1 | #!/usr/bin/python |
2 | # | |
3 | # WPA2-Enterprise tests | |
bce774ad | 4 | # Copyright (c) 2013-2014, Jouni Malinen <j@w1.fi> |
5 | # |
6 | # This software may be distributed under the terms of the BSD license. | |
7 | # See README for more details. | |
8 | ||
9 | import time | |
10 | import subprocess | |
11 | import logging | |
c9aa4308 | 12 | logger = logging.getLogger() |
0d4c5494 | 13 | import os.path |
14 | |
15 | import hwsim_utils | |
16 | import hostapd | |
17 | ||
def eap_connect(dev, ap, method, identity, anonymous_identity=None,
                password=None,
                phase1=None, phase2=None, ca_cert=None,
                domain_suffix_match=None, password_hex=None,
                client_cert=None, private_key=None, sha256=False,
                fragment_size=None, expect_failure=False,
                local_error_report=False,
                ca_cert2=None, client_cert2=None, private_key2=None,
                pac_file=None):
    """Add an EAP network block on dev, authenticate against ap and verify the result.

    The network block always targets SSID "test-wpa2-eap" with
    key_mgmt "WPA-EAP WPA-EAP-SHA256", scans only channel 2412 and sets
    ieee80211w="1" (management frame protection offered, not required).
    The EAP exchange itself is checked with eap_check_auth(); on the
    success path hostapd must additionally report AP-STA-CONNECTED within
    5 seconds, otherwise an Exception is raised.

    With expect_failure=True the function returns right after
    eap_check_auth() has confirmed the failure; the hostapd-side check is
    skipped because no association is expected to survive.

    Returns the network id allocated by dev.connect().
    """
    hapd = hostapd.Hostapd(ap['ifname'])
    net_params = dict(key_mgmt="WPA-EAP WPA-EAP-SHA256",
                      eap=method, identity=identity,
                      anonymous_identity=anonymous_identity,
                      password=password, phase1=phase1, phase2=phase2,
                      ca_cert=ca_cert, domain_suffix_match=domain_suffix_match,
                      wait_connect=False, scan_freq="2412",
                      password_hex=password_hex,
                      client_cert=client_cert, private_key=private_key,
                      ieee80211w="1", fragment_size=fragment_size,
                      ca_cert2=ca_cert2, client_cert2=client_cert2,
                      private_key2=private_key2, pac_file=pac_file)
    net_id = dev.connect("test-wpa2-eap", **net_params)
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report)
    if not expect_failure:
        # The supplicant side already reported success; the AP must agree.
        if hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5) is None:
            raise Exception("No connection event received from hostapd")
    return net_id

def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False):
    """Follow the supplicant control events through one EAP authentication.

    The expected sequence is EAP start, selection of method (the event
    line must mention it), then either:

    * expect_failure=False: EAP success followed by CTRL-EVENT-CONNECTED
      (initial connection) or "WPA: Key negotiation completed"
      (reauthentication while associated). The final STATUS must show
      wpa_state COMPLETED, suppPortStatus Authorized, the selected method
      and a key_mgmt matching the sha256/rsn flags.
    * expect_failure=True: EAP failure followed by disconnection. Unless
      local_error_report is set, the disconnection event must carry
      "reason=23" (the IEEE 802.1X authentication failure reason code),
      i.e. the failure must have been signalled by the authenticator.

    Every deviation raises an Exception; timeouts are 10 seconds except
    for the two failure-path waits, which use wait_event()'s default.
    """
    def expect(events, err, **kwargs):
        ev = dev.wait_event(events, **kwargs)
        if ev is None:
            raise Exception(err)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out",
           timeout=10)
    ev = expect(["CTRL-EVENT-EAP-METHOD"], "EAP method selection timed out",
                timeout=10)
    if method not in ev:
        raise Exception("Unexpected EAP method")

    if expect_failure:
        expect(["CTRL-EVENT-EAP-FAILURE"], "EAP failure timed out")
        ev = expect(["CTRL-EVENT-DISCONNECTED"], "Disconnection timed out")
        if not local_error_report and "reason=23" not in ev:
            raise Exception("Proper reason code for disconnection not reported")
        return

    expect(["CTRL-EVENT-EAP-SUCCESS"], "EAP success timed out", timeout=10)
    link_event = "CTRL-EVENT-CONNECTED" if initial \
        else "WPA: Key negotiation completed"
    expect([link_event], "Association with the AP timed out", timeout=10)

    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")

    if sha256:
        expected_kmgmt = "WPA2-EAP-SHA256"
    elif rsn:
        expected_kmgmt = "WPA2/IEEE 802.1X/EAP"
    else:
        expected_kmgmt = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != expected_kmgmt:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])

def eap_reauth(dev, method, rsn=True, sha256=False):
    """Force an EAP reauthentication on dev and verify it completes with method.

    The station stays associated, so eap_check_auth() is run with
    initial=False and waits for "WPA: Key negotiation completed" rather
    than CTRL-EVENT-CONNECTED; rsn and sha256 select the key_mgmt string
    it expects in the final STATUS.
    """
    dev.request("REAUTHENTICATE")
    eap_check_auth(dev, method, initial=False, rsn=rsn, sha256=sha256)

def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM"""
    # EAP-SIM needs the external HLR/AuC gateway socket; without it the
    # test is skipped rather than reported as a failure.
    if not os.path.exists("/tmp/hlr_auc_gw.sock"):
        logger.info("No hlr_auc_gw available")
        return "skip"
    ap = apdev[0]
    sta = dev[0]
    imsi = "1232010000000000"
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "SIM", imsi,
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "SIM")

    # Same identity with a corrupted key: authentication must fail and the
    # station must be disconnected with the 802.1X failure reason code.
    logger.info("Negative test with incorrect key")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "SIM", imsi,
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                expect_failure=True)

def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA"""
    # EAP-AKA needs the external HLR/AuC gateway socket; skip without it.
    if not os.path.exists("/tmp/hlr_auc_gw.sock"):
        logger.info("No hlr_auc_gw available")
        return "skip"
    ap = apdev[0]
    sta = dev[0]
    imsi = "0232010000000000"
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "AKA", imsi,
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "AKA")

    # Corrupted key: the exchange must end in EAP failure and disconnection.
    logger.info("Negative test with incorrect key")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "AKA", imsi,
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                expect_failure=True)

def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'"""
    # EAP-AKA' needs the external HLR/AuC gateway socket; skip without it.
    if not os.path.exists("/tmp/hlr_auc_gw.sock"):
        logger.info("No hlr_auc_gw available")
        return "skip"
    ap = apdev[0]
    sta = dev[0]
    imsi = "6555444333222111"
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "AKA'", imsi,
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "AKA'")

    # Corrupted key: the exchange must end in EAP failure and disconnection.
    logger.info("Negative test with incorrect key")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "AKA'", imsi,
                password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                expect_failure=True)

def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # PAP sends the password in the clear inside the TTLS tunnel, so the
    # server certificate is pinned to the test CA.
    eap_connect(sta, ap, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "TTLS")

def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # CHAP inner authentication over a TTLS tunnel validated against the test CA.
    eap_connect(sta, ap, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "TTLS")

def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # First pass also enforces the server certificate's domain suffix.
    eap_connect(sta, ap, "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "TTLS")

    # Second pass forces EAP fragmentation with a small fragment size.
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                fragment_size="200")

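def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    # The backslash is written as an escape so the literal value stays
    # "DOMAIN\mschapv2 user" without depending on "\m" being passed through
    # as an invalid escape sequence (a SyntaxWarning on newer Pythons).
    identity = "DOMAIN\\mschapv2 user"
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(ap['ifname'])
    eap_connect(sta, ap, "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])

    # Snapshot the AP-side 802.1X/EAPOL counters for this station, force a
    # reauthentication, and verify the counters prove it really went
    # through the backend instead of being short-circuited.
    addr = sta.p2p_interface_addr()
    sta1 = hapd.get_sta(addr)
    eapol1 = hapd.get_sta(addr, info="eapol")
    eap_reauth(sta, "TTLS")
    sta2 = hapd.get_sta(addr)
    eapol2 = hapd.get_sta(addr, info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    # The NT password hash alone must be enough for MSCHAPv2.
    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    # A wrong password must end in EAP failure and a disconnection.
    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "TTLS", identity,
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
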
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # autheap= selects an inner EAP method (GTC) rather than a legacy
    # TTLS attribute-based method.
    eap_connect(sta, ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "TTLS")

def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-MD5 as the inner method; it is only acceptable because it runs
    # inside the CA-validated TTLS tunnel.
    eap_connect(sta, ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "TTLS")

def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "TTLS")

    # A wrong password must end in EAP failure and a disconnection.
    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "TTLS", "user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)

def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "PEAP")

    # Repeat with forced EAP fragmentation.
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                fragment_size="200")

    # The NT password hash alone must be enough for MSCHAPv2.
    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PEAP", "user",
                anonymous_identity="peap",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    # A wrong password must end in EAP failure and a disconnection.
    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PEAP", "user",
                anonymous_identity="peap", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)

def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # PEAP version 0 with crypto_binding=2, i.e. the inner and outer
    # authentications must be cryptographically bound for the exchange
    # to succeed.
    eap_connect(sta, ap, "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peapver=0 crypto_binding=2",
                phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "PEAP")

def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Outer PEAP tunnel validated with ca_cert; the inner EAP-TLS uses the
    # *2 variants for its own trust root and client credentials.
    eap_connect(sta, ap, "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                ca_cert2="auth_serv/ca.pem",
                client_cert2="auth_serv/user.pem",
                private_key2="auth_serv/user.key")
    eap_reauth(sta, "PEAP")

def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Mutual certificate authentication: the test CA validates the server
    # and the user certificate/key pair authenticates the station.
    eap_connect(sta, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    eap_reauth(sta, "TLS")

c7afc078 JM |
324 | def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev): |
325 | """WPA2-Enterprise negative test - incorrect trust root""" | |
326 | params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") | |
327 | hostapd.add_ap(apdev[0]['ifname'], params) | |
328 | dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS", | |
329 | identity="DOMAIN\mschapv2 user", anonymous_identity="ttls", | |
330 | password="password", phase2="auth=MSCHAPV2", | |
331 | ca_cert="auth_serv/ca-incorrect.pem", | |
c65f23ab | 332 | wait_connect=False, scan_freq="2412") |
c7afc078 JM |
333 | |
334 | ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) | |
335 | if ev is None: | |
336 | raise Exception("Association and EAP start timed out") | |
337 | ||
338 | ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10) | |
339 | if ev is None: | |
340 | raise Exception("EAP method selection timed out") | |
341 | if "TTLS" not in ev: | |
342 | raise Exception("Unexpected EAP method") | |
343 | ||
344 | ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR", | |
345 | "CTRL-EVENT-EAP-SUCCESS", | |
346 | "CTRL-EVENT-EAP-FAILURE", | |
347 | "CTRL-EVENT-CONNECTED", | |
348 | "CTRL-EVENT-DISCONNECTED"], timeout=10) | |
349 | if ev is None: | |
350 | raise Exception("EAP result timed out") | |
351 | if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev: | |
352 | raise Exception("TLS certificate error not reported") | |
353 | ||
354 | ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS", | |
355 | "CTRL-EVENT-EAP-FAILURE", | |
356 | "CTRL-EVENT-CONNECTED", | |
357 | "CTRL-EVENT-DISCONNECTED"], timeout=10) | |
358 | if ev is None: | |
359 | raise Exception("EAP result(2) timed out") | |
360 | if "CTRL-EVENT-EAP-FAILURE" not in ev: | |
361 | raise Exception("EAP failure not reported") | |
362 | ||
363 | ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED", | |
364 | "CTRL-EVENT-DISCONNECTED"], timeout=10) | |
365 | if ev is None: | |
366 | raise Exception("EAP result(3) timed out") | |
367 | if "CTRL-EVENT-DISCONNECTED" not in ev: | |
368 | raise Exception("Disconnection not reported") | |
369 | ||
370 | ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10) | |
371 | if ev is None: | |
372 | raise Exception("Network block disabling not reported") | |
72c052d5 JM |
373 | |
374 | def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev): | |
375 | """WPA2-Enterprise negative test - domain suffix mismatch""" | |
376 | params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") | |
377 | hostapd.add_ap(apdev[0]['ifname'], params) | |
378 | dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS", | |
379 | identity="DOMAIN\mschapv2 user", anonymous_identity="ttls", | |
380 | password="password", phase2="auth=MSCHAPV2", | |
381 | ca_cert="auth_serv/ca.pem", | |
382 | domain_suffix_match="incorrect.example.com", | |
c65f23ab | 383 | wait_connect=False, scan_freq="2412") |
72c052d5 JM |
384 | |
385 | ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) | |
386 | if ev is None: | |
387 | raise Exception("Association and EAP start timed out") | |
388 | ||
389 | ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10) | |
390 | if ev is None: | |
391 | raise Exception("EAP method selection timed out") | |
392 | if "TTLS" not in ev: | |
393 | raise Exception("Unexpected EAP method") | |
394 | ||
395 | ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR", | |
396 | "CTRL-EVENT-EAP-SUCCESS", | |
397 | "CTRL-EVENT-EAP-FAILURE", | |
398 | "CTRL-EVENT-CONNECTED", | |
399 | "CTRL-EVENT-DISCONNECTED"], timeout=10) | |
400 | if ev is None: | |
401 | raise Exception("EAP result timed out") | |
402 | if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev: | |
403 | raise Exception("TLS certificate error not reported") | |
404 | if "Domain suffix mismatch" not in ev: | |
405 | raise Exception("Domain suffix mismatch not reported") | |
406 | ||
407 | ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS", | |
408 | "CTRL-EVENT-EAP-FAILURE", | |
409 | "CTRL-EVENT-CONNECTED", | |
410 | "CTRL-EVENT-DISCONNECTED"], timeout=10) | |
411 | if ev is None: | |
412 | raise Exception("EAP result(2) timed out") | |
413 | if "CTRL-EVENT-EAP-FAILURE" not in ev: | |
414 | raise Exception("EAP failure not reported") | |
415 | ||
416 | ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED", | |
417 | "CTRL-EVENT-DISCONNECTED"], timeout=10) | |
418 | if ev is None: | |
419 | raise Exception("EAP result(3) timed out") | |
420 | if "CTRL-EVENT-DISCONNECTED" not in ev: | |
421 | raise Exception("Disconnection not reported") | |
422 | ||
423 | ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10) | |
424 | if ev is None: | |
425 | raise Exception("Network block disabling not reported") | |
22b99086 JM |
426 | |
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd"""
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "PWD", "pwd user", password="secret password")
    eap_reauth(sta, "PWD")

    # Repeat with a very small fragment size to exercise EAP fragmentation.
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PWD", "pwd user", password="secret password",
                fragment_size="90")

    # local_error_report=True: the mismatch is detected on the supplicant
    # side, so eap_check_auth() does not insist on "reason=23" in the
    # disconnection event.
    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups"""
    # Minimal hostapd configuration using the internal EAP server; only
    # pwd_group changes between iterations.
    base = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
             "rsn_pairwise": "CCMP", "ieee8021x": "1",
             "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    for group in [ 19, 20, 21, 25, 26 ]:
        params = dict(base, pwd_group=str(group))
        hostapd.add_ap(apdev[0]['ifname'], params)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")

def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK"""
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net_id = eap_connect(sta, ap, "GPSK", "gpsk user",
                         password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(sta, "GPSK")

    # Each phase1 change on the live network block is followed by a fresh
    # EAP exchange, which must succeed for both supported cipher suites.
    logger.info("Test forced algorithm selection")
    for cipher in [ "cipher=1", "cipher=2" ]:
        sta.set_network_quoted(net_id, "phase1", cipher)
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if sta.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10) is None:
            raise Exception("Association with the AP timed out")

    # An unknown cipher must not be negotiated down to something else.
    logger.info("Test failed algorithm negotiation")
    sta.set_network_quoted(net_id, "phase1", "cipher=9")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)

def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-SAKE takes its root secret as a raw hex string.
    eap_connect(sta, ap, "SAKE", "sake user",
                password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "SAKE", "sake user",
                password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
                expect_failure=True)

def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE"""
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net_id = eap_connect(sta, ap, "EKE", "eke user", password="hello")
    eap_reauth(sta, "EKE")

    # Pin the DH group / encryption / PRF / MAC combination via phase1 and
    # require a successful EAP exchange and connection for each one.
    logger.info("Test forced algorithm selection")
    proposals = [ "dhgroup=5 encr=1 prf=2 mac=2",
                  "dhgroup=4 encr=1 prf=2 mac=2",
                  "dhgroup=3 encr=1 prf=2 mac=2",
                  "dhgroup=3 encr=1 prf=1 mac=1" ]
    for proposal in proposals:
        sta.set_network_quoted(net_id, "phase1", proposal)
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if sta.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10) is None:
            raise Exception("Association with the AP timed out")

    # Nothing the server offers matches; the exchange must fail outright.
    logger.info("Test failed algorithm negotiation")
    sta.set_network_quoted(net_id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "EKE", "eke user", password="hello1",
                expect_failure=True)

def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(sta, "IKEV2")

    # Repeat with EAP fragmentation forced on.
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", "ikev2 user",
                password="ike password", fragment_size="250")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", "ikev2 user",
                password="ike-password", expect_failure=True)

def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-PAX takes its shared key as a raw hex string.
    eap_connect(sta, ap, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "PAX")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PAX", "pax.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)

def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    ap = apdev[0]
    sta = dev[0]
    # This AP only accepts the SHA256-based AKM and requires management
    # frame protection (ieee80211w=2); the supplicant side is told to
    # expect the WPA2-EAP-SHA256 key_mgmt in STATUS.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params.update({ "wpa_key_mgmt": "WPA-EAP-SHA256", "ieee80211w": "2" })
    hostapd.add_ap(ap['ifname'], params)
    eap_connect(sta, ap, "PSK", "psk.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(sta, "PSK", sha256=True)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PSK", "psk.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)

def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    ap = apdev[0]
    sta = dev[0]
    # WPA (not WPA2) AP, so eap_connect() with its WPA2-only key_mgmt is
    # bypassed and the network is configured directly; rsn=False makes
    # eap_check_auth() expect the "WPA/IEEE 802.1X/EAP" key_mgmt.
    hostapd.add_ap(ap['ifname'], hostapd.wpa_eap_params(ssid="test-wpa-eap"))
    sta.connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                identity="user", password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem", wait_connect=False,
                scan_freq="2412")
    eap_check_auth(sta, "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "PEAP", rsn=False)

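def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    def request_number(ev):
        # The control request is answered with the number that sits
        # between the last '-' and the first ':' of the request line.
        return ev.split(':')[0].split('-')[-1]

    # Escaped backslash: the literal value is still "DOMAIN\mschapv2 user",
    # without relying on "\m" being passed through as an invalid escape.
    mschapv2_user = "DOMAIN\\mschapv2 user"
    # Each entry: description, EAP method, anonymous_identity, identity
    # configured up front (None = ask for it), phase2, identity to supply
    # on CTRL-REQ-IDENTITY, password/OTP to supply on request.
    tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
               "TTLS", "ttls", mschapv2_user, "auth=MSCHAPV2",
               None, "password"),
              ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
               "TTLS", "ttls", None, "auth=MSCHAPV2",
               mschapv2_user, "password"),
              ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
               "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
              ("Connection with dynamic TTLS/EAP-MD5 password entry",
               "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
              ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
               "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
              ("Connection with dynamic PEAP/EAP-GTC password entry",
               "PEAP", None, "user", "auth=GTC", None, "password") ]
    for desc, eap, anon, identity, phase2, req_id, req_pw in tests:
        logger.info(desc)
        # No password in the network block: the supplicant has to ask.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        if req_id:
            ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
            if ev is None:
                raise Exception("Request for identity timed out")
            dev[0].request("CTRL-RSP-IDENTITY-" + request_number(ev) + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
        if ev is None:
            raise Exception("Request for password timed out")
        req_type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + req_type + "-" + request_number(ev) + ":" + req_pw)
        ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
        if ev is None:
            raise Exception("Connection timed out")
        dev[0].request("REMOVE_NETWORK all")
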
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test"""
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The vendor test method needs no credentials beyond the identity.
    eap_connect(sta, ap, "VENDOR-TEST", "vendor-test")
    eap_reauth(sta, "VENDOR-TEST")

def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=1 selects the unauthenticated PAC provisioning mode
    # named in the docstring; the PAC is kept in a named blob.
    eap_connect(sta, ap, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "FAST")

def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=2 selects the authenticated PAC provisioning mode
    # named in the docstring, with the server validated against the test
    # CA; the PAC is stored in a separate blob from the unauthenticated case.
    eap_connect(sta, ap, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "FAST")