#!/usr/bin/python
#
# WPA2-Enterprise tests
# Copyright (c) 2013-2014, Jouni Malinen <j@w1.fi>
#
# This software may be distributed under the terms of the BSD license.
# See README for more details.

import time
import subprocess
import logging
# Root logger; every test below reports progress through it.
logger = logging.getLogger()
import os.path

import hwsim_utils
import hostapd
def eap_connect(dev, ap, method, identity, anonymous_identity=None,
                password=None,
                phase1=None, phase2=None, ca_cert=None,
                domain_suffix_match=None, password_hex=None,
                client_cert=None, private_key=None, sha256=False,
                fragment_size=None, expect_failure=False,
                local_error_report=False,
                ca_cert2=None, client_cert2=None, private_key2=None,
                pac_file=None):
    """Start an EAP association to "test-wpa2-eap" and verify the outcome.

    The station is asked to connect with key_mgmt "WPA-EAP WPA-EAP-SHA256",
    ieee80211w "1" and scan_freq "2412" without waiting for completion;
    eap_check_auth() then follows the supplicant events as an initial
    authentication.

    When expect_failure is false, the function additionally waits up to 5
    seconds for hostapd to report AP-STA-CONNECTED and raises Exception if
    that event does not arrive. When expect_failure is true, it returns as
    soon as eap_check_auth() has confirmed the failure.

    Returns the value returned by dev.connect() (used by callers as the
    network id).

    NOTE(review): ca_cert and domain_suffix_match default to None. A caller
    that leaves them out is presumably not exercising server certificate
    validation through this helper; how dev.connect() treats None values is
    not visible here.
    """
    hapd = hostapd.Hostapd(ap['ifname'])
    network_id = dev.connect("test-wpa2-eap",
                             key_mgmt="WPA-EAP WPA-EAP-SHA256",
                             eap=method, identity=identity,
                             anonymous_identity=anonymous_identity,
                             password=password,
                             phase1=phase1, phase2=phase2,
                             ca_cert=ca_cert,
                             domain_suffix_match=domain_suffix_match,
                             wait_connect=False, scan_freq="2412",
                             password_hex=password_hex,
                             client_cert=client_cert,
                             private_key=private_key,
                             ieee80211w="1", fragment_size=fragment_size,
                             ca_cert2=ca_cert2, client_cert2=client_cert2,
                             private_key2=private_key2, pac_file=pac_file)
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report)
    if not expect_failure:
        # A successful run must also be visible on the authenticator side.
        connected = hapd.wait_event(["AP-STA-CONNECTED"], timeout=5)
        if connected is None:
            raise Exception("No connection event received from hostapd")
    return network_id
def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False):
    """Follow supplicant events for one EAP run and validate the result.

    dev must provide wait_event() and get_status(). The EAP start and method
    selection events are required in every case, and the method event has to
    contain the string given in method.

    expect_failure=True: an EAP failure followed by a disconnection must be
    reported. Unless local_error_report is set, the disconnection event must
    carry "reason=23" (IEEE 802.11 reason code 23, IEEE 802.1X
    authentication failed).

    expect_failure=False: EAP success must be reported, followed by
    CTRL-EVENT-CONNECTED (initial=True) or "WPA: Key negotiation completed"
    (initial=False). The status output is then checked for a completed
    connection, an authorized supplicant port, the selected EAP method and
    the key management string matching sha256/rsn.

    Raises Exception with a descriptive message on any timeout or mismatch.
    """
    if dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
        raise Exception("Association and EAP start timed out")
    method_ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if method_ev is None:
        raise Exception("EAP method selection timed out")
    if method not in method_ev:
        raise Exception("Unexpected EAP method")

    if expect_failure:
        # No explicit timeout here: the default of wait_event() applies.
        if dev.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception("EAP failure timed out")
        disc_ev = dev.wait_event(["CTRL-EVENT-DISCONNECTED"])
        if disc_ev is None:
            raise Exception("Disconnection timed out")
        # When the authenticator ends the association, the rejection must be
        # attributed to 802.1X authentication failure (reason code 23).
        if not local_error_report and "reason=23" not in disc_ev:
            raise Exception("Proper reason code for disconnection not reported")
        return

    if dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")

    if initial:
        completion = "CTRL-EVENT-CONNECTED"
    else:
        completion = "WPA: Key negotiation completed"
    if dev.wait_event([completion], timeout=10) is None:
        raise Exception("Association with the AP timed out")

    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")

    # The negotiated AKM must match what the test configured; a connection
    # that silently used a different key management suite is a failure.
    if sha256:
        expected_key_mgmt = "WPA2-EAP-SHA256"
    elif rsn:
        expected_key_mgmt = "WPA2/IEEE 802.1X/EAP"
    else:
        expected_key_mgmt = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != expected_key_mgmt:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False):
    """Request EAP reauthentication on dev and verify that it succeeds.

    Sends REAUTHENTICATE to the station and then runs eap_check_auth() as a
    non-initial authentication, forwarding rsn and sha256 unchanged.
    """
    dev.request("REAUTHENTICATE")
    eap_check_auth(dev, method, initial=False, rsn=rsn, sha256=sha256)
def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM"""
    # Skipped unless the hlr_auc_gw socket path exists. Only the existence
    # of the path is checked; nothing here verifies what is listening on it.
    if not os.path.exists("/tmp/hlr_auc_gw.sock"):
        logger.info("No hlr_auc_gw available")
        return "skip"
    sta = dev[0]
    ap = apdev[0]
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap['ifname'], params)
    # The key material below is a test fixture, not a production secret.
    eap_connect(sta, ap, "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "SIM")

    # Same identity with the first key octet altered: authentication has to
    # be rejected.
    logger.info("Negative test with incorrect key")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                expect_failure=True)
def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA"""
    # Skipped unless the hlr_auc_gw socket path exists. Only the existence
    # of the path is checked; nothing here verifies what is listening on it.
    if not os.path.exists("/tmp/hlr_auc_gw.sock"):
        logger.info("No hlr_auc_gw available")
        return "skip"
    sta = dev[0]
    ap = apdev[0]
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap['ifname'], params)
    # The key material below is a test fixture, not a production secret.
    eap_connect(sta, ap, "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "AKA")

    # Same identity with the first key octet altered: authentication has to
    # be rejected.
    logger.info("Negative test with incorrect key")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                expect_failure=True)
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'"""
    # Skipped unless the hlr_auc_gw socket path exists. Only the existence
    # of the path is checked; nothing here verifies what is listening on it.
    if not os.path.exists("/tmp/hlr_auc_gw.sock"):
        logger.info("No hlr_auc_gw available")
        return "skip"
    sta = dev[0]
    ap = apdev[0]
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap['ifname'], params)
    # The key material below is a test fixture, not a production secret.
    eap_connect(sta, ap, "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "AKA'")

    # Same identity with the first key octet altered: authentication has to
    # be rejected.
    logger.info("Negative test with incorrect key")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "AKA'", "6555444333222111",
                password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # PAP carries the password itself inside the TLS tunnel, so its
    # protection depends on validating the server. This test pins the CA
    # through ca_cert and sets no domain_suffix_match.
    eap_connect(sta, ap, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Server validation in this test is the CA pin only (ca_cert); no
    # domain_suffix_match is configured.
    eap_connect(sta, ap, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # First run: CA pin plus a server name constraint that the test server
    # certificate is expected to satisfy.
    eap_connect(sta, ap, "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "TTLS")

    # Second run: same credentials with fragment_size "200" and without
    # domain_suffix_match.
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                fragment_size="200")
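def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # The backslash is written as "\\": "\m" is not a valid escape sequence
    # and newer Python versions warn about it. The identity sent is
    # unchanged (DOMAIN, one backslash, "mschapv2 user").
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])

    # Snapshot the authenticator's per-station counters before and after a
    # reauthentication; the reauthentication must be visible in them.
    sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    # The "hash:" form supplies a password hash instead of the cleartext
    # password. For MSCHAPv2 that hash is sufficient to authenticate, so it
    # needs the same protection as the password itself.
    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)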
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Server validation in this test is the CA pin only (ca_cert); no
    # domain_suffix_match is configured.
    eap_connect(sta, ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-MD5 is used here only as the inner method of the TTLS tunnel.
    # Server validation is the CA pin only; no domain_suffix_match is set.
    eap_connect(sta, ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "TTLS")

    # A wrong inner password has to end in EAP failure and disconnection.
    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "TTLS", "user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "PEAP")

    # Same credentials again with fragment_size "200".
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                fragment_size="200")

    # The "hash:" form supplies a password hash instead of the cleartext
    # password. For MSCHAPv2 that hash is sufficient to authenticate, so it
    # needs the same protection as the password itself.
    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PEAP", "user",
                anonymous_identity="peap",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PEAP", "user",
                anonymous_identity="peap", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Crypto binding ties the inner authentication to the outer TLS tunnel.
    # phase1 forces PEAPv0 with crypto_binding=2.
    # NOTE(review): 2 is presumably the "required" setting - confirm against
    # the supplicant configuration documentation.
    eap_connect(sta, ap, "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peapver=0 crypto_binding=2",
                phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "PEAP")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The *2 parameters configure the inner (phase 2) EAP-TLS exchange: its
    # own CA pin plus the client certificate and private key.
    eap_connect(sta, ap, "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                ca_cert2="auth_serv/ca.pem",
                client_cert2="auth_serv/user.pem",
                private_key2="auth_serv/user.key")
    eap_reauth(sta, "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Mutual certificate authentication: CA pin for the server, client
    # certificate and private key for the station. The key file is a test
    # fixture from auth_serv/.
    eap_connect(sta, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    eap_reauth(sta, "TLS")
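def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    sta = dev[0]

    def wait_for(candidates, timeout_msg):
        # Return the next matching event or fail with the given message.
        ev = sta.wait_event(candidates, timeout=10)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The station is pinned to a CA that did not issue the server
    # certificate, so server validation has to fail.
    # The backslash is written as "\\": "\m" is not a valid escape sequence
    # and newer Python versions warn about it. The identity is unchanged.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca-incorrect.pem",
                wait_connect=False, scan_freq="2412")

    wait_for(["CTRL-EVENT-EAP-STARTED"],
             "Association and EAP start timed out")

    ev = wait_for(["CTRL-EVENT-EAP-METHOD"],
                  "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # Success and connection events are included in each wait so that a
    # supplicant that accepts the untrusted server fails the test at once
    # instead of being mistaken for a timeout.
    ev = wait_for(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                   "CTRL-EVENT-EAP-SUCCESS",
                   "CTRL-EVENT-EAP-FAILURE",
                   "CTRL-EVENT-CONNECTED",
                   "CTRL-EVENT-DISCONNECTED"], "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")

    ev = wait_for(["CTRL-EVENT-EAP-SUCCESS",
                   "CTRL-EVENT-EAP-FAILURE",
                   "CTRL-EVENT-CONNECTED",
                   "CTRL-EVENT-DISCONNECTED"], "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = wait_for(["CTRL-EVENT-CONNECTED",
                   "CTRL-EVENT-DISCONNECTED"], "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # After the failed validation the network block must be temporarily
    # disabled.
    wait_for(["CTRL-EVENT-SSID-TEMP-DISABLED"],
             "Network block disabling not reported")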
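def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    sta = dev[0]

    def wait_for(candidates, timeout_msg):
        # Return the next matching event or fail with the given message.
        ev = sta.wait_event(candidates, timeout=10)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The CA pin is the correct one here; only the server name constraint is
    # wrong. A certificate that chains to the trusted CA but belongs to a
    # different domain must still be rejected.
    # The backslash is written as "\\": "\m" is not a valid escape sequence
    # and newer Python versions warn about it. The identity is unchanged.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                domain_suffix_match="incorrect.example.com",
                wait_connect=False, scan_freq="2412")

    wait_for(["CTRL-EVENT-EAP-STARTED"],
             "Association and EAP start timed out")

    ev = wait_for(["CTRL-EVENT-EAP-METHOD"],
                  "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # Success and connection events are included in each wait so that a
    # supplicant that accepts the mismatching server fails the test at once
    # instead of being mistaken for a timeout.
    ev = wait_for(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                   "CTRL-EVENT-EAP-SUCCESS",
                   "CTRL-EVENT-EAP-FAILURE",
                   "CTRL-EVENT-CONNECTED",
                   "CTRL-EVENT-DISCONNECTED"], "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    # The error must name the actual cause, not just any certificate error.
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = wait_for(["CTRL-EVENT-EAP-SUCCESS",
                   "CTRL-EVENT-EAP-FAILURE",
                   "CTRL-EVENT-CONNECTED",
                   "CTRL-EVENT-DISCONNECTED"], "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = wait_for(["CTRL-EVENT-CONNECTED",
                   "CTRL-EVENT-DISCONNECTED"], "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # After the failed validation the network block must be temporarily
    # disabled.
    wait_for(["CTRL-EVENT-SSID-TEMP-DISABLED"],
             "Network block disabling not reported")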
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "PWD", "pwd user", password="secret password")
    eap_reauth(sta, "PWD")

    # Same credentials again with fragment_size "90".
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PWD", "pwd user", password="secret password",
                fragment_size="90")

    # local_error_report=True: the reason=23 check on the disconnection
    # event is skipped for this method's failure case.
    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups"""
    sta = dev[0]
    ap = apdev[0]
    params = {
        "ssid": "test-wpa2-eap",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP",
        "rsn_pairwise": "CCMP",
        "ieee8021x": "1",
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
    }
    # Group numbers follow the IANA IKE group registry: 19/20/21 are the
    # 256/384/521-bit ECP groups, 25/26 the 192/224-bit ones. The AP is
    # set up again for every group before the station connects.
    for group in (19, 20, 21, 25, 26):
        params['pwd_group'] = str(group)
        hostapd.add_ap(ap['ifname'], params)
        sta.request("REMOVE_NETWORK all")
        eap_connect(sta, ap, "PWD", "pwd user", password="secret password")
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    network_id = eap_connect(sta, ap, "GPSK", "gpsk user",
                             password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(sta, "GPSK")

    # Each forced ciphersuite must lead to a new EAP success and connection.
    # NOTE(review): what triggers the new authentication after the phase1
    # change is not visible in this function.
    logger.info("Test forced algorithm selection")
    for forced in ("cipher=1", "cipher=2"):
        sta.set_network_quoted(network_id, "phase1", forced)
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if sta.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10) is None:
            raise Exception("Association with the AP timed out")

    # A ciphersuite value that cannot be negotiated must end in EAP failure
    # rather than a fallback to another suite.
    logger.info("Test failed algorithm negotiation")
    sta.set_network_quoted(network_id, "phase1", "cipher=9")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The shared secret is a test fixture passed as hex.
    eap_connect(sta, ap, "SAKE", "sake user",
                password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "SAKE")

    # Same identity with the first secret octet altered: authentication has
    # to be rejected.
    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "SAKE", "sake user",
                password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    network_id = eap_connect(sta, ap, "EKE", "eke user", password="hello")
    eap_reauth(sta, "EKE")

    # Each forced proposal must lead to a new EAP success and connection.
    # NOTE(review): what triggers the new authentication after the phase1
    # change is not visible in this function.
    logger.info("Test forced algorithm selection")
    proposals = ("dhgroup=5 encr=1 prf=2 mac=2",
                 "dhgroup=4 encr=1 prf=2 mac=2",
                 "dhgroup=3 encr=1 prf=2 mac=2",
                 "dhgroup=3 encr=1 prf=1 mac=1")
    for forced in proposals:
        sta.set_network_quoted(network_id, "phase1", forced)
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if sta.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10) is None:
            raise Exception("Association with the AP timed out")

    # A proposal that cannot be negotiated must end in EAP failure rather
    # than a fallback to other algorithms.
    logger.info("Test failed algorithm negotiation")
    sta.set_network_quoted(network_id, "phase1",
                           "dhgroup=9 encr=9 prf=9 mac=9")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "EKE", "eke user", password="hello1",
                expect_failure=True)
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(sta, "IKEV2")

    # Same credentials again with fragment_size "250".
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", "ikev2 user",
                password="ike password", fragment_size="250")

    # A wrong password has to end in EAP failure and disconnection.
    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", "ikev2 user",
                password="ike-password", expect_failure=True)
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The shared key is a test fixture passed as hex.
    eap_connect(sta, ap, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "PAX")

    # Same identity with the first key octet altered: authentication has to
    # be rejected.
    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PAX", "pax.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    sta = dev[0]
    ap = apdev[0]
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # The AP offers only the SHA256-based AKM and sets ieee80211w to "2"
    # (management frame protection required in hostapd). sha256=True makes
    # the status check expect "WPA2-EAP-SHA256".
    params.update({"wpa_key_mgmt": "WPA-EAP-SHA256", "ieee80211w": "2"})
    hostapd.add_ap(ap['ifname'], params)
    eap_connect(sta, ap, "PSK", "psk.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(sta, "PSK", sha256=True)

    # Same identity with the first key octet altered: authentication has to
    # be rejected.
    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PSK", "psk.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    sta = dev[0]
    ap_ifname = apdev[0]['ifname']
    hostapd.add_ap(ap_ifname, hostapd.wpa_eap_params(ssid="test-wpa-eap"))
    # This test uses WPA rather than WPA2/RSN, so eap_connect() (which
    # targets "test-wpa2-eap") is bypassed and rsn=False makes the status
    # check expect "WPA/IEEE 802.1X/EAP".
    sta.connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                identity="user", password="password",
                phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem", wait_connect=False,
                scan_freq="2412")
    eap_check_auth(sta, "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(sta.ifname, ap_ifname)
    eap_reauth(sta, "PEAP", rsn=False)
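def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Not used below; kept because constructing it may have side effects
    # that are not visible here.
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # Each entry: (description, EAP method, anonymous identity, configured
    # identity, phase2, identity to supply on request, password to supply on
    # request). No password is stored in the network block; it is provided
    # only in response to the supplicant's request.
    # Backslashes are written as "\\": "\m" is not a valid escape sequence
    # and newer Python versions warn about it. The identities are unchanged.
    tests = [("Connection with dynamic TTLS/MSCHAPv2 password entry",
              "TTLS", "ttls", "DOMAIN\\mschapv2 user", "auth=MSCHAPV2",
              None, "password"),
             ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
              "TTLS", "ttls", None, "auth=MSCHAPV2",
              "DOMAIN\\mschapv2 user", "password"),
             ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
              "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
             ("Connection with dynamic TTLS/EAP-MD5 password entry",
              "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
             ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
              "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
             ("Connection with dynamic PEAP/EAP-GTC password entry",
              "PEAP", None, "user", "auth=GTC", None, "password")]
    for desc, eap, anon, identity, phase2, req_id, req_pw in tests:
        logger.info(desc)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        if req_id:
            ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
            if ev is None:
                raise Exception("Request for identity timed out")
            # The request event is "<prefix>-<id>:<text>"; the id after the
            # last '-' ties the response to the request. Local names avoid
            # shadowing the id/type builtins.
            req_num = ev.split(':')[0].split('-')[-1]
            dev[0].request("CTRL-RSP-IDENTITY-" + req_num + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD", "CTRL-REQ-OTP"])
        if ev is None:
            raise Exception("Request for password timed out")
        req_num = ev.split(':')[0].split('-')[-1]
        # Answer with the field the supplicant actually asked for.
        field = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + field + "-" + req_num + ":" + req_pw)
        ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
        if ev is None:
            raise Exception("Connection timed out")
        dev[0].request("REMOVE_NETWORK all")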
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # No password, certificate or CA pin is passed for this method; only
    # the method name and identity are configured.
    eap_connect(sta, ap, "VENDOR-TEST", "vendor-test")
    eap_reauth(sta, "VENDOR-TEST")
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=1 allows the PAC to be provisioned without
    # authenticating the server first, which leaves the provisioning
    # exchange open to an active man-in-the-middle; deployments that can
    # validate the server should prefer authenticated provisioning.
    # The PAC is kept in the configuration blob "fast_pac".
    eap_connect(sta, ap, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "FAST")
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=2 selects authenticated provisioning: the server is
    # validated (CA pin via ca_cert) before the PAC is provisioned.
    # The PAC is kept in the configuration blob "fast_pac_auth".
    eap_connect(sta, ap, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "FAST")