sta = dev[0]
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta.request("SET external_sim 1")
    netid = sta.connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")

    req = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if req is None:
        raise Exception("Wait for external SIM processing request timed out")
    fields = req.split(':', 2)
    if fields[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    req_id = fields[0].split('-')[3]
    rand = fields[2].split(' ')[0]

    # NOTE(review): check_output() returns bytes on Python 3; the text
    # handling below assumes a str result - confirm the target interpreter.
    out = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "-m",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand])
    if "GSM-AUTH-RESP" not in out:
        raise Exception("Unexpected hlr_auc_gw response")
    answer = out.split(' ')[2].rstrip()

    sta.request("CTRL-RSP-SIM-" + req_id + ":GSM-AUTH:" + answer)
    sta.wait_connected(timeout=15)

    # Re-set every EAP-relevant field to its current value; none of these
    # may drop the cached fast-reauth state.
    unchanged = [(sta.set_network, "key_mgmt", "WPA-EAP"),
                 (sta.set_network, "eap", "SIM"),
                 (sta.set_network_quoted, "identity", "1232010000000000"),
                 (sta.set_network_quoted, "ssid", "test-wpa2-eap")]
    for setter, field, value in unchanged:
        setter(netid, field, value)
    eap_reauth(sta, "SIM")

def test_ap_wpa2_eap_sim_oom(dev, apdev):
    """EAP-SIM and OOM

    Arms fail_test() so that the 1st, 2nd, ... 12th milenage_f2345 call on
    the station fails while an EAP-SIM authentication is in progress.  Every
    attempt must get as far as selecting the EAP method and must then end
    up disconnected rather than connected.
    """
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    for fail_at in range(1, 13):
        with fail_test(sta, fail_at, "milenage_f2345"):
            sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                        identity="1232010000000000",
                        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                        wait_connect=False, scan_freq="2412")
            if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5) is None:
                raise Exception("EAP method not selected")
            sta.wait_disconnected()
            sta.request("REMOVE_NETWORK all")

def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA

    Positive path first (full authentication, data connectivity, fast
    reauth against the hlr_auc_gw backed server), followed by a table of
    negative cases: a wrong key, several syntactically broken
    colon-separated Milenage key strings (truncated, non-hex characters,
    wrong or missing separators) and finally a profile with no key at all.
    Each negative case must end in EAP failure instead of a connection.
    """
    check_hlr_auc_gw_support()
    sta = dev[0]
    imsi = "0232010000000000"
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, hapd, "AKA", imsi, password=good_key)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "AKA")

    # (log label, clear the profile list before the attempt, key to try).
    # The clear flag mirrors the original sequence: some cases reuse the
    # profile left behind by the previous failed attempt on purpose.
    negative_cases = [
        ("Negative test with incorrect key", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a"),
        ("Invalid Milenage key(2)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key(3)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123"),
        ("Invalid Milenage key(4)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q"),
        ("Invalid Milenage key(5)", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123"),
        ("Invalid Milenage key(6)", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123"),
    ]
    for label, clear_first, bad_key in negative_cases:
        logger.info(label)
        if clear_first:
            sta.request("REMOVE_NETWORK all")
        eap_connect(sta, hapd, "AKA", imsi, password=bad_key,
                    expect_failure=True)

    # No password at all: the method cannot even be configured properly.
    logger.info("Missing key configuration")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "AKA", imsi, expect_failure=True)

def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)

    Talks to the authentication server on port 1814, whose EAP-SIM/AKA
    state lives in the SQLite file hostapd.db under params['logdir'], and
    edits the reauth and pseudonyms tables directly between attempts to
    force each EAP-AKA path: fast reauth, full auth with pseudonym, full
    auth with permanent identity, MK mismatch (must fail), counter mismatch
    and the maximum reauth count.  All SQL below is fixed fixture text; no
    value is interpolated from test input.  Skips without sqlite3 or
    hlr_auc_gw.
    """
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def run_sql(*statements):
        # One transaction per call; the connection context manager commits
        # when the block completes normally.
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt)

    sta = dev[0]
    imsi = "0232010000000000"
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "1814"
    hapd = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(sta, hapd, "AKA", imsi, password=key)

    logger.info("AKA fast re-authentication")
    eap_reauth(sta, "AKA")

    logger.info("AKA full auth with pseudonym")
    run_sql("DELETE FROM reauth WHERE permanent='0232010000000000'")
    eap_reauth(sta, "AKA")

    logger.info("AKA full auth with permanent identity")
    run_sql("DELETE FROM reauth WHERE permanent='0232010000000000'",
            "DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
    eap_reauth(sta, "AKA")

    logger.info("AKA reauth with mismatching MK")
    run_sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
    eap_reauth(sta, "AKA", expect_failure=True)
    sta.request("REMOVE_NETWORK all")

    # Fresh full auth, then make the server's counter disagree with the
    # station's.
    eap_connect(sta, hapd, "AKA", imsi, password=key)
    run_sql("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    eap_reauth(sta, "AKA")
    run_sql("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with mismatching counter")
    eap_reauth(sta, "AKA")
    sta.request("REMOVE_NETWORK all")

    eap_connect(sta, hapd, "AKA", imsi, password=key)
    run_sql("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with max reauth count reached")
    eap_reauth(sta, "AKA")

def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options

    Plain EAP-AKA connection with an additional anonymous_identity in the
    profile; the authentication must still complete.
    """
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    extra = dict(anonymous_identity="2345678")
    eap_connect(sta, hapd, "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                **extra)

def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth

    Wrapper that runs _test_ap_wpa2_eap_aka_ext() and unconditionally
    restores internal SIM handling (SET external_sim 0) afterwards.
    """
    sta = dev[0]
    try:
        _test_ap_wpa2_eap_aka_ext(dev, apdev)
    finally:
        # Runs on success, failure and skip alike.
        sta.request("SET external_sim 0")

def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_ext; runs with external_sim=1.

    Drives the external-SIM control interface for EAP-AKA with a series of
    responses that must all end in CTRL-EVENT-EAP-FAILURE: a GSM-AUTH reply
    to a UMTS-AUTH request, a UMTS-AUTS (resynchronization) reply followed
    by a truncated one, and a list of UMTS-AUTH strings that are rejected
    during validation (wrong separators, lengths or non-hex characters; the
    first entry is well-formed but still fails).  The CTRL-RSP-SIM command
    itself is expected to be accepted ("OK") in the later cases; the
    rejection surfaces during EAP processing.  The caller restores
    external_sim=0.
    """
    check_hlr_auc_gw_support()
    sta = dev[0]
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta.request("SET external_sim 1")

    def wait_umts_auth_request():
        # Block until the supplicant asks the external SIM for a UMTS
        # authentication; return the request id used to answer it.
        ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        fields = ev.split(':', 2)
        if fields[1] != "UMTS-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return fields[0].split('-')[3]

    def answer(req_id, suffix):
        # The ctrl_iface command must be accepted; the failure shows up
        # later during UMTS auth validation.
        if "OK" not in sta.request("CTRL-RSP-SIM-" + req_id + suffix):
            raise Exception("CTRL-RSP-SIM failed")

    def expect_failure_and_reset():
        ev = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        if ev is None:
            raise Exception("EAP failure not reported")
        sta.request("DISCONNECT")
        sta.wait_disconnected()
        time.sleep(0.1)
        sta.dump_monitor()

    netid = sta.connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                        identity="0232010000000000",
                        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                        wait_connect=False, scan_freq="2412")
    if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("Network connected timed out")

    # Case 1: a GSM-AUTH (IK:CK:RES formatted) reply to a UMTS-AUTH request.
    # The command is accepted but processing fails afterwards.
    req_id = wait_umts_auth_request()
    sta.request("CTRL-RSP-SIM-" + req_id + ":GSM-AUTH:"
                + "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344")
    expect_failure_and_reset()

    # Case 2: a UMTS-AUTS reply, then a truncated one, on the same attempt.
    sta.select_network(netid, freq="2412")
    answer(wait_umts_auth_request(),
           ":UMTS-AUTS:112233445566778899aabbccddee")
    answer(wait_umts_auth_request(), ":UMTS-AUTS:12")
    expect_failure_and_reset()

    # Case 3: UMTS-AUTH replies rejected during validation.
    rejected_replies = [
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
        ":UMTS-AUTH:34",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q",
    ]
    for reply in rejected_replies:
        sta.select_network(netid, freq="2412")
        answer(wait_umts_auth_request(), reply)
        expect_failure_and_reset()

def test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    """EAP-AKA with external UMTS auth and auth failing

    Wrapper that runs _test_ap_wpa2_eap_aka_ext_auth_fail() and always
    restores internal SIM handling (SET external_sim 0) afterwards.
    """
    sta = dev[0]
    try:
        _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev)
    finally:
        # Runs on success, failure and skip alike.
        sta.request("SET external_sim 0")

def _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_ext_auth_fail; runs with external_sim=1.

    The external "SIM" answers the first CTRL-REQ-SIM with UMTS-FAIL, i.e.
    it refuses to authenticate; the supplicant must report
    CTRL-EVENT-EAP-FAILURE and the station ends up disconnected.  The
    caller restores external_sim=0.
    """
    check_hlr_auc_gw_support()
    sta = dev[0]
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta.request("SET external_sim 1")
    sta.connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                identity="0232010000000000",
                wait_connect=False, scan_freq="2412")

    req = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if req is None:
        raise Exception("Wait for external SIM processing request timed out")
    # Only the request id is needed; the request type is not checked here.
    req_id = req.split(':', 2)[0].split('-')[3]
    sta.request("CTRL-RSP-SIM-" + req_id + ":UMTS-FAIL")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5) is None:
        raise Exception("EAP failure not reported")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()

def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'

    Besides the basic connect / connectivity / fast-reauth checks on dev[0]
    this covers the EAP-AKA' bidding protection: dev[1] enables both AKA'
    and AKA (identity suffix "@both") and must still end up connected.
    Finally a wrong key for dev[0] must be rejected.
    """
    check_hlr_auc_gw_support()
    sta = dev[0]
    imsi = "6555444333222111"
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, hapd, "AKA'", imsi,
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "AKA'")

    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    other = dev[1]
    other.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                  identity="6555444333222111@both",
                  password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                  wait_connect=False, scan_freq="2412")
    other.wait_connected(timeout=15)

    logger.info("Negative test with incorrect key")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "AKA'", imsi,
                password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                expect_failure=True)

def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)

    EAP-AKA' counterpart of test_ap_wpa2_eap_aka_sql: the authentication
    server on port 1814 keeps its state in hostapd.db under
    params['logdir'], and the reauth / pseudonyms tables are edited in place
    to force fast reauth, full auth with pseudonym, full auth with permanent
    identity, a k_aut mismatch (must fail), a counter mismatch and the
    maximum reauth count.  All SQL is fixed fixture text.  Skips without
    sqlite3 or hlr_auc_gw.
    """
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def run_sql(*statements):
        # One transaction per call; the connection context manager commits
        # when the block completes normally.
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt)

    sta = dev[0]
    imsi = "6555444333222111"
    key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "1814"
    hapd = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(sta, hapd, "AKA'", imsi, password=key)

    logger.info("AKA' fast re-authentication")
    eap_reauth(sta, "AKA'")

    logger.info("AKA' full auth with pseudonym")
    run_sql("DELETE FROM reauth WHERE permanent='6555444333222111'")
    eap_reauth(sta, "AKA'")

    logger.info("AKA' full auth with permanent identity")
    run_sql("DELETE FROM reauth WHERE permanent='6555444333222111'",
            "DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
    eap_reauth(sta, "AKA'")

    logger.info("AKA' reauth with mismatching k_aut")
    run_sql("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
    eap_reauth(sta, "AKA'", expect_failure=True)
    sta.request("REMOVE_NETWORK all")

    # Fresh full auth, then make the server's counter disagree with the
    # station's.
    eap_connect(sta, hapd, "AKA'", imsi, password=key)
    run_sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    eap_reauth(sta, "AKA'")
    run_sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with mismatching counter")
    eap_reauth(sta, "AKA'")
    sta.request("REMOVE_NETWORK all")

    eap_connect(sta, hapd, "AKA'", imsi, password=key)
    run_sql("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with max reauth count reached")
    eap_reauth(sta, "AKA'")

def test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    """EAP-AKA' with external UMTS auth and auth failing

    Wrapper that runs _test_ap_wpa2_eap_aka_prime_ext_auth_fail() and
    always restores internal SIM handling (SET external_sim 0) afterwards.
    """
    sta = dev[0]
    try:
        _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev)
    finally:
        # Runs on success, failure and skip alike.
        sta.request("SET external_sim 0")

def _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_prime_ext_auth_fail (external_sim=1).

    The external "SIM" answers the first CTRL-REQ-SIM for EAP-AKA' with
    UMTS-FAIL; the supplicant must report CTRL-EVENT-EAP-FAILURE and the
    station ends up disconnected.  The caller restores external_sim=0.
    """
    check_hlr_auc_gw_support()
    sta = dev[0]
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta.request("SET external_sim 1")
    sta.connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
                identity="6555444333222111",
                wait_connect=False, scan_freq="2412")

    req = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if req is None:
        raise Exception("Wait for external SIM processing request timed out")
    # Only the request id is needed; the request type is not checked here.
    req_id = req.split(':', 2)[0].split('-')[3]
    sta.request("CTRL-RSP-SIM-" + req_id + ":UMTS-FAIL")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5) is None:
        raise Exception("EAP failure not reported")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()

def test_ap_wpa2_eap_aka_prime_ext(dev, apdev):
    """EAP-AKA' with external UMTS auth to hit Synchronization-Failure

    Wrapper that runs _test_ap_wpa2_eap_aka_prime_ext() and always restores
    internal SIM handling (SET external_sim 0) afterwards.
    """
    sta = dev[0]
    try:
        _test_ap_wpa2_eap_aka_prime_ext(dev, apdev)
    finally:
        # Runs on success, failure and skip alike.
        sta.request("SET external_sim 0")

def _test_ap_wpa2_eap_aka_prime_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_prime_ext; runs with external_sim=1.

    Answers the first UMTS-AUTH request with a UMTS-AUTS response, the
    EAP-AKA' Synchronization-Failure path, and then only verifies that a
    further CTRL-REQ-SIM (presumably the server's re-challenge) arrives.
    The caller restores external_sim=0.
    """
    check_hlr_auc_gw_support()
    sta = dev[0]
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta.request("SET external_sim 1")
    sta.connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
                identity="6555444333222111",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                wait_connect=False, scan_freq="2412")
    if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("Network connected timed out")

    req = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if req is None:
        raise Exception("Wait for external SIM processing request timed out")
    fields = req.split(':', 2)
    if fields[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    req_id = fields[0].split('-')[3]
    # The command is accepted; the AUTS fails during UMTS auth validation.
    reply = "CTRL-RSP-SIM-" + req_id + ":UMTS-AUTS:112233445566778899aabbccddee"
    if "OK" not in sta.request(reply):
        raise Exception("CTRL-RSP-SIM failed")
    if sta.wait_event(["CTRL-REQ-SIM"], timeout=15) is None:
        raise Exception("Wait for external SIM processing request timed out")

def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP

    Also sanity-checks the AP's reported key_mgmt (first token must be
    WPA-EAP) and, after a fast reauth, the RSN MIB entries for the
    requested and selected AKM (00-0f-ac-1, the 802.1X suite).  The PAP
    password only ever travels inside the outer TLS tunnel, whose server
    certificate is validated against auth_serv/ca.pem.
    """
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(sta, hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
    akm_8021x = "00-0f-ac-1"
    check_mib(sta, [("dot11RSNAAuthenticationSuiteRequested", akm_8021x),
                    ("dot11RSNAAuthenticationSuiteSelected", akm_8021x)])

def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match

    On top of the CA check, pins the server certificate by its full subject
    DN and by its EMAIL/DNS/URI subjectAltName entries; both constraints
    have to hold for the connection and the following fast reauth to
    succeed.  Skipped on TLS libraries without (alt)subject_match support.
    """
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    cert_constraints = {
        "subject_match": "/C=FI/O=w1.fi/CN=server.w1.fi",
        "altsubject_match": "EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
    }
    eap_connect(sta, hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                **cert_constraints)
    eap_reauth(sta, "TTLS")

def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password

    Two stations, two failure modes: dev[0] uses a valid PAP user with the
    wrong password, dev[1] an identity the server does not accept with PAP.
    Both attempts must end in EAP failure.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    attempts = [(dev[0], "pap user", "wrong"),
                (dev[1], "user", "password")]
    for sta, identity, password in attempts:
        eap_connect(sta, hapd, "TTLS", identity,
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                    expect_failure=True)

def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP

    Validates the server against the .der CA certificate file rather than
    the .pem one, then checks data connectivity and fast reauth.  Skipped
    in FIPS mode.
    """
    skip_with_fips(dev[0])
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, hapd, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")

def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP

    CHAP variant with altsubject_match: the server certificate has to carry
    the listed EMAIL, URI and DNS subjectAltName entries in addition to
    chaining to auth_serv/ca.der.  Skipped in FIPS mode or without
    altsubject_match support.
    """
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    san_constraint = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(sta, hapd, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=san_constraint)
    eap_reauth(sta, "TTLS")

def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password

    dev[0] uses the CHAP user with a wrong password, dev[1] an identity the
    server does not accept with CHAP; both must end in EAP failure.
    Skipped in FIPS mode.
    """
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    attempts = [(dev[0], "chap user", "wrong"),
                (dev[1], "user", "password")]
    for sta, identity, password in attempts:
        eap_connect(sta, hapd, "TTLS", identity,
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                    expect_failure=True)

def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP

    Three successive MSCHAP authentications against the same AP: with
    domain_suffix_match pinning the server certificate (plus connectivity
    and fast reauth), with a small fragment_size of 200 to exercise EAP
    fragmentation, and with the password supplied in its pre-hashed
    "hash:" form through password_hex instead of in cleartext.  Skipped in
    FIPS mode or without domain_suffix_match support.
    """
    skip_with_fips(dev[0])
    check_domain_suffix_match(dev[0])
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # 1) certificate pinned by domain suffix
    eap_connect(sta, hapd, "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
    sta.request("REMOVE_NETWORK all")

    # 2) forced EAP fragmentation
    eap_connect(sta, hapd, "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                fragment_size="200")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()

    # 3) password given as its hash instead of cleartext
    eap_connect(sta, hapd, "TTLS", "mschap user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")

def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password

    Three stations, three rejections: the MSCHAP user with a wrong
    password, an identity the server does not accept with MSCHAP, and an
    identity that does not exist at all.  Each must end in EAP failure.
    Skipped in FIPS mode.
    """
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    attempts = [(dev[0], "mschap user", "wrong"),
                (dev[1], "user", "password"),
                (dev[2], "no such user", "password")]
    for sta, identity, password in attempts:
        eap_connect(sta, hapd, "TTLS", identity,
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                    expect_failure=True)

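def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2

    Connects with an identity containing a literal backslash (DOMAIN form)
    and domain_suffix_match on the server certificate, then compares the
    AP's per-STA dot1x/EAPOL counters before and after a fast reauth
    (EAPOL frames received and backend successes must grow, at least one
    EAP-Start while authenticated must be counted), and finally
    re-authenticates with the pre-hashed "hash:" password form.  Skipped
    without domain_suffix_match or MSCHAPV2 support.
    """
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    sta = dev[0]
    # Raw string: the identity carries a literal backslash and "\m" is not a
    # valid escape sequence (DeprecationWarning / SyntaxWarning on Python 3).
    identity = r"DOMAIN\mschapv2 user"
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, hapd, "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(sta, hapd)

    addr = sta.p2p_interface_addr()
    sta_before = hapd.get_sta(addr)
    eapol_before = hapd.get_sta(addr, info="eapol")
    eap_reauth(sta, "TTLS")
    sta_after = hapd.get_sta(addr)
    eapol_after = hapd.get_sta(addr, info="eapol")

    def counter(entry, name):
        # hostapd reports MIB counters as decimal strings
        return int(entry[name])

    if counter(sta_after, 'dot1xAuthEapolFramesRx') <= counter(sta_before, 'dot1xAuthEapolFramesRx'):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if counter(eapol_after, 'authAuthEapStartsWhileAuthenticated') < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if counter(eapol_after, 'backendAuthSuccesses') <= counter(eapol_before, 'backendAuthSuccesses'):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
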
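def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
    """EAP-TTLS with invalid phase2 parameter values

    Tries a set of phase2 strings the supplicant must refuse (mixed-case
    method name, auth= mixed with autheap=, two auth= entries, an unknown
    autheap= method).  For each one EAP-TTLS (method=21) has to be proposed
    and then fail at EAP method initialization instead of reaching
    CTRL-EVENT-CONNECTED.
    """
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    # Raw string: "\m" is not a valid escape sequence; the identity carries
    # a literal backslash.
    identity = r"DOMAIN\mschapv2 user"
    invalid_phase2 = ["auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
                      "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
                      "autheap=MD5 autheap=FOO autheap=MSCHAPV2"]
    for phase2 in invalid_phase2:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity=identity,
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2=phase2,
                    wait_connect=False, scan_freq="2412")
        ev = sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
        if ev is None or "method=21" not in ev:
            raise Exception("EAP-TTLS not started")
        # Either outcome ends the wait; only the init failure is acceptable.
        ev = sta.wait_event(["EAP: Failed to initialize EAP method",
                             "CTRL-EVENT-CONNECTED"], timeout=5)
        if ev is None or "CTRL-EVENT-CONNECTED" in ev:
            raise Exception("No EAP-TTLS failure reported for phase2=" + phase2)
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()
        sta.dump_monitor()
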
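def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2

    Like the basic MSCHAPv2 case but with domain_suffix_match set to the
    parent domain "w1.fi" only, which must still accept the server.w1.fi
    certificate.  Requires full domain-match support; skipped in FIPS mode.
    """
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Raw string: "\m" is not a valid escape sequence; the identity carries
    # a literal backslash.
    eap_connect(sta, hapd, "TTLS", r"DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
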
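def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)

    Uses the exact-match domain_match constraint (here with a differently
    cased "Server.w1.fi", which must still be accepted) instead of the
    suffix variant.  Skipped without domain_match support or in FIPS mode.
    """
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Raw string: "\m" is not a valid escape sequence; the identity carries
    # a literal backslash.
    eap_connect(sta, hapd, "TTLS", r"DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
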
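def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password

    dev[0] uses the MSCHAPv2 user with a wrong password, dev[1] an identity
    the server does not accept with MSCHAPv2; both must end in EAP failure.
    Skipped in FIPS mode.
    """
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Raw string: "\m" is not a valid escape sequence; the identity carries
    # a literal backslash.
    attempts = [(dev[0], r"DOMAIN\mschapv2 user", "password1"),
                (dev[1], "user", "password")]
    for sta, identity, password in attempts:
        eap_connect(sta, hapd, "TTLS", identity,
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    expect_failure=True)
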
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    skip_with_fips(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")
    # Non-ASCII password given as text on one station and as a pre-computed
    # password hash ("hash:" prefix) on another.
    eap_connect(dev[0], ap, "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **tunnel)
    eap_connect(dev[1], ap, "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                **tunnel)
    # Raw password bytes that are not valid UTF-8 (0x80 alone, 0xc0/0xe0
    # without proper continuation bytes) or that are over-long (257 bytes)
    # must be reported as an EAP failure.
    bad_passwords = ["80", "41c041e04141e041", 257 * "41"]
    for pw_hex in bad_passwords:
        dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="TTLS", identity="utf8-user-hash",
                       password_hex=pw_hex, wait_connect=False,
                       scan_freq="2412", **tunnel)
        if dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1) is None:
            raise Exception("No failure reported")
        dev[2].request("REMOVE_NETWORK all")
        dev[2].wait_disconnected()

def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # ca_cert anchors the outer TLS tunnel; GTC runs as an inner EAP method
    # ("autheap=" rather than "auth=").
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], ap, "TTLS", "user", **sta_cfg)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")

def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The outer tunnel is valid; only the inner GTC password is wrong, which
    # must still end in EAP failure.
    eap_connect(dev[0], ap, "TTLS", "user",
                expect_failure=True,
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")

def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" presumably has no password on the server side, so a
    # client-supplied password must not authenticate it.
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd",
                expect_failure=True,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")

def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
    # Integrated EAP server so allocation failures can be injected in hostapd.
    ap = hostapd.add_ap(apdev[0], int_eap_server_params())
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    with alloc_fail(ap, 1, "eap_gtc_init"):
        eap_connect(dev[0], ap, "TTLS", "user", expect_failure=True, **inner)
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(ap, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user", wait_connect=False,
                       scan_freq="2412", **inner)
        # The association would only time out; poll GET_ALLOC_FAIL so we can
        # stop as soon as the injected failure has been consumed.
        for _ in range(20):
            time.sleep(0.1)
            if ap.request("GET_ALLOC_FAIL").startswith('0'):
                break

def test_ap_wpa2_eap_ttls_eap_gtc_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC (OOM)"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # Client-side allocation failures: each one must actually be reached
    # (wait_fail_trigger) before the network is torn down for the next case.
    for fail_at in ["eap_gtc_init", "eap_msg_alloc;eap_gtc_process"]:
        with alloc_fail(dev[0], 1, fail_at):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           scan_freq="2412",
                           eap="TTLS", identity="user",
                           anonymous_identity="ttls", password="password",
                           ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                           wait_connect=False)
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-MD5 offers no key derivation or server authentication of its own;
    # it is only acceptable here because it runs inside the TTLS tunnel that
    # ca_cert authenticates.
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], ap, "TTLS", "user", **sta_cfg)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")

def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong inner password; the attempt must end in EAP failure.
    eap_connect(dev[0], ap, "TTLS", "user",
                expect_failure=True,
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")

def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Identity presumably without a server-side password: must be rejected.
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd",
                expect_failure=True,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")

def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
    check_eap_capa(dev[0], "MD5")
    # Integrated EAP server so allocation failures can be injected in hostapd.
    ap = hostapd.add_ap(apdev[0], int_eap_server_params())
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    with alloc_fail(ap, 1, "eap_md5_init"):
        eap_connect(dev[0], ap, "TTLS", "user", expect_failure=True, **inner)
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(ap, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user", wait_connect=False,
                       scan_freq="2412", **inner)
        # The association would only time out; poll GET_ALLOC_FAIL so we can
        # stop as soon as the injected failure has been consumed.
        for _ in range(20):
            time.sleep(0.1)
            if ap.request("GET_ALLOC_FAIL").startswith('0'):
                break

def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], ap, "TTLS", "user", password="password", **tunnel)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # A wrong inner password must be rejected even though the same outer
    # tunnel was just established successfully.
    eap_connect(dev[0], ap, "TTLS", "user", password="password1",
                expect_failure=True, **tunnel)

def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Identity presumably without a server-side password: must be rejected.
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd",
                expect_failure=True,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")

def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    # Integrated EAP server so allocation failures can be injected in hostapd.
    ap = hostapd.add_ap(apdev[0], int_eap_server_params())
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="autheap=MSCHAPV2")

    with alloc_fail(ap, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], ap, "TTLS", "user", password="password",
                    expect_failure=True, **tunnel)
    dev[0].request("REMOVE_NETWORK all")

    def attempt_with_server_oom(func, password):
        # Start an association with the allocation failure armed in hostapd,
        # poll until the failure has been consumed, then clean up. The
        # association itself would only time out, so it is not waited for.
        with alloc_fail(ap, 1, func):
            dev[0].connect("test-wpa2-eap",
                           key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="TTLS", identity="user", password=password,
                           wait_connect=False, scan_freq="2412", **tunnel)
            for _ in range(20):
                time.sleep(0.1)
                if ap.request("GET_ALLOC_FAIL").startswith('0'):
                    break
            dev[0].request("REMOVE_NETWORK all")

    attempt_with_server_oom("eap_mschapv2_build_challenge", "password")
    attempt_with_server_oom("eap_mschapv2_build_success_req", "password")
    # A wrong password is needed to reach the failure-request path.
    attempt_with_server_oom("eap_mschapv2_build_failure_req", "wrong")

def test_ap_wpa2_eap_ttls_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-SIM inside TTLS; the password field carries the Ki:OPc values for
    # wpa_supplicant's built-in Milenage SIM simulation, not a user secret.
    sim_cfg = dict(anonymous_identity="1232010000000000@ttls",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=SIM")
    eap_connect(dev[0], ap, "TTLS", "1232010000000000", **sim_cfg)
    eap_reauth(dev[0], "TTLS")

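def run_ext_sim_auth(dev):
    """Serve one external-SIM GSM-AUTH request for *dev* and verify reauth.

    Waits for the CTRL-REQ-SIM request that wpa_supplicant raises when
    external_sim is enabled, computes the response with hlr_auc_gw against
    the test Milenage database, feeds it back via CTRL-RSP-SIM, and then
    checks that an EAP reauthentication and the following key negotiation
    complete.  Raises Exception on any timeout or unexpected reply.
    """
    ev = dev.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    # Event layout as parsed here: "CTRL-REQ-SIM-<id>:GSM-AUTH:<rand ...>";
    # only the first space-separated token of the challenge part is used.
    p = ev.split(':', 2)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]

    # hlr_auc_gw is run as an argv list (no shell), so the RAND value taken
    # from the control event is never shell-interpreted.  check_output()
    # returns bytes on Python 3; decode so the substring check and the
    # control-interface command below work on both Python 2 and 3.
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "-m",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand]).decode()
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()

    dev.request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev.wait_connected(timeout=15)

    # Second round: a fresh EAP exchange plus key negotiation must complete
    # without another CTRL-REQ-SIM being served here.
    dev.dump_monitor()
    dev.request("REAUTHENTICATE")
    ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=5)
    if ev is None:
        raise Exception("EAP reauthentication did not succeed")
    ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=5)
    if ev is None:
        raise Exception("Key negotiation did not complete")
    dev.dump_monitor()
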
def test_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    sta = dev[0]
    # external_sim is a global wpa_supplicant setting; make sure it is
    # switched off again for later tests even if this one fails.
    try:
        run_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev)
    finally:
        sta.request("SET external_sim 0")

def run_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_ttls_eap_sim_ext (caller resets external_sim)."""
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    # With external_sim=1 the GSM authentication is delegated to the control
    # interface client instead of the built-in Milenage simulation.
    sta.request("SET external_sim 1")
    sta.connect("test-wpa2-eap", eap="TTLS", key_mgmt="WPA-EAP",
                identity="1232010000000000",
                anonymous_identity="1232010000000000@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                ca_cert="auth_serv/ca.pem", phase2="autheap=SIM",
                wait_connect=False, scan_freq="2412")
    run_ext_sim_auth(sta)

def test_ap_wpa2_eap_peap_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-SIM inside PEAP; the password field carries the Ki:OPc values for
    # the built-in Milenage SIM simulation.
    sim_cfg = dict(anonymous_identity="1232010000000000@peap",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
    eap_connect(dev[0], ap, "PEAP", "1232010000000000", **sim_cfg)
    eap_reauth(dev[0], "PEAP")

def test_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    sta = dev[0]
    # external_sim is a global wpa_supplicant setting; always restore it.
    try:
        run_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev)
    finally:
        sta.request("SET external_sim 0")

def run_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_peap_eap_sim_ext (caller resets external_sim)."""
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    sta.request("SET external_sim 1")
    sta.connect("test-wpa2-eap", eap="PEAP", key_mgmt="WPA-EAP",
                identity="1232010000000000",
                anonymous_identity="1232010000000000@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                ca_cert="auth_serv/ca.pem", phase2="auth=SIM",
                wait_connect=False, scan_freq="2412")
    # Answer the GSM-AUTH request and verify reauthentication.
    run_ext_sim_auth(sta)

def test_ap_wpa2_eap_fast_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-SIM"""
    check_eap_capa(dev[0], "FAST")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=2 with a PAC kept in a config blob; EAP-SIM is the
    # inner method.
    fast_cfg = dict(anonymous_identity="1232010000000000@fast",
                    password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                    phase1="fast_provisioning=2",
                    pac_file="blob://fast_pac_auth_sim",
                    ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
    eap_connect(dev[0], ap, "FAST", "1232010000000000", **fast_cfg)
    eap_reauth(dev[0], "FAST")

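def test_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-SIM and external GSM auth"""
    # Same prerequisites as test_ap_wpa2_eap_fast_eap_sim: the build must
    # include EAP-FAST, and hlr_auc_gw must be available for the GSM
    # authentication step.
    check_eap_capa(dev[0], "FAST")
    check_hlr_auc_gw_support()
    try:
        run_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev)
    finally:
        # external_sim is a global wpa_supplicant setting; always restore it.
        dev[0].request("SET external_sim 0")
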
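def run_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_fast_eap_sim_ext (caller resets external_sim)."""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    # eap and anonymous_identity must select EAP-FAST here, matching
    # test_ap_wpa2_eap_fast_eap_sim; phase1="fast_provisioning=2" and
    # pac_file are FAST-specific and would not exercise EAP-FAST under PEAP.
    dev[0].connect("test-wpa2-eap", eap="FAST", key_mgmt="WPA-EAP",
                   identity="1232010000000000",
                   anonymous_identity="1232010000000000@fast",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   phase1="fast_provisioning=2",
                   pac_file="blob://fast_pac_auth_sim",
                   ca_cert="auth_serv/ca.pem", phase2="auth=SIM",
                   wait_connect=False, scan_freq="2412")
    run_ext_sim_auth(dev[0])
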
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-AKA inside TTLS; password is Ki:OPc:SQN for the built-in Milenage
    # USIM simulation.
    aka_cfg = dict(anonymous_identity="0232010000000000@ttls",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
    eap_connect(dev[0], ap, "TTLS", "0232010000000000", **aka_cfg)
    eap_reauth(dev[0], "TTLS")

def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-AKA inside PEAP; password is Ki:OPc:SQN for the built-in Milenage
    # USIM simulation.
    aka_cfg = dict(anonymous_identity="0232010000000000@peap",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                   ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_connect(dev[0], ap, "PEAP", "0232010000000000", **aka_cfg)
    eap_reauth(dev[0], "PEAP")

def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-AKA inside EAP-FAST with authenticated PAC provisioning; the PAC is
    # kept in a config blob.
    fast_cfg = dict(anonymous_identity="0232010000000000@fast",
                    password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                    phase1="fast_provisioning=2",
                    pac_file="blob://fast_pac_auth_aka",
                    ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_connect(dev[0], ap, "FAST", "0232010000000000", **fast_cfg)
    eap_reauth(dev[0], "FAST")

def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")

    eap_connect(dev[0], ap, "PEAP", "user", password="password", **tunnel)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    # Same exchange with EAP fragmentation forced by a small fragment size.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "PEAP", "user", password="password",
                fragment_size="200", **tunnel)

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **tunnel)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "PEAP", "user", password="password1",
                expect_failure=True, **tunnel)

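def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # The backslash must be escaped: on Python 3 an unescaped "\u" starts a
    # \uXXXX unicode escape, so "DOMAIN\user3" is a SyntaxError, whereas
    # "DOMAIN\\user3" yields the intended DOMAIN\user3 identity on both
    # Python 2 and 3.
    eap_connect(dev[0], hapd, "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")
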
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong inner password; the attempt must end in EAP failure.
    eap_connect(dev[0], ap, "PEAP", "user",
                expect_failure=True,
                anonymous_identity="peap", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    base = dict(password="password", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2")
    # crypto_binding=2 makes the PEAPv0 cryptobinding TLV mandatory on the
    # first station; 1 (optional) and 0 (disabled) are exercised on the
    # other two against the same AP.
    eap_connect(dev[0], ap, "PEAP", "user",
                phase1="peapver=0 crypto_binding=2", **base)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    eap_connect(dev[1], ap, "PEAP", "user",
                phase1="peapver=0 crypto_binding=1", **base)
    eap_connect(dev[2], ap, "PEAP", "user",
                phase1="peapver=0 crypto_binding=0", **base)

def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    # Integrated EAP server so the allocation failure can be injected in
    # hostapd's inner-method key export.
    ap = hostapd.add_ap(apdev[0], int_eap_server_params())
    with alloc_fail(ap, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], ap, "PEAP", "user",
                    expect_failure=True, local_error_report=True,
                    password="password", ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2")

def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    common = dict(identity="user", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    # peaplabel=1 together with peapver=0 is expected to fail.
    eap_connect(sta, ap, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True)
    sta.request("REMOVE_NETWORK all")

    # peap_outer_success=0: EAP reports success but the connection is not
    # expected to complete, so stop once EAP success has been seen.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                anonymous_identity="peap", phase1="peap_outer_success=0",
                wait_connect=False, scan_freq="2412", **common)
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15) is None:
        raise Exception("No EAP success seen")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
    eap_connect(dev[1], ap, "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=1",
                phase2="auth=MSCHAPV2")
    eap_connect(dev[2], ap, "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=2",
                phase2="auth=MSCHAPV2")

    # PEAPv1 with peaplabel=1: EAP completes but no connection may follow.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                anonymous_identity="peap", phase1="peapver=1 peaplabel=1",
                wait_connect=False, scan_freq="2412", **common)
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15) is None:
        raise Exception("No EAP success seen")
    if sta.wait_event(["CTRL-EVENT-CONNECTED"], timeout=1) is not None:
        raise Exception("Unexpected connection")

    # Version negotiation. The anonymous identities peap-ver0/peap-ver1
    # presumably select the server-side PEAP version in the test user
    # database; an unconstrained or matching client setting connects...
    for anon, phase1 in [("peap-ver0", ""),
                         ("peap-ver1", ""),
                         ("peap-ver0", "peapver=0"),
                         ("peap-ver1", "peapver=1")]:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                    anonymous_identity=anon, phase1=phase1,
                    scan_freq="2412", **common)
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()

    # ...while a forced version mismatch must end in EAP-Failure.
    for anon, phase1 in [("peap-ver0", "peapver=1"),
                         ("peap-ver1", "peapver=0")]:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                    anonymous_identity=anon, phase1=phase1,
                    wait_connect=False, scan_freq="2412", **common)
        if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("No EAP-Failure seen")
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()

    # Explicit TLS tuning knobs in phase1 (all at their permissive values
    # here) must still produce a working connection.
    eap_connect(sta, ap, "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
                phase2="auth=MSCHAPV2")

def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The outer tunnel trusts ca_cert; the inner EAP-TLS uses the *2 variants
    # of the certificate parameters for its own client authentication.
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], ap, "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(dev[0], "PEAP")

def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Mutual certificate authentication: ca_cert validates the server and
    # the client certificate/key pair authenticates the station.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], ap, "TLS", "tls user", **creds)
    eap_reauth(dev[0], "TLS")

def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Encrypted PKCS #8 private key; the passphrase is supplied in the
    # network configuration.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key.pkcs8",
                 private_key_passwd="whatever")
    eap_connect(dev[0], ap, "TLS", "tls user", **creds)

def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
    # Legacy PKCS #5 v1.5 key encryption is not supported by every TLS
    # library build; skip rather than fail where it is missing.
    check_pkcs5_v15_support(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                 private_key_passwd="whatever")
    eap_connect(dev[0], ap, "TLS", "tls user", **creds)

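def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    def set_blob(name, path):
        # Load a PEM file into a named wpa_supplicant config blob; the control
        # interface takes the blob contents hex-encoded.
        # NOTE(review): str.encode("hex") is Python 2 only; a Python 3 port
        # needs binascii.hexlify() here.
        data = read_pem(path)
        if "OK" not in dev[0].request("SET blob " + name + " " +
                                      data.encode("hex")):
            # Report the blob that actually failed (the user key error used
            # to be reported as "cacert").
            raise Exception("Could not set " + name + " blob")

    set_blob("cacert", "auth_serv/ca.pem")
    set_blob("usercert", "auth_serv/user.pem")
    set_blob("userkey", "auth_serv/user.rsa-key")
    # All three credentials are referenced via blob:// instead of files.
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")
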
def test_ap_wpa2_eap_tls_blob_missing(dev, apdev):
    """EAP-TLS and config blob missing"""
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    missing = "blob://testing-blob-does-not-exist"
    # Every credential points at a blob that was never set; EAP-TLS must
    # refuse to initialize rather than proceed without a trust root or key.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                identity="tls user", ca_cert=missing, client_cert=missing,
                private_key=missing, wait_connect=False, scan_freq="2412")
    if sta.wait_event(["EAP: Failed to initialize EAP method"],
                      timeout=10) is None:
        raise Exception("EAP failure not reported")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()

def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
    """EAP-TLS and TLS Message Length in unfragmented packets"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # include_tls_length=1 makes the client add the TLS Message Length field
    # even when no fragmentation is needed.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], ap, "TLS", "tls user",
                phase1="include_tls_length=1", **creds)

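def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    check_pkcs12_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # Case 1: the PKCS#12 passphrase is part of the network block.
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Case 2: no passphrase configured. wpa_supplicant has to ask for it over
    # the control interface (CTRL-REQ-PASSPHRASE) and accept the reply.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    if ev is None:
        raise Exception("Request for private key passphrase timed out")
    # The network id is the last '-'-separated token before the first ':' of
    # the request and must be echoed back in the CTRL-RSP-PASSPHRASE reply.
    # (Named req_id so the builtin id() is not shadowed.)
    req_id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + req_id + ":whatever")
    dev[0].wait_connected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Run this twice to verify certificate chain handling with OpenSSL. Use two
    # different files to cover both cases of the extra certificate being the
    # one that signed the client certificate and it being unrelated to the
    # client certificate.
    for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
        for _ in range(2):
            eap_connect(dev[0], hapd, "TLS", "tls user",
                        ca_cert="auth_serv/ca.pem",
                        private_key=pkcs12,
                        private_key_passwd="whatever")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()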
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    check_pkcs12_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)

    def set_blob(name, data):
        """Push data into wpa_supplicant as a named, hex-encoded blob."""
        res = dev[0].request("SET blob " + name + " " + data.encode("hex"))
        if "OK" not in res:
            raise Exception("Could not set " + name + " blob")

    # Trust root and PKCS#12 bundle are both referenced as blob://<name>
    # instead of a file path.
    set_blob("cacert", read_pem("auth_serv/ca.pem"))
    with open("auth_serv/user.pkcs12", "rb") as pkcs12_file:
        set_blob("pkcs12", pkcs12_file.read())
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
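def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    # dev[0] gets the wrong CA as a configuration blob, dev[1] as a file.
    # Both must reject the server certificate, report EAP failure, disconnect
    # and temporarily disable the network block.
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")
    # "\\m" keeps the literal backslash in the identity; the former "\m" is
    # an invalid escape sequence that newer Python versions warn about.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="blob://cacert",
                   wait_connect=False, scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca-incorrect.pem",
                   wait_connect=False, scan_freq="2412")

    def expect(sta, events, timeout, err):
        """Wait for one of events on sta; raise err on timeout."""
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(err)
        return ev

    # Loop variable is sta, not dev, so the dev parameter is not rebound.
    for sta in (dev[0], dev[1]):
        expect(sta, ["CTRL-EVENT-EAP-STARTED"], 16,
               "Association and EAP start timed out")

        ev = expect(sta, ["CTRL-EVENT-EAP-METHOD"], 10,
                    "EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        ev = expect(sta, ["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                          "CTRL-EVENT-EAP-SUCCESS",
                          "CTRL-EVENT-EAP-FAILURE",
                          "CTRL-EVENT-CONNECTED",
                          "CTRL-EVENT-DISCONNECTED"], 10,
                    "EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = expect(sta, ["CTRL-EVENT-EAP-SUCCESS",
                          "CTRL-EVENT-EAP-FAILURE",
                          "CTRL-EVENT-CONNECTED",
                          "CTRL-EVENT-DISCONNECTED"], 10,
                    "EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = expect(sta, ["CTRL-EVENT-CONNECTED",
                          "CTRL-EVENT-DISCONNECTED"], 10,
                    "EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        expect(sta, ["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
               "Network block disabling not reported")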
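def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # First network block trusts the correct CA and must connect.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   ca_cert="auth_serv/ca.pem",
                   wait_connect=True, scan_freq="2412")
    # Second block is identical apart from trusting the wrong CA; it is only
    # added now and selected below. (net_id avoids shadowing the builtin id.)
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    # Switching blocks must start a fresh EAP-TTLS run (EAP method 21),
    # presumably so the new ca_cert is enforced instead of a cached TLS
    # session being resumed.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # The wrong trust root must end in a disconnect with reason code 23
    # (IEEE 802.1X authentication failed).
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")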
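def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # Variant of test_ap_wpa2_eap_tls_diff_ca_trust: the first block has no
    # ca_cert at all (server certificate not validated) and must connect.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   wait_connect=True, scan_freq="2412")
    # Second block trusts the wrong CA; added only, selected below.
    # (net_id avoids shadowing the builtin id.)
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    # A fresh EAP-TTLS run (EAP method 21) is required after the switch.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # The wrong trust root must end in a disconnect with reason code 23
    # (IEEE 802.1X authentication failed).
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")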
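def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # Single network block: connect with the correct CA first.
    # (net_id avoids shadowing the builtin id.)
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca.pem",
                            wait_connect=True, scan_freq="2412")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    # Then swap ca_cert on the same block to the wrong CA and reselect it.
    dev[0].set_network_quoted(net_id, "ca_cert", "auth_serv/ca-incorrect.pem")
    dev[0].select_network(net_id, freq="2412")

    # A fresh EAP-TTLS run (EAP method 21) is required after the change.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # The wrong trust root must end in a disconnect with reason code 23
    # (IEEE 802.1X authentication failed).
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")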
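def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    check_domain_suffix_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # The CA is the correct one; only domain_suffix_match is wrong, so the
    # rejection has to come from the suffix check and say so in the event.
    # ("\\m" keeps the literal backslash; "\m" is an invalid escape.)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    def expect(events, timeout, err):
        """Wait for one of events on dev[0]; raise err on timeout."""
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(err)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")

    ev = expect(["CTRL-EVENT-EAP-METHOD"], 10,
                "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10,
                "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10,
                "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10,
                "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
           "Network block disabling not reported")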
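def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch"""
    check_domain_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # Correct CA, but domain_match requires an exact match of the server
    # name, so "w1.fi" must be rejected and reported as a domain mismatch.
    # ("\\m" keeps the literal backslash; "\m" is an invalid escape.)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    def expect(events, timeout, err):
        """Wait for one of events on dev[0]; raise err on timeout."""
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(err)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")

    ev = expect(["CTRL-EVENT-EAP-METHOD"], 10,
                "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10,
                "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10,
                "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10,
                "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
           "Network block disabling not reported")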
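def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # Correct CA; subject_match is set to a DN that is expected not to match
    # the server certificate, so the handshake must fail on that check.
    # ("\\m" keeps the literal backslash; "\m" is an invalid escape.)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    def expect(events, timeout, err):
        """Wait for one of events on dev[0]; raise err on timeout."""
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(err)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")

    ev = expect(["CTRL-EVENT-EAP-METHOD",
                 "EAP: Failed to initialize EAP method"], 10,
                "EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # A TLS library without subject_match support refuses to start the
        # method at all, which still denies the connection; only OpenSSL
        # builds are required to get past this point.
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10,
                "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10,
                "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10,
                "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
           "Network block disabling not reported")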
def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], ap_params)

    # Four altsubject_match values, none of which may match the server
    # certificate: a bare name without a type prefix, a wrong DNS name, the
    # parent domain alone and a partial name. Each is run as its own
    # connection attempt by the helper below.
    mismatches = ("incorrect.example.com",
                  "DNS:incorrect.example.com",
                  "DNS:w1.fi",
                  "DNS:erver.w1.fi")
    for altsubject in mismatches:
        _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, altsubject)
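def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one EAP-TTLS attempt with altsubject_match=match and require it
    to be rejected as an AltSubject mismatch (apdev is unused; the AP is
    set up by the caller)."""
    # ("\\m" keeps the literal backslash; "\m" is an invalid escape.)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    def expect(events, timeout, err):
        """Wait for one of events on dev[0]; raise err on timeout."""
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(err)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")

    ev = expect(["CTRL-EVENT-EAP-METHOD",
                 "EAP: Failed to initialize EAP method"], 10,
                "EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # A TLS library without altsubject_match support refuses to start
        # the method, which still denies the connection; only OpenSSL builds
        # are required to get past this point.
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10,
                "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10,
                "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10,
                "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
           "Network block disabling not reported")

    # Clean up so the caller can run the next value on a fresh block.
    dev[0].request("REMOVE_NETWORK all")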
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Server is validated against ca.pem; no client certificate is configured.
    # A reauthentication with the same method must also succeed.
    eap_connect(dev[0], ap, "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], "UNAUTH-TLS")
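def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    # SHA-256 of the server certificate the test AP presents (pinned value).
    srv_cert_hash = "4704e62784f36cc5fd964c6410402f4938773bb471dce9d42939bf22fdbdb2dd"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    def expect(events, timeout, err):
        """Wait for one of events on dev[0]; raise err on timeout."""
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(err)
        return ev

    # Step 1: ca_cert="probe://" only reports the server certificate chain
    # (CTRL-EVENT-EAP-PEER-CERT with its hash) and then aborts the
    # connection; the depth=0 hash must equal srv_cert_hash.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")
    ev = expect(["CTRL-EVENT-EAP-PEER-CERT depth=0"], 10,
                "No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], 10, "EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 2: pin a different SHA-256 value; the server certificate must be
    # rejected as a mismatch. ("\\m" keeps the literal backslash in the
    # identity; "\m" is an invalid escape sequence.)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")
    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], 10, "EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 3: pin the hash reported by the probe; the connection succeeds.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")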
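def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # Three malformed hash:// pins, one per station: an unsupported digest
    # name (md5), a sha256 value with only 62 hex digits, and one containing
    # a non-hex character ('Q'). Each must be rejected when the EAP method is
    # initialized.
    bad_pins = ["hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
                "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q"]
    # ("\\m" keeps the literal backslash; "\m" is an invalid escape.)
    for idx, pin in enumerate(bad_pins):
        dev[idx].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                         identity="DOMAIN\\mschapv2 user",
                         anonymous_identity="ttls",
                         password="password", phase2="auth=MSCHAPV2",
                         ca_cert=pin,
                         wait_connect=False, scan_freq="2412")
    for idx in range(3):
        ev = dev[idx].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = dev[idx].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")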
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd"""
    check_eap_capa(dev[0], "PWD")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)

    # Plain connect plus reauthentication.
    eap_connect(dev[0], ap, "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    # A very long identity with a small fragment_size exercises EAP-pwd
    # fragmentation of the peer's messages.
    long_identity = ("pwd.user@test1234567890123456789012345678901234567890"
                     "1234567890123456789012345678901234567890123456789012"
                     "34567890.example.com")
    eap_connect(dev[1], ap, "PWD", long_identity,
                password="secret password",
                fragment_size="90")

    logger.info("Negative test with incorrect password")
    eap_connect(dev[2], ap, "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

    # Same long identity again with an even smaller fragment size.
    eap_connect(dev[0], ap, "PWD", long_identity,
                password="secret password",
                fragment_size="31")
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash"""
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    nthash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    # "pwd-hash" accepts both the clear-text password and the NT hash given
    # via password_hex.
    eap_connect(dev[0], ap, "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], ap, "PWD", "pwd-hash", password_hex=nthash)
    # The same hash must not work for the "pwd user" entry.
    eap_connect(dev[2], ap, "PWD", "pwd user",
                password_hex=nthash,
                expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_pwd_salt_sha1(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and salted password SHA-1"""
    check_eap_capa(dev[0], "PWD")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "pwd-hash-sha1" is the user entry whose stored credential is presumably
    # the salted SHA-1 form (eap_user.conf is not shown here).
    eap_connect(dev[0], ap, "PWD", "pwd-hash-sha1", password="secret password")
def test_ap_wpa2_eap_pwd_salt_sha256(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and salted password SHA256"""
    check_eap_capa(dev[0], "PWD")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "pwd-hash-sha256" is the user entry whose stored credential is
    # presumably the salted SHA-256 form (eap_user.conf is not shown here).
    eap_connect(dev[0], ap, "PWD", "pwd-hash-sha256",
                password="secret password")
def test_ap_wpa2_eap_pwd_salt_sha512(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and salted password SHA512"""
    check_eap_capa(dev[0], "PWD")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "pwd-hash-sha512" is the user entry whose stored credential is
    # presumably the salted SHA-512 form (eap_user.conf is not shown here).
    eap_connect(dev[0], ap, "PWD", "pwd-hash-sha512",
                password="secret password")
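def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups"""
    check_eap_capa(dev[0], "PWD")
    tls = dev[0].request("GET tls_library")
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf"}
    # Groups 19, 20, 21, 25 and 26 are always tried. The Brainpool groups
    # 27-30 are added only when both the build-time and run-time OpenSSL are
    # 1.0.2 or 1.1 (the two version checks used to be duplicated; they are
    # mutually exclusive, so one loop is equivalent).
    groups = [19, 20, 21, 25, 26]
    if tls.startswith("OpenSSL"):
        for ver in ("1.0.2", "1.1"):
            if "build=OpenSSL " + ver in tls and "run=OpenSSL " + ver in tls:
                logger.info("Add Brainpool EC groups since OpenSSL is new enough")
                groups += [27, 28, 29, 30]
                break
    for group in groups:
        logger.info("Group %d" % group)
        params['pwd_group'] = str(group)
        hapd = hostapd.add_ap(apdev[0], params)
        try:
            eap_connect(dev[0], hapd, "PWD", "pwd user",
                        password="secret password")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
            dev[0].dump_monitor()
        except Exception:
            # Was a bare except:, which also swallowed KeyboardInterrupt and
            # SystemExit in the tolerated BoringSSL/group 25 case.
            if "BoringSSL" in tls and group == 25:
                logger.info("Ignore connection failure with group %d with BoringSSL" % group)
                dev[0].request("DISCONNECT")
                time.sleep(0.1)
                dev[0].request("REMOVE_NETWORK all")
                dev[0].dump_monitor()
                continue
            raise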
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group"""
    check_eap_capa(dev[0], "PWD")
    # pwd_group 0 is not a usable group; the server side is expected to fail
    # the EAP exchange rather than connect.
    ap_params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
                 "rsn_pairwise": "CCMP", "ieee8021x": "1",
                 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
                 "pwd_group": "0"}
    hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
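def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
    check_eap_capa(dev[0], "PWD")
    # The AP config is spelled out because fragment_size (server-side EAP
    # fragmentation, 40 bytes) and pwd_group are needed on top of the usual
    # WPA2-Enterprise parameters. (An unused wpa2_eap_params() call that was
    # immediately overwritten has been dropped.)
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "pwd_group": "19", "fragment_size": "40"}
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PWD", "pwd user", password="secret password")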
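def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # net_id (not the builtin name id) is the network block used below.
    net_id = eap_connect(dev[0], hapd, "GPSK", "gpsk user",
                         password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    logger.info("Test forced algorithm selection")
    # Changing phase1 on the live block triggers a new EAP run; both
    # supported ciphers must reach EAP success and a connected state.
    for phase1 in ["cipher=1", "cipher=2"]:
        dev[0].set_network_quoted(net_id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    # cipher=9 is not offered by the server, so negotiation must fail.
    dev[0].set_network_quoted(net_id, "phase1", "cipher=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)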
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The SAKE credential is a 32-byte value supplied as hex.
    good_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(dev[0], ap, "SAKE", "sake user", password_hex=good_key)
    eap_reauth(dev[0], "SAKE")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # First byte differs from good_key; authentication must fail.
    bad_key = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(dev[0], ap, "SAKE", "sake user",
                password_hex=bad_key,
                expect_failure=True)
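def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # net_id (not the builtin name id) is the network block used below.
    net_id = eap_connect(dev[0], hapd, "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    logger.info("Test forced algorithm selection")
    # Each phase1 string pins one EKE proposal (DH group, encryption, PRF,
    # MAC); changing it on the live block triggers a new EAP run that must
    # succeed.
    for phase1 in ["dhgroup=5 encr=1 prf=2 mac=2",
                   "dhgroup=4 encr=1 prf=2 mac=2",
                   "dhgroup=3 encr=1 prf=2 mac=2",
                   "dhgroup=3 encr=1 prf=1 mac=1"]:
        dev[0].set_network_quoted(net_id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    # A proposal the server does not support must end in EAP failure.
    dev[0].set_network_quoted(net_id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "EKE", "eke user", password="hello1",
                expect_failure=True)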
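def test_ap_wpa2_eap_eke_many(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-EKE (many connections) [long]"""
    if not params['long']:
        raise HwsimSkip("Skip test case with long duration due to --long not specified")
    # The AP configuration gets its own name so the test-runner params
    # argument is not rebound (the original reused the parameter name).
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], ap_params)
    success = 0
    fail = 0
    # 100 rounds of three parallel EAP-EKE connections. Failures are counted
    # and logged, not treated as errors (see the comment below).
    for i in range(100):
        for j in range(3):
            dev[j].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="EKE",
                           identity="eke user", password="hello",
                           phase1="dhgroup=3 encr=1 prf=1 mac=1",
                           scan_freq="2412", wait_connect=False)
        for j in range(3):
            ev = dev[j].wait_event(["CTRL-EVENT-CONNECTED",
                                    "CTRL-EVENT-DISCONNECTED"], timeout=15)
            if ev is None:
                raise Exception("No connected/disconnected event")
            if "CTRL-EVENT-DISCONNECTED" in ev:
                fail += 1
                # The RADIUS server limits on active sessions can be hit when
                # going through this test case, so try to give some more time
                # for the server to remove sessions.
                logger.info("Failed to connect i=%d j=%d" % (i, j))
                dev[j].request("REMOVE_NETWORK all")
                time.sleep(1)
            else:
                success += 1
                dev[j].request("REMOVE_NETWORK all")
                dev[j].wait_disconnected()
            dev[j].dump_monitor()
    logger.info("Total success=%d failure=%d" % (success, fail))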
2820
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
    ap_params = int_eap_server_params()
    # Server identity given in NAI form (user@realm) rather than a bare name.
    ap_params['server_id'] = 'example.server@w1.fi'
    hapd = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[0], hapd, "EKE", "eke user", password="hello")
f7e3c17b 2827
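def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with server OOM

    Injects allocation failures into the hostapd-side EAP-EKE
    implementation and checks that each one turns into a clean EAP
    failure instead of a crash or an unexpected connection.
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)

    # Failures in the EKE message builders/parsers with a correct password:
    # the connection attempt must fail.
    for count, func in [(1, "eap_eke_build_commit"),
                        (2, "eap_eke_build_commit"),
                        (3, "eap_eke_build_commit"),
                        (1, "eap_eke_build_confirm"),
                        (2, "eap_eke_build_confirm"),
                        (1, "eap_eke_process_commit"),
                        (2, "eap_eke_process_commit"),
                        (1, "eap_eke_process_confirm"),
                        (1, "eap_eke_process_identity"),
                        (2, "eap_eke_process_identity"),
                        (3, "eap_eke_process_identity"),
                        (4, "eap_eke_process_identity")]:
        with alloc_fail(hapd, count, func):
            eap_connect(dev[0], hapd, "EKE", "eke user", password="hello",
                        expect_failure=True)
            dev[0].request("REMOVE_NETWORK all")

    # Failures in init/key export/message allocation; "wrong" is used for
    # the failure-message builder so that path is actually reached.
    for count, func, pw in [(1, "eap_eke_init", "hello"),
                            (1, "eap_eke_get_session_id", "hello"),
                            (1, "eap_eke_getKey", "hello"),
                            (1, "eap_eke_build_msg", "hello"),
                            (1, "eap_eke_build_failure", "wrong"),
                            (1, "eap_eke_build_identity", "hello"),
                            (2, "eap_eke_build_identity", "hello")]:
        with alloc_fail(hapd, count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            for i in range(20):
                time.sleep(0.1)
                if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                    break
            dev[0].request("REMOVE_NETWORK all")

    # Sweep every allocation in the generic server state machine step until
    # the injected failure no longer triggers. The password is given
    # explicitly here; the previous version relied on the loop variable 'pw'
    # leaking out of the loop above (whose last value happened to be "hello").
    for count in range(1, 1000):
        try:
            with alloc_fail(hapd, count, "eap_server_sm_step"):
                dev[0].connect("test-wpa2-eap",
                               key_mgmt="WPA-EAP WPA-EAP-SHA256",
                               eap="EKE", identity="eke user",
                               password="hello",
                               wait_connect=False, scan_freq="2412")
                # This would eventually time out, but we can stop after having
                # reached the allocation failure.
                for i in range(10):
                    time.sleep(0.1)
                    if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                        break
                dev[0].request("REMOVE_NETWORK all")
        except Exception as e:
            if str(e) == "Allocation failure did not trigger":
                # Sanity check that the sweep actually covered something.
                if count < 30:
                    raise Exception("Too few allocation failures")
                logger.info("%d allocation failures tested" % (count - 1))
                break
            # Bare re-raise keeps the original traceback.
            raise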
2891
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    check_eap_capa(dev[0], "IKEV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    good_pw = "ike password"

    eap_connect(dev[0], hapd, "IKEV2", "ikev2 user", password=good_pw)
    eap_reauth(dev[0], "IKEV2")
    dev[0].request("REMOVE_NETWORK all")

    # Client-side fragmentation with a deliberately tiny fragment size.
    eap_connect(dev[0], hapd, "IKEV2", "ikev2 user", password=good_pw,
                fragment_size="50")

    # "ike-password" differs from the configured password by one character
    # and must be rejected.
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "IKEV2", "ikev2 user", password="ike-password",
                expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # fragment_size=0 corner case (presumably "no fragmentation" -- verify
    # against the EAP config parser).
    eap_connect(dev[0], hapd, "IKEV2", "ikev2 user", password=good_pw,
                fragment_size="0")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
f10ba3b2 2914
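def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
    check_eap_capa(dev[0], "IKEV2")
    # The AP is configured with an explicit dict (instead of
    # hostapd.wpa2_eap_params()) so that the authentication server's
    # fragment_size can be forced down to 50 bytes. The earlier
    # wpa2_eap_params() call was overwritten immediately and has been dropped.
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "fragment_size": "50"}
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")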
2927
def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
    check_eap_capa(dev[0], "IKEV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], ap_params)

    def run_with_injected_failure(injector, count, func, query):
        # Start an IKEv2 attempt with the failure injected into 'func',
        # require that the method was selected, then poll the supplicant
        # until the injected failure has fired (or ~0.2 s have elapsed).
        with injector(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5) is None:
                raise Exception("EAP method not selected")
            for _ in range(10):
                if "0:" in dev[0].request(query):
                    break
                time.sleep(0.02)
            dev[0].request("REMOVE_NETWORK all")

    # Allocation failures in the DH helpers used by the IKEv2 exchange.
    for count, func in [(1, "dh_init"),
                        (2, "dh_init"),
                        (1, "dh_derive_shared")]:
        run_with_injected_failure(alloc_fail, count, func, "GET_ALLOC_FAIL")

    # Forced failure of the DH/random primitive; the hook name depends on the
    # crypto backend the supplicant was built against.
    tls = dev[0].request("GET tls_library")
    if tls.startswith("wolfSSL"):
        forced = [(1, "crypto_dh_init;dh_init")]
    else:
        forced = [(1, "os_get_random;dh_init")]
    for count, func in forced:
        run_with_injected_failure(fail_test, count, func, "GET_FAIL")
2969
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    pax_user = "pax.user@example.com"
    eap_connect(dev[0], hapd, "PAX", pax_user,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "PAX")

    # First byte of the 128-bit key flipped (01 -> ff): must be rejected.
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "PAX", pax_user,
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
2983
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # SHA-256 based AKM with management frame protection required.
    ap_params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_params["ieee80211w"] = "2"
    hapd = hostapd.add_ap(apdev[0], ap_params)
    psk_user = "psk.user@example.com"
    eap_connect(dev[0], hapd, "PSK", psk_user,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    # 00-0f-ac-5 is the RSN AKM selector for 802.1X with SHA-256, i.e. the
    # WPA-EAP-SHA256 key management configured above.
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                       ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5")])

    bss = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    # First byte of the key flipped (01 -> ff): must be rejected.
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "PSK", psk_user,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
3007
def test_ap_wpa2_eap_psk_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK and OOM"""
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], ap_params)

    def start_psk_connection():
        # Kick off an EAP-PSK attempt without waiting for the outcome.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                       identity="psk.user@example.com",
                       password_hex="0123456789abcdef0123456789abcdef",
                       wait_connect=False, scan_freq="2412")

    def require_method_selected():
        if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5) is None:
            raise Exception("EAP method not selected")

    def drop_network():
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Allocation failures inside the AES-EAX wrappers protecting the
    # EAP-PSK exchange.
    for count, func in [(1, "=aes_128_eax_encrypt"),
                        (1, "=aes_128_eax_decrypt")]:
        with alloc_fail(dev[0], count, func):
            start_psk_connection()
            require_method_selected()
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL",
                              note="Failure not triggered: %d:%s" % (count, func))
            drop_network()

    # Forced failures of the AES-CTR / OMAC1 primitives underneath EAX, on
    # both the encrypt and the decrypt side.
    for count, func in [(1, "aes_ctr_encrypt;aes_128_eax_encrypt"),
                        (1, "omac1_aes_128;aes_128_eax_encrypt"),
                        (2, "omac1_aes_128;aes_128_eax_encrypt"),
                        (3, "omac1_aes_128;aes_128_eax_encrypt"),
                        (1, "omac1_aes_vector"),
                        (1, "omac1_aes_128;aes_128_eax_decrypt"),
                        (2, "omac1_aes_128;aes_128_eax_decrypt"),
                        (3, "omac1_aes_128;aes_128_eax_decrypt"),
                        (1, "aes_ctr_encrypt;aes_128_eax_decrypt")]:
        with fail_test(dev[0], count, func):
            start_psk_connection()
            require_method_selected()
            wait_fail_trigger(dev[0], "GET_FAIL",
                              note="Failure not triggered: %d:%s" % (count, func))
            drop_network()

    # A failing block cipher must surface as an EAP failure, not a hang.
    with fail_test(dev[0], 1, "aes_128_encrypt_block"):
        start_psk_connection()
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
            raise Exception("EAP method failure not reported")
        drop_network()
8c4e4c01 3062
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    # WPA (not WPA2) AP, hence rsn=False on the EAP checks below.
    ap_params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
                   scan_freq="2412")
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    # 00-50-f2-1 is the WPA (pre-RSN) AKM selector for 802.1X.
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                       ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1")])

    status = dev[0].get_status(extra="VERBOSE")
    port_control = status.get('portControl')
    if port_control is None:
        raise Exception("portControl missing from STATUS-VERBOSE")
    if port_control != 'Auto':
        raise Exception("Unexpected portControl value: " + port_control)
    session_id = status.get('eap_session_id')
    if session_id is None:
        raise Exception("eap_session_id missing from STATUS-VERBOSE")
    # Per RFC 5247 the Session-Id starts with the EAP method type;
    # 0x19 = 25 = PEAP.
    if not session_id.startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + session_id)
3086
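def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry

    The identity and/or password are not stored in the network block but
    supplied over the control interface in response to CTRL-REQ-IDENTITY /
    CTRL-REQ-PASSWORD / CTRL-REQ-OTP events.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    # Written as "\\m": the old literal "\m" yields the same string (Python
    # keeps the backslash for an unknown escape) but is flagged as an invalid
    # escape sequence (DeprecationWarning; SyntaxWarning from 3.12).
    domain_user = "DOMAIN\\mschapv2 user"

    # (description, eap, anonymous_identity, identity, phase2,
    #  identity to answer CTRL-REQ-IDENTITY with (None = not requested),
    #  password to answer CTRL-REQ-PASSWORD / CTRL-REQ-OTP with)
    tests = [("Connection with dynamic TTLS/MSCHAPv2 password entry",
              "TTLS", "ttls", domain_user, "auth=MSCHAPV2", None, "password"),
             ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
              "TTLS", "ttls", None, "auth=MSCHAPV2", domain_user, "password"),
             ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
              "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
             ("Connection with dynamic TTLS/EAP-MD5 password entry",
              "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
             ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
              "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
             ("Connection with dynamic PEAP/EAP-GTC password entry",
              "PEAP", None, "user", "auth=GTC", None, "password")]
    for desc, eap, anon, identity, phase2, req_id, req_pw in tests:
        logger.info(desc)
        # ca_cert is always set: the interactively supplied credential must
        # only be released inside a tunnel validated against the test CA.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        if req_id:
            ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
            if ev is None:
                raise Exception("Request for identity timed out")
            # The request number is the token after the last '-' in the
            # "CTRL-REQ-IDENTITY-<n>:..." prefix.
            req_num = ev.split(':')[0].split('-')[-1]
            dev[0].request("CTRL-RSP-IDENTITY-" + req_num + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD", "CTRL-REQ-OTP"])
        if ev is None:
            raise Exception("Request for password timed out")
        req_num = ev.split(':')[0].split('-')[-1]
        # The supplicant may ask for either a password or a one-time
        # password; answer with the response type it asked for.
        req_type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + req_type + "-" + req_num + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")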
e745c811 3127
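def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
    """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK

    Connects with an interactively supplied identity, then enables a second
    (unrelated) network block and verifies that doing so does not trigger a
    new authentication attempt on the established connection.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    # Added but not enabled; enabled later while the EAP connection is up.
    id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
                              only_add_network=True)

    # Written as "\\m": the old literal "\m" yields the same string but is
    # an invalid escape sequence that newer Python versions warn about.
    req_id = "DOMAIN\\mschapv2 user"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   anonymous_identity="ttls", identity=None,
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    if ev is None:
        raise Exception("Request for identity timed out")
    # Request number is the token after the last '-' in the event prefix.
    req_num = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + req_num + ":" + req_id)
    dev[0].wait_connected(timeout=10)

    if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
        raise Exception("Failed to enable network")
    # Enabling another network while connected must not start a new
    # authentication (SME) attempt.
    ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
    if ev is not None:
        raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
    dev[0].request("REMOVE_NETWORK all")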
3156
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[0], hapd, "VENDOR-TEST", "vendor-test")
    eap_reauth(dev[0], "VENDOR-TEST")
    # Second station with password="pending" -- presumably drives the
    # method's deferred ("pending") processing path; verify against the
    # vendor-test method implementation.
    eap_connect(dev[1], hapd, "VENDOR-TEST", "vendor-test",
                password="pending")
53a6f06a 3165
def test_ap_wpa2_eap_vendor_test_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test (OOM)"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], ap_params)

    # One allocation failure at a time in the method's init, message
    # processing and key export paths; each must be handled cleanly.
    for func in ("eap_vendor_test_init",
                 "eap_msg_alloc;eap_vendor_test_process",
                 "eap_vendor_test_getKey"):
        with alloc_fail(dev[0], 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           scan_freq="2412",
                           eap="VENDOR-TEST", identity="vendor-test",
                           wait_connect=False)
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
3183
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    # NOTE(review): fast_provisioning=1 selects unauthenticated PAC
    # provisioning; a PAC obtained this way is only as trustworthy as the
    # network it came from, which is acceptable on this closed test bench.
    eap_connect(dev[0], hapd, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # The reauthentication must resume the TLS session via the provisioned
    # PAC rather than run a full handshake.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
53a6f06a 3197
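def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file

    Provisions a PAC into a file (text format on dev[0], binary format on
    dev[1]) and then reconnects using only the stored PAC. The files live in
    the test log directory and are removed again at the end.
    """
    check_eap_capa(dev[0], "FAST")
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)

    try:
        # Unauthenticated provisioning writes a text-format PAC file.
        eap_connect(dev[0], hapd, "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1", pac_file=pac_file)
        with open(pac_file, "r") as f:
            data = f.read()
        if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
            raise Exception("PAC file header missing")
        if "PAC-Key=" not in data:
            raise Exception("PAC-Key missing from PAC file")
        dev[0].request("REMOVE_NETWORK all")
        # Reconnect without provisioning: the stored PAC must suffice.
        eap_connect(dev[0], hapd, "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    pac_file=pac_file)

        # Same sequence with the binary PAC format on the second station.
        eap_connect(dev[1], hapd, "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1 fast_pac_format=binary",
                    pac_file=pac_file2)
        dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[1], hapd, "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_pac_format=binary",
                    pac_file=pac_file2)
    finally:
        # The PAC files hold the PAC-Key, a reusable credential: do not leave
        # them behind in the log directory. Cleanup is best-effort (the file
        # may never have been written), but only OSError is swallowed --
        # the previous bare "except:" also hid KeyboardInterrupt.
        for path in (pac_file, pac_file2):
            try:
                os.remove(path)
            except OSError:
                pass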
873e7c29 3243
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)

    def provision(max_pac_list_len):
        # Unauthenticated provisioning into a binary-format PAC blob with
        # the given PAC list length limit.
        phase1 = ("fast_provisioning=1 fast_max_pac_list_len=%d "
                  "fast_pac_format=binary" % max_pac_list_len)
        eap_connect(dev[0], hapd, "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1=phase1, pac_file="blob://fast_pac_bin")

    provision(1)
    # Reauthentication must resume via the provisioned PAC.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")

    # Verify fast_max_pac_list_len=0 special case
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    provision(0)
3266
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], ap_params)

    def expect_eap_failure(**extra):
        # Without provisioning enabled there is no PAC to use, so the
        # attempt must end in an EAP failure.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412", **extra)
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception("Timeout on EAP failure report")

    # pac_file names a blob that holds no PAC.
    expect_eap_failure(pac_file="blob://fast_pac_not_in_use")
    dev[0].request("REMOVE_NETWORK all")
    # No pac_file configured at all.
    expect_eap_failure()
3292
def test_ap_wpa2_eap_fast_binary_pac_errors(dev, apdev):
    """EAP-FAST and binary PAC errors"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    blob = "fast_pac_bin_errors"
    # Binary PAC header used by the hand-built blobs below: magic/version,
    # a 16-bit field, 32 zero bytes, then the two length fields vary.
    pac_hdr = "6ae4920c0000" + "0000" + 32 * "00"

    def set_blob(hexdata):
        # Replace the PAC blob the supplicant will load on the next connect.
        if "OK" not in dev[0].request("SET blob " + blob + " " + hexdata):
            raise Exception("Could not set blob")

    def provision():
        # Full unauthenticated provisioning run with the binary PAC format.
        eap_connect(dev[0], hapd, "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1 fast_pac_format=binary",
                    pac_file="blob://" + blob)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    def expect_init_failure():
        # The supplicant must refuse to initialize EAP-FAST on a PAC blob it
        # cannot parse instead of continuing with partial data.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       phase1="fast_provisioning=1 fast_pac_format=binary",
                       pac_file="blob://" + blob,
                       scan_freq="2412", wait_connect=False)
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
                               timeout=5)
        if ev is None:
            raise Exception("Failure not reported")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Allocation failures while saving/writing the freshly provisioned PAC.
    for count, func in [(1, "=eap_fast_save_pac_bin"),
                        (1, "eap_fast_write_pac"),
                        (2, "eap_fast_write_pac")]:
        set_blob("")
        with alloc_fail(dev[0], count, func):
            provision()

    # Truncated or inconsistent binary PAC blobs.
    malformed = ["00", "000000000000", "6ae4920c0001",
                 "6ae4920c000000",
                 pac_hdr + "ffff" + "0000",
                 pac_hdr + "0001" + "0000",
                 pac_hdr + "0000" + "0001",
                 pac_hdr + "0000" + "0008" + "00040000" + "0007000100"]
    for hexdata in malformed:
        set_blob(hexdata)
        expect_init_failure()

    # Allocation failures while loading a minimal but well-formed blob.
    empty_pac = pac_hdr + "0000" + "0000"
    for count in (1, 2, 3):
        set_blob(empty_pac)
        with alloc_fail(dev[0], count, "eap_fast_load_pac_bin"):
            expect_init_failure()

    # A blob with an unknown 5-byte entry is tolerated and provisioning
    # proceeds.
    set_blob(pac_hdr + "0000" + "0005" + "0011223344")
    provision()

    # Allocation failures while extracting the A-ID from the blob.
    a_id_pac = pac_hdr + "0000" + "0009" + "00040000" + "0007000100"
    for count in (1, 2):
        set_blob(a_id_pac)
        with alloc_fail(dev[0], count, "eap_fast_pac_get_a_id"):
            provision()
3388
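def test_ap_wpa2_eap_fast_text_pac_errors(dev, apdev):
    """EAP-FAST and text PAC errors

    Exercises allocation failures and malformed input in the text PAC
    parser/writer, and the PAC-list append path while provisioning
    against several distinct servers.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    # Allocation failures while parsing hex fields / the START marker and
    # while saving the PAC.
    tests = [(1, "eap_fast_parse_hex;eap_fast_parse_pac_key"),
             (1, "eap_fast_parse_hex;eap_fast_parse_pac_opaque"),
             (1, "eap_fast_parse_hex;eap_fast_parse_a_id"),
             (1, "eap_fast_parse_start"),
             (1, "eap_fast_save_pac")]
    for count, func in tests:
        dev[0].request("FLUSH")
        if "OK" not in dev[0].request("SET blob fast_pac_text_errors "):
            raise Exception("Could not set blob")

        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                           identity="user", anonymous_identity="FAST",
                           password="password",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           phase1="fast_provisioning=1",
                           pac_file="blob://fast_pac_text_errors",
                           scan_freq="2412", wait_connect=False)
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Valid header followed by a PAC-Type line without a value: EAP-FAST
    # initialization must fail.
    pac = "wpa_supplicant EAP-FAST PAC file - version 1\n"
    pac += "START\n"
    pac += "PAC-Type\n"
    pac += "END\n"
    # Blobs are set as hex strings. str.encode("hex") was a Python 2-only
    # codec (LookupError on Python 3); binascii.hexlify() on the encoded
    # bytes gives the same hex text on both.
    pac_hex = binascii.hexlify(pac.encode("ascii")).decode("ascii")
    if "OK" not in dev[0].request("SET blob fast_pac_text_errors " + pac_hex):
        raise Exception("Could not set blob")

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="fast_provisioning=1",
                   pac_file="blob://fast_pac_text_errors",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=5)
    if ev is None:
        raise Exception("Failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    dev[0].request("FLUSH")
    if "OK" not in dev[0].request("SET blob fast_pac_text_errors "):
        raise Exception("Could not set blob")

    # Provision against three servers with distinct A-IDs and PAC
    # encryption keys while one allocation in the PAC-list append path is
    # made to fail somewhere along the way; every round must still connect.
    with alloc_fail(dev[0], 1, "eap_fast_add_pac_data"):
        for i in range(3):
            params = int_eap_server_params()
            params['ssid'] = "test-wpa2-eap-2"
            params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
            params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
            params['eap_fast_a_id_info'] = "test server %d" % i

            hapd2 = hostapd.add_ap(apdev[1], params)

            dev[0].connect("test-wpa2-eap-2", key_mgmt="WPA-EAP", eap="FAST",
                           identity="user", anonymous_identity="FAST",
                           password="password",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           phase1="fast_provisioning=1",
                           pac_file="blob://fast_pac_text_errors",
                           scan_freq="2412", wait_connect=False)
            dev[0].wait_connected()
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

            hapd2.disable()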
3463
def test_ap_wpa2_eap_fast_pac_truncate(dev, apdev):
    """EAP-FAST and PAC list truncation"""
    check_eap_capa(dev[0], "FAST")
    if "OK" not in dev[0].request("SET blob fast_pac_truncate "):
        raise Exception("Could not set blob")
    # Provision against five servers that differ in A-ID and PAC encryption
    # key while the supplicant is limited to two PAC entries
    # (fast_max_pac_list_len=2), so the stored list has to be trimmed.
    for i in range(5):
        ap_params = int_eap_server_params()
        ap_params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
        ap_params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
        ap_params['eap_fast_a_id_info'] = "test server %d" % i
        hapd = hostapd.add_ap(apdev[0], ap_params)

        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       phase1="fast_provisioning=1 fast_max_pac_list_len=2",
                       pac_file="blob://fast_pac_truncate",
                       scan_freq="2412", wait_connect=False)
        dev[0].wait_connected()
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

        hapd.disable()
3488
def test_ap_wpa2_eap_fast_pac_refresh(dev, apdev):
    """EAP-FAST and PAC refresh"""
    check_eap_capa(dev[0], "FAST")
    if "OK" not in dev[0].request("SET blob fast_pac_refresh "):
        raise Exception("Could not set blob")

    # Two rounds of two servers each (distinct A-ID and PAC encryption key):
    # first with a short PAC-Key refresh time (1) against a lifetime of 10,
    # then with refresh time equal to the lifetime (10). Units are not
    # visible here -- presumably seconds; check the hostapd config docs.
    for refresh_time in ("1", "10"):
        for i in range(2):
            ap_params = int_eap_server_params()
            ap_params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
            ap_params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
            ap_params['eap_fast_a_id_info'] = "test server %d" % i
            ap_params['pac_key_refresh_time'] = refresh_time
            ap_params['pac_key_lifetime'] = "10"
            hapd = hostapd.add_ap(apdev[0], ap_params)

            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                           identity="user", anonymous_identity="FAST",
                           password="password",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           phase1="fast_provisioning=1",
                           pac_file="blob://fast_pac_refresh",
                           scan_freq="2412", wait_connect=False)
            dev[0].wait_connected()
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

            hapd.disable()
3537
def test_ap_wpa2_eap_fast_pac_lifetime(dev, apdev):
    """EAP-FAST and PAC lifetime"""
    check_eap_capa(dev[0], "FAST")
    if "OK" not in dev[0].request("SET blob fast_pac_refresh "):
        raise Exception("Could not set blob")

    # Server hands out PACs that expire after 2 seconds and never refreshes
    # them (pac_key_refresh_time=0).
    server_idx = 0
    params = int_eap_server_params()
    params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % server_idx
    params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % server_idx
    params['eap_fast_a_id_info'] = "test server %d" % server_idx
    params['pac_key_refresh_time'] = "0"
    params['pac_key_lifetime'] = "2"
    hostapd.add_ap(apdev[0], params)

    # fast_provisioning=2 = authenticated provisioning only.
    netid = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                           identity="user", anonymous_identity="FAST",
                           password="password",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           phase1="fast_provisioning=2",
                           pac_file="blob://fast_pac_refresh",
                           scan_freq="2412", wait_connect=False)
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Let the PAC expire, drop the PMKSA cache so a full EAP exchange is
    # forced instead of a cached-PMK association, and expect the stale PAC
    # to be rejected.
    time.sleep(3)
    dev[0].request("PMKSA_FLUSH")
    dev[0].request("RECONNECT")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("No EAP-Failure seen after expired PAC")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # A new attempt on the same network profile must get connected again.
    dev[0].select_network(netid)
    dev[0].wait_connected()
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
3577
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=2: only server-authenticated provisioning is allowed.
    eap_connect(dev[0], hapd, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # Reauthentication has to resume via the provisioned PAC (TLS session
    # ticket) instead of running a full handshake.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    netid = eap_connect(dev[0], hapd, "FAST", "user",
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                        phase1="fast_provisioning=2",
                        pac_file="blob://fast_pac_auth")
    # Changing the inner identity of the live network profile forces a
    # reconnect; the test expects EAP-FAST to start and then fail for the
    # new identity rather than silently reuse the PAC issued to "user".
    dev[0].set_network_quoted(netid, "identity", "user2")
    dev[0].wait_disconnected()
    if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("EAP-FAST not started")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5) is None:
        raise Exception("EAP failure not reported")
    dev[0].wait_disconnected()
3611
def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
    check_eap_capa(dev[0], "FAST")
    # The function deriving EAP-FAST key material, and the alloc_fail
    # trigger index within it, depend on the TLS library the build uses.
    tls = dev[0].request("GET tls_library")
    if tls.startswith("OpenSSL"):
        func, count = "tls_connection_get_eap_fast_key", 2
    elif tls.startswith("internal"):
        func, count = "tls_connection_prf", 1
    else:
        raise HwsimSkip("Unsupported TLS library")
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    with alloc_fail(dev[0], count, func):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password", ca_cert="auth_serv/ca.pem",
                       phase2="auth=GTC",
                       phase1="fast_provisioning=2",
                       pac_file="blob://fast_pac_auth",
                       wait_connect=False, scan_freq="2412")
        # The failed allocation must surface as a clean EAP failure.
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")
        dev[0].request("DISCONNECT")
3638
def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
    """EAP-FAST/MSCHAPv2 and server OOM"""
    check_eap_capa(dev[0], "FAST")

    params = int_eap_server_params()
    params.update({'dh_file': 'auth_serv/dh.conf',
                   'pac_opaque_encr_key': '000102030405060708090a0b0c0d0e0f',
                   'eap_fast_a_id': '1011',
                   'eap_fast_a_id_info': 'another test server'})
    hapd = hostapd.add_ap(apdev[0], params)

    # Fail the first allocation in hostapd's session ticket extension
    # callback; the attempt has to end in an EAP failure, not a crash.
    with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
        netid = eap_connect(dev[0], hapd, "FAST", "user",
                            anonymous_identity="FAST", password="password",
                            ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                            phase1="fast_provisioning=1",
                            pac_file="blob://fast_pac",
                            expect_failure=True)
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
            raise Exception("No EAP failure reported")
        dev[0].wait_disconnected()
        dev[0].request("DISCONNECT")

    # With the failure lifted, kick off a retry on the same profile (the
    # test does not wait for its outcome).
    dev[0].select_network(netid, freq="2412")
3664
def test_ap_wpa2_eap_fast_cipher_suites(dev, apdev):
    """EAP-FAST and different TLS cipher suites"""
    check_eap_capa(dev[0], "FAST")
    tls = dev[0].request("GET tls_library")
    if not tls.startswith(("OpenSSL", "wolfSSL")):
        raise HwsimSkip("TLS library is not OpenSSL or wolfSSL: " + tls)

    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # Provision a PAC first (authenticated provisioning) and record which
    # suite that handshake negotiated.
    dev[0].request("SET blob fast_pac_ciphers ")
    eap_connect(dev[0], hapd, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_ciphers")
    prov_cipher = dev[0].get_status_field('EAP TLS cipher')
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    if prov_cipher != "DHE-RSA-AES256-SHA":
        raise Exception("Unexpected cipher suite for provisioning: " + prov_cipher)

    # Reconnect with the PAC while pinning one suite at a time. RC4-SHA is a
    # legacy suite; when an OpenSSL 1.1 build cannot negotiate it, the test
    # treats that as missing library support rather than as a bug.
    suites = ["DHE-RSA-AES128-SHA",
              "RC4-SHA",
              "AES128-SHA",
              "AES256-SHA",
              "DHE-RSA-AES256-SHA"]
    for cipher in suites:
        dev[0].dump_monitor()
        logger.info("Testing " + cipher)
        try:
            eap_connect(dev[0], hapd, "FAST", "user",
                        openssl_ciphers=cipher,
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                        pac_file="blob://fast_pac_ciphers",
                        report_failure=True)
        except Exception as e:
            rc4_unavailable = (cipher == "RC4-SHA" and
                               ("Could not select EAP method" in str(e) or
                                "EAP failed" in str(e)))
            if not (rc4_unavailable and "run=OpenSSL 1.1" in tls):
                raise
            logger.info("Allow failure due to missing TLS library support")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
            continue
        negotiated = dev[0].get_status_field('EAP TLS cipher')
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        if negotiated != cipher:
            raise Exception("Unexpected TLS cipher info (configured %s): %s" % (cipher, negotiated))
3717
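def _fast_prov_expect_result(dev, expected):
    """Wait for the EAP completion status and check its result.

    expected is the completion parameter to require, "success" or
    "failure". Raises if no completion status arrives within 15 seconds
    or if the reported result differs.
    """
    ev = dev.wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
                        timeout=15)
    if ev is None:
        raise Exception("EAP result not reported")
    if "parameter='%s'" % expected not in ev:
        raise Exception("Unexpected EAP result: " + ev)


def _fast_prov_set_server(hapd, mode):
    """Restart hapd with eap_fast_prov set to mode.

    mode is "0" (provisioning disabled), "1" (anonymous provisioning) or
    "2" (authenticated provisioning), as used by the test below.
    """
    hapd.disable()
    hapd.set("eap_fast_prov", mode)
    hapd.enable()


def _fast_prov_finish_success(dev):
    """Require a successful EAP result, then tear the connection down."""
    _fast_prov_expect_result(dev, "success")
    dev.wait_connected()
    dev.request("DISCONNECT")
    dev.wait_disconnected()
    dev.dump_monitor()


def _fast_prov_finish_failure(dev):
    """Require an EAP failure, then leave the station idle."""
    _fast_prov_expect_result(dev, "failure")
    dev.wait_disconnected()
    dev.request("DISCONNECT")
    dev.dump_monitor()


def test_ap_wpa2_eap_fast_prov(dev, apdev):
    """EAP-FAST and provisioning options"""
    check_eap_capa(dev[0], "FAST")
    if "OK" not in dev[0].request("SET blob fast_pac_prov "):
        raise Exception("Could not set blob")

    i = 100
    params = int_eap_server_params()
    # No PMKSA caching, so every round runs a full EAP exchange.
    params['disable_pmksa_caching'] = '1'
    params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
    params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
    params['eap_fast_a_id_info'] = "test server %d" % i
    params['eap_fast_prov'] = "0"
    hapd = hostapd.add_ap(apdev[0], params)

    logger.info("Provisioning attempt while server has provisioning disabled")
    netid = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                           identity="user", anonymous_identity="FAST",
                           password="password",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           phase1="fast_provisioning=2",
                           pac_file="blob://fast_pac_prov",
                           scan_freq="2412", wait_connect=False)
    _fast_prov_finish_failure(dev[0])

    logger.info("Authenticated provisioning")
    _fast_prov_set_server(hapd, "2")
    dev[0].select_network(netid, freq="2412")
    _fast_prov_finish_success(dev[0])

    logger.info("Provisioning disabled - using previously provisioned PAC")
    _fast_prov_set_server(hapd, "0")
    dev[0].select_network(netid, freq="2412")
    _fast_prov_finish_success(dev[0])

    logger.info("Drop PAC and verify connection failure")
    if "OK" not in dev[0].request("SET blob fast_pac_prov "):
        raise Exception("Could not set blob")
    dev[0].select_network(netid, freq="2412")
    _fast_prov_finish_failure(dev[0])

    # Anonymous provisioning is server-unauthenticated; the PAC it yields is
    # nevertheless accepted once provisioning is switched off again below.
    logger.info("Anonymous provisioning")
    _fast_prov_set_server(hapd, "1")
    dev[0].set_network_quoted(netid, "phase1", "fast_provisioning=1")
    dev[0].select_network(netid, freq="2412")
    # Anonymous provisioning results in EAP-Failure first
    _fast_prov_expect_result(dev[0], "failure")
    dev[0].wait_disconnected()
    # And then the actual data connection
    _fast_prov_finish_success(dev[0])

    logger.info("Provisioning disabled - using previously provisioned PAC")
    _fast_prov_set_server(hapd, "0")
    dev[0].select_network(netid, freq="2412")
    _fast_prov_finish_success(dev[0])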
3842
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # ocsp=2: the station requires a valid stapled OCSP response for the
    # server certificate (ocsp=1 would only use one when present).
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever", ocsp=2)
3852
def test_ap_wpa2_eap_tls_ocsp_multi(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP-multi"""
    check_ocsp_multi_support(dev[0])
    check_pkcs12_support(dev[0])

    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same client configuration as the single-response OCSP test; only the
    # capability check (multiple stapled responses) differs. ocsp=2 means a
    # valid response is mandatory.
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever", ocsp=2)
3863
def int_eap_server_params():
    """Return hostapd parameters for a BSS with the integrated EAP server.

    The dict configures a WPA2-Enterprise (CCMP, WPA-EAP, IEEE 802.1X) BSS
    "test-wpa2-eap" whose built-in EAP server uses the auth_serv/ test
    user database, CA, server certificate, key and DH parameters. A fresh
    dict is built on every call, so callers may modify the result freely.
    """
    params = dict(ssid="test-wpa2-eap",
                  wpa="2",
                  wpa_key_mgmt="WPA-EAP",
                  rsn_pairwise="CCMP",
                  ieee8021x="1",
                  eap_server="1",
                  eap_user_file="auth_serv/eap_user.conf",
                  ca_cert="auth_serv/ca.pem",
                  server_cert="auth_serv/server.pem",
                  private_key="auth_serv/server.key",
                  dh_file="auth_serv/dh.conf")
    return params
def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
    """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    # The response is a pre-generated file in logdir; skip when absent.
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-key-id.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    # ocsp=2: the stapled response must be present and verify.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   scan_freq="2412")
3889
def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (good)"""
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    # Response signed by the CA itself with status "good": with ocsp=2 the
    # connection is expected to complete.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   scan_freq="2412")
3905
def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (revoked)"""
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # A "revoked" status must abort the handshake when stapling is required.
    # Up to ten unrelated status events may precede the rejection.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev or 'certificate revoked' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
3937
def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (unknown)"""
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # An "unknown" status is not good enough for ocsp=2: the station must
    # report a bad certificate status response and fail EAP.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
3967
def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
    """EAP-TLS and server signed OCSP response"""
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # A response signed by the server's own key is not an authorized
    # responder; the station has to reject it rather than trust a
    # certificate vouching for itself.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
3997
def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    params = int_eap_server_params()
    # Staple an OCSP *request* where a response is expected: the station
    # must fail to parse it and refuse the handshake.
    params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
4024
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    params = int_eap_server_params()
    # A corrupted cached response: must be rejected, never treated as "good".
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
4051
def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    params = int_eap_server_params()
    # Response signed by a key the station does not trust: the signature
    # check must fail and the handshake must be aborted.
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    # Inner PAP sends the password in the TLS tunnel, so the server
    # certificate check (including ocsp=2) is all that protects it; a
    # revoked server certificate must therefore abort before phase 2.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev or 'certificate revoked' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
4109
def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown"""
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    # With ocsp=2 an "unknown" status is a hard failure (compare the
    # optional_ocsp_unknown variant, where ocsp=1 lets it through).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
4138
def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown"""
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    # ocsp=1 only requests stapling; an "unknown" status does not block the
    # connection here, unlike the ocsp=2 variant of this test.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")
4152
def test_ap_wpa2_eap_tls_intermediate_ca(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA"""
    ap_params = int_eap_server_params()
    ap_params.update({"ca_cert": "auth_serv/iCA-server/ca-and-root.pem",
                      "server_cert": "auth_serv/iCA-server/server.pem",
                      "private_key": "auth_serv/iCA-server/server.key"})
    hostapd.add_ap(apdev[0], ap_params)
    # GnuTLS and wolfSSL are given the client certificate bundled with the
    # intermediate CA certificate; the other libraries get the bare user
    # certificate. The trust anchor file is the same either way.
    tls = dev[0].request("GET tls_library")
    if "GnuTLS" in tls or "wolfSSL" in tls:
        client_cert = "auth_serv/iCA-user/user_and_ica.pem"
    else:
        client_cert = "auth_serv/iCA-user/user.pem"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                   client_cert=client_cert,
                   private_key="auth_serv/iCA-user/user.key",
                   scan_freq="2412")
4173
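def root_ocsp(cert, md="-sha256"):
    """Generate an OCSP response for cert, signed directly by the test root CA.

    cert is the path of the certificate to query. md is the digest option
    handed to "openssl ocsp" for the CertID hash ("-sha256" by default,
    same convention as ica_ocsp()). The response is signed with the root CA
    key itself (-rsigner/-rkey), carries no signer certificate
    (-resp_no_certs, so the verifier must already trust auth_serv/ca.pem),
    has no nonce, and is valid for seven days (-ndays 7).

    Returns the path of a temporary DER file holding the response; the
    caller owns it and must unlink it. Raises Exception (with openssl's
    output) when either invocation exits non-zero; temporary files are
    removed on that path.
    """
    ca = "auth_serv/ca.pem"

    fd2, fn2 = tempfile.mkstemp()
    os.close(fd2)
    fn = None
    try:
        arg = ["openssl", "ocsp", "-reqout", fn2, "-issuer", ca, md,
               "-cert", cert, "-no_nonce", "-text"]
        logger.info(' '.join(arg))
        cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE)
        # communicate() drains both pipes concurrently; reading stdout to
        # EOF before stderr can deadlock if stderr fills its pipe buffer.
        out, err = cmd.communicate()
        res = (out.decode('utf-8', 'replace') + "\n" +
               err.decode('utf-8', 'replace'))
        if cmd.returncode != 0:
            raise Exception("bad return code from openssl ocsp\n\n" + res)
        logger.info("OCSP request:\n" + res)

        fd, fn = tempfile.mkstemp()
        os.close(fd)
        arg = ["openssl", "ocsp", "-index", "auth_serv/rootCA/index.txt",
               "-rsigner", ca, "-rkey", "auth_serv/ca-key.pem",
               "-CA", ca, "-issuer", ca, "-verify_other", ca, "-trust_other",
               "-ndays", "7", "-reqin", fn2, "-resp_no_certs", "-respout", fn,
               "-text"]
        logger.info(' '.join(arg))
        cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE)
        out, err = cmd.communicate()
        res = (out.decode('utf-8', 'replace') + "\n" +
               err.decode('utf-8', 'replace'))
        if cmd.returncode != 0:
            raise Exception("bad return code from openssl ocsp\n\n" + res)
        logger.info("OCSP response:\n" + res)
    except Exception:
        # Do not leave a half-written response file behind on failure.
        if fn is not None:
            os.unlink(fn)
        raise
    finally:
        os.unlink(fn2)
    return fn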
4211
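def ica_ocsp(cert, md="-sha256"):
    """Generate an OCSP response for an iCA-server certificate.

    cert is a file name relative to auth_serv/iCA-server/ (for example
    "server.pem"). md is the digest option handed to "openssl ocsp" for
    the CertID hash ("-sha256" or "-sha1"). The response is signed by the
    intermediate CA's own key (-rsigner cacert.pem / -rkey
    private/cakey.pem), carries no signer certificate (-resp_no_certs),
    has no nonce, and is valid for seven days (-ndays 7).

    Returns the path of a temporary DER file holding the response; the
    caller owns it and must unlink it. Raises Exception (with openssl's
    output) when either invocation exits non-zero; temporary files are
    removed on that path.
    """
    prefix = "auth_serv/iCA-server/"
    ca = prefix + "cacert.pem"
    cert = prefix + cert

    fd2, fn2 = tempfile.mkstemp()
    os.close(fd2)
    fn = None
    try:
        arg = ["openssl", "ocsp", "-reqout", fn2, "-issuer", ca, md,
               "-cert", cert, "-no_nonce", "-text"]
        logger.info(' '.join(arg))
        cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE)
        # communicate() drains both pipes concurrently; reading stdout to
        # EOF before stderr can deadlock if stderr fills its pipe buffer.
        out, err = cmd.communicate()
        res = (out.decode('utf-8', 'replace') + "\n" +
               err.decode('utf-8', 'replace'))
        if cmd.returncode != 0:
            raise Exception("bad return code from openssl ocsp\n\n" + res)
        logger.info("OCSP request:\n" + res)

        fd, fn = tempfile.mkstemp()
        os.close(fd)
        arg = ["openssl", "ocsp", "-index", prefix + "index.txt",
               "-rsigner", ca, "-rkey", prefix + "private/cakey.pem",
               "-CA", ca, "-issuer", ca, "-verify_other", ca, "-trust_other",
               "-ndays", "7", "-reqin", fn2, "-resp_no_certs", "-respout", fn,
               "-text"]
        logger.info(' '.join(arg))
        cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE)
        out, err = cmd.communicate()
        res = (out.decode('utf-8', 'replace') + "\n" +
               err.decode('utf-8', 'replace'))
        if cmd.returncode != 0:
            raise Exception("bad return code from openssl ocsp\n\n" + res)
        logger.info("OCSP response:\n" + res)
    except Exception:
        # Do not leave a half-written response file behind on failure.
        if fn is not None:
            os.unlink(fn)
        raise
    finally:
        os.unlink(fn2)
    return fn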
4250
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on server certificate"""
    # CertID hashed with SHA-256 (the SHA-1 variant is a separate test).
    md = "-sha256"
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, md)
4254
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_sha1(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on server certificate (SHA1)"""
    # Only the OCSP CertID hash uses SHA-1 here; the certificates are the
    # same as in the SHA-256 variant.
    md = "-sha1"
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, md)
4258
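def run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, md):
    """EAP-TLS against an intermediate-CA server with a stapled OCSP response.

    md is the digest option for the OCSP CertID ("-sha256" or "-sha1").
    The response is generated with ica_ocsp() for the good server
    certificate and unlinked afterwards. The station requires stapling
    (ocsp=2), so the connection only completes when the stapled response
    verifies against the intermediate CA. Skips (HwsimSkip) when the
    station's TLS library lacks OCSP support, matching the revoked variant
    of this test, instead of failing on the ocsp=2 requirement.
    """
    check_ocsp_support(dev[0])
    ap_params = int_eap_server_params()
    ap_params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    ap_params["server_cert"] = "auth_serv/iCA-server/server.pem"
    ap_params["private_key"] = "auth_serv/iCA-server/server.key"
    fn = ica_ocsp("server.pem", md)
    ap_params["ocsp_stapling_response"] = fn
    try:
        hostapd.add_ap(apdev[0], ap_params)
        # GnuTLS and wolfSSL are given the client certificate bundled with
        # the intermediate CA certificate; the other libraries get the bare
        # user certificate. The trust anchor file is the same either way.
        tls = dev[0].request("GET tls_library")
        if "GnuTLS" in tls or "wolfSSL" in tls:
            client_cert = "auth_serv/iCA-user/user_and_ica.pem"
        else:
            client_cert = "auth_serv/iCA-user/user.pem"
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user",
                       ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                       client_cert=client_cert,
                       private_key="auth_serv/iCA-user/user.key",
                       scan_freq="2412", ocsp=2)
    finally:
        os.unlink(fn)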
4283
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate"""
    # SHA-256 digest for the generated (revoked-status) OCSP response.
    md = "-sha256"
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params, md)
4288
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked_sha1(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate (SHA1)"""
    # SHA-1 digest for the generated (revoked-status) OCSP response.
    md = "-sha1"
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params, md)
4293
def run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params, md):
    # Shared body of the revoked-certificate OCSP tests: the AP staples a
    # response (digest selected by md) saying server-revoked.pem is revoked,
    # and the supplicant is expected to refuse the server instead of
    # completing EAP. The caller's params fixture is not used.
    check_ocsp_support(dev[0])
    ap_params = int_eap_server_params()
    ap_params.update({
        "ca_cert": "auth_serv/iCA-server/ca-and-root.pem",
        "server_cert": "auth_serv/iCA-server/server-revoked.pem",
        "private_key": "auth_serv/iCA-server/server-revoked.key",
    })
    resp_file = ica_ocsp("server-revoked.pem", md)
    ap_params["ocsp_stapling_response"] = resp_file
    try:
        hostapd.add_ap(apdev[0], ap_params)
        # GnuTLS/wolfSSL need the intermediate CA bundled with the user cert.
        tls = dev[0].request("GET tls_library")
        bundled = "GnuTLS" in tls or "wolfSSL" in tls
        client_cert = ("auth_serv/iCA-user/user_and_ica.pem" if bundled
                       else "auth_serv/iCA-user/user.pem")
        # ocsp=1 only asks for stapling; the revoked status in the response
        # must still make the supplicant reject the server.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user",
                       ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                       client_cert=client_cert,
                       private_key="auth_serv/iCA-user/user.key",
                       scan_freq="2412", ocsp=1, wait_connect=False)
        # Allow up to 11 status events before giving up (same bound as the
        # other OCSP tests); EAP-Success at any point is a test failure.
        for _ in range(11):
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
                                    "CTRL-EVENT-EAP-SUCCESS"])
            if ev is None:
                raise Exception("Timeout on EAP status")
            if "CTRL-EVENT-EAP-SUCCESS" in ev:
                raise Exception("Unexpected EAP-Success")
            if ('bad certificate status response' in ev or
                    'certificate revoked' in ev):
                break
        else:
            raise Exception("Unexpected number of EAP status messages")

        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        if ev is None:
            raise Exception("Timeout on EAP failure report")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    finally:
        os.unlink(resp_file)
4340
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP multi missing response"""
    # The AP staples only the single-certificate response (no
    # ocsp_stapling_response_multi), while the supplicant uses ocsp=3, which
    # requires a response for every not-trusted certificate in the chain.
    # The connection must therefore fail with a status error, never succeed.
    check_ocsp_support(dev[0])
    check_ocsp_multi_support(dev[0])

    ap_params = int_eap_server_params()
    ap_params.update({
        "ca_cert": "auth_serv/iCA-server/ca-and-root.pem",
        "server_cert": "auth_serv/iCA-server/server.pem",
        "private_key": "auth_serv/iCA-server/server.key",
    })
    resp_file = ica_ocsp("server.pem")
    ap_params["ocsp_stapling_response"] = resp_file
    try:
        hostapd.add_ap(apdev[0], ap_params)
        # GnuTLS/wolfSSL need the intermediate CA bundled with the user cert.
        tls = dev[0].request("GET tls_library")
        bundled = "GnuTLS" in tls or "wolfSSL" in tls
        client_cert = ("auth_serv/iCA-user/user_and_ica.pem" if bundled
                       else "auth_serv/iCA-user/user.pem")
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user",
                       ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                       client_cert=client_cert,
                       private_key="auth_serv/iCA-user/user.key",
                       scan_freq="2412", ocsp=3, wait_connect=False)
        # Up to 11 status events are inspected before the test gives up.
        for _ in range(11):
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
                                    "CTRL-EVENT-EAP-SUCCESS"])
            if ev is None:
                raise Exception("Timeout on EAP status")
            if "CTRL-EVENT-EAP-SUCCESS" in ev:
                raise Exception("Unexpected EAP-Success")
            if ('bad certificate status response' in ev or
                    'certificate revoked' in ev):
                break
        else:
            raise Exception("Unexpected number of EAP status messages")

        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        if ev is None:
            raise Exception("Timeout on EAP failure report")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    finally:
        os.unlink(resp_file)
4390
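def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP multi OK"""
    # Both the server certificate and the intermediate CA get a good OCSP
    # response; with ocsp=3 (response required for every not-trusted cert in
    # the chain) the connection must succeed.
    check_ocsp_support(dev[0])
    check_ocsp_multi_support(dev[0])

    ap_params = int_eap_server_params()
    ap_params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    ap_params["server_cert"] = "auth_serv/iCA-server/server.pem"
    ap_params["private_key"] = "auth_serv/iCA-server/server.key"
    fn = ica_ocsp("server.pem")
    fn2 = root_ocsp("auth_serv/iCA-server/cacert.pem")
    ap_params["ocsp_stapling_response"] = fn

    # The responses are DER blobs; read them in binary mode so the length
    # prefixes written below match the bytes exactly.
    with open(fn, "rb") as f:
        resp_server = f.read()
    with open(fn2, "rb") as f:
        resp_ica = f.read()

    fd3, fn3 = tempfile.mkstemp()
    try:
        # ocsp_stapling_response_multi is a list of entries, each a 3-byte
        # big-endian length followed by one OCSP response. The context
        # manager closes the descriptor even if a write fails (the original
        # explicit close() leaked it on error).
        with os.fdopen(fd3, 'wb') as f:
            f.write(struct.pack(">L", len(resp_server))[1:4])
            f.write(resp_server)
            f.write(struct.pack(">L", len(resp_ica))[1:4])
            f.write(resp_ica)

        ap_params["ocsp_stapling_response_multi"] = fn3

        hostapd.add_ap(apdev[0], ap_params)
        # GnuTLS/wolfSSL need the intermediate CA bundled with the user cert.
        tls = dev[0].request("GET tls_library")
        if "GnuTLS" in tls or "wolfSSL" in tls:
            client_cert = "auth_serv/iCA-user/user_and_ica.pem"
        else:
            client_cert = "auth_serv/iCA-user/user.pem"
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user",
                       ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                       client_cert=client_cert,
                       private_key="auth_serv/iCA-user/user.key",
                       scan_freq="2412", ocsp=3)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    finally:
        os.unlink(fn)
        os.unlink(fn2)
        os.unlink(fn3)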
4440
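def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev, apdev, params):
    """EAP-TLS and CA signed OCSP multi response (revoked)"""
    # Builds a multi-response stapling list from pre-generated CA-signed
    # responses (one "unknown", one "revoked") found in the log directory
    # and checks that the supplicant rejects the server. Skipped when the
    # response files were not produced by the test setup.
    check_ocsp_support(dev[0])
    check_ocsp_multi_support(dev[0])
    check_pkcs12_support(dev[0])

    ocsp_revoked = os.path.join(params['logdir'],
                                "ocsp-resp-ca-signed-revoked.der")
    if not os.path.exists(ocsp_revoked):
        raise HwsimSkip("No OCSP response (revoked) available")
    ocsp_unknown = os.path.join(params['logdir'],
                                "ocsp-resp-ca-signed-unknown.der")
    if not os.path.exists(ocsp_unknown):
        raise HwsimSkip("No OCSP response(unknown) available")

    # DER blobs: binary mode keeps the byte lengths exact.
    with open(ocsp_revoked, "rb") as f:
        resp_revoked = f.read()
    with open(ocsp_unknown, "rb") as f:
        resp_unknown = f.read()

    fd, fn = tempfile.mkstemp()
    try:
        # This is not really a valid order of the OCSPResponse items in the
        # list, but this works for now to verify parsing and processing of
        # multiple responses. Each entry is a 3-byte big-endian length plus
        # the response; the third entry is deliberately empty. The context
        # manager closes the descriptor even when a write fails.
        with os.fdopen(fd, 'wb') as f:
            f.write(struct.pack(">L", len(resp_unknown))[1:4])
            f.write(resp_unknown)
            f.write(struct.pack(">L", len(resp_revoked))[1:4])
            f.write(resp_revoked)
            f.write(struct.pack(">L", 0)[1:4])
            f.write(struct.pack(">L", len(resp_unknown))[1:4])
            f.write(resp_unknown)

        ap_params = int_eap_server_params()
        ap_params["ocsp_stapling_response_multi"] = fn
        hostapd.add_ap(apdev[0], ap_params)
        # ocsp=1 merely requests stapling; the revoked status must still
        # make the supplicant refuse the server rather than reach EAP-Success.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       private_key="auth_serv/user.pkcs12",
                       private_key_passwd="whatever", ocsp=1,
                       wait_connect=False, scan_freq="2412")
        # Up to 11 status events are inspected before the test gives up.
        for _ in range(11):
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
                                    "CTRL-EVENT-EAP-SUCCESS"])
            if ev is None:
                raise Exception("Timeout on EAP status")
            if "CTRL-EVENT-EAP-SUCCESS" in ev:
                raise Exception("Unexpected EAP-Success")
            if ('bad certificate status response' in ev or
                    'certificate revoked' in ev):
                break
        else:
            raise Exception("Unexpected number of EAP status messages")
    finally:
        os.unlink(fn)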
4501
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
    # The server certificate has no dNSName SAN, so the suffix match has to
    # be evaluated against the CN; the full name is expected to match.
    check_domain_match_full(dev[0])
    check_pkcs12_support(dev[0])
    ap_params = int_eap_server_params()
    ap_params.update({
        "server_cert": "auth_serv/server-no-dnsname.pem",
        "private_key": "auth_serv/server-no-dnsname.key",
    })
    hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="server3.w1.fi",
                   scan_freq="2412")
24579e70 4516
def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
    # No dNSName SAN in the server certificate: domain_match must be
    # satisfied by the CN alone.
    check_domain_match(dev[0])
    check_pkcs12_support(dev[0])
    ap_params = int_eap_server_params()
    ap_params.update({
        "server_cert": "auth_serv/server-no-dnsname.pem",
        "private_key": "auth_serv/server-no-dnsname.key",
    })
    hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="server3.w1.fi",
                   scan_freq="2412")
4531
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
    # Parent-domain suffix ("w1.fi") against a CN-only server certificate.
    # The capability checks run on dev[0] while the connection is made from
    # dev[1]; all hwsim stations share one build, so this is fine.
    check_domain_match_full(dev[0])
    check_pkcs12_support(dev[0])
    ap_params = int_eap_server_params()
    ap_params.update({
        "server_cert": "auth_serv/server-no-dnsname.pem",
        "private_key": "auth_serv/server-no-dnsname.key",
    })
    hostapd.add_ap(apdev[0], ap_params)
    sta = dev[1]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                identity="tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever",
                domain_suffix_match="w1.fi",
                scan_freq="2412")
4546
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
    # Two negative cases against the CN-only certificate (server3.w1.fi):
    # an unrelated domain, and "erver3.w1.fi", which is a substring but not
    # a label-boundary suffix. Both stations must end in EAP failure.
    check_domain_suffix_match(dev[0])
    check_pkcs12_support(dev[0])
    ap_params = int_eap_server_params()
    ap_params.update({
        "server_cert": "auth_serv/server-no-dnsname.pem",
        "private_key": "auth_serv/server-no-dnsname.key",
    })
    hostapd.add_ap(apdev[0], ap_params)
    common = dict(key_mgmt="WPA-EAP", eap="TLS",
                  identity="tls user", ca_cert="auth_serv/ca.pem",
                  private_key="auth_serv/user.pkcs12",
                  private_key_passwd="whatever",
                  wait_connect=False,
                  scan_freq="2412")
    dev[0].connect("test-wpa2-eap", domain_suffix_match="example.com",
                   **common)
    dev[1].connect("test-wpa2-eap", domain_suffix_match="erver3.w1.fi",
                   **common)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report (2)")
6a4d0dbe 4575
def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
    # domain_match needs the full name: neither an unrelated domain nor the
    # parent domain "w1.fi" may be accepted for CN server3.w1.fi.
    check_domain_match(dev[0])
    check_pkcs12_support(dev[0])
    ap_params = int_eap_server_params()
    ap_params.update({
        "server_cert": "auth_serv/server-no-dnsname.pem",
        "private_key": "auth_serv/server-no-dnsname.key",
    })
    hostapd.add_ap(apdev[0], ap_params)
    common = dict(key_mgmt="WPA-EAP", eap="TLS",
                  identity="tls user", ca_cert="auth_serv/ca.pem",
                  private_key="auth_serv/user.pkcs12",
                  private_key_passwd="whatever",
                  wait_connect=False,
                  scan_freq="2412")
    dev[0].connect("test-wpa2-eap", domain_match="example.com", **common)
    dev[1].connect("test-wpa2-eap", domain_match="w1.fi", **common)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report (2)")
4604
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate"""
    # The supplicant must report the expiry via CTRL-EVENT-EAP-TLS-CERT-ERROR
    # (reason=4 with the "certificate has expired" text) and then fail EAP.
    skip_with_fips(dev[0])
    ap_params = int_eap_server_params()
    ap_params.update({
        "server_cert": "auth_serv/server-expired.pem",
        "private_key": "auth_serv/server-expired.key",
    })
    hostapd.add_ap(apdev[0], ap_params)
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="mschap user", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                wait_connect=False,
                scan_freq="2412")
    ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    if ev is None:
        raise Exception("Timeout on EAP certificate error report")
    expected = "reason=4" in ev and "certificate has expired" in ev
    if not expected:
        raise Exception("Unexpected failure reason: " + ev)
    ev = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
4625
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
    # Same expired server certificate as the previous test, but
    # tls_disable_time_checks=1 in phase1 makes the supplicant accept it,
    # so a normal (waited) connect is expected to succeed.
    skip_with_fips(dev[0])
    ap_params = int_eap_server_params()
    ap_params.update({
        "server_cert": "auth_serv/server-expired.pem",
        "private_key": "auth_serv/server-expired.key",
    })
    hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   phase1="tls_disable_time_checks=1",
                   scan_freq="2412")
6ab4a7aa 4638
def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
    # A server certificate with an unusually long validity period must
    # still be accepted.
    skip_with_fips(dev[0])
    ap_params = int_eap_server_params()
    ap_params.update({
        "server_cert": "auth_serv/server-long-duration.pem",
        "private_key": "auth_serv/server-long-duration.key",
    })
    hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
4650
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
    # A server certificate carrying only the client-authentication EKU must
    # be rejected by the supplicant (EAP failure expected).
    skip_with_fips(dev[0])
    ap_params = int_eap_server_params()
    ap_params.update({
        "server_cert": "auth_serv/server-eku-client.pem",
        "private_key": "auth_serv/server-eku-client.key",
    })
    hostapd.add_ap(apdev[0], ap_params)
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="mschap user", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                wait_connect=False,
                scan_freq="2412")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
242219c5 4666
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
    # Unlike the client-only EKU case, a certificate that lists both the
    # client and server EKUs is valid for the server role and must connect.
    skip_with_fips(dev[0])
    ap_params = int_eap_server_params()
    ap_params.update({
        "server_cert": "auth_serv/server-eku-client-server.pem",
        "private_key": "auth_serv/server-eku-client-server.key",
    })
    hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
4678
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
    # The server certificate comes from the PKCS#12 bundle, so the separate
    # server_cert entry is dropped and only private_key is configured.
    skip_with_fips(dev[0])
    ap_params = int_eap_server_params()
    ap_params.pop("server_cert")
    ap_params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
4690
def test_ap_wpa2_eap_ttls_server_pkcs12_extra(dev, apdev):
    """EAP-TTLS and server PKCS#12 file with extra certs"""
    # Password-protected PKCS#12 bundle that also carries extra certificates;
    # server_cert is dropped since the bundle supplies the certificate.
    skip_with_fips(dev[0])
    ap_params = int_eap_server_params()
    ap_params.pop("server_cert")
    ap_params.update({
        "private_key": "auth_serv/server-extra.pkcs12",
        "private_key_passwd": "whatever",
    })
    hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
4703
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params"""
    # Client-side dh_file pointing at a DH parameter file.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    opts = dict(anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="auth_serv/dh.conf")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **opts)
7c50093f 4712
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
    # Client-side dh_file holding DSA parameters; skipped when the TLS
    # library cannot use them.
    check_dh_dsa_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    opts = dict(anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="auth_serv/dsaparam.pem")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **opts)
4722
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TTLS and DH params file not found"""
    # Client-side dh_file that does not exist: EAP must fail cleanly.
    # NOTE(review): a second function with this exact name is defined
    # later in this file (the server-side dhparams variant). Python keeps
    # the later definition, so this client-side test is shadowed and never
    # collected by the runner; one of the two needs a distinct name.
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="mschap user", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                dh_file="auth_serv/dh-no-such-file.conf",
                scan_freq="2412", wait_connect=False)
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("EAP failure timed out")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
4738
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TTLS and invalid DH params file"""
    # Client-side dh_file pointing at a certificate instead of DH
    # parameters: EAP must fail cleanly.
    # NOTE(review): a second function with this exact name is defined
    # later in this file (the server-side dhparams variant); the later
    # definition wins, so this client-side test is shadowed and never
    # collected by the runner.
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="mschap user", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                dh_file="auth_serv/ca.pem",
                scan_freq="2412", wait_connect=False)
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("EAP failure timed out")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
4754
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob"""
    # The DH parameters are pushed into the supplicant as a named blob
    # (hex-encoded over the control interface) and referenced as blob://.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dh = read_pem("auth_serv/dh2.conf")
    res = dev[0].request("SET blob dhparams " + binascii.hexlify(dh))
    if "OK" not in res:
        raise Exception("Could not set dhparams blob")
    opts = dict(anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="blob://dhparams")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **opts)
4766
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
    # Server-side dh_file override on the hostapd EAP server.
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dh2.conf"
    hapd = hostapd.add_ap(apdev[0], ap_params)
    opts = dict(anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **opts)
768ea0bc 4775
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
    # Server-side dh_file holding DSA parameters.
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dsaparam.pem"
    hapd = hostapd.add_ap(apdev[0], ap_params)
    opts = dict(anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **opts)
4784
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found"""
    # Server-side: hostapd must refuse to ENABLE with a missing dh_file.
    # NOTE(review): this redefines test_ap_wpa2_eap_ttls_dh_params_not_found
    # from earlier in this file (the client-side variant), which therefore
    # never runs; the two tests need distinct names.
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dh-no-such-file.conf"
    hapd = hostapd.add_ap(apdev[0], ap_params, no_enable=True)
    res = hapd.request("ENABLE")
    if "FAIL" not in res:
        raise Exception("Invalid configuration accepted")
4792
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file"""
    # Server-side: a certificate given as dh_file must make ENABLE fail.
    # NOTE(review): this redefines test_ap_wpa2_eap_ttls_dh_params_invalid
    # from earlier in this file (the client-side variant), which therefore
    # never runs; the two tests need distinct names.
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0], ap_params, no_enable=True)
    res = hapd.request("ENABLE")
    if "FAIL" not in res:
        raise Exception("Invalid configuration accepted")
4800
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication"""
    # eap_reauth_period=2 makes the AP trigger a fresh EAP exchange shortly
    # after the first one completes; the station must go through
    # EAP-STARTED/EAP-SUCCESS again and settle back into COMPLETED.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['eap_reauth_period'] = '2'
    hapd = hostapd.add_ap(apdev[0], ap_params)
    sta = dev[0]
    eap_connect(sta, hapd, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    logger.info("Wait for reauthentication")
    for name in ("CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-EAP-SUCCESS"):
        if sta.wait_event([name], timeout=10) is None:
            raise Exception("Timeout on reauthentication")
    # Poll wpa_state for up to ~2 s (20 x 0.1 s) until it reads COMPLETED.
    for _ in range(20):
        state = sta.get_status_field("wpa_state")
        if state == "COMPLETED":
            break
        time.sleep(0.1)
    else:
        raise Exception("Reauthentication did not complete")
4822
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    # eap_message carries a displayable string followed by a NUL-separated
    # option list; the connection must still complete normally.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hapd = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[0], hapd, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
4830
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
    # For each of SIM, AKA and AKA': dev[0] connects with result_ind=1 and
    # reauthenticates, dev[1] connects without it. Networks are removed
    # between methods (but not after the last one, as before).
    check_hlr_auc_gw_support()
    ap_params = int_eap_server_params()
    ap_params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    ap_params['eap_sim_aka_result_ind'] = "1"
    hapd = hostapd.add_ap(apdev[0], ap_params)

    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, identity, password) in enumerate(cases):
        if idx:
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], hapd, method, identity,
                    password=password,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], hapd, method, identity,
                    password=password)
633e364b 4865
def test_ap_wpa2_eap_sim_zero_db_timeout(dev, apdev):
    """WPA2-Enterprise using EAP-SIM with zero database timeout"""
    # eap_sim_db_timeout=0 makes every HLR/AuC lookup time out immediately;
    # PMKSA caching is disabled so each iteration performs a full EAP run.
    check_hlr_auc_gw_support()
    ap_params = int_eap_server_params()
    ap_params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    ap_params['eap_sim_db_timeout'] = "0"
    ap_params['disable_pmksa_caching'] = '1'
    hapd = hostapd.add_ap(apdev[0], ap_params)
    sta = dev[0]

    # Run multiple iterations to make it more likely to hit the case where the
    # DB request times out and response is lost.
    for _ in range(20):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                    identity="1232010000000000",
                    password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                    wait_connect=False, scan_freq="2412")
        ev = sta.wait_event(["CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"],
                            timeout=15)
        if ev is None:
            raise Exception("No connection result")
        sta.request("REMOVE_NETWORK all")
        if "CTRL-EVENT-DISCONNECTED" in ev:
            break
        sta.wait_disconnected()
    # Whatever happened, hostapd must still be responsive afterwards.
    hapd.ping()
4892
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
    # A tiny fragment_size forces the TLS handshake into far more EAP
    # round trips than the supplicant permits; it must abort with the
    # "EAP: more than ..." message rather than reach EAP-Success.
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                eap="TTLS", identity="mschap user",
                wait_connect=False, scan_freq="2412", ieee80211w="1",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                fragment_size="8")
    ev = sta.wait_event(["EAP: more than",
                         "CTRL-EVENT-EAP-SUCCESS"], timeout=20)
    limit_hit = ev is not None and "EAP: more than" in ev
    if not limit_hit:
        raise Exception("EAP roundtrip limit not reached")
4908
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
    # The server proposes a method the station will not use (EAP-PSK with
    # the vendor-test identity); the station must answer with a NAK that
    # shows up as a "refuse proposed method" status, then EAP fails.
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                eap="PSK", identity="vendor-test",
                password_hex="ff23456789abcdef0123456789abcdef",
                wait_connect=False)

    # At most five status events are examined for the refusal.
    for _ in range(5):
        ev = sta.wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=16)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in ev:
            break
    else:
        raise Exception("Unexpected EAP status: " + ev)

    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("EAP failure timed out")
4932
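def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB"""
    # Builds a throwaway SQLite user database in the log directory, points
    # hostapd's eap_user_file at it with the "sqlite:" prefix and runs one
    # TTLS inner method per user row. The file is removed afterwards.
    skip_with_fips(dev[0])
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    # Start from a fresh file. Only a missing file is expected here, so
    # catch OSError specifically; the bare except used before also swallowed
    # KeyboardInterrupt/SystemExit.
    try:
        os.remove(dbfile)
    except OSError:
        pass
    con = sqlite3.connect(dbfile)
    try:
        # The with-block commits on success; close the handle explicitly
        # instead of leaving it to garbage collection.
        with con:
            cur = con.cursor()
            cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
            cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
            cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
            cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
            cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
            cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
            cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
            cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
    finally:
        con.close()

    try:
        # Use a separate name for the AP configuration so the params fixture
        # (still needed for logdir) is not shadowed.
        ap_params = int_eap_server_params()
        ap_params["eap_user_file"] = "sqlite:" + dbfile
        hapd = hostapd.add_ap(apdev[0], ap_params)

        def connect(sta, user, phase2):
            # One TTLS run; the phase 2 method must match the user's row.
            eap_connect(sta, hapd, "TTLS", user,
                        anonymous_identity="ttls", password="password",
                        ca_cert="auth_serv/ca.pem", phase2=phase2)

        connect(dev[0], "user-mschapv2", "auth=MSCHAPV2")
        dev[0].request("REMOVE_NETWORK all")
        connect(dev[1], "user-mschap", "auth=MSCHAP")
        dev[1].request("REMOVE_NETWORK all")
        connect(dev[0], "user-chap", "auth=CHAP")
        connect(dev[1], "user-pap", "auth=PAP")
    finally:
        os.remove(dbfile)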
4977
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Two stations offer EAP-TTLS identities that are not valid ASCII (a lone
    0x80 byte, and one following an ASCII character) to hostapd's internal
    EAP server. Only the start of EAP and the selection of an EAP method are
    awaited on each station, i.e. the test checks that neither side chokes
    on such bytes; the authentication is not expected to complete.

    NOTE(review): on Python 3 these literals are str objects and reach the
    control interface UTF-8 encoded (two bytes), whereas Python 2 sends the
    single raw byte -- confirm which encoding this test is meant to cover.
    """
    hostapd.add_ap(apdev[0], int_eap_server_params())

    for sta, ident in zip(dev, ("\x80", "a\x80")):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity=ident, password="password", wait_connect=False)

    milestones = [("CTRL-EVENT-EAP-STARTED", 16,
                   "Association and EAP start timed out"),
                  ("CTRL-EVENT-EAP-METHOD", 10,
                   "EAP method selection timed out")]
    for sta in dev[:2]:
        for event, limit, err in milestones:
            if sta.wait_event([event], timeout=limit) is None:
                raise Exception(err)
4993
def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Same as test_ap_wpa2_eap_non_ascii_identity() but against the default
    hostapd.wpa2_eap_params() setup instead of the internal EAP server
    configuration. Only EAP start and EAP method selection are awaited on
    each station; the authentication itself is not expected to succeed.
    """
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    for sta, ident in zip(dev, ("\x80", "a\x80")):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity=ident, password="password", wait_connect=False)

    milestones = [("CTRL-EVENT-EAP-STARTED", 16,
                   "Association and EAP start timed out"),
                  ("CTRL-EVENT-EAP-METHOD", 10,
                   "EAP method selection timed out")]
    for sta in dev[:2]:
        for event, limit, err in milestones:
            if sta.wait_event([event], timeout=limit) is None:
                raise Exception(err)
5009
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant

    Three stations use different openssl_ciphers values for EAP-TTLS/PAP:
    "AES128" must connect, "EXPORT" must fail (the failure may already be
    local, before the server is reached, hence maybe_local_error) and the
    bogus string "FOO" must be reported as an EAP failure instead of being
    silently ignored.
    """
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    ttls_pap = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                openssl_ciphers="AES128", **ttls_pap)
    eap_connect(dev[1], hapd, "TTLS", "pap user",
                openssl_ciphers="EXPORT",
                expect_failure=True, maybe_local_error=True, **ttls_pap)

    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", openssl_ciphers="FOO",
                   wait_connect=False, **ttls_pap)
    if dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure after invalid openssl_ciphers not reported")
    dev[2].request("DISCONNECT")
5036
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    hostapd is restricted to "AES256": a station with default ciphers and one
    with "HIGH:!ADH" must still connect, while a station limited to "AES128"
    has no suite in common and must fail. A second AP with the bogus value
    "FOO" must refuse to be enabled (OpenSSL 1.1.1 is known to accept the
    value, which is only logged).
    """
    sta_tls = dev[0].request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + sta_tls)

    params = int_eap_server_params()
    params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0], params)
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)

    ttls_pap = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **ttls_pap)
    eap_connect(dev[1], hapd, "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **ttls_pap)
    eap_connect(dev[2], hapd, "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **ttls_pap)

    params['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1], params, no_enable=True)
    if "FAIL" not in hapd2.request("ENABLE"):
        if "run=OpenSSL 1.1.1" in ap_tls:
            logger.info("Ignore acceptance of an invalid openssl_ciphers value with OpenSSL 1.1.1")
        else:
            raise Exception("Invalid openssl_ciphers value accepted")
7be5ec99 5068
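def _wpas_keys_from_log(path):
    """Collect the keys hexdumped into a wpa_supplicant debug log.

    Scans the log at *path* for the "EAP-TTLS: Derived key", "EAP-TTLS:
    Derived EMSK", "WPA: PMK", "WPA: PTK" and "WPA: Group Key" hexdump lines
    and returns a dict with keys 'msk', 'emsk', 'pmk', 'ptk', 'gtk' mapped to
    the raw bytes of the *last* matching line, or None for any key that was
    not logged. The hex payload is the fourth colon-separated field of the
    line, i.e. the text after "... - hexdump(len=N):".
    """
    markers = {"EAP-TTLS: Derived key - hexdump": 'msk',
               "EAP-TTLS: Derived EMSK - hexdump": 'emsk',
               "WPA: PMK - hexdump": 'pmk',
               "WPA: PTK - hexdump": 'ptk',
               "WPA: Group Key - hexdump": 'gtk'}
    keys = dict.fromkeys(markers.values())
    with open(path, 'r') as f:
        for line in f:
            for marker, name in markers.items():
                if marker in line:
                    val = line.strip().split(':')[3].replace(' ', '')
                    keys[name] = binascii.unhexlify(val)
    return keys

def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP

    Connects with EAP-TTLS/PAP and snapshots the wpa_supplicant process
    memory at four points, checking which secrets are still findable:

      * while associated: password and PMK are expected to be present (if
        they are not, the memory read itself is assumed not to work and the
        test is skipped); KCK and KEK missing is a failure;
      * after DISCONNECT: KCK, KEK, TK and GTK must be gone. The password
        (network profile) and the PMK (PMKSA cache and EAP fast re-auth
        data) legitimately remain;
      * after PMKSA_FLUSH plus changing the profile identity (which drops
        the EAP fast re-auth data): the PMK must be gone;
      * after REMOVE_NETWORK all: password, PMK, MSK, EMSK and all PTK/GTK
        material must be gone.

    Reference key values are parsed from the debug log 'log0' under
    params['logdir']; fname is the prefix verify_not_present() gets for its
    dump output when a key is unexpectedly found.
    """
    p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], p)
    password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    pid = find_wpas_process(dev[0])
    netid = eap_connect(dev[0], hapd, "TTLS", "pap-secret",
                        anonymous_identity="ttls", password=password,
                        ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
    # event has been delivered, so verify that wpa_supplicant has returned to
    # eloop before reading process memory.
    time.sleep(1)
    dev[0].ping()
    buf = read_process_memory(pid, password)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    dev[0].relog()
    keys = _wpas_keys_from_log(os.path.join(params['logdir'], 'log0'))
    if not all(keys.values()):
        raise Exception("Could not find keys from debug log")
    msk = keys['msk']
    emsk = keys['emsk']
    pmk = keys['pmk']
    ptk = keys['ptk']
    gtk = keys['gtk']
    # A 16-byte GTK is what the group cipher of the default AP configuration
    # is expected to produce; anything else means the setup is not what
    # this test assumes.
    if len(gtk) != 16:
        raise Exception("Unexpected GTK length")

    # PTK layout assumed here: KCK | KEK | TK, 16 bytes each.
    kck = ptk[0:16]
    kek = ptk[16:32]
    tk = ptk[32:48]

    fname = os.path.join(params['logdir'],
                         'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')

    def log_locations(snapshot):
        # Informational only: where the long-lived secrets sit in the
        # snapshot. Pass/fail decisions are made by the callers.
        get_key_locations(snapshot, password, "Password")
        get_key_locations(snapshot, pmk, "PMK")
        get_key_locations(snapshot, msk, "MSK")
        get_key_locations(snapshot, emsk, "EMSK")

    logger.info("Checking keys in memory while associated")
    log_locations(buf)
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    if pmk not in buf:
        raise HwsimSkip("PMK not found while associated")
    if kck not in buf:
        raise Exception("KCK not found while associated")
    if kek not in buf:
        raise Exception("KEK not found while associated")
    # NOTE: a "TK must not be in memory while associated" check used to live
    # here and was deliberately disabled; only the TK's absence after
    # disassociation is verified below.

    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, password)

    # Note: Password is still present in network configuration
    # Note: PMK is in PMKSA cache and EAP fast re-auth data

    log_locations(buf)
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    if gtk in buf:
        get_key_locations(buf, gtk, "GTK")
    verify_not_present(buf, gtk, fname, "GTK")

    dev[0].request("PMKSA_FLUSH")
    dev[0].set_network_quoted(netid, "identity", "foo")
    logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
    buf = read_process_memory(pid, password)
    log_locations(buf)
    verify_not_present(buf, pmk, fname, "PMK")

    dev[0].request("REMOVE_NETWORK all")

    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, password)

    log_locations(buf)
    verify_not_present(buf, password, fname, "password")
    verify_not_present(buf, pmk, fname, "PMK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    verify_not_present(buf, msk, fname, "MSK")
    verify_not_present(buf, emsk, fname, "EMSK")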
5183
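def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
    """WPA2-Enterprise connection and unexpected WEP EAPOL-Key

    After a normal EAP-TTLS/PAP connection, an EAPOL-Key frame of the legacy
    RC4/WEP descriptor type (descriptor type 1, zero-filled body) is injected
    through the EAPOL_RX control interface command. An RSN association must
    drop such a frame, so in addition to EAPOL_RX being accepted the test
    verifies that the association state and the data path survive it.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    bssid = apdev[0]['bssid']
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    # EAPOL v2, type 3 (EAPOL-Key), length 0x2c, descriptor type 1 (RC4),
    # rest zero. Send unexpected WEP EAPOL-Key; this gets dropped.
    res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
    if "OK" not in res:
        raise Exception("EAPOL_RX to wpa_supplicant failed")

    # "Dropped" has to mean more than EAPOL_RX returning OK: the RSN state
    # and the installed keys must be untouched by the bogus frame.
    state = dev[0].get_status_field("wpa_state")
    if state != "COMPLETED":
        raise Exception("Unexpected wpa_state after WEP EAPOL-Key: " + str(state))
    hwsim_utils.test_connectivity(dev[0], hapd)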
5197
def test_ap_wpa2_eap_in_bridge(dev, apdev):
    """WPA2-EAP and wpas interface in a bridge

    Wrapper around _test_ap_wpa2_eap_in_bridge() that always tears down the
    sta-br0 bridge and wlan5's 4-address mode afterwards. Each cleanup step
    is best-effort (subprocess.call, exit status ignored) so that a
    partially completed setup does not hide the original failure.
    """
    br_ifname = 'sta-br0'
    ifname = 'wlan5'
    teardown = [['ip', 'link', 'set', 'dev', br_ifname, 'down'],
                ['brctl', 'delif', br_ifname, ifname],
                ['brctl', 'delbr', br_ifname],
                ['iw', ifname, 'set', '4addr', 'off']]
    try:
        _test_ap_wpa2_eap_in_bridge(dev, apdev)
    finally:
        for cmd in teardown:
            subprocess.call(cmd)
5209
def _test_ap_wpa2_eap_in_bridge(dev, apdev):
    """Body of test_ap_wpa2_eap_in_bridge(); the caller does the cleanup.

    Creates bridge sta-br0, switches wlan5 to 4-address mode, enslaves it to
    the bridge and adds a wpa_supplicant interface bound to that bridge. Then
    runs EAP-PAX, two re-authentications (the repeat is a regression test for
    the packet socket workaround) and a DISCONNECT/RECONNECT cycle.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    br_ifname = 'sta-br0'
    ifname = 'wlan5'
    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    for cmd in (['brctl', 'addbr', br_ifname],
                ['brctl', 'setfd', br_ifname, '0'],
                ['ip', 'link', 'set', 'dev', br_ifname, 'up'],
                ['iw', ifname, 'set', '4addr', 'on']):
        subprocess.call(cmd)
    # Enslaving must succeed; the rest of the test is meaningless otherwise.
    subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
    wpas.interface_add(ifname, br_ifname=br_ifname)
    wpas.dump_monitor()

    eap_connect(wpas, hapd, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    wpas.dump_monitor()
    # Try again as a regression test for packet socket workaround
    for _ in range(2):
        eap_reauth(wpas, "PAX")
        wpas.dump_monitor()

    wpas.request("DISCONNECT")
    wpas.wait_disconnected()
    wpas.dump_monitor()
    wpas.request("RECONNECT")
    wpas.wait_connected()
    wpas.dump_monitor()
5239
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled

    Connects with EAP-TTLS/PAP with phase1 tls_disable_session_ticket=0
    (the knob that allows the TLS session ticket extension to be used) and
    then re-authenticates. The AP configuration is sanity-checked to use
    WPA-EAP key management first.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    key_mgmt = hapd.get_config()['key_mgmt']
    if key_mgmt.split(' ')[0] != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
5252
def test_ap_wpa2_eap_no_workaround(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0

    Connects with EAP-TTLS/PAP with the EAP interoperability workarounds
    disabled on the station (eap_workaround=0) and then re-authenticates.
    The AP configuration is sanity-checked to use WPA-EAP key management
    first.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    key_mgmt = hapd.get_config()['key_mgmt']
    if key_mgmt.split(' ')[0] != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
5265
def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
    """EAP-TLS and server checking CRL

    Exercises hostapd's check_crl with the internal EAP server. With
    check_crl=1 and only the plain CA certificate loaded there is no CRL to
    validate against, so the (otherwise valid) client certificate must be
    rejected rather than accepted without a revocation check. Once the CA
    bundle containing the CRL is loaded, the same client must be accepted
    with check_crl=1 and then with check_crl=2.
    """
    params = int_eap_server_params()
    params['check_crl'] = '1'
    hapd = hostapd.add_ap(apdev[0], params)

    def tls_user(**extra):
        eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                    client_cert="auth_serv/user.pem",
                    private_key="auth_serv/user.key", **extra)
        dev[0].request("REMOVE_NETWORK all")

    def reconfigure(key, value):
        # check_crl / ca_cert are only picked up by a disabled AP.
        hapd.disable()
        hapd.set(key, value)
        hapd.enable()

    # check_crl=1 and no CRL available --> reject connection
    tls_user(expect_failure=True)

    reconfigure("ca_cert", "auth_serv/ca-and-crl.pem")
    # check_crl=1 and valid CRL --> accept
    tls_user()

    reconfigure("check_crl", "2")
    # check_crl=2 and valid CRL --> accept
    tls_user()
5297
def test_ap_wpa2_eap_tls_oom(dev, apdev):
    """EAP-TLS and OOM

    Fails the first, second, third and fourth allocation inside
    tls_connection_set_subject_match() in turn while every server
    certificate constraint (subject_match, altsubject_match,
    domain_suffix_match, domain_match) is configured. The expected outcome
    is a clean TLS parameter setup failure, visible as a CTRL-REQ-PASSPHRASE
    request, rather than a connection that proceeds without the
    constraints.
    """
    for capa_check in (check_subject_match_support,
                       check_altsubject_match_support,
                       check_domain_match,
                       check_domain_match_full):
        capa_check(dev[0])

    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    func = "tls_connection_set_subject_match"
    for count in range(1, 5):
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                           identity="tls user", ca_cert="auth_serv/ca.pem",
                           client_cert="auth_serv/user.pem",
                           private_key="auth_serv/user.key",
                           subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                           altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
                           domain_suffix_match="server.w1.fi",
                           domain_match="server.w1.fi",
                           wait_connect=False, scan_freq="2412")
            # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
            if dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5) is None:
                raise Exception("No passphrase request")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
5329
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL

    Enables macaddr_acl=2 on the AP (per hostapd.conf this is the
    RADIUS-backed MAC ACL mode -- not verified here) and checks that an
    EAP-TLS connection still succeeds with that setting in place.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params["macaddr_acl"] = "2"
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[1], hapd, "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
5338
def test_ap_wpa2_eap_oom(dev, apdev):
    """EAP server and OOM

    Makes the first eapol_auth_alloc() in hostapd fail. The first
    authentication attempt fails because of that, but the STA will send
    EAPOL-Start to retry and that succeeds, so a normal connect() is
    expected to complete.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)

    with alloc_fail(hapd, 1, "eapol_auth_alloc"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       scan_freq="2412")
6c4b5da4 5353
def check_tls_ver(dev, hapd, phase1, expected):
    """Connect with EAP-TLS using the given phase1 TLS options and verify
    that the negotiated version reported in the eap_tls_version status field
    is exactly *expected* (e.g. "TLSv1.2"). Raises Exception otherwise."""
    eap_connect(dev, hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
                phase1=phase1)
    negotiated = dev.get_status_field("eap_tls_version")
    if negotiated != expected:
        raise Exception("Unexpected TLS version (expected %s): %s" % (expected, negotiated))
5362
def test_ap_wpa2_eap_tls_versions(dev, apdev):
    """EAP-TLS and TLS version configuration

    Uses the tls_disable_tlsv1_* phase1 options to pin the negotiated TLS
    version and checks the result via the eap_tls_version status field.
    Forcing TLSv1.2 is only attempted on library builds known to support
    it; TLSv1.1 and TLSv1 are always forced (both are deprecated protocol
    versions, the test only verifies the knobs work), and TLSv1.3 is
    exercised when running against OpenSSL 1.1.1.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    tls = dev[0].request("GET tls_library")
    if tls.startswith("OpenSSL"):
        force_12 = ("build=OpenSSL 1.0.1" not in tls and
                    "run=OpenSSL 1.0.1" not in tls)
    elif tls.startswith("wolfSSL"):
        force_12 = any("build=%s" % ver in tls and "run=%s" % ver in tls
                       for ver in ("3.10.0", "3.13.0"))
    elif tls.startswith("internal"):
        force_12 = True
    else:
        force_12 = False

    if force_12:
        check_tls_ver(dev[0], hapd,
                      "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
                      "TLSv1.2")
    check_tls_ver(dev[1], hapd,
                  "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
    check_tls_ver(dev[2], hapd,
                  "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
    if "run=OpenSSL 1.1.1" in tls:
        check_tls_ver(dev[0], hapd,
                      "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0", "TLSv1.3")
5390
def test_rsn_ie_proto_eap_sta(dev, apdev):
    """RSN element protocol testing for EAP cases on STA side

    Starts with the RSN element hostapd normally advertises, then
    reconfigures the AP with progressively truncated elements (no RSN
    Capabilities field, no AKM suites, no pairwise ciphers, no group
    cipher) and re-selects the network after each change. The station is
    expected to complete the EAP-GPSK connection with every truncated
    element, i.e. the missing trailing fields must not make it reject the
    AP or misbehave.
    """
    bssid = apdev[0]['bssid']
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # This is the RSN element used normally by hostapd
    params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
    hapd = hostapd.add_ap(apdev[0], params)
    netid = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                           identity="gpsk user",
                           password="abcdefghijklmnop0123456789abcdef",
                           scan_freq="2412")

    truncated = [('No RSN Capabilities field',
                  '30120100000fac040100000fac040100000fac01'),
                 ('No AKM Suite fields',
                  '300c0100000fac040100000fac04'),
                 ('No Pairwise Cipher Suite fields',
                  '30060100000fac04'),
                 ('No Group Data Cipher Suite field',
                  '30020100')]
    for txt, ie in truncated:
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        logger.info(txt)
        hapd.disable()
        hapd.set('own_ie_override', ie)
        hapd.enable()
        # Drop the cached BSS entry so the new element is what gets used.
        dev[0].request("BSS_FLUSH 0")
        dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
        dev[0].select_network(netid, freq=2412)
        dev[0].wait_connected()

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].flush_scan_cache()
5426
f9dd43ea
JM
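def check_tls_session_resumption_capa(dev, hapd):
    """Skip the calling test unless both ends use a TLS library this suite
    can test session resumption with.

    Both the hostapd and the wpa_supplicant "GET tls_library" strings must
    start with "OpenSSL"; anything else raises HwsimSkip (a build property,
    not a failure). The skip messages state exactly what the condition
    enforces.

    NOTE(review): the condition accepts OpenSSL only. If wolfSSL session
    resumption is to be covered, the condition and the message have to be
    extended together; a message claiming wolfSSL is accepted while the
    check rejects it would mislead whoever reads the skip reason.
    """
    tls = hapd.request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)

    tls = dev.request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("Session resumption not supported with this TLS library: " + tls)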
5435
def test_eap_ttls_pap_session_resumption(dev, apdev):
    """EAP-TTLS/PAP session resumption

    The first connection must be a full TLS handshake (tls_session_reused=0).
    A REAUTHENTICATE within the 60 s tls_session_lifetime must resume the
    cached session (tls_session_reused=1) and still yield a working data
    path. Whether the inner PAP exchange is repeated on resumption is not
    checked here.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)

    def session_reused():
        return dev[0].get_status_field("tls_session_reused")

    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")
    if session_reused() != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    for event, what in (("CTRL-EVENT-EAP-SUCCESS", "EAP success"),
                        ("WPA: Key negotiation completed",
                         "Key handshake with the AP")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(what + " timed out")
    if session_reused() != '1':
        raise Exception("Session resumption not used on the second connection")
    hwsim_utils.test_connectivity(dev[0], hapd)
5459
def test_eap_ttls_chap_session_resumption(dev, apdev):
    """EAP-TTLS/CHAP session resumption

    First connection: full TLS handshake (tls_session_reused=0). A
    REAUTHENTICATE within the 60 s tls_session_lifetime must resume the
    cached session (tls_session_reused=1). The DER form of the CA
    certificate is used on the station. Whether the inner CHAP exchange is
    repeated on resumption is not checked here.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)

    def session_reused():
        return dev[0].get_status_field("tls_session_reused")

    eap_connect(dev[0], hapd, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    if session_reused() != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    for event, what in (("CTRL-EVENT-EAP-SUCCESS", "EAP success"),
                        ("WPA: Key negotiation completed",
                         "Key handshake with the AP")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(what + " timed out")
    if session_reused() != '1':
        raise Exception("Session resumption not used on the second connection")
5481
def test_eap_ttls_mschap_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAP session resumption

    First connection: full TLS handshake (tls_session_reused=0), with
    domain_suffix_match pinning the server certificate to server.w1.fi. A
    REAUTHENTICATE within the 60 s tls_session_lifetime must resume the
    cached session (tls_session_reused=1). Whether the inner MSCHAP exchange
    is repeated on resumption is not checked here.
    """
    check_domain_suffix_match(dev[0])
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)

    def session_reused():
        return dev[0].get_status_field("tls_session_reused")

    eap_connect(dev[0], hapd, "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    if session_reused() != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    for event, what in (("CTRL-EVENT-EAP-SUCCESS", "EAP success"),
                        ("WPA: Key negotiation completed",
                         "Key handshake with the AP")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(what + " timed out")
    if session_reused() != '1':
        raise Exception("Session resumption not used on the second connection")
5505
def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAPv2 session resumption

    First connection: full TLS handshake (tls_session_reused=0) using a
    DOMAIN\\user style identity and domain_suffix_match on the server
    certificate. A REAUTHENTICATE within the 60 s tls_session_lifetime must
    resume the cached session (tls_session_reused=1). Whether the inner
    MSCHAPv2 exchange is repeated on resumption is not checked here.
    """
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)

    def session_reused():
        return dev[0].get_status_field("tls_session_reused")

    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    if session_reused() != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    for event, what in (("CTRL-EVENT-EAP-SUCCESS", "EAP success"),
                        ("WPA: Key negotiation completed",
                         "Key handshake with the AP")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(what + " timed out")
    if session_reused() != '1':
        raise Exception("Session resumption not used on the second connection")
5530
def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
    """EAP-TTLS/EAP-GTC session resumption

    First connection: full TLS handshake (tls_session_reused=0) with EAP-GTC
    as the tunneled EAP method. A REAUTHENTICATE within the 60 s
    tls_session_lifetime must resume the cached session
    (tls_session_reused=1). Whether the inner EAP-GTC exchange is repeated
    on resumption is not checked here.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)

    def session_reused():
        return dev[0].get_status_field("tls_session_reused")

    eap_connect(dev[0], hapd, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    if session_reused() != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    for event, what in (("CTRL-EVENT-EAP-SUCCESS", "EAP success"),
                        ("WPA: Key negotiation completed",
                         "Key handshake with the AP")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(what + " timed out")
    if session_reused() != '1':
        raise Exception("Session resumption not used on the second connection")
5552
def test_eap_ttls_no_session_resumption(dev, apdev):
    """EAP-TTLS session resumption disabled on server

    With tls_session_lifetime=0 hostapd must not cache TLS sessions, so both
    the first connection and the REAUTHENTICATE that follows must be full
    handshakes (tls_session_reused=0 each time). No capability check is
    needed since nothing is expected to be resumed.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '0'
    hapd = hostapd.add_ap(apdev[0], params)

    def session_reused():
        return dev[0].get_status_field("tls_session_reused")

    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")
    if session_reused() != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    for event, what in (("CTRL-EVENT-EAP-SUCCESS", "EAP success"),
                        ("WPA: Key negotiation completed",
                         "Key handshake with the AP")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(what + " timed out")
    if session_reused() != '0':
        raise Exception("Unexpected session resumption on the second connection")
5574
def test_eap_peap_session_resumption(dev, apdev):
    """EAP-PEAP session resumption

    First connection: full TLS handshake (tls_session_reused=0) with
    MSCHAPv2 as the inner method. A REAUTHENTICATE within the 60 s
    tls_session_lifetime must resume the cached session
    (tls_session_reused=1). Whether the inner MSCHAPv2 exchange is repeated
    on resumption is not checked here.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)

    def session_reused():
        return dev[0].get_status_field("tls_session_reused")

    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if session_reused() != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    for event, what in (("CTRL-EVENT-EAP-SUCCESS", "EAP success"),
                        ("WPA: Key negotiation completed",
                         "Key handshake with the AP")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(what + " timed out")
    if session_reused() != '1':
        raise Exception("Session resumption not used on the second connection")
5597
def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
    """EAP-PEAP session resumption with crypto binding

    Like test_eap_peap_session_resumption() but with PEAPv0 and
    crypto_binding=2 (cryptobinding required) in phase1, so a resumed
    session must still be able to produce the cryptobinding TLV. First
    connection: tls_session_reused=0; after REAUTHENTICATE within the 60 s
    tls_session_lifetime: tls_session_reused=1.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)

    def session_reused():
        return dev[0].get_status_field("tls_session_reused")

    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                phase1="peapver=0 crypto_binding=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if session_reused() != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    for event, what in (("CTRL-EVENT-EAP-SUCCESS", "EAP success"),
                        ("WPA: Key negotiation completed",
                         "Key handshake with the AP")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(what + " timed out")
    if session_reused() != '1':
        raise Exception("Session resumption not used on the second connection")
5620
def test_eap_peap_no_session_resumption(dev, apdev):
    """EAP-PEAP session resumption disabled on server

    Uses the default internal EAP server parameters, i.e. without setting
    tls_session_lifetime, and expects both the first connection and the
    REAUTHENTICATE after it to be full handshakes (tls_session_reused=0).
    """
    hapd = hostapd.add_ap(apdev[0], int_eap_server_params())

    def session_reused():
        return dev[0].get_status_field("tls_session_reused")

    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if session_reused() != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    for event, what in (("CTRL-EVENT-EAP-SUCCESS", "EAP success"),
                        ("WPA: Key negotiation completed",
                         "Key handshake with the AP")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(what + " timed out")
    if session_reused() != '0':
        raise Exception("Unexpected session resumption on the second connection")
5640
def test_eap_tls_session_resumption(dev, apdev):
    """EAP-TLS session resumption

    First connection: full handshake with the client certificate
    (tls_session_reused=0). Two consecutive REAUTHENTICATEs within the 60 s
    tls_session_lifetime must both resume the cached session
    (tls_session_reused=1), i.e. a resumed session must itself be resumable.
    Note that on a resumed session the client certificate is not presented
    again; the server relies on its cached session state.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)

    def session_reused():
        return dev[0].get_status_field("tls_session_reused")

    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if session_reused() != '0':
        raise Exception("Unexpected session resumption on the first connection")

    for ordinal in ("second", "third"):
        dev[0].request("REAUTHENTICATE")
        for event, what in (("CTRL-EVENT-EAP-SUCCESS", "EAP success"),
                            ("WPA: Key negotiation completed",
                             "Key handshake with the AP")):
            if dev[0].wait_event([event], timeout=10) is None:
                raise Exception(what + " timed out")
        if session_reused() != '1':
            raise Exception("Session resumption not used on the %s connection" % ordinal)
5672
def test_eap_tls_session_resumption_expiration(dev, apdev):
    """EAP-TLS session resumption"""
    params = int_eap_server_params()
    # Shortest cache lifetime so the entry created by the first connection
    # has expired by the time the reauthentication happens.
    params['tls_session_lifetime'] = '1'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    def reauthenticate():
        # Run one REAUTHENTICATE cycle and report the tls_session_reused value.
        dev[0].request("REAUTHENTICATE")
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if dev[0].wait_event(["WPA: Key negotiation completed"],
                             timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")
        return dev[0].get_status_field("tls_session_reused")

    # Allow multiple attempts since OpenSSL may not expire the cached entry
    # immediately.
    reused = None
    for _ in range(10):
        time.sleep(1.2)
        reused = reauthenticate()
        if reused == '0':
            break
    if reused != '0':
        raise Exception("Session resumption used after lifetime expiration")
5701
def test_eap_tls_no_session_resumption(dev, apdev):
    """EAP-TLS session resumption disabled on server"""
    # No tls_session_lifetime configured: the server must not cache sessions.
    hapd = hostapd.add_ap(apdev[0], int_eap_server_params())
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")

    def expect_full_handshake(ordinal):
        if dev[0].get_status_field("tls_session_reused") != '0':
            raise Exception("Unexpected session resumption on the %s connection" % ordinal)

    expect_full_handshake("first")

    dev[0].request("REAUTHENTICATE")
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    expect_full_handshake("second")
5721
def test_eap_tls_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption (RADIUS)"""
    # apdev[1] is configured as the RADIUS/EAP server (radius_server_*
    # parameters) with the TLS session cache enabled; apdev[0] is the AP
    # that talks to it on auth_server_port.
    as_params = {"ssid": "as", "beacon_int": "2000",
                 "radius_server_clients": "auth_serv/radius_clients.conf",
                 "radius_server_auth_port": '18128',
                 "eap_server": "1",
                 "eap_user_file": "auth_serv/eap_user.conf",
                 "ca_cert": "auth_serv/ca.pem",
                 "server_cert": "auth_serv/server.pem",
                 "private_key": "auth_serv/server.key",
                 "tls_session_lifetime": "60"}
    authsrv = hostapd.add_ap(apdev[1], as_params)
    check_tls_session_resumption_capa(dev[0], authsrv)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Reauthenticate through the same RADIUS server; the cached session
    # must be picked up this time.
    dev[0].request("REAUTHENTICATE")
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
5754
def test_eap_tls_no_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption disabled (RADIUS)"""
    # Same RADIUS/EAP server setup as the resumption variant, but with
    # tls_session_lifetime explicitly "0" (no session cache).
    as_params = {"ssid": "as", "beacon_int": "2000",
                 "radius_server_clients": "auth_serv/radius_clients.conf",
                 "radius_server_auth_port": '18128',
                 "eap_server": "1",
                 "eap_user_file": "auth_serv/eap_user.conf",
                 "ca_cert": "auth_serv/ca.pem",
                 "server_cert": "auth_serv/server.pem",
                 "private_key": "auth_serv/server.key",
                 "tls_session_lifetime": "0"}
    hostapd.add_ap(apdev[1], as_params)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")

    def expect_full_handshake(ordinal):
        if dev[0].get_status_field("tls_session_reused") != '0':
            raise Exception("Unexpected session resumption on the %s connection" % ordinal)

    expect_full_handshake("first")

    dev[0].request("REAUTHENTICATE")
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    expect_full_handshake("second")
5786
def test_eap_mschapv2_errors(dev, apdev):
    """EAP-MSCHAPv2 error cases"""
    check_eap_capa(dev[0], "MSCHAPV2")
    check_eap_capa(dev[0], "FAST")

    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa-eap"))
    # Plain successful connection first, before any fault injection.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                   identity="phase1-user", password="password",
                   scan_freq="2412")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    def run_case(inject, trigger, count, func, net):
        # inject is fail_test or alloc_fail; trigger is the matching
        # GET_FAIL / GET_ALLOC_FAIL command that wait_fail_trigger polls.
        # The network is removed while the injection is still active, as in
        # the original sequence.
        with inject(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP",
                           wait_connect=False, scan_freq="2412", **net)
            wait_fail_trigger(dev[0], trigger)
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    pw_net = dict(eap="MSCHAPV2", identity="phase1-user", password="password")
    hash_net = dict(eap="MSCHAPV2", identity="phase1-user",
                    password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c")
    wrong_pw_net = dict(eap="MSCHAPV2", identity="phase1-user",
                        password="wrong password")
    fast_net = dict(eap="FAST", anonymous_identity="FAST", identity="user",
                    password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1",
                    pac_file="blob://fast_pac")

    # Forced failures in the response derivation, plaintext password
    for func in ["hash_nt_password_hash;mschapv2_derive_response",
                 "nt_password_hash;mschapv2_derive_response",
                 "nt_password_hash;=mschapv2_derive_response",
                 "generate_nt_response;mschapv2_derive_response",
                 "generate_authenticator_response;mschapv2_derive_response",
                 "nt_password_hash;=mschapv2_derive_response",
                 "get_master_key;mschapv2_derive_response",
                 "os_get_random;eap_mschapv2_challenge_reply"]:
        run_case(fail_test, "GET_FAIL", 1, func, pw_net)

    # Same, with the password supplied in password_hex "hash:" form so the
    # *_pwhash variants are exercised
    for func in ["hash_nt_password_hash;mschapv2_derive_response",
                 "hash_nt_password_hash;=mschapv2_derive_response",
                 "generate_nt_response_pwhash;mschapv2_derive_response",
                 "generate_authenticator_response_pwhash;mschapv2_derive_response"]:
        run_case(fail_test, "GET_FAIL", 1, func, hash_net)

    # alloc_fail injections along the normal exchange
    for func in ["eap_mschapv2_init",
                 "eap_msg_alloc;eap_mschapv2_challenge_reply",
                 "eap_msg_alloc;eap_mschapv2_success",
                 "eap_mschapv2_getKey"]:
        run_case(alloc_fail, "GET_ALLOC_FAIL", 1, func, pw_net)

    # alloc_fail while building the failure response (wrong password path)
    run_case(alloc_fail, "GET_ALLOC_FAIL", 1,
             "eap_msg_alloc;eap_mschapv2_failure", wrong_pw_net)

    # Later eap_mschapv2_init allocations, reached with MSCHAPv2 as the
    # EAP-FAST inner method
    for count in (2, 3):
        run_case(alloc_fail, "GET_ALLOC_FAIL", count, "eap_mschapv2_init",
                 fast_net)
5868
def test_eap_gpsk_errors(dev, apdev):
    """EAP-GPSK error cases"""
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa-eap"))
    gpsk_psk = "abcdefghijklmnop0123456789abcdef"
    # Baseline connection without any injected failure
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                   identity="gpsk user", password=gpsk_psk, scan_freq="2412")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    def drop_network():
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Forced function failures. phase1 selects the GPSK cipher suite where
    # the failure point is cipher specific (None = default).
    fail_cases = [(1, "os_get_random;eap_gpsk_send_gpsk_2", None),
                  (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
                   "cipher=1"),
                  (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
                   "cipher=2"),
                  (1, "eap_gpsk_derive_keys_helper", None),
                  (2, "eap_gpsk_derive_keys_helper", None),
                  (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
                   "cipher=1"),
                  (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
                   "cipher=2"),
                  (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
                  (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
                  (1, "eap_gpsk_derive_mid_helper", None)]
    for count, func, phase1 in fail_cases:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                           identity="gpsk user", password=gpsk_psk,
                           phase1=phase1, wait_connect=False,
                           scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_FAIL")
            drop_network()

    # Allocation failures. ERP_FLUSH plus erp="1" with a realm in the
    # identity are presumably there so that the EMSK/session-id paths listed
    # at the end are reached.
    alloc_cases = [(1, "eap_gpsk_init"),
                   (2, "eap_gpsk_init"),
                   (3, "eap_gpsk_init"),
                   (1, "eap_gpsk_process_id_server"),
                   (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
                   (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
                   (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
                   (1, "eap_gpsk_derive_keys"),
                   (1, "eap_gpsk_derive_keys_helper"),
                   (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
                   (1, "eap_gpsk_getKey"),
                   (1, "eap_gpsk_get_emsk"),
                   (1, "eap_gpsk_get_session_id")]
    for count, func in alloc_cases:
        with alloc_fail(dev[0], count, func):
            dev[0].request("ERP_FLUSH")
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                           identity="gpsk user@domain", erp="1",
                           password=gpsk_psk,
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            drop_network()
5928
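def test_ap_wpa2_eap_sim_db(dev, apdev, params):
    """EAP-SIM DB error cases"""
    sockpath = '/tmp/hlr_auc_gw.sock-test'
    # Remove a stale socket left by an earlier run; a missing file is fine,
    # anything else (e.g. permissions) should surface rather than be hidden.
    try:
        os.remove(sockpath)
    except OSError:
        pass
    hparams = int_eap_server_params()
    hparams['eap_sim_db'] = 'unix:' + sockpath
    hapd = hostapd.add_ap(apdev[0], hparams)

    # Initial test with hlr_auc_gw socket not available
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                            eap="SIM", identity="1232010000000000",
                            password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                            scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["EAP-ERROR-CODE"], timeout=10)
    if ev is None:
        raise Exception("EAP method specific error code not reported")
    # The method specific error code is the second whitespace separated
    # field of the event; 16384 is the value expected for this case.
    if int(ev.split()[1]) != 16384:
        raise Exception("Unexpected EAP method specific error code: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    # Test with invalid responses and response timeout

    class test_handler(SocketServer.DatagramRequestHandler):
        def handle(self):
            data = self.request[0].strip()
            sock = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            # Three malformed replies; the comments name the server-side
            # log line each one is expected to provoke.
            # EAP-SIM DB: Failed to parse response string
            sock.sendto("FOO", self.client_address)
            # EAP-SIM DB: Failed to parse response string
            sock.sendto("FOO 1", self.client_address)
            # EAP-SIM DB: Unknown external response
            sock.sendto("FOO 1 2", self.client_address)
            logger.info("No proper response - wait for pending eap_sim_db request timeout")

    # Test with a valid response

    class test_handler2(SocketServer.DatagramRequestHandler):
        def handle(self):
            data = self.request[0].strip()
            sock = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            fname = os.path.join(params['logdir'],
                                 'hlr_auc_gw.milenage_db')
            # The request text is handed to hlr_auc_gw as a single argv
            # element (no shell involved). communicate() both reads the
            # output and reaps the child, so no zombie process is left.
            cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
                                    '-m', fname, data],
                                   stdout=subprocess.PIPE)
            res = cmd.communicate()[0].strip()
            logger.debug("hlr_auc_gw response: " + res)
            sock.sendto(res, self.client_address)

    server = SocketServer.UnixDatagramServer(sockpath, test_handler)
    server.timeout = 1
    try:
        dev[0].select_network(net_id)
        server.handle_request()
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        if ev is None:
            raise Exception("EAP-Failure not reported")
        dev[0].wait_disconnected()
        dev[0].request("DISCONNECT")

        # Swap in the well-behaved handler for the next request.
        server.RequestHandlerClass = test_handler2

        dev[0].select_network(net_id)
        server.handle_request()
        dev[0].wait_connected()
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
    finally:
        # Release the listening socket even when an assertion above fails.
        server.server_close()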
6006
def test_eap_tls_sha512(dev, apdev, params):
    """EAP-TLS with SHA512 signature"""
    # Server chain signed with SHA512 (local name avoids shadowing the
    # params argument).
    hparams = int_eap_server_params()
    hparams["ca_cert"] = "auth_serv/sha512-ca.pem"
    hparams["server_cert"] = "auth_serv/sha512-server.pem"
    hparams["private_key"] = "auth_serv/sha512-server.key"
    hostapd.add_ap(apdev[0], hparams)

    # Two stations against the same AP: dev[0] with the sha512 user
    # certificate and dev[1] with the sha384 one.
    for sta, variant in ((dev[0], "sha512"), (dev[1], "sha384")):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user sha512",
                    ca_cert="auth_serv/sha512-ca.pem",
                    client_cert="auth_serv/%s-user.pem" % variant,
                    private_key="auth_serv/%s-user.key" % variant,
                    scan_freq="2412")
6027
def test_eap_tls_sha384(dev, apdev, params):
    """EAP-TLS with SHA384 signature"""
    # Server certificate signed with SHA384 under the sha512 CA (local name
    # avoids shadowing the params argument).
    hparams = int_eap_server_params()
    hparams["ca_cert"] = "auth_serv/sha512-ca.pem"
    hparams["server_cert"] = "auth_serv/sha384-server.pem"
    hparams["private_key"] = "auth_serv/sha384-server.key"
    hostapd.add_ap(apdev[0], hparams)

    # dev[0] uses the sha512 user certificate, dev[1] the sha384 one.
    for sta, variant in ((dev[0], "sha512"), (dev[1], "sha384")):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user sha512",
                    ca_cert="auth_serv/sha512-ca.pem",
                    client_cert="auth_serv/%s-user.pem" % variant,
                    private_key="auth_serv/%s-user.key" % variant,
                    scan_freq="2412")
6048
def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
    """WPA2-Enterprise AP and association request RSN IE differences"""
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # Second AP with management frame protection required (ieee80211w=2).
    pmf_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
    pmf_params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[1], pmf_params)

    gpsk = dict(key_mgmt="WPA-EAP", eap="GPSK", identity="gpsk user",
                password="abcdefghijklmnop0123456789abcdef",
                scan_freq="2412")

    def try_ie(title, ssid, ie, expect_status=None, **extra):
        # Override the RSN IE sent in the association request, then either
        # expect a successful connection (expect_status None) or an
        # association rejection carrying the given status code.
        logger.info(title)
        set_test_assoc_ie(dev[0], ie)
        net = dict(gpsk, **extra)
        if expect_status is None:
            dev[0].connect(ssid, **net)
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
            return
        dev[0].connect(ssid, wait_connect=False, **net)
        ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
        if ev is None:
            raise Exception("Association rejection not reported")
        if "status_code=" + str(expect_status) not in ev:
            raise Exception("Unexpected status code: " + ev)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].dump_monitor()

    # Success cases with optional RSN IE fields removed one by one
    for title, ie in [("Normal wpa_supplicant assoc req RSN IE",
                       "30140100000fac040100000fac040100000fac010000"),
                      ("Extra PMKIDCount field in RSN IE",
                       "30160100000fac040100000fac040100000fac0100000000"),
                      ("Extra Group Management Cipher Suite in RSN IE",
                       "301a0100000fac040100000fac040100000fac0100000000000fac06"),
                      ("Extra undefined extension field in RSN IE",
                       "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
                      ("RSN IE without RSN Capabilities",
                       "30120100000fac040100000fac040100000fac01"),
                      ("RSN IE without AKM", "300c0100000fac040100000fac04"),
                      ("RSN IE without pairwise", "30060100000fac04"),
                      ("RSN IE without group", "30020100")]:
        try_ie(title, "test-wpa2-eap", ie)

    # Success cases against the PMF-required AP (RSN capabilities with the
    # MFP bits set)
    for title, ie in [("Normal wpa_supplicant assoc req RSN IE",
                       "30140100000fac040100000fac040100000fac01cc00"),
                      ("Group management cipher included in assoc req RSN IE",
                       "301a0100000fac040100000fac040100000fac01cc000000000fac06")]:
        try_ie(title, "test-wpa2-eap-11w", ie, ieee80211w="1")

    # Rejection cases: the AP must refuse ciphers it does not offer
    for title, ie, status in [("Invalid group cipher",
                               "30060100000fac02", 41),
                              ("Invalid pairwise cipher",
                               "300c0100000fac040100000fac02", 42)]:
        try_ie(title, "test-wpa2-eap", ie, expect_status=status)

    # Rejection cases on the PMF-required AP: a client that does not
    # signal MFP capability, or asks for an unsupported management group
    # cipher, must not be allowed to associate
    for title, ie, status in [("Management frame protection not enabled",
                               "30140100000fac040100000fac040100000fac010000", 31),
                              ("Unsupported management group cipher",
                               "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 46)]:
        try_ie(title, "test-wpa2-eap-11w", ie, expect_status=status,
               ieee80211w="1")
6131
def test_eap_tls_ext_cert_check(dev, apdev):
    """EAP-TLS and external server certification validation"""
    # With internal server certificate chain validation (ca_cert set) on top
    # of the external check requested through phase1.
    net = dict(key_mgmt="WPA-EAP", eap="TLS", identity="tls user",
               ca_cert="auth_serv/ca.pem",
               client_cert="auth_serv/user.pem",
               private_key="auth_serv/user.key",
               phase1="tls_ext_cert_check=1", scan_freq="2412",
               only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **net)
    run_ext_cert_check(dev, apdev, net_id)
6143
def test_eap_ttls_ext_cert_check(dev, apdev):
    """EAP-TTLS and external server certification validation"""
    # Without internal server certificate chain validation: no ca_cert, so
    # the external check is the only thing validating the server here.
    net = dict(key_mgmt="WPA-EAP", eap="TTLS",
               identity="pap user", anonymous_identity="ttls",
               password="password", phase2="auth=PAP",
               phase1="tls_ext_cert_check=1", scan_freq="2412",
               only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **net)
    run_ext_cert_check(dev, apdev, net_id)
6153
def test_eap_peap_ext_cert_check(dev, apdev):
    """EAP-PEAP and external server certification validation"""
    # With internal server certificate chain validation (ca_cert set).
    net = dict(key_mgmt="WPA-EAP", eap="PEAP",
               identity="user", anonymous_identity="peap",
               ca_cert="auth_serv/ca.pem",
               password="password", phase2="auth=MSCHAPV2",
               phase1="tls_ext_cert_check=1", scan_freq="2412",
               only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **net)
    run_ext_cert_check(dev, apdev, net_id)
6164
def test_eap_fast_ext_cert_check(dev, apdev):
    """EAP-FAST and external server certification validation"""
    check_eap_capa(dev[0], "FAST")
    # With internal server certificate chain validation (ca_cert set).
    # Start from an empty PAC blob so provisioning happens in this run.
    dev[0].request("SET blob fast_pac_auth_ext ")
    net = dict(key_mgmt="WPA-EAP", eap="FAST",
               identity="user", anonymous_identity="FAST",
               ca_cert="auth_serv/ca.pem",
               password="password", phase2="auth=GTC",
               phase1="tls_ext_cert_check=1 fast_provisioning=2",
               pac_file="blob://fast_pac_auth_ext",
               scan_freq="2412",
               only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **net)
    run_ext_cert_check(dev, apdev, net_id)
6179
def run_ext_cert_check(dev, apdev, net_id):
    # Drive a network that was added with phase1="tls_ext_cert_check=1":
    # collect the server certificate chain from CTRL-EVENT-EAP-PEER-CERT
    # events, answer the CTRL-REQ-EXT_CERT_CHECK request first with "good"
    # and then, after a reconnect, with "bad", and verify that the EAP
    # outcome follows the external verdict in both cases.
    check_ext_cert_check_support(dev[0])
    if not openssl_imported:
        raise HwsimSkip("OpenSSL python method not available")

    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def peer_cert_fields(ev):
        # (depth, cert_hex) from a peer-cert event; None for a missing field.
        depth = cert = None
        for tok in ev.split(' '):
            key, sep, val = tok.partition('=')
            if sep and key == "depth":
                depth = int(val)
            elif sep and key == "cert":
                cert = val
        return depth, cert

    def req_id(ev):
        # The request id is the last '-'-separated token before the ':'.
        return ev.split(':')[0].split('-')[-1]

    dev[0].select_network(net_id)
    certs = {}
    while True:
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
                                "CTRL-REQ-EXT_CERT_CHECK",
                                "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("No peer server certificate event seen")
        if "CTRL-EVENT-EAP-PEER-CERT" in ev:
            depth, cert = peer_cert_fields(ev)
            if depth is not None and cert:
                certs[depth] = binascii.unhexlify(cert)
        elif "CTRL-EVENT-EAP-SUCCESS" in ev:
            # Success must not be reported before the external verdict.
            raise Exception("Unexpected EAP-Success")
        elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
            check_id = req_id(ev)
            break
    for depth, what in ((0, "Server certificate"),
                        (1, "Server certificate issuer")):
        if depth not in certs:
            raise Exception(what + " not received")

    def subject_cn(der):
        x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
                                               der)
        return x509.get_subject().commonName

    cn = subject_cn(certs[0])
    logger.info("Server certificate CN=" + cn)

    icn = subject_cn(certs[1])
    logger.info("Issuer certificate CN=" + icn)

    if cn != "server.w1.fi":
        raise Exception("Unexpected server certificate CN: " + cn)
    if icn != "Root CA":
        raise Exception("Unexpected server certificate issuer CN: " + icn)

    # Still no EAP-Success allowed while the verdict is outstanding.
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1):
        raise Exception("Unexpected EAP-Success before external check result indication")

    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + check_id + ":good")
    dev[0].wait_connected()

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Flush the PMKSA cache and any EAP-FAST PAC so the reconnect has to go
    # through a full EAP exchange and triggers the external check again.
    if "FAIL" in dev[0].request("PMKSA_FLUSH"):
        raise Exception("PMKSA_FLUSH failed")
    dev[0].request("SET blob fast_pac_auth_ext ")
    dev[0].request("RECONNECT")

    ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen (2)")
    # A "bad" verdict from the external checker must fail authentication.
    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + req_id(ev) + ":bad")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5) is None:
        raise Exception("EAP-Failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
6256
def test_eap_tls_errors(dev, apdev):
    """EAP-TLS error cases"""
    params = int_eap_server_params()
    # Small fragment size so that the peer has to reassemble fragments.
    params['fragment_size'] = '100'
    hostapd.add_ap(apdev[0], params)

    tls_user = dict(eap="TLS", identity="tls user", ca_cert="auth_serv/ca.pem",
                    client_cert="auth_serv/user.pem",
                    private_key="auth_serv/user.key")
    unauth = dict(eap="UNAUTH-TLS", identity="unauth-tls",
                  ca_cert="auth_serv/ca.pem")
    wfa_unauth = dict(eap="WFA-UNAUTH-TLS", identity="osen@example.com",
                      ca_cert="auth_serv/ca.pem")

    def start_under_alloc_fail(net):
        # Start the connection with the allocation failure armed and block
        # until the failure point has actually been hit.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       wait_connect=False, scan_freq="2412", **net)
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")

    def drop_network():
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    for func in ["eap_peer_tls_reassemble_fragment", "eap_tls_init"]:
        with alloc_fail(dev[0], 1, func):
            start_under_alloc_fail(tls_user)
            drop_network()

    # With engine="1" the failure in eap_peer_tls_ssl_init is followed by a
    # PIN request that the test expects to see before tearing down.
    with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init"):
        start_under_alloc_fail(dict(tls_user, engine="1"))
        if dev[0].wait_event(["CTRL-REQ-PIN"], timeout=5) is None:
            raise Exception("No CTRL-REQ-PIN seen")
        drop_network()

    # Key/session-id derivation after a successful TLS handshake; erp="1"
    # with a realm in the identity so the EMSK/session-id paths are used.
    erp_user = dict(tls_user, identity="tls user@domain", erp="1")
    for func in ["eap_peer_tls_derive_key;eap_tls_success",
                 "eap_peer_tls_derive_session_id;eap_tls_success",
                 "eap_tls_getKey",
                 "eap_tls_get_emsk",
                 "eap_tls_get_session_id"]:
        with alloc_fail(dev[0], 1, func):
            start_under_alloc_fail(erp_user)
            drop_network()

    # Same init-time failures for the UNAUTH-TLS and WFA-UNAUTH-TLS variants
    for func, net in [("eap_unauth_tls_init", unauth),
                      ("eap_peer_tls_ssl_init;eap_unauth_tls_init", unauth),
                      ("eap_wfa_unauth_tls_init", wfa_unauth),
                      ("eap_peer_tls_ssl_init;eap_wfa_unauth_tls_init",
                       wfa_unauth)]:
        with alloc_fail(dev[0], 1, func):
            start_under_alloc_fail(net)
            drop_network()
6348
def test_ap_wpa2_eap_status(dev, apdev):
    """EAP state machine status information"""
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # PEAP with inner EAP-TLS so that several method transitions are visible
    # while the exchange is in progress.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="cert user",
                   ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                   ca_cert2="auth_serv/ca.pem",
                   client_cert2="auth_serv/user.pem",
                   private_key2="auth_serv/user.key",
                   scan_freq="2412", wait_connect=False)

    def remember(bucket, val):
        # Keep the first occurrence of each distinct value, in order seen.
        if val not in bucket:
            bucket.append(val)

    states = []
    # Other STATUS-VERBOSE fields sampled next to 'EAP state': the status
    # field name, the label used when logging it, and the values seen.
    tracked = [('methodState', 'methodStates', []),
               ('decision', 'decisions', []),
               ('reqMethod', 'reqMethods', []),
               ('selectedMethod', 'selectedMethods', [])]
    success = False
    # Poll as fast as possible while EAP runs so that short-lived
    # intermediate states have a chance of being observed.
    for i in range(100000):
        s = dev[0].get_status(extra="VERBOSE")
        state = s['EAP state'] if 'EAP state' in s else None
        if state:
            remember(states, state)
            if state == "SUCCESS":
                success = True
                break
        for field, _, bucket in tracked:
            if field in s:
                remember(bucket, s[field])
    logger.info("Iterations: %d" % i)
    logger.info("EAP states: " + str(states))
    for _, label, bucket in tracked:
        logger.info(label + ": " + str(bucket))
    if not success:
        raise Exception("EAP did not succeed")
    dev[0].wait_connected()
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
6403
def test_ap_wpa2_eap_gpsk_ptk_rekey_ap(dev, apdev):
    """WPA2-Enterprise with EAP-GPSK and PTK rekey enforced by AP"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Short AP-side PTK rekey interval so the rekey happens during the test.
    params['wpa_ptk_rekey'] = '2'
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "GPSK", "gpsk user",
                password="abcdefghijklmnop0123456789abcdef")
    # eap_connect already completed the initial handshake; this wait is for
    # the rekey 4-way handshake triggered by the AP.
    if dev[0].wait_event(["WPA: Key negotiation completed"]) is None:
        raise Exception("PTK rekey timed out")
    # Data must still flow with the new PTK.
    hwsim_utils.test_connectivity(dev[0], hapd)
6415
def test_ap_wpa2_eap_wildcard_ssid(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK and wildcard SSID"""
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # No ssid is given to connect(); the network is pinned by BSSID only.
    gpsk = dict(key_mgmt="WPA-EAP", eap="GPSK", identity="gpsk user",
                password="abcdefghijklmnop0123456789abcdef",
                scan_freq="2412")
    dev[0].connect(bssid=apdev[0]['bssid'], **gpsk)
6424
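def test_ap_wpa2_eap_psk_mac_addr_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK after MAC address change"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # Locate the wpa_supplicant process owning dev[0] so that it can be
    # paused while the interface is reconfigured below.
    pid = _find_wpa_supplicant_pid(dev[0].ifname)
    if pid == 0:
        logger.info("Could not find wpa_supplicant PID")
    else:
        logger.info("wpa_supplicant PID %d" % pid)

    addr = dev[0].get_status_field("address")
    _set_mac_address(dev[0].ifname, '02:11:22:33:44:55')
    addr1 = dev[0].get_status_field("address")
    if addr1 != '02:11:22:33:44:55':
        raise Exception("Failed to change MAC address")

    # Scan using the externally set MAC address, stop the wpa_supplicant
    # process to avoid it from processing the ifdown event before the interface
    # is already UP, change the MAC address back, allow the wpa_supplicant
    # process to continue. This will result in the ifdown + ifup sequence of
    # RTM_NEWLINK events to be processed while the interface is already UP.
    try:
        dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
        # os.kill(0, ...) would signal the whole process group (including the
        # test runner itself), so only signal a PID that was actually found.
        if pid:
            os.kill(pid, signal.SIGSTOP)
        time.sleep(0.1)
    finally:
        # Always restore the original address, then let wpa_supplicant run.
        _set_mac_address(dev[0].ifname, addr)
        time.sleep(0.1)
        if pid:
            os.kill(pid, signal.SIGCONT)

    eap_connect(dev[0], hapd, "PSK", "psk.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")

    addr2 = dev[0].get_status_field("address")
    if addr != addr2:
        raise Exception("Failed to restore MAC address")

def _find_wpa_supplicant_pid(ifname):
    """Return the PID of the last 'ps' entry mentioning both wpa_supplicant and ifname, or 0.

    universal_newlines=True yields str output on both Python 2 and 3, and
    communicate() drains the pipe and reaps the child so no zombie is left.
    """
    cmd = subprocess.Popen(['ps', '-eo', 'pid,command'],
                           stdout=subprocess.PIPE, universal_newlines=True)
    out, _ = cmd.communicate()
    pid = 0
    for line in out.splitlines():
        if "wpa_supplicant" not in line or ifname not in line:
            continue
        # 'ps -eo pid,command' prints the PID as the first column.
        pid = int(line.split()[0])
    return pid

def _set_mac_address(ifname, addr):
    """Bring ifname down, set its MAC address to addr and bring it back up."""
    subprocess.call(['ip', 'link', 'set', 'dev', ifname, 'down'])
    subprocess.call(['ip', 'link', 'set', 'dev', ifname, 'address', addr])
    subprocess.call(['ip', 'link', 'set', 'dev', ifname, 'up'])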
6477
def test_ap_wpa2_eap_server_get_id(dev, apdev):
    """Internal EAP server and dot1xAuthSessionUserName"""
    hapd = hostapd.add_ap(apdev[0], int_eap_server_params())
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    # The AP's STA entry is expected to report the authenticated EAP identity
    # as dot1xAuthSessionUserName.
    sta_info = hapd.get_sta(dev[0].own_addr())
    if 'dot1xAuthSessionUserName' not in sta_info:
        raise Exception("No dot1xAuthSessionUserName included")
    session_user = sta_info['dot1xAuthSessionUserName']
    if session_user != "tls user":
        raise Exception("Unexpected dot1xAuthSessionUserName value: " +
                        session_user)
6491
def test_ap_wpa2_radius_server_get_id(dev, apdev):
    """External RADIUS server and dot1xAuthSessionUserName"""
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "TTLS", "test-user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # The login identity is "test-user" but "real-user" is expected here;
    # presumably the RADIUS server returns a different User-Name for the
    # session and the AP reports that one -- verify against the hwsim RADIUS
    # server configuration.
    sta_info = hapd.get_sta(dev[0].own_addr())
    if 'dot1xAuthSessionUserName' not in sta_info:
        raise Exception("No dot1xAuthSessionUserName included")
    session_user = sta_info['dot1xAuthSessionUserName']
    if session_user != "real-user":
        raise Exception("Unexpected dot1xAuthSessionUserName value: " +
                        session_user)
6505
def test_openssl_systemwide_policy(dev, apdev, test_params):
    """OpenSSL systemwide policy and overrides"""
    pidfile = os.path.join(test_params['logdir'],
                           "openssl_systemwide_policy" + '.pid-wpas')
    try:
        with HWSimRadio() as (_radio, iface):
            run_openssl_systemwide_policy(iface, apdev, test_params)
    finally:
        # The separately started wpa_supplicant records its PID in pidfile;
        # make sure it does not outlive the test even if the run raised.
        if os.path.exists(pidfile):
            with open(pidfile, 'r') as pf:
                wpas_pid = int(pf.read().strip())
            os.kill(wpas_pid, signal.SIGTERM)
6518
def write_openssl_cnf(cnf, MinProtocol=None, CipherString=None):
    """Write a minimal OpenSSL configuration file to cnf.

    The file routes openssl_conf -> default_conf -> ssl_sect ->
    system_default_sect; MinProtocol and CipherString are emitted into
    that last section only when given (a falsy value omits the line).
    """
    lines = ["openssl_conf = default_conf",
             "[default_conf]",
             "ssl_conf = ssl_sect",
             "[ssl_sect]",
             "system_default = system_default_sect",
             "[system_default_sect]"]
    if MinProtocol:
        lines.append("MinProtocol = %s" % MinProtocol)
    if CipherString:
        lines.append("CipherString = %s" % CipherString)
    with open(cnf, "w") as f:
        f.write("\n".join(lines) + "\n")
6532
def run_openssl_systemwide_policy(iface, apdev, test_params):
    """Exercise the OpenSSL systemwide policy with a separately started wpa_supplicant.

    A private OPENSSL_CONF pinning MinProtocol=TLSv1.2 at SECLEVEL=2 is
    handed to a fresh wpa_supplicant while the AP's internal EAP server has
    TLSv1.1/1.2/1.3 disabled. The first EAP-TTLS attempt is expected to end
    in a local TLS alert; the network is then reconfigured to override the
    policy and must connect. On the success path this function terminates
    the wpa_supplicant it started; failure paths leave that to the caller
    (the pidfile is written next to the other artefacts in logdir).
    """
    logdir = test_params['logdir']
    prefix = "openssl_systemwide_policy"
    logfile = os.path.join(logdir, prefix + '.log-wpas')
    pidfile = os.path.join(logdir, prefix + '.pid-wpas')
    conffile = os.path.join(logdir, prefix + '.conf')
    openssl_cnf = os.path.join(logdir, prefix + '.openssl.cnf')

    write_openssl_cnf(openssl_cnf, "TLSv1.2", "DEFAULT@SECLEVEL=2")

    with open(conffile, 'w') as f:
        f.write("ctrl_interface=DIR=/var/run/wpa_supplicant\n")

    # Leave the AP with TLSv1.0 only, so a client honouring the systemwide
    # MinProtocol=TLSv1.2 policy cannot agree on a protocol version.
    params = int_eap_server_params()
    params['tls_flags'] = "[DISABLE-TLSv1.1][DISABLE-TLSv1.2][DISABLE-TLSv1.3]"
    hostapd.add_ap(apdev[0], params)

    prg = os.path.join(logdir,
                       'alt-wpa_supplicant/wpa_supplicant/wpa_supplicant')
    if not os.path.exists(prg):
        prg = '../../wpa_supplicant/wpa_supplicant'
    cmd = [prg, '-BddtK', '-P', pidfile, '-f', logfile,
           '-Dnl80211', '-c', conffile, '-i', iface]
    logger.info("Start wpa_supplicant: " + str(cmd))
    # The environment is replaced wholesale so the new process sees only
    # this OPENSSL_CONF and no inherited OpenSSL settings.
    subprocess.call(cmd, env={'OPENSSL_CONF': openssl_cnf})
    wpas = WpaSupplicant(ifname=iface)
    if "PONG" not in wpas.request("PING"):
        raise Exception("Could not PING wpa_supplicant")
    if not wpas.request("GET tls_library").startswith("OpenSSL"):
        raise HwsimSkip("Not using OpenSSL")

    # Use default configuration without any TLS version overrides. This should
    # end up using OpenSSL systemwide policy and result in failure to find a
    # compatible protocol version.
    ca_file = os.path.join(os.getcwd(), "auth_serv/ca.pem")
    net_id = wpas.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                          identity="pap user", anonymous_identity="ttls",
                          password="password", phase2="auth=PAP",
                          ca_cert=ca_file,
                          scan_freq="2412", wait_connect=False)
    if wpas.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
        raise Exception("EAP not started")
    alert = wpas.wait_event(["CTRL-EVENT-EAP-STATUS status='local TLS alert'"],
                            timeout=1)
    if alert is None:
        raise HwsimSkip("OpenSSL systemwide policy not supported")
    wpas.request("DISCONNECT")
    wpas.wait_disconnected()
    wpas.dump_monitor()

    # Explicitly allow TLSv1.0 to be used to override OpenSSL systemwide
    # policy: SECLEVEL=1 plus tls_disable_tlsv1_0=0 deliberately lowers the
    # per-network profile so the override path itself is what gets tested.
    wpas.set_network_quoted(net_id, "openssl_ciphers", "DEFAULT@SECLEVEL=1")
    wpas.set_network_quoted(net_id, "phase1", "tls_disable_tlsv1_0=0")
    wpas.select_network(net_id, freq="2412")
    wpas.wait_connected()

    wpas.request("TERMINATE")