1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2019, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
13 logger
= logging
.getLogger()
20 import socketserver
as SocketServer
25 from hwsim
import HWSimRadio
27 from utils
import HwsimSkip
, alloc_fail
, fail_test
, skip_with_fips
, wait_fail_trigger
, require_under_vm
28 from wpasupplicant
import WpaSupplicant
29 from test_ap_psk
import check_mib
, find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
, set_test_assoc_ie
33 openssl_imported
= True
35 openssl_imported
= False
def check_hlr_auc_gw_support():
    """Skip the current test when the hlr_auc_gw control socket is absent.

    The EAP-SIM/AKA tests talk to a running hlr_auc_gw instance through
    /tmp/hlr_auc_gw.sock; without it there is nothing to authenticate against.

    Raises:
        HwsimSkip: when the socket path does not exist.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    have_gw = os.path.exists(sock_path)
    if not have_gw:
        raise HwsimSkip("No hlr_auc_gw available")
def check_eap_capa(dev, method):
    """Skip the current test unless *dev* was built with EAP *method*.

    Args:
        dev: WpaSupplicant instance; its ``GET_CAPABILITY eap`` result is the
            list of supported method names.
        method: EAP method name, e.g. "SIM".

    Raises:
        HwsimSkip: when *method* is not in the capability list.
    """
    supported = dev.get_capability("eap")
    if method in supported:
        return
    raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip the current test unless the TLS library supports subject_match.

    Only the OpenSSL and wolfSSL builds implement the subject_match
    network parameter.

    Raises:
        HwsimSkip: for any other TLS library.
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith(("OpenSSL", "wolfSSL")):
        raise HwsimSkip("subject_match not supported with this TLS library: " + tls)
def check_check_cert_subject_support(dev):
    """Skip the current test unless the TLS library supports check_cert_subject.

    Only OpenSSL builds implement the check_cert_subject parameter.

    Raises:
        HwsimSkip: for any other TLS library.
    """
    tls = dev.request("GET tls_library")
    is_openssl = tls.startswith("OpenSSL")
    if not is_openssl:
        raise HwsimSkip("check_cert_subject not supported with this TLS library: " + tls)
def check_altsubject_match_support(dev):
    """Skip the current test unless the TLS library supports altsubject_match.

    Only the OpenSSL and wolfSSL builds implement the altsubject_match
    network parameter.

    Raises:
        HwsimSkip: for any other TLS library.
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith(("OpenSSL", "wolfSSL")):
        raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls)
def check_domain_match(dev):
    """Skip the current test when the internal TLS library is in use.

    The internal TLS implementation does not support domain_match.

    Raises:
        HwsimSkip: when the TLS library name starts with "internal".
    """
    tls = dev.request("GET tls_library")
    internal = tls.startswith("internal")
    if internal:
        raise HwsimSkip("domain_match not supported with this TLS library: " + tls)
def check_domain_suffix_match(dev):
    """Skip the current test when the internal TLS library is in use.

    The internal TLS implementation does not support domain_suffix_match.

    Raises:
        HwsimSkip: when the TLS library name starts with "internal".
    """
    tls = dev.request("GET tls_library")
    internal = tls.startswith("internal")
    if internal:
        raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + tls)
def check_domain_match_full(dev):
    """Skip tests that rely on suffix semantics of domain_suffix_match.

    With libraries other than OpenSSL and wolfSSL, domain_suffix_match
    only accepts a full match, so suffix-based expectations cannot be
    verified there.

    Raises:
        HwsimSkip: for libraries other than OpenSSL and wolfSSL.
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith(("OpenSSL", "wolfSSL")):
        raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls)
def check_cert_probe_support(dev):
    """Skip the current test unless the TLS library supports certificate probing.

    Certificate probing (ca_cert="probe://") is implemented for OpenSSL and
    the internal TLS library.

    Raises:
        HwsimSkip: for any other TLS library.
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith(("OpenSSL", "internal")):
        raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls)
def check_ext_cert_check_support(dev):
    """Skip the current test unless the TLS library supports ext_cert_check.

    Only OpenSSL builds implement external certificate checking.

    Raises:
        HwsimSkip: for any other TLS library.
    """
    tls = dev.request("GET tls_library")
    is_openssl = tls.startswith("OpenSSL")
    if not is_openssl:
        raise HwsimSkip("ext_cert_check not supported with this TLS library: " + tls)
def check_ocsp_support(dev):
    """Skip the current test unless the TLS library supports OCSP.

    NOTE: the internal TLS library and BoringSSL used to be skipped here as
    well; only wolfSSL is excluded now.

    Raises:
        HwsimSkip: when the TLS library is wolfSSL.
    """
    tls = dev.request("GET tls_library")
    is_wolfssl = tls.startswith("wolfSSL")
    if is_wolfssl:
        raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
def check_pkcs5_v15_support(dev):
    """Skip the current test when the TLS library lacks PKCS#5 v1.5 support.

    BoringSSL and GnuTLS do not handle PKCS#5 v1.5 encrypted private keys.

    Raises:
        HwsimSkip: when the library name mentions BoringSSL or GnuTLS.
    """
    tls = dev.request("GET tls_library")
    unsupported = any(name in tls for name in ("BoringSSL", "GnuTLS"))
    if unsupported:
        raise HwsimSkip("PKCS#5 v1.5 not supported with this TLS library: " + tls)
def check_ocsp_multi_support(dev):
    """Skip the current test unless both ends support ocsp_multi.

    ocsp_multi is only implemented by the internal TLS library, so the
    supplicant *and* the authentication server ("as" hostapd instance)
    must both report it.

    Raises:
        HwsimSkip: when either side uses a different TLS library.
    """
    sta_tls = dev.request("GET tls_library")
    if not sta_tls.startswith("internal"):
        raise HwsimSkip("OCSP-multi not supported with this TLS library: " + sta_tls)
    as_tls = hostapd.Hostapd("as").request("GET tls_library")
    if not as_tls.startswith("internal"):
        raise HwsimSkip("Authentication server does not support ocsp_multi")
def check_pkcs12_support(dev):
    """Skip the current test unless the TLS library supports PKCS#12.

    NOTE: the internal TLS library used to be skipped here as well; only
    wolfSSL is excluded now.

    Raises:
        HwsimSkip: when the TLS library is wolfSSL.
    """
    tls = dev.request("GET tls_library")
    is_wolfssl = tls.startswith("wolfSSL")
    if is_wolfssl:
        raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls)
def check_dh_dsa_support(dev):
    """Skip the current test when the internal TLS library is in use.

    The internal TLS implementation does not support DH DSA parameters.

    Raises:
        HwsimSkip: when the TLS library name starts with "internal".
    """
    tls = dev.request("GET tls_library")
    internal = tls.startswith("internal")
    if internal:
        raise HwsimSkip("DH DSA not supported with this TLS library: " + tls)
123 with
open(fname
, "r") as f
:
124 lines
= f
.readlines()
132 if "-----BEGIN" in l
:
134 return base64
.b64decode(cert
)
def eap_connect(dev, hapd, method, identity,
                sha256=False, expect_failure=False, local_error_report=False,
                maybe_local_error=False, report_failure=False,
                expect_cert_error=None, **kwargs):
    """Add the test-wpa2-eap network on *dev* and run one EAP exchange.

    The network is added with wait_connect=False and ieee80211w=1; any extra
    keyword arguments are forwarded to ``dev.connect`` as network
    parameters (password, ca_cert, phase1, ...). The exchange itself is
    verified by eap_check_auth() with the same expectation flags.

    Args:
        dev: WpaSupplicant instance.
        hapd: Hostapd instance that must report AP-STA-CONNECTED after a
            successful exchange, or a false value to skip that check.
        method: EAP method name.
        identity: EAP identity.
        sha256, expect_failure, local_error_report, maybe_local_error,
        report_failure, expect_cert_error: see eap_check_auth().

    Returns:
        The network id returned by ``dev.connect``.

    Raises:
        Exception: on any mismatch detected by eap_check_auth(), or when the
            AP never reports the station as connected.
    """
    net_id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                         eap=method, identity=identity,
                         wait_connect=False, scan_freq="2412", ieee80211w="1",
                         **kwargs)
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report,
                   maybe_local_error=maybe_local_error,
                   report_failure=report_failure,
                   expect_cert_error=expect_cert_error)
    # The AP side only has something to confirm after a successful exchange.
    if not expect_failure and hapd:
        if hapd.wait_event(["AP-STA-CONNECTED"], timeout=5) is None:
            raise Exception("No connection event received from hostapd")
    return net_id
def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False,
                   maybe_local_error=False, report_failure=False,
                   expect_cert_error=None):
    """Follow one EAP exchange on *dev* through its control-interface events.

    Waits for EAP start and method selection, then either expects the
    exchange to fail (``expect_failure``) or expects EAP success, a
    completed association and a consistent STATUS output.

    Args:
        dev: WpaSupplicant instance.
        method: EAP method name that must appear in the selected method.
        initial: True for a fresh association (waits for
            CTRL-EVENT-CONNECTED); False for a reauthentication (waits for
            the key negotiation to complete instead).
        rsn: expect the WPA2 (RSN) key_mgmt string rather than WPA.
        sha256: expect the WPA2-EAP-SHA256 key_mgmt string.
        expect_failure: the exchange must end in CTRL-EVENT-EAP-FAILURE
            followed by a disconnection.
        local_error_report: do not require reason code 23 on the
            failure-path disconnection.
        maybe_local_error: tolerate a local failure (EAP method selection
            failing, or a locally generated disconnection) by returning early.
        report_failure: also accept CTRL-EVENT-EAP-FAILURE as the final EAP
            event (and then fail the test on it).
        expect_cert_error: TLS certificate error reason code that must be
            reported before the exchange ends, or None.

    Returns:
        The STATUS dict on success; None on the expected-failure and
        tolerated-local-error paths.

    Raises:
        Exception: on any timeout or unexpected event/status value.
    """
    def wait(events, timeout, what):
        # Wait for one of *events*; a timeout is always a test failure here.
        ev = dev.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(what)
        return ev

    wait(["CTRL-EVENT-EAP-STARTED"], 16, "Association and EAP start timed out")
    ev = wait(["CTRL-EVENT-EAP-METHOD", "CTRL-EVENT-EAP-FAILURE"], 10,
              "EAP method selection timed out")
    if "CTRL-EVENT-EAP-FAILURE" in ev:
        if maybe_local_error:
            return None
        raise Exception("Could not select EAP method")
    if method not in ev:
        raise Exception("Unexpected EAP method")

    if expect_cert_error is not None:
        ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-EAP-SUCCESS"], timeout=5)
        # The trailing space keeps e.g. reason=1 from matching reason=12.
        if ev is None or "reason=%d " % expect_cert_error not in ev:
            raise Exception("Expected certificate error not reported")

    if expect_failure:
        ev = wait(["CTRL-EVENT-EAP-FAILURE", "CTRL-EVENT-EAP-SUCCESS"], 5,
                  "EAP failure timed out")
        if "CTRL-EVENT-EAP-SUCCESS" in ev:
            raise Exception("Unexpected EAP success")
        disc = dev.wait_disconnected(timeout=10)
        if maybe_local_error and "locally_generated=1" in disc:
            return None
        # reason=23: IEEE 802.1X authentication failed
        if not local_error_report and "reason=23" not in disc:
            raise Exception("Proper reason code for disconnection not reported")
        return None

    if report_failure:
        ev = wait(["CTRL-EVENT-EAP-SUCCESS", "CTRL-EVENT-EAP-FAILURE"], 10,
                  "EAP success timed out")
        if "CTRL-EVENT-EAP-SUCCESS" not in ev:
            raise Exception("EAP failed")
    else:
        wait(["CTRL-EVENT-EAP-SUCCESS"], 10, "EAP success timed out")

    assoc_event = ("CTRL-EVENT-CONNECTED" if initial
                   else "WPA: Key negotiation completed")
    wait([assoc_event], 10, "Association with the AP timed out")

    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if "selectedMethod" not in status:
        logger.info("Status: " + str(status))
        raise Exception("No selectedMethod in status")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")

    if sha256:
        expected_key_mgmt = "WPA2-EAP-SHA256"
    elif rsn:
        expected_key_mgmt = "WPA2/IEEE 802.1X/EAP"
    else:
        expected_key_mgmt = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != expected_key_mgmt:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
    return status
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger REAUTHENTICATE on *dev* and verify the resulting EAP exchange.

    Args:
        dev: WpaSupplicant instance that is currently associated.
        method: EAP method expected to be selected.
        rsn, sha256, expect_failure: forwarded to eap_check_auth().

    Returns:
        Whatever eap_check_auth() returns for a non-initial exchange, i.e.
        the STATUS dict on success.
    """
    dev.request("REAUTHENTICATE")
    # initial=False: a reauthentication ends with key negotiation, not a
    # new CTRL-EVENT-CONNECTED.
    return eap_check_auth(dev, method, initial=False, rsn=rsn,
                          sha256=sha256, expect_failure=expect_failure)
def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # password is the GSM-Milenage Ki:OPc pair matching the hlr_auc_gw db
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    eap_connect(dev[0], hapd, "SIM", "1232010000000000", password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "SIM")

    eap_connect(dev[1], hapd, "SIM", "1232010000000001", password=good_key)
    # dev[2]'s identity is expected to be rejected by the server
    eap_connect(dev[2], hapd, "SIM", "1232010000000002", password=good_key,
                expect_failure=True)

    # (log label, malformed or wrong Ki:OPc) -- each attempt must fail
    bad_keys = [
        ("Negative test with incorrect key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("Invalid GSM-Milenage key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a"),
        ("Invalid GSM-Milenage key(2)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581"),
        ("Invalid GSM-Milenage key(3)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q"),
        ("Invalid GSM-Milenage key(4)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581"),
    ]
    for label, key in bad_keys:
        logger.info(label)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], hapd, "SIM", "1232010000000000", password=key,
                    expect_failure=True)

    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "SIM", "1232010000000000",
                expect_failure=True)
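def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)"""
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    # hostapd.db is the SQLite database shared with the EAP server; the
    # test edits its reauth/pseudonyms tables directly to force the
    # different EAP-SIM re-authentication paths.
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def sql(*stmts):
        # One transaction per batch; `with con` commits (or rolls back).
        with con:
            for stmt in stmts:
                con.execute(stmt)

    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    try:
        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['auth_server_port'] = "1814"
        hapd = hostapd.add_ap(apdev[0], params)
        eap_connect(dev[0], hapd, "SIM", "1232010000000000", password=key)

        logger.info("SIM fast re-authentication")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM full auth with pseudonym")
        sql("DELETE FROM reauth WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM full auth with permanent identity")
        sql("DELETE FROM reauth WHERE permanent='1232010000000000'",
            "DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM reauth with mismatching MK")
        sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "SIM", "1232010000000000", password=key)
        sql("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")
        sql("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
        logger.info("SIM reauth with mismatching counter")
        eap_reauth(dev[0], "SIM")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "SIM", "1232010000000000", password=key)
        sql("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
        logger.info("SIM reauth with max reauth count reached")
        eap_reauth(dev[0], "SIM")
    finally:
        # The original left the connection open for the process lifetime.
        con.close()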
def test_ap_wpa2_eap_sim_config(dev, apdev):
    """EAP-SIM configuration options"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"

    # Out-of-range sim_min_num_chal values must make method init fail.
    rejected = (("sim_min_num_chal=1", ""),
                ("sim_min_num_chal=4", " (2)"))
    for phase1, suffix in rejected:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                       identity="1232010000000000",
                       password=key,
                       phase1=phase1,
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
        if ev is None:
            raise Exception("No EAP error message seen" + suffix)
        dev[0].request("REMOVE_NETWORK all")

    # Accepted configurations: a valid challenge count, and a pseudonym
    # given through anonymous_identity.
    eap_connect(dev[0], hapd, "SIM", "1232010000000000",
                password=key,
                phase1="sim_min_num_chal=2")
    eap_connect(dev[1], hapd, "SIM", "1232010000000000",
                password=key,
                anonymous_identity="345678")
def test_ap_wpa2_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
    # external_sim is a global SET parameter, so it is reset regardless of
    # how the test body ends.
    try:
        _test_ap_wpa2_eap_sim_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
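def _test_ap_wpa2_eap_sim_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext (external_sim is reset by the caller).

    Every CTRL-RSP-SIM reply sent here is deliberately invalid, so each
    attempt must end in CTRL-EVENT-EAP-FAILURE; the test fails as soon as
    wpa_supplicant accepts one of them.
    """
    import time

    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    sta = dev[0]
    sta.request("SET external_sim 1")
    net_id = sta.connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                         identity="1232010000000000",
                         wait_connect=False, scan_freq="2412")
    ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:
        raise Exception("Network connected timed out")

    def wait_gsm_auth_req():
        # Returns the request id of the pending CTRL-REQ-SIM GSM-AUTH request.
        ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':', 2)
        if p[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return p[0].split('-')[3]

    def expect_eap_failure():
        ev = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        if ev is None:
            raise Exception("EAP failure not reported")

    # Wrong response type for a GSM-AUTH request: IK:CK:RES as used by
    # UMTS-AUTH. This will fail during processing, but the ctrl_iface
    # command succeeds.
    rid = wait_gsm_auth_req()
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    sta.request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
    expect_eap_failure()

    # Malformed GSM-AUTH triplets (non-hex, wrong length, missing fields);
    # each is accepted by the ctrl_iface but fails GSM auth validation.
    bad_gsm_auth = ["q",
                    "34",
                    "0011223344556677",
                    "0011223344556677:q",
                    "0011223344556677:00112233",
                    "0011223344556677:00112233:q"]
    for resp in bad_gsm_auth:
        sta.request("DISCONNECT")
        sta.wait_disconnected()
        time.sleep(0.1)
        sta.select_network(net_id, freq="2412")
        rid = wait_gsm_auth_req()
        if "OK" not in sta.request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp):
            raise Exception("CTRL-RSP-SIM failed")
        expect_eap_failure()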
def test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
    """EAP-SIM with external GSM auth and replacing SIM without clearing pseudonym id"""
    # external_sim is a global SET parameter; always restore it.
    try:
        _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext_replace_sim.

    Authenticates once with external GSM auth, then swaps the IMSI while
    keeping the pseudonym learned for the old SIM; the server must reject
    the second attempt.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    sta = dev[0]
    sta.request("SET external_sim 1")
    net_id = sta.connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                         identity="1232010000000000",
                         wait_connect=False, scan_freq="2412")

    def answer_gsm_auth(imsi):
        # Serve the pending CTRL-REQ-SIM GSM-AUTH request with the SRES/Kc
        # values that hlr_auc_gw computes from its Milenage database.
        ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':', 2)
        if p[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        rid = p[0].split('-')[3]
        rand = p[2].split(' ')[0]
        res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                       "-m",
                                       "auth_serv/hlr_auc_gw.milenage_db",
                                       "GSM-AUTH-REQ " + imsi + " " + rand]).decode()
        if "GSM-AUTH-RESP" not in res:
            raise Exception("Unexpected hlr_auc_gw response")
        resp = res.split(' ')[2].rstrip()
        sta.request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)

    answer_gsm_auth("232010000000000")
    sta.wait_connected(timeout=15)
    sta.request("DISCONNECT")
    sta.wait_disconnected()

    # Replace SIM, but forget to drop the previous pseudonym identity
    sta.set_network_quoted(net_id, "identity", "1232010000000009")
    sta.select_network(net_id, freq="2412")
    answer_gsm_auth("232010000000009")
    ev = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    sta.request("DISCONNECT")
    sta.wait_disconnected()
def test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
    """EAP-SIM with external GSM auth and replacing SIM and clearing pseudonym identity"""
    # external_sim is a global SET parameter; always restore it.
    try:
        _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext_replace_sim2.

    Same as the replace_sim variant, but the stale pseudonym is cleared
    together with the identity, so the second SIM must authenticate.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    sta = dev[0]
    sta.request("SET external_sim 1")
    net_id = sta.connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                         identity="1232010000000000",
                         wait_connect=False, scan_freq="2412")

    def answer_gsm_auth(imsi):
        # Serve the pending CTRL-REQ-SIM GSM-AUTH request with the SRES/Kc
        # values that hlr_auc_gw computes from its Milenage database.
        ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':', 2)
        if p[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        rid = p[0].split('-')[3]
        rand = p[2].split(' ')[0]
        res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                       "-m",
                                       "auth_serv/hlr_auc_gw.milenage_db",
                                       "GSM-AUTH-REQ " + imsi + " " + rand]).decode()
        if "GSM-AUTH-RESP" not in res:
            raise Exception("Unexpected hlr_auc_gw response")
        resp = res.split(' ')[2].rstrip()
        sta.request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)

    answer_gsm_auth("232010000000000")
    sta.wait_connected(timeout=15)
    sta.request("DISCONNECT")
    sta.wait_disconnected()

    # Replace SIM and drop the previous pseudonym identity
    sta.set_network_quoted(net_id, "identity", "1232010000000009")
    sta.set_network(net_id, "anonymous_identity", "NULL")
    sta.select_network(net_id, freq="2412")
    answer_gsm_auth("232010000000009")
    sta.wait_connected()
    sta.request("DISCONNECT")
    sta.wait_disconnected()
def test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
    """EAP-SIM with external GSM auth, replacing SIM, and no identity in config"""
    # external_sim is a global SET parameter; always restore it.
    try:
        _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext_replace_sim3.

    The network profile carries no identity, so wpa_supplicant asks for it
    with CTRL-REQ-IDENTITY before each GSM-AUTH round. After the first
    connection both identity and pseudonym are cleared and a different
    IMSI is supplied; that SIM must authenticate as well.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    sta = dev[0]
    sta.request("SET external_sim 1")
    net_id = sta.connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                         wait_connect=False, scan_freq="2412")

    def answer_identity(identity):
        # CTRL-REQ-IDENTITY-<rid>:... -> CTRL-RSP-IDENTITY-<rid>:<identity>
        ev = sta.wait_event(["CTRL-REQ-IDENTITY"])
        if ev is None:
            raise Exception("Request for identity timed out")
        rid = ev.split(':')[0].split('-')[-1]
        sta.request("CTRL-RSP-IDENTITY-" + rid + ":" + identity)

    def answer_gsm_auth(imsi):
        # Serve the pending CTRL-REQ-SIM GSM-AUTH request with the SRES/Kc
        # values that hlr_auc_gw computes from its Milenage database.
        ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':', 2)
        if p[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        rid = p[0].split('-')[3]
        rand = p[2].split(' ')[0]
        res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                       "-m",
                                       "auth_serv/hlr_auc_gw.milenage_db",
                                       "GSM-AUTH-REQ " + imsi + " " + rand]).decode()
        if "GSM-AUTH-RESP" not in res:
            raise Exception("Unexpected hlr_auc_gw response")
        resp = res.split(' ')[2].rstrip()
        sta.request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)

    answer_identity("1232010000000000")
    answer_gsm_auth("232010000000000")
    sta.wait_connected(timeout=15)
    sta.request("DISCONNECT")
    sta.wait_disconnected()

    # Replace SIM and drop the previous permanent and pseudonym identities
    sta.set_network(net_id, "identity", "NULL")
    sta.set_network(net_id, "anonymous_identity", "NULL")
    sta.select_network(net_id, freq="2412")
    answer_identity("1232010000000009")
    answer_gsm_auth("232010000000009")
    sta.wait_connected()
    sta.request("DISCONNECT")
    sta.wait_disconnected()
def test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
    """EAP-SIM with external GSM auth and auth failing"""
    # external_sim is a global SET parameter; always restore it.
    try:
        _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext_auth_fail.

    Answers the external GSM-AUTH request with GSM-FAIL and verifies that
    wpa_supplicant reports an EAP failure instead of hanging.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    sta = dev[0]
    sta.request("SET external_sim 1")
    sta.connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                identity="1232010000000000",
                wait_connect=False, scan_freq="2412")

    ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    # CTRL-REQ-SIM-<rid>:GSM-AUTH:... -> only the request id is needed
    rid = ev.split(':', 2)[0].split('-')[3]
    sta.request("CTRL-RSP-SIM-" + rid + ":GSM-FAIL")
    ev = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP failure not reported")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
def test_ap_wpa2_eap_sim_change_bssid(dev, apdev):
    """EAP-SIM and external GSM auth to check fast reauth with bssid change"""
    # external_sim is a global SET parameter; always restore it.
    try:
        _test_ap_wpa2_eap_sim_change_bssid(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_change_bssid(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_change_bssid.

    Connects with external GSM auth, changes a non-EAP network parameter
    (bssid) and then expects EAP-SIM fast re-authentication to still work.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    sta = dev[0]
    sta.request("SET external_sim 1")
    net_id = sta.connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                         identity="1232010000000000",
                         wait_connect=False, scan_freq="2412")

    # Serve the CTRL-REQ-SIM GSM-AUTH request with hlr_auc_gw's answer.
    ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    p = ev.split(':', 2)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "-m",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand]).decode()
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    sta.request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    sta.wait_connected(timeout=15)

    # Verify that EAP-SIM Reauthentication can be used after a profile change
    # that does not affect EAP parameters.
    sta.set_network(net_id, "bssid", "any")
    eap_reauth(sta, "SIM")
def test_ap_wpa2_eap_sim_no_change_set(dev, apdev):
    """EAP-SIM and external GSM auth to check fast reauth with no-change SET_NETWORK"""
    # external_sim is a global SET parameter; always restore it.
    try:
        _test_ap_wpa2_eap_sim_no_change_set(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_no_change_set(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_no_change_set.

    Connects with external GSM auth, re-applies the EAP-related network
    parameters with their current values and expects fast
    re-authentication to still be usable afterwards.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    sta = dev[0]
    sta.request("SET external_sim 1")
    net_id = sta.connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                         identity="1232010000000000",
                         wait_connect=False, scan_freq="2412")

    # Serve the CTRL-REQ-SIM GSM-AUTH request with hlr_auc_gw's answer.
    ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    p = ev.split(':', 2)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "-m",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand]).decode()
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    sta.request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    sta.wait_connected(timeout=15)

    # Verify that EAP-SIM Reauthentication can be used after SET_NETWORK
    # commands that do not actually change the previously set values.
    sta.set_network(net_id, "key_mgmt", "WPA-EAP")
    sta.set_network(net_id, "eap", "SIM")
    sta.set_network_quoted(net_id, "identity", "1232010000000000")
    sta.set_network_quoted(net_id, "ssid", "test-wpa2-eap")
    eap_reauth(sta, "SIM")
def test_ap_wpa2_eap_sim_oom(dev, apdev):
    """EAP-SIM and OOM"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # One attempt per fail_test() trigger count 1..12 on milenage_f2345;
    # each attempt must still reach EAP method selection and then drop
    # the connection cleanly.
    for count in range(1, 13):
        with fail_test(dev[0], count, "milenage_f2345"):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                           identity="1232010000000000",
                           password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            if ev is None:
                raise Exception("EAP method not selected")
            dev[0].wait_disconnected()
            dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    imsi = "0232010000000000"
    # password is the Milenage Ki:OPc:SQN triple matching the hlr_auc_gw db
    eap_connect(dev[0], hapd, "AKA", imsi,
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA")

    # (log label, wrong or malformed Ki:OPc:SQN, remove old network first)
    # -- every attempt must fail
    bad_keys = [
        ("Negative test with incorrect key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
         True),
        ("Invalid Milenage key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a",
         True),
        ("Invalid Milenage key(2)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
         False),
        ("Invalid Milenage key(3)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
         False),
        ("Invalid Milenage key(4)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
         False),
        ("Invalid Milenage key(5)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
         True),
        ("Invalid Milenage key(6)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
         True),
    ]
    for label, key, clear_first in bad_keys:
        logger.info(label)
        if clear_first:
            dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], hapd, "AKA", imsi, password=key,
                    expect_failure=True)

    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "AKA", imsi,
                expect_failure=True)
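def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)"""
    # Drives the server-side EAP-AKA identity/reauth state machine by editing
    # hostapd's SQLite DB (tables `reauth` and `pseudonyms`) between
    # re-authentications. `params['logdir']` is the test-run log directory
    # where hostapd.db lives.
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def db(*statements):
        # One transaction per call (`with con` commits on success). The
        # statements are fixed literals, not built from external input, so
        # unparameterized execute() is acceptable here.
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt)

    imsi = "0232010000000000"
    # Ki:OPc:SQN for the Milenage test subscriber
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    # FIX: the original never closed the DB connection; release it on every
    # exit path so a failing step does not leak the handle for the run.
    try:
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        ap_params['auth_server_port'] = "1814"  # SQL-backed RADIUS server instance
        ap = hostapd.add_ap(apdev[0], ap_params)
        eap_connect(dev[0], ap, "AKA", imsi, password=key)

        logger.info("AKA fast re-authentication")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with pseudonym")
        db("DELETE FROM reauth WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with permanent identity")
        db("DELETE FROM reauth WHERE permanent='0232010000000000'",
           "DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        # A corrupted server-side MK must make fast reauth fail outright
        # rather than derive keys from mismatching material.
        logger.info("AKA reauth with mismatching MK")
        db("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], ap, "AKA", imsi, password=key)
        db("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")
        db("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
        # Counter mismatch is expected to still end in a successful
        # authentication (presumably via fallback to full auth).
        logger.info("AKA reauth with mismatching counter")
        eap_reauth(dev[0], "AKA")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], ap, "AKA", imsi, password=key)
        db("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
        logger.info("AKA reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA")
    finally:
        con.close()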
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    # Same subscriber as the other AKA tests, but with an anonymous_identity
    # configured as well; the connection must still succeed.
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    subscriber = "0232010000000000"
    milenage = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], ap, "AKA", subscriber, password=milenage,
                anonymous_identity="2345678")
def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
    # The helper switches dev[0] into external_sim mode; restore the global
    # setting even on failure so later tests are not affected.
    try:
        _test_ap_wpa2_eap_aka_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    # With external_sim=1 wpa_supplicant does not run Milenage itself: it
    # emits CTRL-REQ-SIM-<id>:UMTS-AUTH:... and waits for CTRL-RSP-SIM-<id>.
    # Every response sent below is mismatched or malformed on purpose, and
    # each must end in CTRL-EVENT-EAP-FAILURE rather than a connection.
    check_hlr_auc_gw_support()
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    net_id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                            identity="0232010000000000",
                            password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                            wait_connect=False, scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("Network connected timed out")

    def umts_auth_request_id():
        # Wait for the next UMTS-AUTH request and return the request id
        # (the 4th '-'-separated field of the CTRL-REQ-SIM-<id> prefix).
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        fields = ev.split(':', 2)
        if fields[1] != "UMTS-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return fields[0].split('-')[3]

    def send_response(rid, suffix):
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + suffix):
            raise Exception("CTRL-RSP-SIM failed")

    def expect_failure_then_reset():
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()

    # Case 1: answer a UMTS-AUTH request with a GSM-AUTH response. The
    # ctrl_iface accepts the command, but EAP-AKA must reject the wrong
    # response type when processing it.
    rid = umts_auth_request_id()
    # IK:CK:RES
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # This will fail during processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    expect_failure_then_reset()

    # Case 2: synchronization failure (AUTS) responses. Both fail UMTS auth
    # validation; the second is also far too short to be a valid AUTS.
    dev[0].select_network(net_id, freq="2412")
    rid = umts_auth_request_id()
    send_response(rid, ":UMTS-AUTS:112233445566778899aabbccddee")
    rid = umts_auth_request_id()
    send_response(rid, ":UMTS-AUTS:12")
    expect_failure_then_reset()

    # Case 3: UMTS-AUTH responses. The first is well-formed but wrong; the
    # rest use a wrong separator, wrong field length, or a non-hex digit.
    bad_responses = [
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
        ":UMTS-AUTH:34",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q",
    ]
    for suffix in bad_responses:
        dev[0].select_network(net_id, freq="2412")
        rid = umts_auth_request_id()
        # This will fail during UMTS auth validation
        send_response(rid, suffix)
        expect_failure_then_reset()
def test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    """EAP-AKA with external UMTS auth and auth failing"""
    # Always undo the external_sim setting the helper enables.
    try:
        _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    # No password is configured: with external_sim=1 the (U)SIM is expected
    # to do the computation. Here the controller reports UMTS-FAIL, and the
    # peer must surface an EAP failure instead of retrying indefinitely.
    check_hlr_auc_gw_support()
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                   identity="0232010000000000",
                   wait_connect=False, scan_freq="2412")

    req = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    if req is None:
        raise Exception("Wait for external SIM processing request timed out")
    # request id is the 4th '-'-separated field of "CTRL-REQ-SIM-<id>"
    rid = req.split(':', 2)[0].split('-')[3]
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5) is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'"""
    check_hlr_auc_gw_support()
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "6555444333222111"
    # Ki:OPc:SQN for the AKA' test subscriber
    key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    eap_connect(dev[0], ap, "AKA'", imsi, password=key)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "AKA'")

    # dev[1] enables both AKA' and AKA. The "@both" realm presumably selects a
    # server user entry that allows both methods, which is what exercises the
    # AKA' bidding-down protection. The test only checks that the
    # association completes.
    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity=imsi + "@both", password=key,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    # Wrong Ki (first byte changed) must not authenticate.
    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "AKA'", imsi,
                password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                expect_failure=True)
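def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
    # AKA' counterpart of the EAP-AKA SQL test: edit hostapd's `reauth` and
    # `pseudonyms` tables between re-authentications to force each
    # server-side path. `params['logdir']` holds hostapd.db.
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def db(*statements):
        # One transaction per call; statements are fixed literals (no
        # external input), so unparameterized execute() is acceptable.
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt)

    imsi = "6555444333222111"
    key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    # FIX: the original never closed the DB connection; release it on every
    # exit path.
    try:
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        ap_params['auth_server_port'] = "1814"  # SQL-backed RADIUS server instance
        ap = hostapd.add_ap(apdev[0], ap_params)
        eap_connect(dev[0], ap, "AKA'", imsi, password=key)

        logger.info("AKA' fast re-authentication")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with pseudonym")
        db("DELETE FROM reauth WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with permanent identity")
        db("DELETE FROM reauth WHERE permanent='6555444333222111'",
           "DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        # A corrupted server-side K_aut must make fast reauth fail (the MAC
        # can no longer verify) rather than succeed.
        logger.info("AKA' reauth with mismatching k_aut")
        db("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], ap, "AKA'", imsi, password=key)
        db("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")
        db("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
        # Counter mismatch is expected to still end in a successful
        # authentication (presumably via fallback to full auth).
        logger.info("AKA' reauth with mismatching counter")
        eap_reauth(dev[0], "AKA'")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], ap, "AKA'", imsi, password=key)
        db("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
        logger.info("AKA' reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA'")
    finally:
        con.close()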
def test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    """EAP-AKA' with external UMTS auth and auth failing"""
    # Always undo the external_sim setting the helper enables.
    try:
        _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    # External (U)SIM reports UMTS-FAIL for the AKA' challenge; the peer
    # must report EAP failure. No password is configured on purpose.
    check_hlr_auc_gw_support()
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    dev[0].connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
                   identity="6555444333222111",
                   wait_connect=False, scan_freq="2412")

    req = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    if req is None:
        raise Exception("Wait for external SIM processing request timed out")
    # request id is the 4th '-'-separated field of "CTRL-REQ-SIM-<id>"
    rid = req.split(':', 2)[0].split('-')[3]
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5) is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_aka_prime_ext(dev, apdev):
    """EAP-AKA' with external UMTS auth to hit Synchronization-Failure"""
    # Always undo the external_sim setting the helper enables.
    try:
        _test_ap_wpa2_eap_aka_prime_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_prime_ext(dev, apdev):
    # Answer the first AKA' UMTS-AUTH request with an AUTS (synchronization
    # failure). The server is expected to re-challenge, i.e. a second
    # CTRL-REQ-SIM must arrive; the test stops there.
    check_hlr_auc_gw_support()
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    dev[0].connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
                   identity="6555444333222111",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                   wait_connect=False, scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("Network connected timed out")

    def next_umts_auth_request():
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        return ev

    req = next_umts_auth_request()
    fields = req.split(':', 2)
    if fields[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = fields[0].split('-')[3]
    # This will fail during UMTS auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
        raise Exception("CTRL-RSP-SIM failed")
    next_umts_auth_request()
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Sanity check that the AP advertises 802.1X key management first.
    configured = ap.get_config()['key_mgmt']
    if configured.split(' ')[0] != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + configured)
    # PAP carries the password in the clear inside the TTLS tunnel, so the
    # server validation via ca_cert is what protects the credential.
    eap_connect(dev[0], ap, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the IEEE 802.1X AKM suite selector.
    akm_8021x = "00-0f-ac-1"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", akm_8021x),
                       ("dot11RSNAAuthenticationSuiteSelected", akm_8021x)])
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Pin the server identity beyond CA trust: both the subject DN and the
    # SAN list must match for the connection to complete.
    server_identity = dict(
        subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
        altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_connect(dev[0], ap, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                **server_identity)
    eap_reauth(dev[0], "TTLS")
1286 def test_ap_wpa2_eap_ttls_pap_check_cert_subject(dev
, apdev
):
1287 """EAP-TTLS/PAP and check_cert_subject"""
1288 check_check_cert_subject_support(dev
[0])
1289 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1290 hapd
= hostapd
.add_ap(apdev
[0], params
)
1291 tests
= ["C=FI/O=w1.fi/CN=server.w1.fi",
1293 "C=FI/CN=server.w1.fi",
1294 "O=w1.fi/CN=server.w1.fi",
1301 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
1302 anonymous_identity
="ttls", password
="password",
1303 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
1304 check_cert_subject
=test
)
1305 dev
[0].request("REMOVE_NETWORK all")
1306 dev
[0].wait_disconnected()
1307 dev
[0].dump_monitor()
1309 def test_ap_wpa2_eap_ttls_pap_check_cert_subject_neg(dev
, apdev
):
1310 """EAP-TTLS/PAP and check_cert_subject (negative)"""
1311 check_check_cert_subject_support(dev
[0])
1312 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1313 hapd
= hostapd
.add_ap(apdev
[0], params
)
1323 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
1324 anonymous_identity
="ttls", password
="password",
1325 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
1326 expect_failure
=True, expect_cert_error
=12,
1327 check_cert_subject
=test
)
1328 dev
[0].request("REMOVE_NETWORK all")
1329 dev
[0].dump_monitor()
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Two negative cases: the PAP user with a wrong password, and a user that
    # (presumably) is not permitted to use PAP at all.
    for sta, user, secret in ((dev[0], "pap user", "wrong"),
                              (dev[1], "user", "password")):
        eap_connect(sta, ap, "TTLS", user,
                    anonymous_identity="ttls", password=secret,
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                    expect_failure=True)
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    skip_with_fips(dev[0])  # CHAP is MD5-based
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Note the DER-encoded CA file here (other tests use the PEM variant).
    eap_connect(dev[0], ap, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # Same as test_ap_wpa2_eap_ttls_chap but additionally pins the server's
    # SAN entries via altsubject_match (order differs from the PAP variant).
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    san = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], ap, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=san)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    skip_with_fips(dev[0])
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong password for the CHAP user, then a user not set up for CHAP
    # (presumably); both must be refused.
    for sta, user, secret in ((dev[0], "chap user", "wrong"),
                              (dev[1], "user", "password")):
        eap_connect(sta, ap, "TTLS", user,
                    anonymous_identity="ttls", password=secret,
                    ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                    expect_failure=True)
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    skip_with_fips(dev[0])
    check_domain_suffix_match(dev[0])
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")

    # 1) normal connection with the server name pinned by suffix match
    eap_connect(dev[0], ap, "TTLS", "mschap user",
                domain_suffix_match="server.w1.fi", **common)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
    dev[0].request("REMOVE_NETWORK all")

    # 2) small EAP fragment size to force TLS fragmentation
    eap_connect(dev[0], ap, "TTLS", "mschap user", fragment_size="200",
                **common)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # 3) credential given as the NT password hash instead of the password;
    # MSCHAP only needs the hash, so a leaked hash is as good as the password.
    eap_connect(dev[0], ap, "TTLS", "mschap user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    skip_with_fips(dev[0])
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong password, a user not set up for MSCHAP (presumably), and an
    # unknown user: all three must be refused.
    cases = ((dev[0], "mschap user", "wrong"),
             (dev[1], "user", "password"),
             (dev[2], "no such user", "password"))
    for sta, user, secret in cases:
        eap_connect(sta, ap, "TTLS", user,
                    anonymous_identity="ttls", password=secret,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                    expect_failure=True)
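def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # FIX: "\m" is an invalid escape sequence (DeprecationWarning, and a
    # SyntaxWarning from Python 3.12); escape the backslash explicitly. The
    # resulting string is unchanged.
    user = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], hapd, "TTLS", user,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)

    # Snapshot the AP-side 802.1X counters, re-authenticate, and verify the
    # EAPOL/backend counters moved as a real re-auth requires.
    addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(addr)
    eapol1 = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(addr)
    eapol2 = hapd.get_sta(addr, info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    # The NT hash alone is a sufficient MSCHAPv2 credential (hash of
    # "password"); no domain_suffix_match here, only CA validation.
    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "TTLS", user,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")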
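def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
    """EAP-TTLS with invalid phase2 parameter values"""
    # Each phase2 value is invalid (wrong case, mixed auth=/autheap=,
    # duplicate or unknown inner methods). TTLS must start (method 21) and
    # then fail to initialize — never silently fall back to some other inner
    # method and connect, which would be a downgrade.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    tests = ["auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
             "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
             "autheap=MD5 autheap=FOO autheap=MSCHAPV2"]
    for t in tests:
        # FIX: "\\m" — an unescaped "\m" is an invalid escape sequence
        # (SyntaxWarning from Python 3.12); the value is unchanged.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\\mschapv2 user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2=t,
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
        if ev is None or "method=21" not in ev:
            raise Exception("EAP-TTLS not started")
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method",
                                "CTRL-EVENT-CONNECTED"], timeout=5)
        if ev is None or "CTRL-EVENT-CONNECTED" in ev:
            raise Exception("No EAP-TTLS failure reported for phase2=" + t)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()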
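def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    # Variant of the MSCHAPv2 test that pins only the parent domain
    # ("w1.fi") via domain_suffix_match; server.w1.fi must still be accepted.
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # FIX: "\\m" — an unescaped "\m" is an invalid escape sequence
    # (SyntaxWarning from Python 3.12); the value is unchanged.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")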
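def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    # Full-name match; mixed case ("Server.w1.fi") checks that the comparison
    # is case-insensitive as DNS names require.
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # FIX: "\\m" — an unescaped "\m" is an invalid escape sequence
    # (SyntaxWarning from Python 3.12); the value is unchanged.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")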
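def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # FIX: "\\m" — an unescaped "\m" is an invalid escape sequence
    # (SyntaxWarning from Python 3.12); the value is unchanged.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
    # A user not set up for this inner method (presumably) must fail too.
    eap_connect(dev[1], hapd, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)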
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    skip_with_fips(dev[0])
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel = dict(ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    # Non-ASCII password given as text...
    eap_connect(dev[0], ap, "TTLS", "utf8-user-hash",
                anonymous_identity="ttls", password="secret-åäö-€-password",
                **tunnel)
    # ...and the same kind of credential supplied as its NT hash.
    eap_connect(dev[1], ap, "TTLS", "utf8-user",
                anonymous_identity="ttls",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                **tunnel)

    # Malformed password_hex inputs: a lone continuation byte, invalid
    # UTF-8 lead/continuation sequences, and a 257-byte value (presumably
    # over the MSCHAPv2 limit). Each must fail locally, quickly.
    for raw in ["80", "41c041e04141e041", 257 * "41"]:
        dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="TTLS", identity="utf8-user-hash",
                       anonymous_identity="ttls", password_hex=raw,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        if dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1) is None:
            raise Exception("No failure reported")
        dev[2].request("REMOVE_NETWORK all")
        dev[2].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    # GTC sends the password as a cleartext token; the TTLS tunnel (with
    # ca_cert validation) is the only protection for it.
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong token must be rejected by the inner GTC exchange.
    eap_connect(dev[0], ap, "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Server-side user "user-no-passwd" has no password configured
    # (presumably); the peer offering one must not be accepted.
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
    # Uses hostapd's integrated EAP server so allocation failures can be
    # injected on the authenticator side.
    ap = hostapd.add_ap(apdev[0], int_eap_server_params())
    creds = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")

    # OOM in the inner method init: the authentication must fail, not crash.
    with alloc_fail(ap, 1, "eap_gtc_init"):
        eap_connect(dev[0], ap, "TTLS", "user", expect_failure=True, **creds)
    dev[0].request("REMOVE_NETWORK all")

    # OOM while building the GTC request: the peer would just time out, so
    # poll until the injected failure has been hit and stop there.
    with alloc_fail(ap, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       wait_connect=False, scan_freq="2412", **creds)
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        for _ in range(20):
            time.sleep(0.1)
            if ap.request("GET_ALLOC_FAIL").startswith('0'):
                break
def test_ap_wpa2_eap_ttls_eap_gtc_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC (OOM)"""
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # Peer-side allocation failures in the inner GTC method; each must be
    # reached (wait_fail_trigger) and handled without a crash.
    for failing_func in ("eap_gtc_init", "eap_msg_alloc;eap_gtc_process"):
        with alloc_fail(dev[0], 1, failing_func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           scan_freq="2412",
                           eap="TTLS", identity="user",
                           anonymous_identity="ttls", password="password",
                           ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                           wait_connect=False)
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-MD5 as the inner method is only acceptable because it runs inside
    # the server-authenticated TTLS tunnel.
    eap_connect(dev[0], ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Server user without a configured password (presumably) must be refused.
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
1643 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev
, apdev
):
1644 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1645 check_eap_capa(dev
[0], "MD5")
1646 params
= int_eap_server_params()
1647 hapd
= hostapd
.add_ap(apdev
[0], params
)
1648 with
alloc_fail(hapd
, 1, "eap_md5_init"):
1649 eap_connect(dev
[0], hapd
, "TTLS", "user",
1650 anonymous_identity
="ttls", password
="password",
1651 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
1652 expect_failure
=True)
1653 dev
[0].request("REMOVE_NETWORK all")
1655 with
alloc_fail(hapd
, 1, "eap_md5_buildReq"):
1656 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1657 eap
="TTLS", identity
="user",
1658 anonymous_identity
="ttls", password
="password",
1659 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
1660 wait_connect
=False, scan_freq
="2412")
1661 # This would eventually time out, but we can stop after having reached
1662 # the allocation failure.
1665 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    sta = dev[0]
    check_eap_capa(sta, "MSCHAPV2")  # HwsimSkip if MSCHAPv2 is not built in
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(password, **extra):
        # EAP-TTLS with EAP-MSCHAPv2 as the tunneled phase 2 method; only
        # the test CA is trusted and "ttls" is the cleartext outer identity.
        eap_connect(sta, ap, "TTLS", "user",
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    **extra)

    connect("password")
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # Same configuration with a wrong password must be rejected.
    connect("password1", expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    sta = dev[0]
    check_eap_capa(sta, "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Negative case: account without a configured password on the server
    # side; the tunneled EAP-MSCHAPv2 exchange is expected to fail.
    tunnel = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    eap_connect(sta, ap, "TTLS", "user-no-passwd", expect_failure=True,
                **tunnel)
1696 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev
, apdev
):
1697 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
1698 check_eap_capa(dev
[0], "MSCHAPV2")
1699 params
= int_eap_server_params()
1700 hapd
= hostapd
.add_ap(apdev
[0], params
)
1701 with
alloc_fail(hapd
, 1, "eap_mschapv2_init"):
1702 eap_connect(dev
[0], hapd
, "TTLS", "user",
1703 anonymous_identity
="ttls", password
="password",
1704 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1705 expect_failure
=True)
1706 dev
[0].request("REMOVE_NETWORK all")
1708 with
alloc_fail(hapd
, 1, "eap_mschapv2_build_challenge"):
1709 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1710 eap
="TTLS", identity
="user",
1711 anonymous_identity
="ttls", password
="password",
1712 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1713 wait_connect
=False, scan_freq
="2412")
1714 # This would eventually time out, but we can stop after having reached
1715 # the allocation failure.
1718 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1720 dev
[0].request("REMOVE_NETWORK all")
1722 with
alloc_fail(hapd
, 1, "eap_mschapv2_build_success_req"):
1723 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1724 eap
="TTLS", identity
="user",
1725 anonymous_identity
="ttls", password
="password",
1726 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1727 wait_connect
=False, scan_freq
="2412")
1728 # This would eventually time out, but we can stop after having reached
1729 # the allocation failure.
1732 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1734 dev
[0].request("REMOVE_NETWORK all")
1736 with
alloc_fail(hapd
, 1, "eap_mschapv2_build_failure_req"):
1737 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1738 eap
="TTLS", identity
="user",
1739 anonymous_identity
="ttls", password
="wrong",
1740 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1741 wait_connect
=False, scan_freq
="2412")
1742 # This would eventually time out, but we can stop after having reached
1743 # the allocation failure.
1746 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1748 dev
[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM"""
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-SIM tunneled inside EAP-TTLS. The identity is the test IMSI with
    # the "1" EAP-SIM prefix; the password carries the simulated SIM's
    # Milenage parameters in the Ki:OPc form documented in
    # wpa_supplicant.conf, so no real SIM card is involved.
    imsi = "1232010000000000"
    eap_connect(sta, ap, "TTLS", imsi,
                anonymous_identity=imsi + "@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                ca_cert="auth_serv/ca.pem", phase2="autheap=SIM")
    eap_reauth(sta, "TTLS")
1760 def run_ext_sim_auth(dev
):
1761 ev
= dev
.wait_event(["CTRL-REQ-SIM"], timeout
=15)
1763 raise Exception("Wait for external SIM processing request timed out")
1764 p
= ev
.split(':', 2)
1765 if p
[1] != "GSM-AUTH":
1766 raise Exception("Unexpected CTRL-REQ-SIM type")
1767 rid
= p
[0].split('-')[3]
1768 rand
= p
[2].split(' ')[0]
1770 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
1772 "auth_serv/hlr_auc_gw.milenage_db",
1773 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
1774 if "GSM-AUTH-RESP" not in res
:
1775 raise Exception("Unexpected hlr_auc_gw response")
1776 resp
= res
.split(' ')[2].rstrip()
1778 dev
.request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
1779 dev
.wait_connected(timeout
=15)
1782 dev
.request("REAUTHENTICATE")
1783 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=5)
1785 raise Exception("EAP reauthentication did not succeed")
1786 ev
= dev
.wait_event(["WPA: Key negotiation completed"], timeout
=5)
1788 raise Exception("Key negotiation did not complete")
1791 def test_ap_wpa2_eap_ttls_eap_sim_ext(dev
, apdev
):
1792 """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM and external GSM auth"""
1793 check_hlr_auc_gw_support()
1795 run_ap_wpa2_eap_ttls_eap_sim_ext(dev
, apdev
)
1797 dev
[0].request("SET external_sim 0")
def run_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev):
    # Body of test_ap_wpa2_eap_ttls_eap_sim_ext: EAP-TTLS with tunneled
    # EAP-SIM where the GSM authentication is answered over the control
    # interface (external_sim=1) rather than inside wpa_supplicant. The
    # caller resets external_sim afterwards.
    sta = dev[0]
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta.request("SET external_sim 1")
    imsi = "1232010000000000"
    # wait_connect=False: the connection blocks on a CTRL-REQ-SIM request,
    # which run_ext_sim_auth answers before waiting for the association.
    sta.connect("test-wpa2-eap", eap="TTLS", key_mgmt="WPA-EAP",
                identity=imsi,
                anonymous_identity=imsi + "@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                ca_cert="auth_serv/ca.pem", phase2="autheap=SIM",
                wait_connect=False, scan_freq="2412")
    run_ext_sim_auth(sta)
def test_ap_wpa2_eap_peap_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM"""
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-SIM as the PEAP inner method, using the simulated SIM credentials
    # (Ki:OPc in the password field) instead of a real card.
    imsi = "1232010000000000"
    eap_connect(sta, ap, "PEAP", imsi,
                anonymous_identity=imsi + "@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
    eap_reauth(sta, "PEAP")
1821 def test_ap_wpa2_eap_peap_eap_sim_ext(dev
, apdev
):
1822 """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM and external GSM auth"""
1823 check_hlr_auc_gw_support()
1825 run_ap_wpa2_eap_peap_eap_sim_ext(dev
, apdev
)
1827 dev
[0].request("SET external_sim 0")
def run_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev):
    # Body of test_ap_wpa2_eap_peap_eap_sim_ext: PEAP with tunneled EAP-SIM
    # and the GSM authentication answered externally over the control
    # interface (external_sim=1). The caller resets external_sim afterwards.
    sta = dev[0]
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta.request("SET external_sim 1")
    imsi = "1232010000000000"
    # Do not wait for the connection here: it completes only after
    # run_ext_sim_auth has answered the CTRL-REQ-SIM request.
    sta.connect("test-wpa2-eap", eap="PEAP", key_mgmt="WPA-EAP",
                identity=imsi,
                anonymous_identity=imsi + "@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                ca_cert="auth_serv/ca.pem", phase2="auth=SIM",
                wait_connect=False, scan_freq="2412")
    run_ext_sim_auth(sta)
def test_ap_wpa2_eap_fast_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-SIM"""
    sta = dev[0]
    check_eap_capa(sta, "FAST")  # HwsimSkip when EAP-FAST is not built in
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "1232010000000000"
    # EAP-FAST with authenticated PAC provisioning (fast_provisioning=2); the
    # provisioned PAC is kept in a config blob rather than a file so nothing
    # is left on disk between runs.
    eap_connect(sta, ap, "FAST", imsi,
                anonymous_identity=imsi + "@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_sim",
                ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
    eap_reauth(sta, "FAST")
1854 def test_ap_wpa2_eap_fast_eap_sim_ext(dev
, apdev
):
1855 """WPA2-Enterprise connection using EAP-FAST/EAP-SIM and external GSM auth"""
1856 check_hlr_auc_gw_support()
1858 run_ap_wpa2_eap_fast_eap_sim_ext(dev
, apdev
)
1860 dev
[0].request("SET external_sim 0")
def run_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev):
    # Body of test_ap_wpa2_eap_fast_eap_sim_ext with the GSM authentication
    # answered externally over the control interface (external_sim=1). The
    # caller resets external_sim afterwards.
    #
    # NOTE(review): despite the function name and the FAST-specific
    # phase1/pac_file settings, this connects with eap="PEAP" and a "@peap"
    # outer identity (compare test_ap_wpa2_eap_fast_eap_sim, which uses
    # eap="FAST" and "@fast"). Looks like a copy-paste leftover from the PEAP
    # variant -- confirm whether EAP-FAST was intended before changing it.
    sta = dev[0]
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta.request("SET external_sim 1")
    imsi = "1232010000000000"
    sta.connect("test-wpa2-eap", eap="PEAP", key_mgmt="WPA-EAP",
                identity=imsi,
                anonymous_identity=imsi + "@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_sim",
                ca_cert="auth_serv/ca.pem", phase2="auth=SIM",
                wait_connect=False, scan_freq="2412")
    # Answers the pending CTRL-REQ-SIM request and waits for the connection.
    run_ext_sim_auth(sta)
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-AKA tunneled inside EAP-TTLS. The identity uses the "0" EAP-AKA
    # prefix on the test IMSI; the password holds the simulated USIM's
    # Milenage parameters (Ki:OPc:SQN form, per wpa_supplicant.conf).
    imsi = "0232010000000000"
    eap_connect(sta, ap, "TTLS", imsi,
                anonymous_identity=imsi + "@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-AKA as the PEAP inner method with simulated USIM credentials.
    imsi = "0232010000000000"
    eap_connect(sta, ap, "PEAP", imsi,
                anonymous_identity=imsi + "@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_reauth(sta, "PEAP")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    # EAP-FAST with authenticated PAC provisioning; the PAC lives in a config
    # blob (separate from the EAP-SIM one) so the tests do not share state.
    eap_connect(sta, ap, "FAST", imsi,
                anonymous_identity=imsi + "@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_reauth(sta, "FAST")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    sta = dev[0]
    check_eap_capa(sta, "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(**extra):
        # PEAP outer method with EAP-MSCHAPv2 inside the tunnel and "peap"
        # as the cleartext outer identity; extra picks the credential form
        # and any per-variant option.
        eap_connect(sta, ap, "PEAP", "user", anonymous_identity="peap",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    **extra)

    connect(password="password")
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "PEAP")
    sta.request("REMOVE_NETWORK all")
    # Same exchange with a small EAP fragment size to exercise fragmentation.
    connect(password="password", fragment_size="200")

    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    # Credential supplied as an NtPasswordHash ("hash:" + 16-byte hex)
    # instead of the cleartext password.
    connect(password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    connect(password="password1", expect_failure=True)
def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    sta = dev[0]
    check_eap_capa(sta, "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Inner identity in DOMAIN\user form (raw string keeps the backslash
    # literal); the server must strip/handle the domain prefix.
    eap_connect(sta, ap, "PEAP", r"DOMAIN\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "PEAP")
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    sta = dev[0]
    check_eap_capa(sta, "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Negative case: wrong password for the tunneled EAP-MSCHAPv2 exchange.
    tunnel = dict(anonymous_identity="peap", password="wrong",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(sta, ap, "PEAP", "user", expect_failure=True, **tunnel)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(sta, binding):
        # PEAPv0 with the crypto_binding phase1 option (per
        # wpa_supplicant.conf: 0 = do not use, 1 = optional, 2 = required).
        eap_connect(sta, ap, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % binding,
                    phase2="auth=MSCHAPV2")

    # Required crypto binding on the first station, followed by the
    # connectivity and reauthentication checks on that association.
    connect(dev[0], 2)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    # The other two stations cover the optional and disabled settings.
    for sta, binding in ((dev[1], 1), (dev[2], 0)):
        connect(sta, binding)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    sta = dev[0]
    check_eap_capa(sta, "MSCHAPV2")
    # Internal EAP server in hostapd so alloc_fail can target its code.
    ap = hostapd.add_ap(apdev[0], int_eap_server_params())
    # Inject a single allocation failure in the server's eap_mschapv2_getKey;
    # required crypto binding then cannot be completed and the attempt must
    # fail (local_error_report: the failure is reported locally rather than
    # via an EAP-Failure from the server).
    with alloc_fail(ap, 1, "eap_mschapv2_getKey"):
        eap_connect(sta, ap, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
1993 def test_ap_wpa2_eap_peap_params(dev
, apdev
):
1994 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
1995 check_eap_capa(dev
[0], "MSCHAPV2")
1996 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1997 hapd
= hostapd
.add_ap(apdev
[0], params
)
1998 eap_connect(dev
[0], hapd
, "PEAP", "user",
1999 anonymous_identity
="peap", password
="password",
2000 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2001 phase1
="peapver=0 peaplabel=1",
2002 expect_failure
=True)
2003 dev
[0].request("REMOVE_NETWORK all")
2004 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
2006 anonymous_identity
="peap", password
="password",
2007 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2008 phase1
="peap_outer_success=0",
2009 wait_connect
=False, scan_freq
="2412")
2010 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
2012 raise Exception("No EAP success seen")
2013 # This won't succeed to connect with peap_outer_success=0, so stop here.
2014 dev
[0].request("REMOVE_NETWORK all")
2015 dev
[0].wait_disconnected()
2016 eap_connect(dev
[1], hapd
, "PEAP", "user", password
="password",
2017 ca_cert
="auth_serv/ca.pem",
2018 phase1
="peap_outer_success=1",
2019 phase2
="auth=MSCHAPV2")
2020 eap_connect(dev
[2], hapd
, "PEAP", "user", password
="password",
2021 ca_cert
="auth_serv/ca.pem",
2022 phase1
="peap_outer_success=2",
2023 phase2
="auth=MSCHAPV2")
2024 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
2026 anonymous_identity
="peap", password
="password",
2027 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2028 phase1
="peapver=1 peaplabel=1",
2029 wait_connect
=False, scan_freq
="2412")
2030 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
2032 raise Exception("No EAP success seen")
2033 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
2034 "CTRL-EVENT-DISCONNECTED"], timeout
=1)
2035 if ev
and "CTRL-EVENT-CONNECTED" in ev
:
2036 raise Exception("Unexpected connection")
2037 dev
[0].request("REMOVE_NETWORK all")
2038 dev
[0].disconnect_and_stop_scan()
2040 tests
= [("peap-ver0", ""),
2042 ("peap-ver0", "peapver=0"),
2043 ("peap-ver1", "peapver=1")]
2044 for anon
, phase1
in tests
:
2045 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
2046 identity
="user", anonymous_identity
=anon
,
2047 password
="password", phase1
=phase1
,
2048 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2050 dev
[0].request("REMOVE_NETWORK all")
2051 dev
[0].wait_disconnected()
2053 tests
= [("peap-ver0", "peapver=1"),
2054 ("peap-ver1", "peapver=0")]
2055 for anon
, phase1
in tests
:
2056 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
2057 identity
="user", anonymous_identity
=anon
,
2058 password
="password", phase1
=phase1
,
2059 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2060 wait_connect
=False, scan_freq
="2412")
2061 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
2063 raise Exception("No EAP-Failure seen")
2064 dev
[0].request("REMOVE_NETWORK all")
2065 dev
[0].wait_disconnected()
2067 eap_connect(dev
[0], hapd
, "PEAP", "user", password
="password",
2068 ca_cert
="auth_serv/ca.pem",
2069 phase1
="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
2070 phase2
="auth=MSCHAPV2")
def test_ap_wpa2_eap_peap_eap_gtc(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-GTC"""
    # params (run-tests parameters) is accepted but not used; the AP
    # configuration is built locally.
    sta = dev[0]
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_conf)
    # PEAPv1 with EAP-GTC as the inner method.
    eap_connect(sta, ap, "PEAP", "user", phase1="peapver=1",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-TLS inside the PEAP tunnel: the outer TLS trusts ca_cert, while
    # the inner EAP-TLS uses the *2 variants (ca_cert2/client_cert2/
    # private_key2) for the client certificate authentication.
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(sta, ap, "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(sta, "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Plain EAP-TLS with a client certificate and an unencrypted PEM key
    # from the test credential set.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(sta, ap, "TLS", "tls user", **creds)
    eap_reauth(sta, "TLS")
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same EAP-TLS credentials as test_ap_wpa2_eap_tls, but the private key
    # is a password-protected PKCS #8 file, so private_key_passwd is needed
    # to unlock it.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key.pkcs8",
                 private_key_passwd="whatever")
    eap_connect(sta, ap, "TLS", "tls user", **creds)
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
    sta = dev[0]
    # Legacy PKCS #5 v1.5 key encryption is not supported by every TLS
    # library build; skip rather than fail when it is missing.
    check_pkcs5_v15_support(sta)
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                 private_key_passwd="whatever")
    eap_connect(sta, ap, "TLS", "tls user", **creds)
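def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def set_blob(name, data):
        # Load a PEM file into wpa_supplicant as a named configuration blob
        # over the control interface ("SET blob <name> <hex>"). The error
        # names the blob that failed; previously the userkey failure was
        # reported as "Could not set cacert blob", which made the three
        # failure modes indistinguishable in the log.
        hexdata = binascii.hexlify(data).decode()
        if "OK" not in sta.request("SET blob " + name + " " + hexdata):
            raise Exception("Could not set " + name + " blob")

    set_blob("cacert", read_pem("auth_serv/ca.pem"))
    set_blob("usercert", read_pem("auth_serv/user.pem"))
    set_blob("userkey", read_pem("auth_serv/user.rsa-key"))
    # All three credentials are referenced through blob:// URIs instead of
    # file paths, so the EAP-TLS client must resolve them from the blobs
    # just set.
    eap_connect(sta, ap, "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")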
2136 def test_ap_wpa2_eap_tls_blob_missing(dev
, apdev
):
2137 """EAP-TLS and config blob missing"""
2138 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2139 hostapd
.add_ap(apdev
[0], params
)
2140 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2141 identity
="tls user",
2142 ca_cert
="blob://testing-blob-does-not-exist",
2143 client_cert
="blob://testing-blob-does-not-exist",
2144 private_key
="blob://testing-blob-does-not-exist",
2145 wait_connect
=False, scan_freq
="2412")
2146 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"], timeout
=10)
2148 raise Exception("EAP failure not reported")
2149 dev
[0].request("REMOVE_NETWORK all")
2150 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
    """EAP-TLS and TLS Message Length in unfragmented packets"""
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # include_tls_length=1 makes the client add the TLS Message Length
    # field even when the message is not fragmented; the server must
    # accept it.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(sta, ap, "TLS", "tls user", phase1="include_tls_length=1",
                **creds)
2161 def test_ap_wpa2_eap_tls_pkcs12(dev
, apdev
):
2162 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
2163 check_pkcs12_support(dev
[0])
2164 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2165 hapd
= hostapd
.add_ap(apdev
[0], params
)
2166 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
2167 private_key
="auth_serv/user.pkcs12",
2168 private_key_passwd
="whatever")
2169 dev
[0].request("REMOVE_NETWORK all")
2170 dev
[0].wait_disconnected()
2172 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2173 identity
="tls user",
2174 ca_cert
="auth_serv/ca.pem",
2175 private_key
="auth_serv/user.pkcs12",
2176 wait_connect
=False, scan_freq
="2412")
2177 ev
= dev
[0].wait_event(["CTRL-REQ-PASSPHRASE"])
2179 raise Exception("Request for private key passphrase timed out")
2180 id = ev
.split(':')[0].split('-')[-1]
2181 dev
[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
2182 dev
[0].wait_connected(timeout
=10)
2183 dev
[0].request("REMOVE_NETWORK all")
2184 dev
[0].wait_disconnected()
2186 # Run this twice to verify certificate chain handling with OpenSSL. Use two
2187 # different files to cover both cases of the extra certificate being the
2188 # one that signed the client certificate and it being unrelated to the
2189 # client certificate.
2190 for pkcs12
in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
2192 eap_connect(dev
[0], hapd
, "TLS", "tls user",
2193 ca_cert
="auth_serv/ca.pem",
2195 private_key_passwd
="whatever")
2196 dev
[0].request("REMOVE_NETWORK all")
2197 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    # The CA certificate is handed to the shared helper as hex-encoded
    # PEM; the helper installs it as the "cacert" blob.
    pem = read_pem("auth_serv/ca.pem")
    run_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev,
                                    binascii.hexlify(pem).decode())
2205 def test_ap_wpa2_eap_tls_pkcs12_blob_pem(dev
, apdev
):
2206 """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob and PEM ca_cert blob"""
2207 with
open("auth_serv/ca.pem", "r") as f
:
2208 lines
= f
.readlines()
2212 if "-----BEGIN" in l
:
2219 cacert
= binascii
.hexlify(cert
.encode()).decode()
2220 run_ap_wpa2_eap_tls_pkcs12_blob(dev
, apdev
, cacert
)
def run_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev, cacert):
    # Shared body for the PKCS#12-from-blob tests. cacert is the CA
    # certificate already hex-encoded for the "SET blob" command (the
    # callers differ only in how they produce that encoding).
    sta = dev[0]
    check_pkcs12_support(sta)  # HwsimSkip when the TLS library lacks PKCS#12
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    if "OK" not in sta.request("SET blob cacert " + cacert):
        raise Exception("Could not set cacert blob")
    # The PKCS#12 bundle (client certificate + encrypted key) is read as raw
    # bytes and installed as a second blob.
    with open("auth_serv/user.pkcs12", "rb") as f:
        pkcs12 = f.read()
    if "OK" not in sta.request("SET blob pkcs12 " +
                               binascii.hexlify(pkcs12).decode()):
        raise Exception("Could not set pkcs12 blob")
    # Both credentials are referenced via blob:// URIs; the bundle's
    # passphrase unlocks the private key.
    eap_connect(sta, ap, "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
2235 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev
, apdev
):
2236 """WPA2-Enterprise negative test - incorrect trust root"""
2237 check_eap_capa(dev
[0], "MSCHAPV2")
2238 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2239 hostapd
.add_ap(apdev
[0], params
)
2240 cert
= read_pem("auth_serv/ca-incorrect.pem")
2241 if "OK" not in dev
[0].request("SET blob cacert " + binascii
.hexlify(cert
).decode()):
2242 raise Exception("Could not set cacert blob")
2243 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2244 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2245 password
="password", phase2
="auth=MSCHAPV2",
2246 ca_cert
="blob://cacert",
2247 wait_connect
=False, scan_freq
="2412")
2248 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2249 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2250 password
="password", phase2
="auth=MSCHAPV2",
2251 ca_cert
="auth_serv/ca-incorrect.pem",
2252 wait_connect
=False, scan_freq
="2412")
2254 for dev
in (dev
[0], dev
[1]):
2255 ev
= dev
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2257 raise Exception("Association and EAP start timed out")
2259 ev
= dev
.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
2261 raise Exception("EAP method selection timed out")
2262 if "TTLS" not in ev
:
2263 raise Exception("Unexpected EAP method")
2265 ev
= dev
.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2266 "CTRL-EVENT-EAP-SUCCESS",
2267 "CTRL-EVENT-EAP-FAILURE",
2268 "CTRL-EVENT-CONNECTED",
2269 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2271 raise Exception("EAP result timed out")
2272 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
2273 raise Exception("TLS certificate error not reported")
2275 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS",
2276 "CTRL-EVENT-EAP-FAILURE",
2277 "CTRL-EVENT-CONNECTED",
2278 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2280 raise Exception("EAP result(2) timed out")
2281 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
2282 raise Exception("EAP failure not reported")
2284 ev
= dev
.wait_event(["CTRL-EVENT-CONNECTED",
2285 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2287 raise Exception("EAP result(3) timed out")
2288 if "CTRL-EVENT-DISCONNECTED" not in ev
:
2289 raise Exception("Disconnection not reported")
2291 ev
= dev
.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
2293 raise Exception("Network block disabling not reported")
2295 def test_ap_wpa2_eap_tls_diff_ca_trust(dev
, apdev
):
2296 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
2297 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2298 hapd
= hostapd
.add_ap(apdev
[0], params
)
2299 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2300 identity
="pap user", anonymous_identity
="ttls",
2301 password
="password", phase2
="auth=PAP",
2302 ca_cert
="auth_serv/ca.pem",
2303 wait_connect
=True, scan_freq
="2412")
2304 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2305 identity
="pap user", anonymous_identity
="ttls",
2306 password
="password", phase2
="auth=PAP",
2307 ca_cert
="auth_serv/ca-incorrect.pem",
2308 only_add_network
=True, scan_freq
="2412")
2310 dev
[0].request("DISCONNECT")
2311 dev
[0].wait_disconnected()
2312 dev
[0].dump_monitor()
2313 dev
[0].select_network(id, freq
="2412")
2315 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout
=15)
2317 raise Exception("EAP-TTLS not re-started")
2319 ev
= dev
[0].wait_disconnected(timeout
=15)
2320 if "reason=23" not in ev
:
2321 raise Exception("Proper reason code for disconnection not reported")
2323 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev
, apdev
):
2324 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
2325 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2326 hapd
= hostapd
.add_ap(apdev
[0], params
)
2327 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2328 identity
="pap user", anonymous_identity
="ttls",
2329 password
="password", phase2
="auth=PAP",
2330 wait_connect
=True, scan_freq
="2412")
2331 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2332 identity
="pap user", anonymous_identity
="ttls",
2333 password
="password", phase2
="auth=PAP",
2334 ca_cert
="auth_serv/ca-incorrect.pem",
2335 only_add_network
=True, scan_freq
="2412")
2337 dev
[0].request("DISCONNECT")
2338 dev
[0].wait_disconnected()
2339 dev
[0].dump_monitor()
2340 dev
[0].select_network(id, freq
="2412")
2342 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout
=15)
2344 raise Exception("EAP-TTLS not re-started")
2346 ev
= dev
[0].wait_disconnected(timeout
=15)
2347 if "reason=23" not in ev
:
2348 raise Exception("Proper reason code for disconnection not reported")
2350 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev
, apdev
):
2351 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
# Variant of the previous CA-trust test: the same network block is reused and
# only its ca_cert is swapped (via set_network_quoted) from the valid
# auth_serv/ca.pem to auth_serv/ca-incorrect.pem before reconnecting. This
# exercises the "configuration changed underneath an existing network block"
# path rather than "select a different block".
# NOTE(review): blank lines and the `if ev is None:` guard lines are not
# captured in this rendering; the bare `raise` below presumably sits under one.
2352 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2353 hapd
= hostapd
.add_ap(apdev
[0], params
)
# Initial connection with the correct trust anchor; must succeed.
2354 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2355 identity
="pap user", anonymous_identity
="ttls",
2356 password
="password", phase2
="auth=PAP",
2357 ca_cert
="auth_serv/ca.pem",
2358 wait_connect
=True, scan_freq
="2412")
2359 dev
[0].request("DISCONNECT")
2360 dev
[0].wait_disconnected()
2361 dev
[0].dump_monitor()
# Change the trust anchor in place; any cached TLS session must not let the
# station bypass re-validation against the new CA.
2362 dev
[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
2363 dev
[0].select_network(id, freq
="2412")
# EAP-TTLS (type 21) has to be negotiated again for the modified block.
2365 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout
=15)
2367 raise Exception("EAP-TTLS not re-started")
# Expect disconnection with reason 23 (IEEE 802.1X authentication failed).
2369 ev
= dev
[0].wait_disconnected(timeout
=15)
2370 if "reason=23" not in ev
:
2371 raise Exception("Proper reason code for disconnection not reported")
2373 def test_ap_wpa2_eap_tls_neg_suffix_match(dev
, apdev
):
2374 """WPA2-Enterprise negative test - domain suffix mismatch"""
# Negative server-identity check: the CA (auth_serv/ca.pem) is trusted, but
# domain_suffix_match names a suffix the server certificate does not carry.
# The expected sequence is: EAP started -> TTLS selected ->
# CTRL-EVENT-EAP-TLS-CERT-ERROR mentioning "Domain suffix mismatch" ->
# EAP failure -> disconnection -> the network block gets temporarily disabled.
# A server certificate that chains to a trusted CA but names the wrong host
# must never be accepted; this is what distinguishes "trusted CA" from
# "the right server".
# NOTE(review): the `if ev is None:` guards and blank lines are not captured
# in this rendering; each bare `raise` below presumably sits under one.
2375 check_domain_suffix_match(dev
[0])
2376 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2377 hostapd
.add_ap(apdev
[0], params
)
# NOTE: "DOMAIN\mschapv2 user" uses `\m`, which is not a recognised escape, so
# the backslash is kept literally - the intended identity. Newer Python
# versions warn about invalid escapes; a raw string or "\\m" would be the
# warning-free spelling of the same value.
2378 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2379 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2380 password
="password", phase2
="auth=MSCHAPV2",
2381 ca_cert
="auth_serv/ca.pem",
2382 domain_suffix_match
="incorrect.example.com",
2383 wait_connect
=False, scan_freq
="2412")
2385 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2387 raise Exception("Association and EAP start timed out")
2389 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
2391 raise Exception("EAP method selection timed out")
2392 if "TTLS" not in ev
:
2393 raise Exception("Unexpected EAP method")
# Any outcome other than a certificate error (success, failure, connection,
# disconnection) arriving first is a test failure: the mismatch has to be
# detected and reported before the exchange concludes.
2395 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2396 "CTRL-EVENT-EAP-SUCCESS",
2397 "CTRL-EVENT-EAP-FAILURE",
2398 "CTRL-EVENT-CONNECTED",
2399 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2401 raise Exception("EAP result timed out")
2402 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
2403 raise Exception("TLS certificate error not reported")
2404 if "Domain suffix mismatch" not in ev
:
2405 raise Exception("Domain suffix mismatch not reported")
# After the certificate error the EAP exchange itself must end in failure ...
2407 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2408 "CTRL-EVENT-EAP-FAILURE",
2409 "CTRL-EVENT-CONNECTED",
2410 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2412 raise Exception("EAP result(2) timed out")
2413 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
2414 raise Exception("EAP failure not reported")
# ... followed by a disconnection rather than a connection ...
2416 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
2417 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2419 raise Exception("EAP result(3) timed out")
2420 if "CTRL-EVENT-DISCONNECTED" not in ev
:
2421 raise Exception("Disconnection not reported")
# ... and the misconfigured block must be temporarily disabled so the station
# does not retry in a tight loop.
2423 ev
= dev
[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
2425 raise Exception("Network block disabling not reported")
2427 def test_ap_wpa2_eap_tls_neg_domain_match(dev
, apdev
):
2428 """WPA2-Enterprise negative test - domain mismatch"""
# Same shape as the suffix-match negative test, but with domain_match, which
# requires a full (not suffix) match of the server certificate's name. The
# value "w1.fi" is expected not to match the test server's certificate, so
# the CERT-ERROR event must carry "Domain mismatch" and the connection must
# fail even though the CA (auth_serv/ca.pem) is trusted.
# NOTE(review): `if ev is None:` guards and blank lines are missing from this
# rendering; each bare `raise` below presumably sits under one.
2429 check_domain_match(dev
[0])
2430 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2431 hostapd
.add_ap(apdev
[0], params
)
2432 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2433 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2434 password
="password", phase2
="auth=MSCHAPV2",
2435 ca_cert
="auth_serv/ca.pem",
2436 domain_match
="w1.fi",
2437 wait_connect
=False, scan_freq
="2412")
2439 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2441 raise Exception("Association and EAP start timed out")
2443 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
2445 raise Exception("EAP method selection timed out")
2446 if "TTLS" not in ev
:
2447 raise Exception("Unexpected EAP method")
# The certificate error must be the first outcome reported.
2449 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2450 "CTRL-EVENT-EAP-SUCCESS",
2451 "CTRL-EVENT-EAP-FAILURE",
2452 "CTRL-EVENT-CONNECTED",
2453 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2455 raise Exception("EAP result timed out")
2456 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
2457 raise Exception("TLS certificate error not reported")
2458 if "Domain mismatch" not in ev
:
2459 raise Exception("Domain mismatch not reported")
# Then EAP failure, disconnection and temporary disabling of the block.
2461 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2462 "CTRL-EVENT-EAP-FAILURE",
2463 "CTRL-EVENT-CONNECTED",
2464 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2466 raise Exception("EAP result(2) timed out")
2467 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
2468 raise Exception("EAP failure not reported")
2470 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
2471 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2473 raise Exception("EAP result(3) timed out")
2474 if "CTRL-EVENT-DISCONNECTED" not in ev
:
2475 raise Exception("Disconnection not reported")
2477 ev
= dev
[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
2479 raise Exception("Network block disabling not reported")
2481 def test_ap_wpa2_eap_tls_neg_subject_match(dev
, apdev
):
2482 """WPA2-Enterprise negative test - subject mismatch"""
# Negative test for subject_match: the configured subject
# "/C=FI/O=w1.fi/CN=example.com" is not the test server's certificate
# subject, so the CERT-ERROR must report "Subject mismatch". Unlike the
# domain tests this one does not call check_subject_match_support(): with a
# TLS library that lacks subject_match the EAP method fails to initialize,
# which is also treated as the correct (fail-closed) outcome below.
# NOTE(review): `if ev is None:` guards, blank lines and, presumably, the
# early `return` after the "not supported" log line are not captured in this
# rendering.
2483 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2484 hostapd
.add_ap(apdev
[0], params
)
2485 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2486 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2487 password
="password", phase2
="auth=MSCHAPV2",
2488 ca_cert
="auth_serv/ca.pem",
2489 subject_match
="/C=FI/O=w1.fi/CN=example.com",
2490 wait_connect
=False, scan_freq
="2412")
2492 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2494 raise Exception("Association and EAP start timed out")
# Either the method is selected, or initialization fails because the TLS
# library cannot honour subject_match.
2496 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD",
2497 "EAP: Failed to initialize EAP method"], timeout
=10)
2499 raise Exception("EAP method selection timed out")
# With OpenSSL, subject_match is supported, so an init failure is a real bug;
# with other libraries a refused configuration is acceptable because the
# connection is not established with an unchecked subject.
2500 if "EAP: Failed to initialize EAP method" in ev
:
2501 tls
= dev
[0].request("GET tls_library")
2502 if tls
.startswith("OpenSSL"):
2503 raise Exception("Failed to select EAP method")
2504 logger
.info("subject_match not supported - connection failed, so test succeeded")
2506 if "TTLS" not in ev
:
2507 raise Exception("Unexpected EAP method")
2509 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2510 "CTRL-EVENT-EAP-SUCCESS",
2511 "CTRL-EVENT-EAP-FAILURE",
2512 "CTRL-EVENT-CONNECTED",
2513 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2515 raise Exception("EAP result timed out")
2516 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
2517 raise Exception("TLS certificate error not reported")
2518 if "Subject mismatch" not in ev
:
2519 raise Exception("Subject mismatch not reported")
# Remaining sequence: EAP failure -> disconnection -> block temp-disabled.
2521 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2522 "CTRL-EVENT-EAP-FAILURE",
2523 "CTRL-EVENT-CONNECTED",
2524 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2526 raise Exception("EAP result(2) timed out")
2527 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
2528 raise Exception("EAP failure not reported")
2530 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
2531 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2533 raise Exception("EAP result(3) timed out")
2534 if "CTRL-EVENT-DISCONNECTED" not in ev
:
2535 raise Exception("Disconnection not reported")
2537 ev
= dev
[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
2539 raise Exception("Network block disabling not reported")
2541 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev
, apdev
):
2542 """WPA2-Enterprise negative test - altsubject mismatch"""
# Driver for the altsubject_match negative cases: one AP, then the helper
# below is run once per match string. Two entries of the `tests` list are
# visible here (a bare hostname and a "DNS:"-prefixed one); the remaining
# entries and the `for match in tests:` loop header are not captured in this
# rendering.
2543 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2544 hostapd
.add_ap(apdev
[0], params
)
2546 tests
= ["incorrect.example.com",
2547 "DNS:incorrect.example.com",
2551 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev
, apdev
, match
)
2553 def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev
, apdev
, match
):
# One altsubject_match negative case against an AP that the caller has
# already started. `match` is the altsubject_match value under test; it must
# not match the server certificate's subjectAltName, so the expected
# CERT-ERROR text is "AltSubject mismatch". As in the subject_match test, an
# "EAP: Failed to initialize EAP method" outcome is accepted on non-OpenSSL
# TLS libraries (the connection still fails closed). Ends with
# "REMOVE_NETWORK all" so the caller's next iteration starts clean.
# NOTE(review): `if ev is None:` guards, blank lines and presumably the early
# `return` after the "not supported" log line are missing from this rendering.
2554 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2555 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2556 password
="password", phase2
="auth=MSCHAPV2",
2557 ca_cert
="auth_serv/ca.pem",
2558 altsubject_match
=match
,
2559 wait_connect
=False, scan_freq
="2412")
2561 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2563 raise Exception("Association and EAP start timed out")
2565 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD",
2566 "EAP: Failed to initialize EAP method"], timeout
=10)
2568 raise Exception("EAP method selection timed out")
2569 if "EAP: Failed to initialize EAP method" in ev
:
2570 tls
= dev
[0].request("GET tls_library")
2571 if tls
.startswith("OpenSSL"):
2572 raise Exception("Failed to select EAP method")
2573 logger
.info("altsubject_match not supported - connection failed, so test succeeded")
2575 if "TTLS" not in ev
:
2576 raise Exception("Unexpected EAP method")
# The certificate error must be reported before any success/failure result.
2578 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2579 "CTRL-EVENT-EAP-SUCCESS",
2580 "CTRL-EVENT-EAP-FAILURE",
2581 "CTRL-EVENT-CONNECTED",
2582 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2584 raise Exception("EAP result timed out")
2585 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
2586 raise Exception("TLS certificate error not reported")
2587 if "AltSubject mismatch" not in ev
:
2588 raise Exception("altsubject mismatch not reported")
2590 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2591 "CTRL-EVENT-EAP-FAILURE",
2592 "CTRL-EVENT-CONNECTED",
2593 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2595 raise Exception("EAP result(2) timed out")
2596 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
2597 raise Exception("EAP failure not reported")
2599 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
2600 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2602 raise Exception("EAP result(3) timed out")
2603 if "CTRL-EVENT-DISCONNECTED" not in ev
:
2604 raise Exception("Disconnection not reported")
2606 ev
= dev
[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
2608 raise Exception("Network block disabling not reported")
# Clean up so the next `match` value gets a fresh network block.
2610 dev
[0].request("REMOVE_NETWORK all")
2612 def test_ap_wpa2_eap_unauth_tls(dev
, apdev
):
2613 """WPA2-Enterprise connection using UNAUTH-TLS"""
# UNAUTH-TLS is hostap's vendor EAP method: TLS with server authentication
# only (no client certificate). The server certificate is still validated
# against auth_serv/ca.pem, which is what makes this different from simply
# disabling validation. eap_connect() performs the full connection and
# eap_reauth() triggers a re-authentication with the same method.
2614 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2615 hapd
= hostapd
.add_ap(apdev
[0], params
)
2616 eap_connect(dev
[0], hapd
, "UNAUTH-TLS", "unauth-tls",
2617 ca_cert
="auth_serv/ca.pem")
2618 eap_reauth(dev
[0], "UNAUTH-TLS")
2620 def test_ap_wpa2_eap_ttls_server_cert_hash(dev
, apdev
):
2621 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
# Server-certificate pinning via ca_cert="hash://server/sha256/<hex>" instead
# of a CA trust anchor. Three phases:
#   1. ca_cert="probe://" - the station only learns the server certificate;
#      CTRL-EVENT-EAP-PEER-CERT depth=0 must carry hash=<srv_cert_hash> and
#      the exchange must end with a "Server certificate chain probe" error,
#      never a connection.
#   2. A wrong sha256 pin must be rejected with "Server certificate mismatch".
#   3. The correct pin (srv_cert_hash) must connect.
# The pinned digests are tied to the auth_serv test certificates; rotating
# those certificates requires updating both values here.
# NOTE(review): `if ev is None:` guards and blank lines are not captured in
# this rendering; each bare `raise` below presumably sits under one.
2622 check_cert_probe_support(dev
[0])
2623 skip_with_fips(dev
[0])
2624 srv_cert_hash
= "4704e62784f36cc5fd964c6410402f4938773bb471dce9d42939bf22fdbdb2dd"
2625 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2626 hapd
= hostapd
.add_ap(apdev
[0], params
)
# Phase 1: probe only. identity="probe" is never expected to authenticate.
2627 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2628 identity
="probe", ca_cert
="probe://",
2629 wait_connect
=False, scan_freq
="2412")
2630 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2632 raise Exception("Association and EAP start timed out")
# depth=0 is the server (leaf) certificate; its reported hash is what a user
# would copy into a hash://server/sha256/ pin.
2633 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout
=10)
2635 raise Exception("No peer server certificate event seen")
2636 if "hash=" + srv_cert_hash
not in ev
:
2637 raise Exception("Expected server certificate hash not reported")
# A probe must terminate the handshake as a certificate error, not succeed.
2638 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout
=10)
2640 raise Exception("EAP result timed out")
2641 if "Server certificate chain probe" not in ev
:
2642 raise Exception("Server certificate probe not reported")
2643 dev
[0].wait_disconnected(timeout
=10)
2644 dev
[0].request("REMOVE_NETWORK all")
# Phase 2: well-formed sha256 pin that does not match the server certificate.
2646 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2647 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2648 password
="password", phase2
="auth=MSCHAPV2",
2649 ca_cert
="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
2650 wait_connect
=False, scan_freq
="2412")
2651 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2653 raise Exception("Association and EAP start timed out")
2654 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout
=10)
2656 raise Exception("EAP result timed out")
2657 if "Server certificate mismatch" not in ev
:
2658 raise Exception("Server certificate mismatch not reported")
2659 dev
[0].wait_disconnected(timeout
=10)
2660 dev
[0].request("REMOVE_NETWORK all")
# Phase 3: correct pin; eap_connect() must complete the connection.
2662 eap_connect(dev
[0], hapd
, "TTLS", "DOMAIN\mschapv2 user",
2663 anonymous_identity
="ttls", password
="password",
2664 ca_cert
="hash://server/sha256/" + srv_cert_hash
,
2665 phase2
="auth=MSCHAPV2")
2667 def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev
, apdev
):
2668 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
# Malformed hash:// pins must be rejected at EAP method initialization, i.e.
# before any TLS handshake, rather than silently degrading to "no
# validation". Three stations, one malformed pin each:
#   dev[0]: unsupported digest algorithm (md5 instead of sha256)
#   dev[1]: sha256 digest that is too short (62 hex characters)
#   dev[2]: sha256 digest containing a non-hex character ('Q')
# For all three the expected log line is the type 21 (TTLS) init failure.
# NOTE(review): the `if ev is None:` guard lines are not captured in this
# rendering; each bare `raise` below presumably sits under one.
2669 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2670 hostapd
.add_ap(apdev
[0], params
)
2671 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2672 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2673 password
="password", phase2
="auth=MSCHAPV2",
2674 ca_cert
="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
2675 wait_connect
=False, scan_freq
="2412")
2676 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2677 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2678 password
="password", phase2
="auth=MSCHAPV2",
2679 ca_cert
="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
2680 wait_connect
=False, scan_freq
="2412")
2681 dev
[2].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2682 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2683 password
="password", phase2
="auth=MSCHAPV2",
2684 ca_cert
="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
2685 wait_connect
=False, scan_freq
="2412")
# Check each station in turn. (range(0, 3) is just range(3).)
2686 for i
in range(0, 3):
2687 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2689 raise Exception("Association and EAP start timed out")
# The method must refuse to start with the malformed pin.
2690 ev
= dev
[i
].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout
=5)
2692 raise Exception("Did not report EAP method initialization failure")
2694 def test_ap_wpa2_eap_pwd(dev
, apdev
):
2695 """WPA2-Enterprise connection using EAP-pwd"""
# Baseline EAP-pwd (password-authenticated key exchange) coverage:
#   - connect and re-authenticate as "pwd user";
#   - connect with a very long NAI identity (exercises identity handling and,
#     judging by the trailing arguments, fragmentation - the final keyword of
#     those two eap_connect() calls is not captured in this rendering);
#   - a wrong password must fail; local_error_report=True means the failure
#     is detected locally rather than via an explicit server failure message.
2696 check_eap_capa(dev
[0], "PWD")
2697 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2698 hapd
= hostapd
.add_ap(apdev
[0], params
)
2699 eap_connect(dev
[0], hapd
, "PWD", "pwd user", password
="secret password")
2700 eap_reauth(dev
[0], "PWD")
2701 dev
[0].request("REMOVE_NETWORK all")
2703 eap_connect(dev
[1], hapd
, "PWD",
2704 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2705 password
="secret password",
# Negative case: "secret-password" differs from the configured password only
# by one character; PAKE must still fail outright.
2708 logger
.info("Negative test with incorrect password")
2709 eap_connect(dev
[2], hapd
, "PWD", "pwd user", password
="secret-password",
2710 expect_failure
=True, local_error_report
=True)
2712 eap_connect(dev
[0], hapd
, "PWD",
2713 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2714 password
="secret password",
2717 def test_ap_wpa2_eap_pwd_nthash(dev
, apdev
):
2718 """WPA2-Enterprise connection using EAP-pwd and NTHash"""
# EAP-pwd with a server-side NT-hashed password ("pwd-hash" user):
#   dev[0]: supplies the plaintext, which the peer hashes itself;
#   dev[1]: supplies the NT hash directly via password_hex="hash:<hex>";
#   dev[2]: uses the same hash against "pwd user", whose credential is stored
#           in plaintext, so the exchange must fail.
# Skipped under FIPS because the NT hash is MD4-based. Note that a stored
# hash is password-equivalent for EAP-pwd: the "hash:" form changes storage
# format, not the sensitivity of the value.
2719 check_eap_capa(dev
[0], "PWD")
2720 skip_with_fips(dev
[0])
2721 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2722 hapd
= hostapd
.add_ap(apdev
[0], params
)
2723 eap_connect(dev
[0], hapd
, "PWD", "pwd-hash", password
="secret password")
2724 eap_connect(dev
[1], hapd
, "PWD", "pwd-hash",
2725 password_hex
="hash:e3718ece8ab74792cbbfffd316d2d19a")
2726 eap_connect(dev
[2], hapd
, "PWD", "pwd user",
2727 password_hex
="hash:e3718ece8ab74792cbbfffd316d2d19a",
2728 expect_failure
=True, local_error_report
=True)
2730 def test_ap_wpa2_eap_pwd_salt_sha1(dev
, apdev
):
2731 """WPA2-Enterprise connection using EAP-pwd and salted password SHA-1"""
# The "pwd-hash-sha1" user is configured on the server with a salted SHA-1
# password digest; the peer still supplies the plaintext. Positive case only.
2732 check_eap_capa(dev
[0], "PWD")
2733 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2734 hapd
= hostapd
.add_ap(apdev
[0], params
)
2735 eap_connect(dev
[0], hapd
, "PWD", "pwd-hash-sha1",
2736 password
="secret password")
2738 def test_ap_wpa2_eap_pwd_salt_sha256(dev
, apdev
):
2739 """WPA2-Enterprise connection using EAP-pwd and salted password SHA256"""
# Same as the SHA-1 variant with the server holding a salted SHA-256 digest
# for "pwd-hash-sha256". Positive case only.
2740 check_eap_capa(dev
[0], "PWD")
2741 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2742 hapd
= hostapd
.add_ap(apdev
[0], params
)
2743 eap_connect(dev
[0], hapd
, "PWD", "pwd-hash-sha256",
2744 password
="secret password")
2746 def test_ap_wpa2_eap_pwd_salt_sha512(dev
, apdev
):
2747 """WPA2-Enterprise connection using EAP-pwd and salted password SHA512"""
# Same as the SHA-1/SHA-256 variants with a salted SHA-512 digest stored for
# "pwd-hash-sha512". Positive case only.
2748 check_eap_capa(dev
[0], "PWD")
2749 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2750 hapd
= hostapd
.add_ap(apdev
[0], params
)
2751 eap_connect(dev
[0], hapd
, "PWD", "pwd-hash-sha512",
2752 password
="secret password")
2754 def test_ap_wpa2_eap_pwd_groups(dev
, apdev
):
2755 """WPA2-Enterprise connection using various EAP-pwd groups"""
# Runs one AP per EAP-pwd group (hostapd's pwd_group) and checks that a
# connection succeeds for each. Groups 19, 20 and 21 are the NIST P-256,
# P-384 and P-521 ECP groups; 28, 29 and 30 are the Brainpool groups and are
# only added when the TLS library is OpenSSL 1.0.2 or 1.1 at both build and
# run time. NOTE(review): those checks are exact prefix matches, so other
# OpenSSL releases (e.g. 3.x) fall through to the NIST groups only - the
# "new enough" wording in the log lines slightly overstates the condition.
# The `for i in groups:` loop header and blank lines are not captured in
# this rendering; the statements from the "Group %d" log onwards form the
# loop body.
2756 check_eap_capa(dev
[0], "PWD")
2757 tls
= dev
[0].request("GET tls_library")
# Explicit hostapd params (instead of wpa2_eap_params) so pwd_group can be
# set per iteration; the user database is the shared eap_user.conf.
2758 params
= {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2759 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2760 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf"}
2761 groups
= [19, 20, 21]
2762 if tls
.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls
and "run=OpenSSL 1.0.2" in tls
:
2763 logger
.info("Add Brainpool EC groups since OpenSSL is new enough")
2764 groups
+= [28, 29, 30]
2765 if tls
.startswith("OpenSSL") and "build=OpenSSL 1.1" in tls
and "run=OpenSSL 1.1" in tls
:
2766 logger
.info("Add Brainpool EC groups since OpenSSL is new enough")
2767 groups
+= [28, 29, 30]
2769 logger
.info("Group %d" % i
)
2770 params
['pwd_group'] = str(i
)
2771 hapd
= hostapd
.add_ap(apdev
[0], params
)
2772 eap_connect(dev
[0], hapd
, "PWD", "pwd user",
2773 password
="secret password")
# Reset the station fully between groups so a stale association or queued
# event cannot leak into the next iteration.
2774 dev
[0].request("REMOVE_NETWORK all")
2775 dev
[0].wait_disconnected()
2776 dev
[0].dump_monitor()
2779 def test_ap_wpa2_eap_pwd_invalid_group(dev
, apdev
):
2780 """WPA2-Enterprise connection using invalid EAP-pwd group"""
# Negative counterpart of the groups test: for each pwd_group value the
# server is configured with a group the peer does not accept (0 and the
# small/unsupported groups 25, 26, 27), and the exchange must end in
# CTRL-EVENT-EAP-FAILURE rather than a connection. Rejecting weak or unknown
# groups at negotiation time is what prevents a downgrade to them.
# NOTE(review): the `if ev is None:` guard for the raise below is not
# captured in this rendering; note also that this wait_event() call uses the
# default timeout rather than an explicit one like its neighbours.
2781 check_eap_capa(dev
[0], "PWD")
2782 params
= {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2783 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2784 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf"}
2785 for i
in [0, 25, 26, 27]:
2786 logger
.info("Group %d" % i
)
2787 params
['pwd_group'] = str(i
)
2788 hapd
= hostapd
.add_ap(apdev
[0], params
)
2789 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PWD",
2790 identity
="pwd user", password
="secret password",
2791 scan_freq
="2412", wait_connect
=False)
2792 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2794 raise Exception("Timeout on EAP failure report (group %d)" % i
)
# Full reset between iterations (network, association, queued events).
2795 dev
[0].request("REMOVE_NETWORK all")
2796 dev
[0].wait_disconnected()
2797 dev
[0].dump_monitor()
2800 def test_ap_wpa2_eap_pwd_as_frag(dev
, apdev
):
2801 """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
# EAP-pwd with the authentication server forced to fragment its messages
# (fragment_size 40 is far below the size of a pwd Commit/Confirm exchange),
# so the peer's reassembly path is exercised. pwd_group 19 = NIST P-256.
# NOTE(review): the `params = hostapd.wpa2_eap_params(...)` result is
# immediately overwritten by the literal dict below, so that first
# assignment is dead code.
2802 check_eap_capa(dev
[0], "PWD")
2803 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2804 params
= {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2805 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2806 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
2807 "pwd_group": "19", "fragment_size": "40"}
2808 hapd
= hostapd
.add_ap(apdev
[0], params
)
2809 eap_connect(dev
[0], hapd
, "PWD", "pwd user", password
="secret password")
2811 def test_ap_wpa2_eap_gpsk(dev
, apdev
):
2812 """WPA2-Enterprise connection using EAP-GPSK"""
# EAP-GPSK (pre-shared key method) coverage:
#   - connect and re-authenticate with the 32-character PSK;
#   - force each ciphersuite in turn via phase1 "cipher=1" / "cipher=2" and
#     expect EAP success plus connection for both;
#   - an unknown ciphersuite ("cipher=9") must make negotiation fail;
#   - a PSK differing in the first byte must be rejected.
# `id` shadows the builtin (kept as in the original).
# NOTE(review): `if ev is None:` guards and blank lines are not captured in
# this rendering; each bare `raise` below presumably sits under one.
2813 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2814 hapd
= hostapd
.add_ap(apdev
[0], params
)
2815 id = eap_connect(dev
[0], hapd
, "GPSK", "gpsk user",
2816 password
="abcdefghijklmnop0123456789abcdef")
2817 eap_reauth(dev
[0], "GPSK")
# Changing phase1 on the live network block triggers a new EAP exchange, so
# each iteration waits for its own EAP-SUCCESS and connection.
2819 logger
.info("Test forced algorithm selection")
2820 for phase1
in ["cipher=1", "cipher=2"]:
2821 dev
[0].set_network_quoted(id, "phase1", phase1
)
2822 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
2824 raise Exception("EAP success timed out")
2825 dev
[0].wait_connected(timeout
=10)
# Unsupported ciphersuite: negotiation must fail, not fall back silently.
2827 logger
.info("Test failed algorithm negotiation")
2828 dev
[0].set_network_quoted(id, "phase1", "cipher=9")
2829 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
2831 raise Exception("EAP failure timed out")
2833 logger
.info("Negative test with incorrect password")
2834 dev
[0].request("REMOVE_NETWORK all")
2835 eap_connect(dev
[0], hapd
, "GPSK", "gpsk user",
2836 password
="ffcdefghijklmnop0123456789abcdef",
2837 expect_failure
=True)
2839 def test_ap_wpa2_eap_sake(dev
, apdev
):
2840 """WPA2-Enterprise connection using EAP-SAKE"""
# EAP-SAKE: connect and re-authenticate with the 32-byte root secret given
# as password_hex, then verify that a secret differing in the first byte is
# rejected.
2841 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2842 hapd
= hostapd
.add_ap(apdev
[0], params
)
2843 eap_connect(dev
[0], hapd
, "SAKE", "sake user",
2844 password_hex
="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
2845 eap_reauth(dev
[0], "SAKE")
2847 logger
.info("Negative test with incorrect password")
2848 dev
[0].request("REMOVE_NETWORK all")
2849 eap_connect(dev
[0], hapd
, "SAKE", "sake user",
2850 password_hex
="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
2851 expect_failure
=True)
2853 def test_ap_wpa2_eap_eke(dev
, apdev
):
2854 """WPA2-Enterprise connection using EAP-EKE"""
# EAP-EKE (password-authenticated key exchange) coverage:
#   - connect and re-authenticate as "eke user";
#   - force each supported proposal set via phase1 (DH group, encryption,
#     PRF and MAC algorithm ids) and expect success + connection for each;
#   - an all-unknown proposal ("dhgroup=9 encr=9 prf=9 mac=9") must fail;
#   - proposals with DH groups 2 and 1 (offered as the only choice) must be
#     refused by the server - this is the downgrade protection check;
#   - a wrong password ("hello1") must fail.
# `id` shadows the builtin (kept as in the original).
# NOTE(review): `if ev is None:` guards and blank lines are not captured in
# this rendering; each bare `raise` below presumably sits under one.
2855 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2856 hapd
= hostapd
.add_ap(apdev
[0], params
)
2857 id = eap_connect(dev
[0], hapd
, "EKE", "eke user", password
="hello")
2858 eap_reauth(dev
[0], "EKE")
2860 logger
.info("Test forced algorithm selection")
2861 for phase1
in ["dhgroup=5 encr=1 prf=2 mac=2",
2862 "dhgroup=4 encr=1 prf=2 mac=2",
2863 "dhgroup=3 encr=1 prf=2 mac=2",
2864 "dhgroup=3 encr=1 prf=1 mac=1"]:
# Updating phase1 on the live block re-runs EAP with the new proposal.
2865 dev
[0].set_network_quoted(id, "phase1", phase1
)
2866 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
2868 raise Exception("EAP success timed out")
2869 dev
[0].wait_connected(timeout
=10)
2870 dev
[0].dump_monitor()
2872 logger
.info("Test failed algorithm negotiation")
2873 dev
[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
2874 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
2876 raise Exception("EAP failure timed out")
2877 dev
[0].dump_monitor()
# Groups the server does not allow: a fresh network block per attempt so the
# failure is attributable to the proposal alone.
2879 logger
.info("Test unsupported algorithm proposals")
2880 dev
[0].request("REMOVE_NETWORK all")
2881 dev
[0].dump_monitor()
2882 eap_connect(dev
[0], hapd
, "EKE", "eke user", password
="hello",
2883 phase1
="dhgroup=2 encr=1 prf=1 mac=1", expect_failure
=True)
2884 dev
[0].request("REMOVE_NETWORK all")
2885 dev
[0].dump_monitor()
2886 eap_connect(dev
[0], hapd
, "EKE", "eke user", password
="hello",
2887 phase1
="dhgroup=1 encr=1 prf=1 mac=1", expect_failure
=True)
2889 logger
.info("Negative test with incorrect password")
2890 dev
[0].request("REMOVE_NETWORK all")
2891 eap_connect(dev
[0], hapd
, "EKE", "eke user", password
="hello1",
2892 expect_failure
=True)
2894 def test_ap_wpa2_eap_eke_many(dev
, apdev
, params
):
2895 """WPA2-Enterprise connection using EAP-EKE (many connections) [long]"""
# Stress variant: 100 rounds, each connecting the stations dev[j] with
# EAP-EKE (dhgroup 3) and tearing them down again, counting successes and
# failures. Only runs when the harness was started with --long.
# NOTE(review): the `params` argument here is the test-harness dict (read for
# its 'long' flag) and is then rebound to the hostapd parameter dict -
# different meaning, same name. The inner `for j in ...:` header, the
# success/fail counter initialisation and updates, and the `if ev is None:`
# guard are not captured in this rendering.
2896 if not params
['long']:
2897 raise HwsimSkip("Skip test case with long duration due to --long not specified")
2898 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2899 hostapd
.add_ap(apdev
[0], params
)
2902 for i
in range(100):
2904 dev
[j
].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="EKE",
2905 identity
="eke user", password
="hello",
2906 phase1
="dhgroup=3 encr=1 prf=1 mac=1",
2907 scan_freq
="2412", wait_connect
=False)
2909 ev
= dev
[j
].wait_event(["CTRL-EVENT-CONNECTED",
2910 "CTRL-EVENT-DISCONNECTED"], timeout
=15)
2912 raise Exception("No connected/disconnected event")
2913 if "CTRL-EVENT-DISCONNECTED" in ev
:
2915 # The RADIUS server limits on active sessions can be hit when
2916 # going through this test case, so try to give some more time
2917 # for the server to remove sessions.
2918 logger
.info("Failed to connect i=%d j=%d" % (i
, j
))
2919 dev
[j
].request("REMOVE_NETWORK all")
# Normal path: drop the network and wait for the station to settle before
# the next round.
2923 dev
[j
].request("REMOVE_NETWORK all")
2924 dev
[j
].wait_disconnected()
2925 dev
[j
].dump_monitor()
2926 logger
.info("Total success=%d failure=%d" % (success
, fail
))
2928 def test_ap_wpa2_eap_eke_serverid_nai(dev
, apdev
):
2929 """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
# EAP-EKE where the server identity is an NAI ("example.server@w1.fi")
# instead of a plain hostname; uses the integrated EAP server parameters
# (int_eap_server_params) so server_id can be set directly on hostapd.
2930 params
= int_eap_server_params()
2931 params
['server_id'] = 'example.server@w1.fi'
2932 hapd
= hostapd
.add_ap(apdev
[0], params
)
2933 eap_connect(dev
[0], hapd
, "EKE", "eke user", password
="hello")
2935 def test_ap_wpa2_eap_eke_server_oom(dev
, apdev
):
2936 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
# Server-side allocation-failure injection for EAP-EKE. alloc_fail(hapd,
# count, func) arms the hostapd test hook so that the count-th allocation
# inside `func` fails; the test then checks that the server fails the
# exchange cleanly instead of crashing or completing authentication.
# Three passes:
#   1. message build/process functions - eap_connect() must see a failure;
#   2. init/session-id/key/identity functions - connect without waiting and
#      poll GET_ALLOC_FAIL until the armed failure has fired;
#   3. eap_server_sm_step with an increasing count until the hook reports
#      "Allocation failure did not trigger", i.e. every allocation in the
#      state machine has been hit once.
# NOTE(review): this rendering drops blank lines and several short lines -
# presumably the polling `for` loop and `break` around each GET_ALLOC_FAIL
# check, the `try:` for the third pass and its loop exit. GET_ALLOC_FAIL
# starting with '0' presumably means the pending failure count has been
# consumed; confirm against the hostapd ctrl_iface implementation.
2937 params
= int_eap_server_params()
2938 hapd
= hostapd
.add_ap(apdev
[0], params
)
2939 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
# Pass 1: failures in commit/confirm/identity handling must make the
# connection fail (expect_failure=True).
2941 for count
, func
in [(1, "eap_eke_build_commit"),
2942 (2, "eap_eke_build_commit"),
2943 (3, "eap_eke_build_commit"),
2944 (1, "eap_eke_build_confirm"),
2945 (2, "eap_eke_build_confirm"),
2946 (1, "eap_eke_process_commit"),
2947 (2, "eap_eke_process_commit"),
2948 (1, "eap_eke_process_confirm"),
2949 (1, "eap_eke_process_identity"),
2950 (2, "eap_eke_process_identity"),
2951 (3, "eap_eke_process_identity"),
2952 (4, "eap_eke_process_identity")]:
2953 with
alloc_fail(hapd
, count
, func
):
2954 eap_connect(dev
[0], hapd
, "EKE", "eke user", password
="hello",
2955 expect_failure
=True)
2956 dev
[0].request("REMOVE_NETWORK all")
# Pass 2: earlier-stage failures. "wrong" is used for eap_eke_build_failure
# so that the server actually reaches the failure-message path.
2958 for count
, func
, pw
in [(1, "eap_eke_init", "hello"),
2959 (1, "eap_eke_get_session_id", "hello"),
2960 (1, "eap_eke_getKey", "hello"),
2961 (1, "eap_eke_build_msg", "hello"),
2962 (1, "eap_eke_build_failure", "wrong"),
2963 (1, "eap_eke_build_identity", "hello"),
2964 (2, "eap_eke_build_identity", "hello")]:
2965 with
alloc_fail(hapd
, count
, func
):
2966 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
2967 eap
="EKE", identity
="eke user", password
=pw
,
2968 wait_connect
=False, scan_freq
="2412")
2969 # This would eventually time out, but we can stop after having
2970 # reached the allocation failure.
2973 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
2975 dev
[0].request("REMOVE_NETWORK all")
# Pass 3: walk every allocation in eap_server_sm_step. `pw` here is still
# the last value bound by the loop above ("hello").
2977 for count
in range(1, 1000):
2979 with
alloc_fail(hapd
, count
, "eap_server_sm_step"):
2980 dev
[0].connect("test-wpa2-eap",
2981 key_mgmt
="WPA-EAP WPA-EAP-SHA256",
2982 eap
="EKE", identity
="eke user", password
=pw
,
2983 wait_connect
=False, scan_freq
="2412")
2984 # This would eventually time out, but we can stop after having
2985 # reached the allocation failure.
2988 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
2990 dev
[0].request("REMOVE_NETWORK all")
# The hook raises once `count` exceeds the number of allocations in the
# function; that is the normal exit. A very small count at that point would
# mean the sweep covered almost nothing, hence the "Too few" check.
2991 except Exception as e
:
2992 if str(e
) == "Allocation failure did not trigger":
2994 raise Exception("Too few allocation failures")
2995 logger
.info("%d allocation failures tested" % (count
- 1))
2999 def test_ap_wpa2_eap_ikev2(dev
, apdev
):
3000 """WPA2-Enterprise connection using EAP-IKEv2"""
# EAP-IKEv2 coverage: connect and re-authenticate; connect again with peer
# fragmentation forced (fragment_size "50"); a wrong password
# ("ike-password") must fail; and fragment_size "0" (fragmentation
# effectively disabled on the peer side) must still connect. A fresh network
# block is used for each variant via "REMOVE_NETWORK all".
3001 check_eap_capa(dev
[0], "IKEV2")
3002 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3003 hapd
= hostapd
.add_ap(apdev
[0], params
)
3004 eap_connect(dev
[0], hapd
, "IKEV2", "ikev2 user",
3005 password
="ike password")
3006 eap_reauth(dev
[0], "IKEV2")
3007 dev
[0].request("REMOVE_NETWORK all")
3008 eap_connect(dev
[0], hapd
, "IKEV2", "ikev2 user",
3009 password
="ike password", fragment_size
="50")
3011 logger
.info("Negative test with incorrect password")
3012 dev
[0].request("REMOVE_NETWORK all")
3013 eap_connect(dev
[0], hapd
, "IKEV2", "ikev2 user",
3014 password
="ike-password", expect_failure
=True)
3015 dev
[0].request("REMOVE_NETWORK all")
3017 eap_connect(dev
[0], hapd
, "IKEV2", "ikev2 user",
3018 password
="ike password", fragment_size
="0")
3019 dev
[0].request("REMOVE_NETWORK all")
3020 dev
[0].wait_disconnected()
3022 def test_ap_wpa2_eap_ikev2_as_frag(dev
, apdev
):
3023 """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
# EAP-IKEv2 with the server forced to fragment (fragment_size 50) so the
# peer's reassembly of IKEv2 payloads is exercised; connect and re-auth.
# NOTE(review): as in the EAP-pwd fragmentation test, the
# hostapd.wpa2_eap_params(...) result is immediately overwritten by the
# literal dict, so that first assignment is dead code.
3024 check_eap_capa(dev
[0], "IKEV2")
3025 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3026 params
= {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
3027 "rsn_pairwise": "CCMP", "ieee8021x": "1",
3028 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
3029 "fragment_size": "50"}
3030 hapd
= hostapd
.add_ap(apdev
[0], params
)
3031 eap_connect(dev
[0], hapd
, "IKEV2", "ikev2 user",
3032 password
="ike password")
3033 eap_reauth(dev
[0], "IKEV2")
3035 def test_ap_wpa2_eap_ikev2_oom(dev
, apdev
):
3036 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
# Peer-side fault injection for EAP-IKEv2's Diffie-Hellman handling:
#   1. alloc_fail on dh_init / dh_derive_shared - allocation failures;
#   2. fail_test on the random-number source inside dh_init
#      ("os_get_random;dh_init"), or on the wolfSSL DH wrapper
#      ("crypto_dh_init;dh_init") when the TLS library is wolfSSL.
# In both passes the method must still be selected (CTRL-EVENT-EAP-METHOD)
# and the test then polls GET_ALLOC_FAIL / GET_FAIL until the armed failure
# has fired, which proves the failing code path was actually reached. An
# unnoticed failure in DH key generation would be a silent weakening of the
# exchange, which is why reaching the hook is asserted rather than assumed.
# NOTE(review): `if ev is None:` guards, the polling loops and `break`
# statements, and the `else:` before the wolfSSL `tests` assignment are not
# captured in this rendering. "0:" in the GET_* reply presumably marks a
# consumed failure count - confirm against the wpa_supplicant ctrl_iface.
3037 check_eap_capa(dev
[0], "IKEV2")
3038 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3039 hostapd
.add_ap(apdev
[0], params
)
3041 tests
= [(1, "dh_init"),
3043 (1, "dh_derive_shared")]
3044 for count
, func
in tests
:
3045 with
alloc_fail(dev
[0], count
, func
):
3046 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="IKEV2",
3047 identity
="ikev2 user", password
="ike password",
3048 wait_connect
=False, scan_freq
="2412")
3049 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
3051 raise Exception("EAP method not selected")
3053 if "0:" in dev
[0].request("GET_ALLOC_FAIL"):
3056 dev
[0].request("REMOVE_NETWORK all")
# Pass 2: the hook point depends on which crypto backend implements DH.
3058 tls
= dev
[0].request("GET tls_library")
3059 if not tls
.startswith("wolfSSL"):
3060 tests
= [(1, "os_get_random;dh_init")]
3062 tests
= [(1, "crypto_dh_init;dh_init")]
3063 for count
, func
in tests
:
3064 with
fail_test(dev
[0], count
, func
):
3065 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="IKEV2",
3066 identity
="ikev2 user", password
="ike password",
3067 wait_connect
=False, scan_freq
="2412")
3068 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
3070 raise Exception("EAP method not selected")
3072 if "0:" in dev
[0].request("GET_FAIL"):
3075 dev
[0].request("REMOVE_NETWORK all")
3077 def test_ap_wpa2_eap_pax(dev
, apdev
):
3078 """WPA2-Enterprise connection using EAP-PAX"""
# EAP-PAX: connect and re-authenticate with the 16-byte shared key given as
# password_hex, then verify that a key differing in the first byte fails.
3079 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3080 hapd
= hostapd
.add_ap(apdev
[0], params
)
3081 eap_connect(dev
[0], hapd
, "PAX", "pax.user@example.com",
3082 password_hex
="0123456789abcdef0123456789abcdef")
3083 eap_reauth(dev
[0], "PAX")
3085 logger
.info("Negative test with incorrect password")
3086 dev
[0].request("REMOVE_NETWORK all")
3087 eap_connect(dev
[0], hapd
, "PAX", "pax.user@example.com",
3088 password_hex
="ff23456789abcdef0123456789abcdef",
3089 expect_failure
=True)
3091 def test_ap_wpa2_eap_psk(dev
, apdev
):
3092 """WPA2-Enterprise connection using EAP-PSK"""
# EAP-PSK on an AP configured for the SHA-256 802.1X AKM
# (wpa_key_mgmt=WPA-EAP-SHA256) with management frame protection required
# (ieee80211w=2). Beyond the connection itself the test checks that the
# negotiated AKM is really the SHA-256 one: the MIB must report suite
# selector 00-0f-ac-5 (IEEE 802.11 AKM "802.1X with SHA-256") both requested
# and selected, and the BSS table flags must show WPA2-EAP-SHA256-CCMP. A
# wrong PSK (first byte changed) must then fail.
3093 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3094 params
["wpa_key_mgmt"] = "WPA-EAP-SHA256"
3095 params
["ieee80211w"] = "2"
3096 hapd
= hostapd
.add_ap(apdev
[0], params
)
# sha256=True makes eap_connect()/eap_reauth() select the SHA-256 AKM on the
# station side as well.
3097 eap_connect(dev
[0], hapd
, "PSK", "psk.user@example.com",
3098 password_hex
="0123456789abcdef0123456789abcdef", sha256
=True)
3099 eap_reauth(dev
[0], "PSK", sha256
=True)
3100 check_mib(dev
[0], [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
3101 ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5")])
# Cross-check what the scan results advertise for the BSS.
3103 bss
= dev
[0].get_bss(apdev
[0]['bssid'])
3104 if 'flags' not in bss
:
3105 raise Exception("Could not get BSS flags from BSS table")
3106 if "[WPA2-EAP-SHA256-CCMP]" not in bss
['flags']:
3107 raise Exception("Unexpected BSS flags: " + bss
['flags'])
3109 logger
.info("Negative test with incorrect password")
3110 dev
[0].request("REMOVE_NETWORK all")
3111 eap_connect(dev
[0], hapd
, "PSK", "psk.user@example.com",
3112 password_hex
="ff23456789abcdef0123456789abcdef", sha256
=True,
3113 expect_failure
=True)
3115 def test_ap_wpa2_eap_psk_oom(dev
, apdev
):
3116 """WPA2-Enterprise connection using EAP-PSK and OOM"""
# Peer-side fault injection in EAP-PSK's AES-EAX primitives:
#   1. alloc_fail inside aes_128_eax_encrypt / aes_128_eax_decrypt (the
#      leading '=' in the hook name is part of the hook syntax as used here);
#   2. fail_test on the CTR and OMAC1 building blocks called from EAX, with
#      increasing counts so each call site is hit once;
#   3. a failing aes_128_encrypt_block must surface as CTRL-EVENT-EAP-FAILURE.
# For passes 1 and 2 the method must be selected and wait_fail_trigger()
# asserts that the armed failure really fired; a crypto primitive failure
# that went unnoticed would let the method proceed with undefined key
# material, which is what this test guards against. Skipped under FIPS.
# NOTE(review): the `if ev is None:` guards and blank lines are not captured
# in this rendering; each bare `raise` below presumably sits under one.
3117 skip_with_fips(dev
[0])
3118 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3119 hostapd
.add_ap(apdev
[0], params
)
3120 tests
= [(1, "=aes_128_eax_encrypt"),
3121 (1, "=aes_128_eax_decrypt")]
3122 for count
, func
in tests
:
3123 with
alloc_fail(dev
[0], count
, func
):
3124 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PSK",
3125 identity
="psk.user@example.com",
3126 password_hex
="0123456789abcdef0123456789abcdef",
3127 wait_connect
=False, scan_freq
="2412")
3128 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
3130 raise Exception("EAP method not selected")
3131 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL",
3132 note
="Failure not triggered: %d:%s" % (count
, func
))
3133 dev
[0].request("REMOVE_NETWORK all")
3134 dev
[0].wait_disconnected()
# Pass 2: "inner;outer" hook names fail `inner` only when called from
# `outer`; the count selects which of the repeated calls fails.
3136 tests
= [(1, "aes_ctr_encrypt;aes_128_eax_encrypt"),
3137 (1, "omac1_aes_128;aes_128_eax_encrypt"),
3138 (2, "omac1_aes_128;aes_128_eax_encrypt"),
3139 (3, "omac1_aes_128;aes_128_eax_encrypt"),
3140 (1, "omac1_aes_vector"),
3141 (1, "omac1_aes_128;aes_128_eax_decrypt"),
3142 (2, "omac1_aes_128;aes_128_eax_decrypt"),
3143 (3, "omac1_aes_128;aes_128_eax_decrypt"),
3144 (1, "aes_ctr_encrypt;aes_128_eax_decrypt")]
3145 for count
, func
in tests
:
3146 with
fail_test(dev
[0], count
, func
):
3147 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PSK",
3148 identity
="psk.user@example.com",
3149 password_hex
="0123456789abcdef0123456789abcdef",
3150 wait_connect
=False, scan_freq
="2412")
3151 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
3153 raise Exception("EAP method not selected")
3154 wait_fail_trigger(dev
[0], "GET_FAIL",
3155 note
="Failure not triggered: %d:%s" % (count
, func
))
3156 dev
[0].request("REMOVE_NETWORK all")
3157 dev
[0].wait_disconnected()
# Pass 3: a failing block cipher call must make EAP-PSK fail, not proceed.
3159 with
fail_test(dev
[0], 1, "aes_128_encrypt_block"):
3160 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PSK",
3161 identity
="psk.user@example.com",
3162 password_hex
="0123456789abcdef0123456789abcdef",
3163 wait_connect
=False, scan_freq
="2412")
3164 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
3166 raise Exception("EAP method failure not reported")
3167 dev
[0].request("REMOVE_NETWORK all")
3168 dev
[0].wait_disconnected()
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    # Uses the legacy WPA (non-RSN) enterprise profile, so eap_check_auth
    # and eap_reauth run with rsn=False and the authentication-suite MIB
    # entries are expected to carry the WPA vendor AKM 00-50-f2-1. The
    # STATUS-VERBOSE output is then checked for portControl=Auto and for an
    # eap_session_id starting with "19" (presumably the EAP type of PEAP,
    # 25 = 0x19 -- confirm against the session-id derivation).
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa_eap_params(ssid="test-wpa-eap"))
    sta = dev[0]
    sta.connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                identity="user", password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem", wait_connect=False,
                scan_freq="2412")
    eap_check_auth(sta, "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "PEAP", rsn=False)

    wpa_eap_akm = "00-50-f2-1"
    check_mib(sta, [("dot11RSNAAuthenticationSuiteRequested", wpa_eap_akm),
                    ("dot11RSNAAuthenticationSuiteSelected", wpa_eap_akm)])

    status = sta.get_status(extra="VERBOSE")
    if 'portControl' not in status:
        raise Exception("portControl missing from STATUS-VERBOSE")
    port_control = status['portControl']
    if port_control != 'Auto':
        raise Exception("Unexpected portControl value: " + port_control)
    if 'eap_session_id' not in status:
        raise Exception("eap_session_id missing from STATUS-VERBOSE")
    session_id = status['eap_session_id']
    if not session_id.startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + session_id)
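def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry"""
    # Each case leaves the identity and/or the password out of the network
    # block and answers wpa_supplicant's CTRL-REQ-IDENTITY and
    # CTRL-REQ-PASSWORD (or CTRL-REQ-OTP) control-interface requests
    # instead, covering TTLS (MSCHAPv2, EAP-MSCHAPv2, EAP-MD5) and PEAP
    # (EAP-MSCHAPv2, EAP-GTC).
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # The identity contains a literal backslash. "\m" is not a valid Python
    # escape sequence (it is a SyntaxWarning on newer interpreters and is
    # slated to become an error), so the backslash is escaped explicitly;
    # the resulting string value is unchanged.
    domain_user = "DOMAIN\\mschapv2 user"

    def ctrl_req_num(ev):
        # CTRL-REQ-<type>-<num>:<text> -> "<num>", needed to address the
        # matching CTRL-RSP-<type>-<num> reply.
        return ev.split(':')[0].split('-')[-1]

    # (description, eap, anonymous_identity, identity, phase2,
    #  identity to supply on request (None = configured), password to supply)
    tests = [("Connection with dynamic TTLS/MSCHAPv2 password entry",
              "TTLS", "ttls", domain_user, "auth=MSCHAPV2",
              None, "password"),
             ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
              "TTLS", "ttls", None, "auth=MSCHAPV2",
              domain_user, "password"),
             ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
              "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
             ("Connection with dynamic TTLS/EAP-MD5 password entry",
              "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
             ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
              "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
             ("Connection with dynamic PEAP/EAP-GTC password entry",
              "PEAP", None, "user", "auth=GTC", None, "password")]
    for desc, eap, anon, identity, phase2, req_id, req_pw in tests:
        logger.info(desc)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        if req_id:
            # Identity was left out of the network block, so the supplicant
            # has to ask for it before the EAP exchange can start.
            ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
            if ev is None:
                raise Exception("Request for identity timed out")
            dev[0].request("CTRL-RSP-IDENTITY-" + ctrl_req_num(ev) + ":" +
                           req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD", "CTRL-REQ-OTP"])
        if ev is None:
            raise Exception("Request for password timed out")
        # The password may be requested as a one-time password (GTC case);
        # reply with the matching response type.
        rsp_type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + rsp_type + "-" + ctrl_req_num(ev) + ":" +
                       req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")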
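def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
    """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
    # Connects with the identity supplied over the control interface, then
    # enables a second, unrelated network block. The supplicant must keep
    # the current association and not start a new authentication.
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # A second network block that is only added (not selected) at this
    # point; it is enabled later while the EAP connection is up.
    id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
                              only_add_network=True)

    # Literal backslash in the identity: "\m" is not a valid Python escape
    # sequence, so escape it explicitly (same string value as before).
    req_id = "DOMAIN\\mschapv2 user"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   anonymous_identity="ttls", identity=None,
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    if ev is None:
        raise Exception("Request for identity timed out")
    # CTRL-REQ-IDENTITY-<num>:... -> reply as CTRL-RSP-IDENTITY-<num>.
    req_num = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + req_num + ":" + req_id)
    dev[0].wait_connected(timeout=10)

    if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
        raise Exception("Failed to enable network")
    # Short timeout on purpose: this asserts the absence of a reconnection.
    ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
    if ev is not None:
        raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
    dev[0].request("REMOVE_NETWORK all")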
3264 def test_ap_wpa2_eap_vendor_test(dev
, apdev
):
3265 """WPA2-Enterprise connection using EAP vendor test"""
3266 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3267 hapd
= hostapd
.add_ap(apdev
[0], params
)
3268 eap_connect(dev
[0], hapd
, "VENDOR-TEST", "vendor-test")
3269 eap_reauth(dev
[0], "VENDOR-TEST")
3270 eap_connect(dev
[1], hapd
, "VENDOR-TEST", "vendor-test",
def test_ap_wpa2_eap_vendor_test_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test (OOM)"""
    # Forces the first allocation in each listed EAP-VENDOR-TEST entry
    # point to fail and verifies through GET_ALLOC_FAIL that the injected
    # failure point was actually reached before cleaning up.
    sta = dev[0]
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    for func in ["eap_vendor_test_init",
                 "eap_msg_alloc;eap_vendor_test_process",
                 "eap_vendor_test_getKey"]:
        with alloc_fail(sta, 1, func):
            # Not waiting for the connection: the allocation failure is
            # expected to abort the method.
            sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                        scan_freq="2412",
                        eap="VENDOR-TEST", identity="vendor-test",
                        wait_connect=False)
            wait_fail_trigger(sta, "GET_ALLOC_FAIL")
            sta.request("REMOVE_NETWORK all")
            sta.wait_disconnected()
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    # fast_provisioning=1 selects the anonymous (server-unauthenticated)
    # in-band PAC provisioning mode; the PAC ends up in the "fast_pac" blob
    # and the subsequent reauthentication must resume the TLS session from
    # it (tls_session_reused == '1').
    #
    # NOTE(review): in this mode the inner MSCHAPv2 exchange is protected
    # only by a tunnel whose server is not authenticated, so it is a
    # test-bed setting rather than a recommended deployment configuration;
    # the authenticated variant (fast_provisioning=2) is exercised by
    # test_ap_wpa2_eap_fast_gtc_auth_prov.
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    eap_connect(sta, hapd, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(sta, hapd)
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
3305 def test_ap_wpa2_eap_fast_pac_file(dev
, apdev
, params
):
3306 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
3307 check_eap_capa(dev
[0], "FAST")
3308 pac_file
= os
.path
.join(params
['logdir'], "fast.pac")
3309 pac_file2
= os
.path
.join(params
['logdir'], "fast-bin.pac")
3310 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3311 hapd
= hostapd
.add_ap(apdev
[0], params
)
3314 eap_connect(dev
[0], hapd
, "FAST", "user",
3315 anonymous_identity
="FAST", password
="password",
3316 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3317 phase1
="fast_provisioning=1", pac_file
=pac_file
)
3318 with
open(pac_file
, "r") as f
:
3320 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data
:
3321 raise Exception("PAC file header missing")
3322 if "PAC-Key=" not in data
:
3323 raise Exception("PAC-Key missing from PAC file")
3324 dev
[0].request("REMOVE_NETWORK all")
3325 eap_connect(dev
[0], hapd
, "FAST", "user",
3326 anonymous_identity
="FAST", password
="password",
3327 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3330 eap_connect(dev
[1], hapd
, "FAST", "user",
3331 anonymous_identity
="FAST", password
="password",
3332 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3333 phase1
="fast_provisioning=1 fast_pac_format=binary",
3335 dev
[1].request("REMOVE_NETWORK all")
3336 eap_connect(dev
[1], hapd
, "FAST", "user",
3337 anonymous_identity
="FAST", password
="password",
3338 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3339 phase1
="fast_pac_format=binary",
3347 os
.remove(pac_file2
)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
    # Provisions a PAC into the "fast_pac_bin" blob using the binary PAC
    # format with the PAC list capped at one entry, checks that the
    # reauthentication resumes the TLS session through that PAC, and then
    # repeats provisioning with fast_max_pac_list_len=0 to cover that
    # special-case value.
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    common = dict(anonymous_identity="FAST", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                  pac_file="blob://fast_pac_bin")

    eap_connect(sta, hapd, "FAST", "user",
                phase1="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
                **common)
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")

    # Verify fast_max_pac_list_len=0 special case
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
    eap_connect(sta, hapd, "FAST", "user",
                phase1="fast_provisioning=1 fast_max_pac_list_len=0 fast_pac_format=binary",
                **common)
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
    # With no fast_provisioning setting in phase1 the method has no way to
    # obtain a PAC: first with a pac_file blob name that nothing in this
    # test has provisioned, then with no pac_file at all. Both attempts
    # must end with CTRL-EVENT-EAP-FAILURE instead of a connection.
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]

    def attempt(**extra):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                    identity="user", anonymous_identity="FAST",
                    password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    wait_connect=False, scan_freq="2412", **extra)
        if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception("Timeout on EAP failure report")

    attempt(pac_file="blob://fast_pac_not_in_use")
    sta.request("REMOVE_NETWORK all")
    attempt()
3400 def test_ap_wpa2_eap_fast_binary_pac_errors(dev
, apdev
):
3401 """EAP-FAST and binary PAC errors"""
3402 check_eap_capa(dev
[0], "FAST")
3403 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3404 hapd
= hostapd
.add_ap(apdev
[0], params
)
3406 tests
= [(1, "=eap_fast_save_pac_bin"),
3407 (1, "eap_fast_write_pac"),
3408 (2, "eap_fast_write_pac"),]
3409 for count
, func
in tests
:
3410 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors "):
3411 raise Exception("Could not set blob")
3413 with
alloc_fail(dev
[0], count
, func
):
3414 eap_connect(dev
[0], hapd
, "FAST", "user",
3415 anonymous_identity
="FAST", password
="password",
3416 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3417 phase1
="fast_provisioning=1 fast_pac_format=binary",
3418 pac_file
="blob://fast_pac_bin_errors")
3419 dev
[0].request("REMOVE_NETWORK all")
3420 dev
[0].wait_disconnected()
3422 tests
= ["00", "000000000000", "6ae4920c0001",
3424 "6ae4920c0000" + "0000" + 32*"00" + "ffff" + "0000",
3425 "6ae4920c0000" + "0000" + 32*"00" + "0001" + "0000",
3426 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0001",
3427 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0008" + "00040000" + "0007000100"]
3429 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + t
):
3430 raise Exception("Could not set blob")
3432 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3433 identity
="user", anonymous_identity
="FAST",
3434 password
="password",
3435 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3436 phase1
="fast_provisioning=1 fast_pac_format=binary",
3437 pac_file
="blob://fast_pac_bin_errors",
3438 scan_freq
="2412", wait_connect
=False)
3439 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"],
3442 raise Exception("Failure not reported")
3443 dev
[0].request("REMOVE_NETWORK all")
3444 dev
[0].wait_disconnected()
3446 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0000"
3447 tests
= [(1, "eap_fast_load_pac_bin"),
3448 (2, "eap_fast_load_pac_bin"),
3449 (3, "eap_fast_load_pac_bin")]
3450 for count
, func
in tests
:
3451 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3452 raise Exception("Could not set blob")
3454 with
alloc_fail(dev
[0], count
, func
):
3455 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3456 identity
="user", anonymous_identity
="FAST",
3457 password
="password",
3458 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3459 phase1
="fast_provisioning=1 fast_pac_format=binary",
3460 pac_file
="blob://fast_pac_bin_errors",
3461 scan_freq
="2412", wait_connect
=False)
3462 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"],
3465 raise Exception("Failure not reported")
3466 dev
[0].request("REMOVE_NETWORK all")
3467 dev
[0].wait_disconnected()
3469 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0005" + "0011223344"
3470 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3471 raise Exception("Could not set blob")
3473 eap_connect(dev
[0], hapd
, "FAST", "user",
3474 anonymous_identity
="FAST", password
="password",
3475 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3476 phase1
="fast_provisioning=1 fast_pac_format=binary",
3477 pac_file
="blob://fast_pac_bin_errors")
3478 dev
[0].request("REMOVE_NETWORK all")
3479 dev
[0].wait_disconnected()
3481 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0009" + "00040000" + "0007000100"
3482 tests
= [(1, "eap_fast_pac_get_a_id"),
3483 (2, "eap_fast_pac_get_a_id")]
3484 for count
, func
in tests
:
3485 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3486 raise Exception("Could not set blob")
3487 with
alloc_fail(dev
[0], count
, func
):
3488 eap_connect(dev
[0], hapd
, "FAST", "user",
3489 anonymous_identity
="FAST", password
="password",
3490 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3491 phase1
="fast_provisioning=1 fast_pac_format=binary",
3492 pac_file
="blob://fast_pac_bin_errors")
3493 dev
[0].request("REMOVE_NETWORK all")
3494 dev
[0].wait_disconnected()
3496 def test_ap_wpa2_eap_fast_text_pac_errors(dev
, apdev
):
3497 """EAP-FAST and text PAC errors"""
3498 check_eap_capa(dev
[0], "FAST")
3499 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3500 hostapd
.add_ap(apdev
[0], params
)
3502 tests
= [(1, "eap_fast_parse_hex;eap_fast_parse_pac_key"),
3503 (1, "eap_fast_parse_hex;eap_fast_parse_pac_opaque"),
3504 (1, "eap_fast_parse_hex;eap_fast_parse_a_id"),
3505 (1, "eap_fast_parse_start"),
3506 (1, "eap_fast_save_pac")]
3507 for count
, func
in tests
:
3508 dev
[0].request("FLUSH")
3509 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors "):
3510 raise Exception("Could not set blob")
3512 with
alloc_fail(dev
[0], count
, func
):
3513 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3514 identity
="user", anonymous_identity
="FAST",
3515 password
="password",
3516 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3517 phase1
="fast_provisioning=1",
3518 pac_file
="blob://fast_pac_text_errors",
3519 scan_freq
="2412", wait_connect
=False)
3520 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
3521 dev
[0].request("REMOVE_NETWORK all")
3522 dev
[0].wait_disconnected()
3524 pac
= "wpa_supplicant EAP-FAST PAC file - version 1\n"
3528 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors " + binascii
.hexlify(pac
.encode()).decode()):
3529 raise Exception("Could not set blob")
3531 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3532 identity
="user", anonymous_identity
="FAST",
3533 password
="password",
3534 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3535 phase1
="fast_provisioning=1",
3536 pac_file
="blob://fast_pac_text_errors",
3537 scan_freq
="2412", wait_connect
=False)
3538 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"], timeout
=5)
3540 raise Exception("Failure not reported")
3541 dev
[0].request("REMOVE_NETWORK all")
3542 dev
[0].wait_disconnected()
3544 dev
[0].request("FLUSH")
3545 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors "):
3546 raise Exception("Could not set blob")
3548 with
alloc_fail(dev
[0], 1, "eap_fast_add_pac_data"):
3550 params
= int_eap_server_params()
3551 params
['ssid'] = "test-wpa2-eap-2"
3552 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3553 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3554 params
['eap_fast_a_id_info'] = "test server %d" % i
3556 hapd2
= hostapd
.add_ap(apdev
[1], params
)
3558 dev
[0].connect("test-wpa2-eap-2", key_mgmt
="WPA-EAP", eap
="FAST",
3559 identity
="user", anonymous_identity
="FAST",
3560 password
="password",
3561 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3562 phase1
="fast_provisioning=1",
3563 pac_file
="blob://fast_pac_text_errors",
3564 scan_freq
="2412", wait_connect
=False)
3565 dev
[0].wait_connected()
3566 dev
[0].request("REMOVE_NETWORK all")
3567 dev
[0].wait_disconnected()
3571 def test_ap_wpa2_eap_fast_pac_truncate(dev
, apdev
):
3572 """EAP-FAST and PAC list truncation"""
3573 check_eap_capa(dev
[0], "FAST")
3574 if "OK" not in dev
[0].request("SET blob fast_pac_truncate "):
3575 raise Exception("Could not set blob")
3577 params
= int_eap_server_params()
3578 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3579 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3580 params
['eap_fast_a_id_info'] = "test server %d" % i
3581 hapd
= hostapd
.add_ap(apdev
[0], params
)
3583 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3584 identity
="user", anonymous_identity
="FAST",
3585 password
="password",
3586 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3587 phase1
="fast_provisioning=1 fast_max_pac_list_len=2",
3588 pac_file
="blob://fast_pac_truncate",
3589 scan_freq
="2412", wait_connect
=False)
3590 dev
[0].wait_connected()
3591 dev
[0].request("REMOVE_NETWORK all")
3592 dev
[0].wait_disconnected()
3596 def test_ap_wpa2_eap_fast_pac_refresh(dev
, apdev
):
3597 """EAP-FAST and PAC refresh"""
3598 check_eap_capa(dev
[0], "FAST")
3599 if "OK" not in dev
[0].request("SET blob fast_pac_refresh "):
3600 raise Exception("Could not set blob")
3602 params
= int_eap_server_params()
3603 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3604 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3605 params
['eap_fast_a_id_info'] = "test server %d" % i
3606 params
['pac_key_refresh_time'] = "1"
3607 params
['pac_key_lifetime'] = "10"
3608 hapd
= hostapd
.add_ap(apdev
[0], params
)
3610 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3611 identity
="user", anonymous_identity
="FAST",
3612 password
="password",
3613 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3614 phase1
="fast_provisioning=1",
3615 pac_file
="blob://fast_pac_refresh",
3616 scan_freq
="2412", wait_connect
=False)
3617 dev
[0].wait_connected()
3618 dev
[0].request("REMOVE_NETWORK all")
3619 dev
[0].wait_disconnected()
3624 params
= int_eap_server_params()
3625 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3626 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3627 params
['eap_fast_a_id_info'] = "test server %d" % i
3628 params
['pac_key_refresh_time'] = "10"
3629 params
['pac_key_lifetime'] = "10"
3630 hapd
= hostapd
.add_ap(apdev
[0], params
)
3632 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3633 identity
="user", anonymous_identity
="FAST",
3634 password
="password",
3635 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3636 phase1
="fast_provisioning=1",
3637 pac_file
="blob://fast_pac_refresh",
3638 scan_freq
="2412", wait_connect
=False)
3639 dev
[0].wait_connected()
3640 dev
[0].request("REMOVE_NETWORK all")
3641 dev
[0].wait_disconnected()
3645 def test_ap_wpa2_eap_fast_pac_lifetime(dev
, apdev
):
3646 """EAP-FAST and PAC lifetime"""
3647 check_eap_capa(dev
[0], "FAST")
3648 if "OK" not in dev
[0].request("SET blob fast_pac_refresh "):
3649 raise Exception("Could not set blob")
3652 params
= int_eap_server_params()
3653 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3654 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3655 params
['eap_fast_a_id_info'] = "test server %d" % i
3656 params
['pac_key_refresh_time'] = "0"
3657 params
['pac_key_lifetime'] = "2"
3658 hapd
= hostapd
.add_ap(apdev
[0], params
)
3660 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3661 identity
="user", anonymous_identity
="FAST",
3662 password
="password",
3663 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3664 phase1
="fast_provisioning=2",
3665 pac_file
="blob://fast_pac_refresh",
3666 scan_freq
="2412", wait_connect
=False)
3667 dev
[0].wait_connected()
3668 dev
[0].request("DISCONNECT")
3669 dev
[0].wait_disconnected()
3672 dev
[0].request("PMKSA_FLUSH")
3673 dev
[0].request("RECONNECT")
3674 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
3676 raise Exception("No EAP-Failure seen after expired PAC")
3677 dev
[0].request("DISCONNECT")
3678 dev
[0].wait_disconnected()
3680 dev
[0].select_network(id)
3681 dev
[0].wait_connected()
3682 dev
[0].request("REMOVE_NETWORK all")
3683 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    # fast_provisioning=2 selects authenticated in-band PAC provisioning
    # (presumably validating the server against ca_cert -- the exact
    # check lives in the EAP-FAST implementation, not here) with EAP-GTC
    # as the inner method. The PAC is stored in the "fast_pac_auth" blob
    # and the following reauthentication must resume the TLS session
    # from it.
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    eap_connect(sta, hapd, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(sta, hapd)
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
    # After a successful authenticated provisioning as "user", the
    # identity of the live network block is switched to "user2". The
    # resulting reconnection must start EAP-FAST and then fail (presumably
    # because the stored PAC/credentials do not match the new identity --
    # verify against auth_serv/eap_user.conf).
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    net_id = eap_connect(sta, hapd, "FAST", "user",
                         anonymous_identity="FAST", password="password",
                         ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                         phase1="fast_provisioning=2",
                         pac_file="blob://fast_pac_auth")
    # Changing the identity on the connected network block triggers a
    # disconnection and a fresh EAP exchange.
    sta.set_network_quoted(net_id, "identity", "user2")
    sta.wait_disconnected()
    if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("EAP-FAST not started")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5) is None:
        raise Exception("EAP failure not reported")
    sta.wait_disconnected()
3719 def test_ap_wpa2_eap_fast_prf_oom(dev
, apdev
):
3720 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
3721 check_eap_capa(dev
[0], "FAST")
3722 tls
= dev
[0].request("GET tls_library")
3723 if tls
.startswith("OpenSSL"):
3724 func
= "tls_connection_get_eap_fast_key"
3726 elif tls
.startswith("internal"):
3727 func
= "tls_connection_prf"
3730 raise HwsimSkip("Unsupported TLS library")
3731 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3732 hapd
= hostapd
.add_ap(apdev
[0], params
)
3733 with
alloc_fail(dev
[0], count
, func
):
3734 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3735 identity
="user", anonymous_identity
="FAST",
3736 password
="password", ca_cert
="auth_serv/ca.pem",
3738 phase1
="fast_provisioning=2",
3739 pac_file
="blob://fast_pac_auth",
3740 wait_connect
=False, scan_freq
="2412")
3741 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
3743 raise Exception("EAP failure not reported")
3744 dev
[0].request("DISCONNECT")
def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
    """EAP-FAST/MSCHAPv2 and server OOM"""
    # Runs hostapd's integrated EAP server and makes its first allocation
    # in tls_session_ticket_ext_cb fail while the client attempts anonymous
    # provisioning: the exchange must end in EAP-Failure. The same network
    # block is then re-selected once the failure injection is gone.
    check_eap_capa(dev[0], "FAST")

    params = int_eap_server_params()
    params.update({'dh_file': 'auth_serv/dh.conf',
                   'pac_opaque_encr_key': '000102030405060708090a0b0c0d0e0f',
                   'eap_fast_a_id': '1011',
                   'eap_fast_a_id_info': 'another test server'})
    hapd = hostapd.add_ap(apdev[0], params)
    sta = dev[0]

    with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
        net_id = eap_connect(sta, hapd, "FAST", "user",
                             anonymous_identity="FAST", password="password",
                             ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                             phase1="fast_provisioning=1",
                             pac_file="blob://fast_pac",
                             expect_failure=True)
        if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
            raise Exception("No EAP failure reported")
        sta.wait_disconnected()
        sta.request("DISCONNECT")

    sta.select_network(net_id, freq="2412")
3772 def test_ap_wpa2_eap_fast_cipher_suites(dev
, apdev
):
3773 """EAP-FAST and different TLS cipher suites"""
3774 check_eap_capa(dev
[0], "FAST")
3775 tls
= dev
[0].request("GET tls_library")
3776 if not tls
.startswith("OpenSSL") and not tls
.startswith("wolfSSL"):
3777 raise HwsimSkip("TLS library is not OpenSSL or wolfSSL: " + tls
)
3779 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3780 hapd
= hostapd
.add_ap(apdev
[0], params
)
3782 dev
[0].request("SET blob fast_pac_ciphers ")
3783 eap_connect(dev
[0], hapd
, "FAST", "user",
3784 anonymous_identity
="FAST", password
="password",
3785 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3786 phase1
="fast_provisioning=2",
3787 pac_file
="blob://fast_pac_ciphers")
3788 res
= dev
[0].get_status_field('EAP TLS cipher')
3789 dev
[0].request("REMOVE_NETWORK all")
3790 dev
[0].wait_disconnected()
3791 if res
!= "DHE-RSA-AES256-SHA":
3792 raise Exception("Unexpected cipher suite for provisioning: " + res
)
3794 tests
= ["DHE-RSA-AES128-SHA",
3798 "DHE-RSA-AES256-SHA"]
3799 for cipher
in tests
:
3800 dev
[0].dump_monitor()
3801 logger
.info("Testing " + cipher
)
3803 eap_connect(dev
[0], hapd
, "FAST", "user",
3804 openssl_ciphers
=cipher
,
3805 anonymous_identity
="FAST", password
="password",
3806 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3807 pac_file
="blob://fast_pac_ciphers",
3808 report_failure
=True)
3809 except Exception as e
:
3810 if cipher
== "RC4-SHA" and \
3811 ("Could not select EAP method" in str(e
) or \
3812 "EAP failed" in str(e
)):
3813 if "run=OpenSSL 1.1" in tls
:
3814 logger
.info("Allow failure due to missing TLS library support")
3815 dev
[0].request("REMOVE_NETWORK all")
3816 dev
[0].wait_disconnected()
3819 res
= dev
[0].get_status_field('EAP TLS cipher')
3820 dev
[0].request("REMOVE_NETWORK all")
3821 dev
[0].wait_disconnected()
3823 raise Exception("Unexpected TLS cipher info (configured %s): %s" % (cipher
, res
))
3825 def test_ap_wpa2_eap_fast_prov(dev
, apdev
):
3826 """EAP-FAST and provisioning options"""
3827 check_eap_capa(dev
[0], "FAST")
3828 if "OK" not in dev
[0].request("SET blob fast_pac_prov "):
3829 raise Exception("Could not set blob")
3832 params
= int_eap_server_params()
3833 params
['disable_pmksa_caching'] = '1'
3834 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3835 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3836 params
['eap_fast_a_id_info'] = "test server %d" % i
3837 params
['eap_fast_prov'] = "0"
3838 hapd
= hostapd
.add_ap(apdev
[0], params
)
3840 logger
.info("Provisioning attempt while server has provisioning disabled")
3841 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3842 identity
="user", anonymous_identity
="FAST",
3843 password
="password",
3844 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3845 phase1
="fast_provisioning=2",
3846 pac_file
="blob://fast_pac_prov",
3847 scan_freq
="2412", wait_connect
=False)
3848 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3851 raise Exception("EAP result not reported")
3852 if "parameter='failure'" not in ev
:
3853 raise Exception("Unexpected EAP result: " + ev
)
3854 dev
[0].wait_disconnected()
3855 dev
[0].request("DISCONNECT")
3856 dev
[0].dump_monitor()
3859 logger
.info("Authenticated provisioning")
3860 hapd
.set("eap_fast_prov", "2")
3863 dev
[0].select_network(id, freq
="2412")
3864 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3867 raise Exception("EAP result not reported")
3868 if "parameter='success'" not in ev
:
3869 raise Exception("Unexpected EAP result: " + ev
)
3870 dev
[0].wait_connected()
3871 dev
[0].request("DISCONNECT")
3872 dev
[0].wait_disconnected()
3873 dev
[0].dump_monitor()
3876 logger
.info("Provisioning disabled - using previously provisioned PAC")
3877 hapd
.set("eap_fast_prov", "0")
3880 dev
[0].select_network(id, freq
="2412")
3881 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3884 raise Exception("EAP result not reported")
3885 if "parameter='success'" not in ev
:
3886 raise Exception("Unexpected EAP result: " + ev
)
3887 dev
[0].wait_connected()
3888 dev
[0].request("DISCONNECT")
3889 dev
[0].wait_disconnected()
3890 dev
[0].dump_monitor()
3892 logger
.info("Drop PAC and verify connection failure")
3893 if "OK" not in dev
[0].request("SET blob fast_pac_prov "):
3894 raise Exception("Could not set blob")
3896 dev
[0].select_network(id, freq
="2412")
3897 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3900 raise Exception("EAP result not reported")
3901 if "parameter='failure'" not in ev
:
3902 raise Exception("Unexpected EAP result: " + ev
)
3903 dev
[0].wait_disconnected()
3904 dev
[0].request("DISCONNECT")
3905 dev
[0].dump_monitor()
3908 logger
.info("Anonymous provisioning")
3909 hapd
.set("eap_fast_prov", "1")
3911 dev
[0].set_network_quoted(id, "phase1", "fast_provisioning=1")
3912 dev
[0].select_network(id, freq
="2412")
3913 # Anonymous provisioning results in EAP-Failure first
3914 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3917 raise Exception("EAP result not reported")
3918 if "parameter='failure'" not in ev
:
3919 raise Exception("Unexpected EAP result: " + ev
)
3920 dev
[0].wait_disconnected()
3921 # And then the actual data connection
3922 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3925 raise Exception("EAP result not reported")
3926 if "parameter='success'" not in ev
:
3927 raise Exception("Unexpected EAP result: " + ev
)
3928 dev
[0].wait_connected()
3929 dev
[0].request("DISCONNECT")
3930 dev
[0].wait_disconnected()
3931 dev
[0].dump_monitor()
3934 logger
.info("Provisioning disabled - using previously provisioned PAC")
3935 hapd
.set("eap_fast_prov", "0")
3938 dev
[0].select_network(id, freq
="2412")
3939 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3942 raise Exception("EAP result not reported")
3943 if "parameter='success'" not in ev
:
3944 raise Exception("Unexpected EAP result: " + ev
)
3945 dev
[0].wait_connected()
3946 dev
[0].request("DISCONNECT")
3947 dev
[0].wait_disconnected()
3948 dev
[0].dump_monitor()
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # ocsp=2: the station requires a valid stapled OCSP response for the
    # server certificate; the default AP setup must be able to provide one.
    eap_connect(dev[0], hapd, "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever",
                ocsp=2)
def test_ap_wpa2_eap_tls_ocsp_multi(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP-multi"""
    # The station build must support the multi-response OCSP variant,
    # otherwise this test would silently exercise the plain path.
    check_ocsp_multi_support(dev[0])
    check_pkcs12_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    # ocsp=2: a valid stapled response for the server cert is mandatory.
    eap_connect(dev[0], hapd, "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever",
                ocsp=2)
def int_eap_server_params():
    """Return hostapd parameters for a WPA2-EAP (CCMP) AP that uses the
    integrated EAP server with the auth_serv/ test material.

    A new dict is built on every call, so tests may override entries such
    as server_cert or ocsp_stapling_response without affecting each other.
    """
    ap = dict(ssid="test-wpa2-eap", wpa="2", wpa_key_mgmt="WPA-EAP",
              rsn_pairwise="CCMP", ieee8021x="1")
    # Integrated EAP server: user database plus the server's TLS identity.
    ap.update(eap_server="1",
              eap_user_file="auth_serv/eap_user.conf",
              ca_cert="auth_serv/ca.pem",
              server_cert="auth_serv/server.pem",
              private_key="auth_serv/server.key",
              dh_file="auth_serv/dh.conf")
    return ap
def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
    """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    # The pre-generated response is produced into the log directory by
    # the test setup; skip rather than fail when it is absent.
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-key-id.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap = int_eap_server_params()
    ap["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap)
    # ocsp=2 makes the stapled response mandatory; the responder here is
    # identified by key ID rather than by name and must still verify.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   scan_freq="2412")
def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (good)"""
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap = int_eap_server_params()
    # Response signed directly by the issuing CA with status 'good'.
    ap["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap)
    # Positive case: with ocsp=2 the connection must complete.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   scan_freq="2412")
def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (revoked)"""
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap = int_eap_server_params()
    ap["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap)
    # The AP staples a CA-signed 'revoked' status for its own certificate;
    # the station must refuse the server cert and EAP must fail.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # Scan the EAP status stream for the certificate-status verdict,
    # tolerating a bounded number of unrelated status lines first.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev or \
           'certificate revoked' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (unknown)"""
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap = int_eap_server_params()
    ap["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap)
    # 'unknown' is not 'good': with ocsp=2 (response required) the
    # station must treat it as a bad status response and fail EAP.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # Bounded scan of the EAP status stream for the verdict.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
    """EAP-TLS and server signed OCSP response"""
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap = int_eap_server_params()
    ap["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap)
    # A response signed by the server's own key is not an acceptable
    # signer (it is neither the CA nor an authorized responder), so the
    # station must reject it rather than let a server vouch for itself.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ap = int_eap_server_params()
    # Staple an OCSP *request* where a response is expected: the station
    # must fail to parse it and must not fall back to "no OCSP".
    ap["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
    hostapd.add_ap(apdev[0], ap)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ap = int_eap_server_params()
    # A structurally present but invalid response must be rejected.
    ap["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0], ap)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ap = int_eap_server_params()
    # Well-formed response whose signer cannot be traced to the trusted
    # CA: the signature check, not just parsing, must cause rejection.
    ap["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
    hostapd.add_ap(apdev[0], ap)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap = int_eap_server_params()
    ap["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap)
    # Same revocation check as for EAP-TLS, but through the TTLS tunnel
    # setup: the outer TLS handshake must fail before any PAP credentials
    # would be sent inside the tunnel.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev or \
           'certificate revoked' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
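def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown"""
    # (docstring corrected: this case staples an 'unknown' status, not
    # 'revoked' -- the revoked case is test_ap_wpa2_eap_ttls_ocsp_revoked)
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap = int_eap_server_params()
    ap["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap)
    # With ocsp=2 a valid 'good' response is required, so 'unknown' must
    # be reported as a bad status response and EAP must fail.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")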
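def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown"""
    # (docstring corrected: this is the ocsp=1 / 'unknown' case, not
    # 'revoked')
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap = int_eap_server_params()
    ap["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap)
    # ocsp=1 requests stapling but does not require a 'good' answer, so an
    # 'unknown' status lets the connection complete. Practitioner caveat:
    # ocsp=1 is therefore not a revocation guarantee for the 'unknown'
    # case -- only an explicit 'revoked' is still honoured in this mode
    # (see test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")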
def test_ap_wpa2_eap_tls_intermediate_ca(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA"""
    ap = int_eap_server_params()
    # Server leaf issued by an intermediate CA; ca_cert points at the
    # intermediate+root bundle.
    ap["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    ap["server_cert"] = "auth_serv/iCA-server/server.pem"
    ap["private_key"] = "auth_serv/iCA-server/server.key"
    hostapd.add_ap(apdev[0], ap)

    ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
    tls = dev[0].request("GET tls_library")
    if "GnuTLS" in tls or "wolfSSL" in tls:
        # NOTE(review): these builds get the user cert bundled with its
        # intermediate; presumably they do not pick the intermediate up
        # from ca_cert when building the client chain -- confirm.
        client_cert = "auth_serv/iCA-user/user_and_ica.pem"
    else:
        client_cert = "auth_serv/iCA-user/user.pem"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert=ca_cert,
                   client_cert=client_cert,
                   private_key="auth_serv/iCA-user/user.key",
                   scan_freq="2412")
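def root_ocsp(cert):
    """Produce a root-CA-signed OCSP response for the certificate file
    ``cert`` using the local ``openssl ocsp`` responder.

    The status is taken from auth_serv/rootCA/index.txt, so a certificate
    marked revoked there yields a 'revoked' response. The response is
    signed directly with the root CA key (auth_serv/ca-key.pem) and
    carries no signer certificate (-resp_no_certs), so a verifier must
    validate it against its own trusted CA; this is test material only --
    a real deployment would use a delegated responder certificate.

    Returns the path of a temporary DER file holding the response. The
    caller owns that file and must unlink it. Raises Exception if either
    openssl invocation exits non-zero.
    """
    ca = "auth_serv/ca.pem"

    fd2, fn2 = tempfile.mkstemp()
    os.close(fd2)
    try:
        # 1) Build the OCSP request for ``cert`` (no nonce: the canned
        #    response must stay replayable across handshakes).
        arg = ["openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-sha256",
               "-cert", cert, "-no_nonce", "-text"]
        logger.info(' '.join(arg))
        cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE)
        # communicate() drains both pipes concurrently; reading stdout to
        # EOF and only then stderr can deadlock if stderr fills first.
        out, err = cmd.communicate()
        res = out.decode() + "\n" + err.decode()
        if cmd.returncode != 0:
            raise Exception("bad return code from openssl ocsp\n\n" + res)
        logger.info("OCSP request:\n" + res)

        # 2) Answer it from the root CA index, signed by the root CA key;
        #    -ndays 7 sets nextUpdate a week out.
        fd, fn = tempfile.mkstemp()
        os.close(fd)
        arg = ["openssl", "ocsp", "-index", "auth_serv/rootCA/index.txt",
               "-rsigner", ca, "-rkey", "auth_serv/ca-key.pem",
               "-CA", ca, "-issuer", ca, "-verify_other", ca, "-trust_other",
               "-ndays", "7", "-reqin", fn2, "-resp_no_certs", "-respout", fn,
               "-text"]
        cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE)
        out, err = cmd.communicate()
        res = out.decode() + "\n" + err.decode()
        if cmd.returncode != 0:
            os.unlink(fn)
            raise Exception("bad return code from openssl ocsp\n\n" + res)
        logger.info("OCSP response:\n" + res)
    finally:
        # the request file is only an intermediate artifact
        os.unlink(fn2)
    return fn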
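def ica_ocsp(cert, md="-sha256"):
    """Produce an intermediate-CA-signed OCSP response for the certificate
    auth_serv/iCA-server/``cert`` using the local ``openssl ocsp`` responder.

    ``md`` is the digest option used for CertID hashing in the request
    ("-sha256" by default, "-sha1" to emulate legacy responders). Status
    comes from the intermediate CA's index.txt and the response is signed
    with the intermediate CA key itself, without an embedded signer cert
    (-resp_no_certs) -- test material only.

    Returns the path of a temporary DER file holding the response; the
    caller must unlink it. Raises Exception if openssl exits non-zero.
    """
    prefix = "auth_serv/iCA-server/"
    ca = prefix + "cacert.pem"
    cert = prefix + cert

    fd2, fn2 = tempfile.mkstemp()
    os.close(fd2)
    try:
        # Request for ``cert``; no nonce so the canned response can be
        # stapled repeatedly.
        arg = ["openssl", "ocsp", "-reqout", fn2, "-issuer", ca, md,
               "-cert", cert, "-no_nonce", "-text"]
        cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE)
        # communicate() avoids the sequential-read pipe deadlock.
        out, err = cmd.communicate()
        res = out.decode() + "\n" + err.decode()
        if cmd.returncode != 0:
            raise Exception("bad return code from openssl ocsp\n\n" + res)
        logger.info("OCSP request:\n" + res)

        fd, fn = tempfile.mkstemp()
        os.close(fd)
        arg = ["openssl", "ocsp", "-index", prefix + "index.txt",
               "-rsigner", ca, "-rkey", prefix + "private/cakey.pem",
               "-CA", ca, "-issuer", ca, "-verify_other", ca, "-trust_other",
               "-ndays", "7", "-reqin", fn2, "-resp_no_certs", "-respout", fn,
               "-text"]
        cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE)
        out, err = cmd.communicate()
        res = out.decode() + "\n" + err.decode()
        if cmd.returncode != 0:
            os.unlink(fn)
            raise Exception("bad return code from openssl ocsp\n\n" + res)
        logger.info("OCSP response:\n" + res)
    finally:
        os.unlink(fn2)
    return fn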
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on server certificate"""
    # SHA-256 CertID hashing in the OCSP request/response.
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params,
                                              "-sha256")
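def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_sha1(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on server certificate (SHA1)"""
    # (docstring typo ")SHA1)" fixed.)  Same flow as the SHA-256 variant,
    # but the CertID in the OCSP request/response is hashed with SHA-1,
    # which legacy responders still emit.
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, "-sha1")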
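def run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, md):
    """Connect with EAP-TLS through an intermediate CA while the AP staples
    a freshly generated OCSP response for its server certificate.

    ``md`` is the digest option handed to ica_ocsp() for CertID hashing
    ("-sha256" or "-sha1"). The generated response file is removed on
    every exit path.
    """
    ap = int_eap_server_params()
    ap["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    ap["server_cert"] = "auth_serv/iCA-server/server.pem"
    ap["private_key"] = "auth_serv/iCA-server/server.key"
    fn = ica_ocsp("server.pem", md)
    ap["ocsp_stapling_response"] = fn
    try:
        hostapd.add_ap(apdev[0], ap)
        ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
        tls = dev[0].request("GET tls_library")
        if "GnuTLS" in tls or "wolfSSL" in tls:
            client_cert = "auth_serv/iCA-user/user_and_ica.pem"
        else:
            client_cert = "auth_serv/iCA-user/user.pem"
        # ocsp=2: the stapled response is mandatory and must verify
        # against the intermediate CA that signed it.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user",
                       ca_cert=ca_cert,
                       client_cert=client_cert,
                       private_key="auth_serv/iCA-user/user.key",
                       scan_freq="2412", ocsp=2)
    finally:
        # ica_ocsp() hands back a mkstemp() file; clean it up even when
        # the connection attempt raises.
        os.unlink(fn)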
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate"""
    # SHA-256 CertID hashing.
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params,
                                                      "-sha256")
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked_sha1(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate (SHA1)"""
    # Legacy SHA-1 CertID hashing must not weaken the revocation check.
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params,
                                                      "-sha1")
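def run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params, md):
    """Attempt EAP-TLS through an intermediate CA while the AP staples a
    freshly generated 'revoked' OCSP response for its server certificate.

    ``md`` selects the CertID digest ("-sha256"/"-sha1"). The station uses
    ocsp=1 (request, do not require), so this verifies that a received
    'revoked' status is honoured even in optional mode: EAP must fail and
    must never reach EAP-Success. The response file is always removed.
    """
    check_ocsp_support(dev[0])
    ap = int_eap_server_params()
    ap["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    ap["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
    ap["private_key"] = "auth_serv/iCA-server/server-revoked.key"
    fn = ica_ocsp("server-revoked.pem", md)
    ap["ocsp_stapling_response"] = fn
    try:
        hostapd.add_ap(apdev[0], ap)
        ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
        tls = dev[0].request("GET tls_library")
        if "GnuTLS" in tls or "wolfSSL" in tls:
            client_cert = "auth_serv/iCA-user/user_and_ica.pem"
        else:
            client_cert = "auth_serv/iCA-user/user.pem"
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user",
                       ca_cert=ca_cert,
                       client_cert=client_cert,
                       private_key="auth_serv/iCA-user/user.key",
                       scan_freq="2412", ocsp=1, wait_connect=False)

        # Bounded scan of the status stream; any EAP-Success is a failure
        # of the revocation check.
        for _ in range(11):
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
                                    "CTRL-EVENT-EAP-SUCCESS"])
            if ev is None:
                raise Exception("Timeout on EAP status")
            if "CTRL-EVENT-EAP-SUCCESS" in ev:
                raise Exception("Unexpected EAP-Success")
            if 'bad certificate status response' in ev or \
               'certificate revoked' in ev:
                break
        else:
            raise Exception("Unexpected number of EAP status messages")

        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        if ev is None:
            raise Exception("Timeout on EAP failure report")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    finally:
        os.unlink(fn)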
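def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP multi missing response"""
    check_ocsp_support(dev[0])
    check_ocsp_multi_support(dev[0])

    ap = int_eap_server_params()
    ap["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    ap["server_cert"] = "auth_serv/iCA-server/server.pem"
    ap["private_key"] = "auth_serv/iCA-server/server.key"
    # Only the server cert gets a (good) response; no response is stapled
    # for the intermediate CA certificate.
    fn = ica_ocsp("server.pem")
    ap["ocsp_stapling_response"] = fn
    try:
        hostapd.add_ap(apdev[0], ap)
        ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
        tls = dev[0].request("GET tls_library")
        if "GnuTLS" in tls or "wolfSSL" in tls:
            client_cert = "auth_serv/iCA-user/user_and_ica.pem"
        else:
            client_cert = "auth_serv/iCA-user/user.pem"
        # ocsp=3 demands a valid response for every untrusted certificate
        # in the chain, so the missing intermediate response must fail the
        # handshake even though the server cert's own status is good.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user",
                       ca_cert=ca_cert,
                       client_cert=client_cert,
                       private_key="auth_serv/iCA-user/user.key",
                       scan_freq="2412", ocsp=3, wait_connect=False)

        for _ in range(11):
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
                                    "CTRL-EVENT-EAP-SUCCESS"])
            if ev is None:
                raise Exception("Timeout on EAP status")
            if "CTRL-EVENT-EAP-SUCCESS" in ev:
                raise Exception("Unexpected EAP-Success")
            if 'bad certificate status response' in ev or \
               'certificate revoked' in ev:
                break
        else:
            raise Exception("Unexpected number of EAP status messages")

        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        if ev is None:
            raise Exception("Timeout on EAP failure report")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    finally:
        # remove the mkstemp() response file on every exit path
        os.unlink(fn)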
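def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP multi OK"""
    check_ocsp_support(dev[0])
    check_ocsp_multi_support(dev[0])

    ap = int_eap_server_params()
    ap["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    ap["server_cert"] = "auth_serv/iCA-server/server.pem"
    ap["private_key"] = "auth_serv/iCA-server/server.key"
    # One response per untrusted chain element: the server cert (answered
    # by the intermediate CA) and the intermediate itself (answered by the
    # root CA).
    fn = ica_ocsp("server.pem")
    fn2 = root_ocsp("auth_serv/iCA-server/cacert.pem")
    ap["ocsp_stapling_response"] = fn
    fd3, fn3 = tempfile.mkstemp()
    try:
        with open(fn, "rb") as f:
            resp_server = f.read()
        with open(fn2, "rb") as f:
            resp_ica = f.read()

        # Multi-response encoding: each DER OCSPResponse is prefixed with
        # a 24-bit big-endian length (low three bytes of a 32-bit pack).
        with os.fdopen(fd3, 'wb') as f:
            for resp in (resp_server, resp_ica):
                f.write(struct.pack(">L", len(resp))[1:4])
                f.write(resp)
        ap["ocsp_stapling_response_multi"] = fn3

        hostapd.add_ap(apdev[0], ap)
        ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
        tls = dev[0].request("GET tls_library")
        if "GnuTLS" in tls or "wolfSSL" in tls:
            client_cert = "auth_serv/iCA-user/user_and_ica.pem"
        else:
            client_cert = "auth_serv/iCA-user/user.pem"
        # ocsp=3: a valid response is required for every untrusted cert;
        # with both stapled the connection must succeed.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user",
                       ca_cert=ca_cert,
                       client_cert=client_cert,
                       private_key="auth_serv/iCA-user/user.key",
                       scan_freq="2412", ocsp=3)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    finally:
        # all three are mkstemp() files owned by this test
        for path in (fn, fn2, fn3):
            os.unlink(path)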
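def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev, apdev, params):
    """EAP-TLS and CA signed OCSP multi response (revoked)"""
    check_ocsp_support(dev[0])
    check_ocsp_multi_support(dev[0])
    check_pkcs12_support(dev[0])

    ocsp_revoked = os.path.join(params['logdir'],
                                "ocsp-resp-ca-signed-revoked.der")
    if not os.path.exists(ocsp_revoked):
        raise HwsimSkip("No OCSP response (revoked) available")
    ocsp_unknown = os.path.join(params['logdir'],
                                "ocsp-resp-ca-signed-unknown.der")
    if not os.path.exists(ocsp_unknown):
        raise HwsimSkip("No OCSP response(unknown) available")

    with open(ocsp_revoked, "rb") as f:
        resp_revoked = f.read()
    with open(ocsp_unknown, "rb") as f:
        resp_unknown = f.read()

    fd, fn = tempfile.mkstemp()
    try:
        # This is not really a valid order of the OCSPResponse items in the
        # list, but this works for now to verify parsing and processing of
        # multiple responses. Each item is a 24-bit length followed by the
        # DER response; the third item is deliberately empty.
        with os.fdopen(fd, 'wb') as f:
            for resp in (resp_unknown, resp_revoked, b"", resp_unknown):
                f.write(struct.pack(">L", len(resp))[1:4])
                f.write(resp)

        ap = int_eap_server_params()
        ap["ocsp_stapling_response_multi"] = fn
        hostapd.add_ap(apdev[0], ap)
        # ocsp=1 (optional): a 'revoked' entry in the list must still be
        # honoured -- the station must not pick the 'unknown' one and
        # proceed to EAP-Success.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       private_key="auth_serv/user.pkcs12",
                       private_key_passwd="whatever", ocsp=1,
                       wait_connect=False, scan_freq="2412")

        for _ in range(11):
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
                                    "CTRL-EVENT-EAP-SUCCESS"])
            if ev is None:
                raise Exception("Timeout on EAP status")
            if "CTRL-EVENT-EAP-SUCCESS" in ev:
                raise Exception("Unexpected EAP-Success")
            if 'bad certificate status response' in ev or \
               'certificate revoked' in ev:
                break
        else:
            raise Exception("Unexpected number of EAP status messages")
    finally:
        # the assembled multi-response is a mkstemp() file: always remove
        os.unlink(fn)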
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
    check_domain_match_full(dev[0])
    check_pkcs12_support(dev[0])
    ap = int_eap_server_params()
    # Server cert carries no dNSName SAN, so the suffix check has to be
    # applied to the subject CN instead.
    ap["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0], ap)
    # The configured suffix is the full CN: must match.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="server3.w1.fi",
                   scan_freq="2412")
def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
    check_domain_match(dev[0])
    check_pkcs12_support(dev[0])
    ap = int_eap_server_params()
    # No dNSName SAN in the server cert: the match falls back to the CN.
    ap["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0], ap)
    # domain_match requires an exact (full-name) match; here it is exact.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="server3.w1.fi",
                   scan_freq="2412")
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
    check_domain_match_full(dev[0])
    check_pkcs12_support(dev[0])
    ap = int_eap_server_params()
    # Server cert without dNSName SAN: suffix matching applies to the CN.
    ap["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0], ap)
    # A label-aligned parent-domain suffix ("w1.fi" of server3.w1.fi)
    # must be accepted. Note this deliberately runs on dev[1].
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="w1.fi",
                   scan_freq="2412")
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
    check_domain_suffix_match(dev[0])
    check_pkcs12_support(dev[0])
    ap = int_eap_server_params()
    # Server cert without dNSName SAN: the CN (server3.w1.fi) is matched.
    ap["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0], ap)
    common = dict(key_mgmt="WPA-EAP", eap="TLS", identity="tls user",
                  ca_cert="auth_serv/ca.pem",
                  private_key="auth_serv/user.pkcs12",
                  private_key_passwd="whatever",
                  wait_connect=False, scan_freq="2412")
    # Unrelated domain: must not match.
    dev[0].connect("test-wpa2-eap", domain_suffix_match="example.com",
                   **common)
    # "erver3.w1.fi" is a plain string suffix of server3.w1.fi but does
    # not start at a label boundary; suffix matching must be label-based,
    # so this must be rejected as well.
    dev[1].connect("test-wpa2-eap", domain_suffix_match="erver3.w1.fi",
                   **common)

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
    check_domain_match(dev[0])
    check_pkcs12_support(dev[0])
    ap = int_eap_server_params()
    # Server cert without dNSName SAN: the CN (server3.w1.fi) is matched.
    ap["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0], ap)
    common = dict(key_mgmt="WPA-EAP", eap="TLS", identity="tls user",
                  ca_cert="auth_serv/ca.pem",
                  private_key="auth_serv/user.pkcs12",
                  private_key_passwd="whatever",
                  wait_connect=False, scan_freq="2412")
    # Unrelated domain: must not match.
    dev[0].connect("test-wpa2-eap", domain_match="example.com", **common)
    # domain_match is a full-name match, unlike domain_suffix_match: the
    # parent domain "w1.fi" must therefore be rejected too.
    dev[1].connect("test-wpa2-eap", domain_match="w1.fi", **common)

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate"""
    # MSCHAP is unavailable in FIPS builds.
    skip_with_fips(dev[0])
    ap = int_eap_server_params()
    ap["server_cert"] = "auth_serv/server-expired.pem"
    ap["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0], ap)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   wait_connect=False, scan_freq="2412")
    # The station must report the expiry as a certificate error
    # (reason=4 / "certificate has expired") and then fail EAP, i.e. the
    # inner MSCHAP credentials are never sent to the untrusted server.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    if ev is None:
        raise Exception("Timeout on EAP certificate error report")
    if "reason=4" not in ev or "certificate has expired" not in ev:
        raise Exception("Unexpected failure reason: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
    skip_with_fips(dev[0])
    ap = int_eap_server_params()
    ap["server_cert"] = "auth_serv/server-expired.pem"
    ap["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0], ap)
    # tls_disable_time_checks=1 switches off the validity-period check,
    # so the expired server cert is accepted. Caveat for deployments:
    # this also accepts any other expired or not-yet-valid certificate
    # signed by the CA; it exists for clocks-less devices, not as a
    # general setting.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   phase1="tls_disable_time_checks=1",
                   scan_freq="2412")
def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
    skip_with_fips(dev[0])
    ap = int_eap_server_params()
    # Server cert with an unusually long validity period; the station
    # must still accept it (no artificial maximum lifetime is enforced).
    ap["server_cert"] = "auth_serv/server-long-duration.pem"
    ap["private_key"] = "auth_serv/server-long-duration.key"
    hostapd.add_ap(apdev[0], ap)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
    skip_with_fips(dev[0])
    ap = int_eap_server_params()
    # The server presents a certificate whose extended key usage only
    # permits client authentication.
    ap["server_cert"] = "auth_serv/server-eku-client.pem"
    ap["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0], ap)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   wait_connect=False, scan_freq="2412")
    # A CA-issued client certificate must not be usable to impersonate
    # the authentication server: EAP has to fail.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
    skip_with_fips(dev[0])
    ap = int_eap_server_params()
    # EKU lists both client and server authentication: the server usage
    # is present, so the certificate must be accepted.
    ap["server_cert"] = "auth_serv/server-eku-client-server.pem"
    ap["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0], ap)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
4786 def test_ap_wpa2_eap_ttls_server_pkcs12(dev
, apdev
):
4787 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
4788 skip_with_fips(dev
[0])
4789 params
= int_eap_server_params()
4790 del params
["server_cert"]
4791 params
["private_key"] = "auth_serv/server.pkcs12"
4792 hostapd
.add_ap(apdev
[0], params
)
4793 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4794 identity
="mschap user", password
="password",
4795 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4798 def test_ap_wpa2_eap_ttls_server_pkcs12_extra(dev
, apdev
):
4799 """EAP-TTLS and server PKCS#12 file with extra certs"""
4800 skip_with_fips(dev
[0])
4801 params
= int_eap_server_params()
4802 del params
["server_cert"]
4803 params
["private_key"] = "auth_serv/server-extra.pkcs12"
4804 params
["private_key_passwd"] = "whatever"
4805 hostapd
.add_ap(apdev
[0], params
)
4806 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4807 identity
="mschap user", password
="password",
4808 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
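def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params"""
    # The inner method is PAP ("pap user", phase2="auth=PAP"); the docstring
    # previously said CHAP, which did not match the configuration below.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # dh_file supplies the supplicant-side DH parameter file; the connection
    # is expected to succeed (no expect_failure is passed to eap_connect).
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="auth_serv/dh.conf")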
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
    # Guard first: check_dh_dsa_support() is expected to skip the test when
    # the supplicant build cannot use DSA parameters as DH parameters
    # (it is defined elsewhere in this file; behaviour inferred from its name).
    check_dh_dsa_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    client_opts = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.der",
        "phase2": "auth=PAP",
        # A DSA parameter file is handed over as the DH parameter source.
        "dh_file": "auth_serv/dsaparam.pem",
    }
    eap_connect(dev[0], hapd, "TTLS", "pap user", **client_opts)
4830 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev
, apdev
):
4831 """EAP-TTLS and DH params file not found"""
4832 skip_with_fips(dev
[0])
4833 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4834 hostapd
.add_ap(apdev
[0], params
)
4835 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4836 identity
="mschap user", password
="password",
4837 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4838 dh_file
="auth_serv/dh-no-such-file.conf",
4839 scan_freq
="2412", wait_connect
=False)
4840 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4842 raise Exception("EAP failure timed out")
4843 dev
[0].request("REMOVE_NETWORK all")
4844 dev
[0].wait_disconnected()
4846 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev
, apdev
):
4847 """EAP-TTLS and invalid DH params file"""
4848 skip_with_fips(dev
[0])
4849 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4850 hostapd
.add_ap(apdev
[0], params
)
4851 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4852 identity
="mschap user", password
="password",
4853 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4854 dh_file
="auth_serv/ca.pem",
4855 scan_freq
="2412", wait_connect
=False)
4856 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4858 raise Exception("EAP failure timed out")
4859 dev
[0].request("REMOVE_NETWORK all")
4860 dev
[0].wait_disconnected()
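def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params from blob"""
    # The inner method is PAP ("pap user", phase2="auth=PAP"); the docstring
    # previously said CHAP, which did not match the configuration below.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Store the DH parameters as a named wpa_supplicant blob. The control
    # interface takes the content hex-encoded, so read_pem() must return
    # bytes for binascii.hexlify() to accept it.
    dh = read_pem("auth_serv/dh2.conf")
    if "OK" not in dev[0].request("SET blob dhparams " + binascii.hexlify(dh).decode()):
        raise Exception("Could not set dhparams blob")
    # dh_file refers to the blob by name instead of a path on disk.
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="blob://dhparams")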
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
    # Server-side variant: the DH parameter file is configured on hostapd's
    # integrated EAP server rather than on the supplicant.
    srv = int_eap_server_params()
    srv["dh_file"] = "auth_serv/dh2.conf"
    hapd = hostapd.add_ap(apdev[0], srv)
    client_opts = dict(anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    # Plain successful connection is the assertion here.
    eap_connect(dev[0], hapd, "TTLS", "pap user", **client_opts)
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
    # Same as the dh2.conf server test, but hostapd is given a DSA parameter
    # file as its dh_file.
    srv = int_eap_server_params()
    srv["dh_file"] = "auth_serv/dsaparam.pem"
    hapd = hostapd.add_ap(apdev[0], srv)
    client_opts = dict(anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **client_opts)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found"""
    # NOTE(review): this file defines test_ap_wpa2_eap_ttls_dh_params_not_found
    # twice (an earlier supplicant-side variant and this server-side one).
    # Python keeps the last definition, so the earlier test is never collected
    # under this name; renaming one of them would make both runnable.
    srv = int_eap_server_params()
    srv["dh_file"] = "auth_serv/dh-no-such-file.conf"
    # no_enable=True leaves the AP configured but not started so that the
    # ENABLE result can be checked explicitly.
    hapd = hostapd.add_ap(apdev[0], srv, no_enable=True)
    # Expected fail-closed behaviour: hostapd must refuse to come up with a
    # missing DH parameter file instead of starting without it.
    result = hapd.request("ENABLE")
    if "FAIL" not in result:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file"""
    # NOTE(review): test_ap_wpa2_eap_ttls_dh_params_invalid is also defined
    # earlier in this file (supplicant-side variant); this later definition
    # replaces it at import time, so only this server-side test runs.
    srv = int_eap_server_params()
    # A CA certificate is deliberately passed where DH parameters are
    # expected; hostapd must reject the configuration at ENABLE time.
    srv["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0], srv, no_enable=True)
    result = hapd.request("ENABLE")
    if "FAIL" not in result:
        raise Exception("Invalid configuration accepted")
4908 def test_ap_wpa2_eap_reauth(dev
, apdev
):
4909 """WPA2-Enterprise and Authenticator forcing reauthentication"""
4910 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4911 params
['eap_reauth_period'] = '2'
4912 hapd
= hostapd
.add_ap(apdev
[0], params
)
4913 eap_connect(dev
[0], hapd
, "PAX", "pax.user@example.com",
4914 password_hex
="0123456789abcdef0123456789abcdef")
4915 logger
.info("Wait for reauthentication")
4916 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
4918 raise Exception("Timeout on reauthentication")
4919 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
4921 raise Exception("Timeout on reauthentication")
4922 for i
in range(0, 20):
4923 state
= dev
[0].get_status_field("wpa_state")
4924 if state
== "COMPLETED":
4927 if state
!= "COMPLETED":
4928 raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    ap = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # The literal backslash-zero separates the displayable text from the
    # option list that follows it in the Request-Identity payload.
    ap['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hapd = hostapd.add_ap(apdev[0], ap)
    # Only a successful EAP-PAX authentication is asserted; the message
    # content itself is not inspected here.
    eap_connect(dev[0], hapd, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
    # Skips (HwsimSkip) unless the hlr_auc_gw control socket exists.
    check_hlr_auc_gw_support()
    srv = int_eap_server_params()
    srv['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    srv['eap_sim_aka_result_ind'] = "1"
    hapd = hostapd.add_ap(apdev[0], srv)

    # (method, identity, password) for each EAP method exercised. The
    # password strings are the test-vector Ki:OPc[:SQN] values used by the
    # simulated HLR/AuC in this test setup.
    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, identity, secret) in enumerate(cases):
        if idx:
            # Clear the previous method's network profiles on both stations
            # before moving on to the next method.
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        # dev[0] requests the protected result indication and then
        # re-authenticates; dev[1] connects without requesting it.
        eap_connect(dev[0], hapd, method, identity, password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], hapd, method, identity, password=secret)
4973 def test_ap_wpa2_eap_sim_zero_db_timeout(dev
, apdev
):
4974 """WPA2-Enterprise using EAP-SIM with zero database timeout"""
4975 check_hlr_auc_gw_support()
4976 params
= int_eap_server_params()
4977 params
['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
4978 params
['eap_sim_db_timeout'] = "0"
4979 params
['disable_pmksa_caching'] = '1'
4980 hapd
= hostapd
.add_ap(apdev
[0], params
)
4982 # Run multiple iterations to make it more likely to hit the case where the
4983 # DB request times out and response is lost.
4985 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
4986 identity
="1232010000000000",
4987 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4988 wait_connect
=False, scan_freq
="2412")
4989 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
4990 "CTRL-EVENT-DISCONNECTED"],
4993 raise Exception("No connection result")
4994 dev
[0].request("REMOVE_NETWORK all")
4995 if "CTRL-EVENT-DISCONNECTED" in ev
:
4997 dev
[0].wait_disconnected()
5000 def test_ap_wpa2_eap_too_many_roundtrips(dev
, apdev
):
5001 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
5002 skip_with_fips(dev
[0])
5003 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5004 hostapd
.add_ap(apdev
[0], params
)
5005 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
5006 eap
="TTLS", identity
="mschap user",
5007 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
5008 anonymous_identity
="ttls", password
="password",
5009 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
5011 ev
= dev
[0].wait_event(["EAP: more than",
5012 "CTRL-EVENT-EAP-SUCCESS"], timeout
=20)
5013 if ev
is None or "EAP: more than" not in ev
:
5014 raise Exception("EAP roundtrip limit not reached")
5016 def test_ap_wpa2_eap_expanded_nak(dev
, apdev
):
5017 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
5018 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5019 hostapd
.add_ap(apdev
[0], params
)
5020 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
5021 eap
="PSK", identity
="vendor-test",
5022 password_hex
="ff23456789abcdef0123456789abcdef",
5026 for i
in range(0, 5):
5027 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout
=16)
5029 raise Exception("Association and EAP start timed out")
5030 if "refuse proposed method" in ev
:
5034 raise Exception("Unexpected EAP status: " + ev
)
5036 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
5038 raise Exception("EAP failure timed out")
5040 def test_ap_wpa2_eap_sql(dev
, apdev
, params
):
5041 """WPA2-Enterprise connection using SQLite for user DB"""
5042 skip_with_fips(dev
[0])
5046 raise HwsimSkip("No sqlite3 module available")
5047 dbfile
= os
.path
.join(params
['logdir'], "eap-user.db")
5052 con
= sqlite3
.connect(dbfile
)
5055 cur
.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
5056 cur
.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
5057 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
5058 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
5059 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
5060 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
5061 cur
.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
5062 cur
.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
5065 params
= int_eap_server_params()
5066 params
["eap_user_file"] = "sqlite:" + dbfile
5067 hapd
= hostapd
.add_ap(apdev
[0], params
)
5068 eap_connect(dev
[0], hapd
, "TTLS", "user-mschapv2",
5069 anonymous_identity
="ttls", password
="password",
5070 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
5071 dev
[0].request("REMOVE_NETWORK all")
5072 eap_connect(dev
[1], hapd
, "TTLS", "user-mschap",
5073 anonymous_identity
="ttls", password
="password",
5074 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP")
5075 dev
[1].request("REMOVE_NETWORK all")
5076 eap_connect(dev
[0], hapd
, "TTLS", "user-chap",
5077 anonymous_identity
="ttls", password
="password",
5078 ca_cert
="auth_serv/ca.pem", phase2
="auth=CHAP")
5079 eap_connect(dev
[1], hapd
, "TTLS", "user-pap",
5080 anonymous_identity
="ttls", password
="password",
5081 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5085 def test_ap_wpa2_eap_non_ascii_identity(dev
, apdev
):
5086 """WPA2-Enterprise connection attempt using non-ASCII identity"""
5087 params
= int_eap_server_params()
5088 hostapd
.add_ap(apdev
[0], params
)
5089 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
5090 identity
="\x80", password
="password", wait_connect
=False)
5091 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
5092 identity
="a\x80", password
="password", wait_connect
=False)
5093 for i
in range(0, 2):
5094 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
5096 raise Exception("Association and EAP start timed out")
5097 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
5099 raise Exception("EAP method selection timed out")
5101 def test_ap_wpa2_eap_non_ascii_identity2(dev
, apdev
):
5102 """WPA2-Enterprise connection attempt using non-ASCII identity"""
5103 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5104 hostapd
.add_ap(apdev
[0], params
)
5105 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
5106 identity
="\x80", password
="password", wait_connect
=False)
5107 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
5108 identity
="a\x80", password
="password", wait_connect
=False)
5109 for i
in range(0, 2):
5110 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
5112 raise Exception("Association and EAP start timed out")
5113 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
5115 raise Exception("EAP method selection timed out")
5117 def test_openssl_cipher_suite_config_wpas(dev
, apdev
):
5118 """OpenSSL cipher suite configuration on wpa_supplicant"""
5119 tls
= dev
[0].request("GET tls_library")
5120 if not tls
.startswith("OpenSSL"):
5121 raise HwsimSkip("TLS library is not OpenSSL: " + tls
)
5122 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5123 hapd
= hostapd
.add_ap(apdev
[0], params
)
5124 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5125 anonymous_identity
="ttls", password
="password",
5126 openssl_ciphers
="AES128",
5127 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5128 eap_connect(dev
[1], hapd
, "TTLS", "pap user",
5129 anonymous_identity
="ttls", password
="password",
5130 openssl_ciphers
="EXPORT",
5131 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
5132 expect_failure
=True, maybe_local_error
=True)
5133 dev
[2].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
5134 identity
="pap user", anonymous_identity
="ttls",
5135 password
="password",
5136 openssl_ciphers
="FOO",
5137 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
5139 ev
= dev
[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
5141 raise Exception("EAP failure after invalid openssl_ciphers not reported")
5142 dev
[2].request("DISCONNECT")
5144 def test_openssl_cipher_suite_config_hapd(dev
, apdev
):
5145 """OpenSSL cipher suite configuration on hostapd"""
5146 tls
= dev
[0].request("GET tls_library")
5147 if not tls
.startswith("OpenSSL"):
5148 raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls
)
5149 params
= int_eap_server_params()
5150 params
['openssl_ciphers'] = "AES256"
5151 hapd
= hostapd
.add_ap(apdev
[0], params
)
5152 tls
= hapd
.request("GET tls_library")
5153 if not tls
.startswith("OpenSSL"):
5154 raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls
)
5155 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5156 anonymous_identity
="ttls", password
="password",
5157 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5158 eap_connect(dev
[1], hapd
, "TTLS", "pap user",
5159 anonymous_identity
="ttls", password
="password",
5160 openssl_ciphers
="AES128",
5161 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
5162 expect_failure
=True)
5163 eap_connect(dev
[2], hapd
, "TTLS", "pap user",
5164 anonymous_identity
="ttls", password
="password",
5165 openssl_ciphers
="HIGH:!ADH",
5166 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5168 params
['openssl_ciphers'] = "FOO"
5169 hapd2
= hostapd
.add_ap(apdev
[1], params
, no_enable
=True)
5170 if "FAIL" not in hapd2
.request("ENABLE"):
5171 if "run=OpenSSL 1.1.1" in tls
:
5172 logger
.info("Ignore acceptance of an invalid openssl_ciphers value with OpenSSL 1.1.1")
5174 raise Exception("Invalid openssl_ciphers value accepted")
def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
    # 'params' here is the test-run parameter dict (e.g. logdir) consumed by
    # run_eap_key_lifetime_in_memory(); the AP configuration is built
    # separately.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    # Long, high-entropy password so that its occurrences in process memory
    # are unambiguous when the memory dump is searched later.
    secret = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    net_id = eap_connect(dev[0], hapd, "TTLS", "pap-secret",
                         anonymous_identity="ttls", password=secret,
                         ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    run_eap_key_lifetime_in_memory(dev, params, net_id, secret)
def test_wpa2_eap_peap_gtc_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using PEAP/GTC"""
    # Same flow as the EAP-TTLS/PAP variant, using PEAP with GTC as the
    # inner method. 'params' is the test-run parameter dict, not AP config.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    # Long, high-entropy password so that it is unambiguous when searched
    # for in the process memory dump.
    secret = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    net_id = eap_connect(dev[0], hapd, "PEAP", "user-secret",
                         anonymous_identity="peap", password=secret,
                         ca_cert="auth_serv/ca.pem", phase2="auth=GTC")
    run_eap_key_lifetime_in_memory(dev, params, net_id, secret)
5196 def run_eap_key_lifetime_in_memory(dev
, params
, id, password
):
5197 pid
= find_wpas_process(dev
[0])
5199 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
5200 # event has been delivered, so verify that wpa_supplicant has returned to
5201 # eloop before reading process memory.
5204 password
= password
.encode()
5205 buf
= read_process_memory(pid
, password
)
5207 dev
[0].request("DISCONNECT")
5208 dev
[0].wait_disconnected()
5216 with
open(os
.path
.join(params
['logdir'], 'log0'), 'r') as f
:
5217 for l
in f
.readlines():
5218 if "EAP-TTLS: Derived key - hexdump" in l
or \
5219 "EAP-PEAP: Derived key - hexdump" in l
:
5220 val
= l
.strip().split(':')[3].replace(' ', '')
5221 msk
= binascii
.unhexlify(val
)
5222 if "EAP-TTLS: Derived EMSK - hexdump" in l
or \
5223 "EAP-PEAP: Derived EMSK - hexdump" in l
:
5224 val
= l
.strip().split(':')[3].replace(' ', '')
5225 emsk
= binascii
.unhexlify(val
)
5226 if "WPA: PMK - hexdump" in l
:
5227 val
= l
.strip().split(':')[3].replace(' ', '')
5228 pmk
= binascii
.unhexlify(val
)
5229 if "WPA: PTK - hexdump" in l
:
5230 val
= l
.strip().split(':')[3].replace(' ', '')
5231 ptk
= binascii
.unhexlify(val
)
5232 if "WPA: Group Key - hexdump" in l
:
5233 val
= l
.strip().split(':')[3].replace(' ', '')
5234 gtk
= binascii
.unhexlify(val
)
5235 if not msk
or not emsk
or not pmk
or not ptk
or not gtk
:
5236 raise Exception("Could not find keys from debug log")
5238 raise Exception("Unexpected GTK length")
5244 fname
= os
.path
.join(params
['logdir'],
5245 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
5247 logger
.info("Checking keys in memory while associated")
5248 get_key_locations(buf
, password
, "Password")
5249 get_key_locations(buf
, pmk
, "PMK")
5250 get_key_locations(buf
, msk
, "MSK")
5251 get_key_locations(buf
, emsk
, "EMSK")
5252 if password
not in buf
:
5253 raise HwsimSkip("Password not found while associated")
5255 raise HwsimSkip("PMK not found while associated")
5257 raise Exception("KCK not found while associated")
5259 raise Exception("KEK not found while associated")
5261 # raise Exception("TK found from memory")
5263 logger
.info("Checking keys in memory after disassociation")
5264 buf
= read_process_memory(pid
, password
)
5266 # Note: Password is still present in network configuration
5267 # Note: PMK is in PMKSA cache and EAP fast re-auth data
5269 get_key_locations(buf
, password
, "Password")
5270 get_key_locations(buf
, pmk
, "PMK")
5271 get_key_locations(buf
, msk
, "MSK")
5272 get_key_locations(buf
, emsk
, "EMSK")
5273 verify_not_present(buf
, kck
, fname
, "KCK")
5274 verify_not_present(buf
, kek
, fname
, "KEK")
5275 verify_not_present(buf
, tk
, fname
, "TK")
5277 get_key_locations(buf
, gtk
, "GTK")
5278 verify_not_present(buf
, gtk
, fname
, "GTK")
5280 dev
[0].request("PMKSA_FLUSH")
5281 dev
[0].set_network_quoted(id, "identity", "foo")
5282 logger
.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
5283 buf
= read_process_memory(pid
, password
)
5284 get_key_locations(buf
, password
, "Password")
5285 get_key_locations(buf
, pmk
, "PMK")
5286 get_key_locations(buf
, msk
, "MSK")
5287 get_key_locations(buf
, emsk
, "EMSK")
5288 verify_not_present(buf
, pmk
, fname
, "PMK")
5290 dev
[0].request("REMOVE_NETWORK all")
5292 logger
.info("Checking keys in memory after network profile removal")
5293 buf
= read_process_memory(pid
, password
)
5295 get_key_locations(buf
, password
, "Password")
5296 get_key_locations(buf
, pmk
, "PMK")
5297 get_key_locations(buf
, msk
, "MSK")
5298 get_key_locations(buf
, emsk
, "EMSK")
5299 verify_not_present(buf
, password
, fname
, "password")
5300 verify_not_present(buf
, pmk
, fname
, "PMK")
5301 verify_not_present(buf
, kck
, fname
, "KCK")
5302 verify_not_present(buf
, kek
, fname
, "KEK")
5303 verify_not_present(buf
, tk
, fname
, "TK")
5304 verify_not_present(buf
, gtk
, fname
, "GTK")
5305 verify_not_present(buf
, msk
, fname
, "MSK")
5306 verify_not_present(buf
, emsk
, fname
, "EMSK")
5308 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev
, apdev
):
5309 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
5310 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5311 hapd
= hostapd
.add_ap(apdev
[0], params
)
5312 bssid
= apdev
[0]['bssid']
5313 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5314 anonymous_identity
="ttls", password
="password",
5315 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5317 # Send unexpected WEP EAPOL-Key; this gets dropped
5318 res
= dev
[0].request("EAPOL_RX " + bssid
+ " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
5320 raise Exception("EAPOL_RX to wpa_supplicant failed")
5322 def test_ap_wpa2_eap_in_bridge(dev
, apdev
):
5323 """WPA2-EAP and wpas interface in a bridge"""
5324 br_ifname
= 'sta-br0'
5327 _test_ap_wpa2_eap_in_bridge(dev
, apdev
)
5329 subprocess
.call(['ip', 'link', 'set', 'dev', br_ifname
, 'down'])
5330 subprocess
.call(['brctl', 'delif', br_ifname
, ifname
])
5331 subprocess
.call(['brctl', 'delbr', br_ifname
])
5332 subprocess
.call(['iw', ifname
, 'set', '4addr', 'off'])
5334 def _test_ap_wpa2_eap_in_bridge(dev
, apdev
):
5335 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5336 hapd
= hostapd
.add_ap(apdev
[0], params
)
5338 br_ifname
= 'sta-br0'
5340 wpas
= WpaSupplicant(global_iface
='/tmp/wpas-wlan5')
5341 subprocess
.call(['brctl', 'addbr', br_ifname
])
5342 subprocess
.call(['brctl', 'setfd', br_ifname
, '0'])
5343 subprocess
.call(['ip', 'link', 'set', 'dev', br_ifname
, 'up'])
5344 subprocess
.call(['iw', ifname
, 'set', '4addr', 'on'])
5345 subprocess
.check_call(['brctl', 'addif', br_ifname
, ifname
])
5346 wpas
.interface_add(ifname
, br_ifname
=br_ifname
)
5349 id = eap_connect(wpas
, hapd
, "PAX", "pax.user@example.com",
5350 password_hex
="0123456789abcdef0123456789abcdef")
5352 eap_reauth(wpas
, "PAX")
5354 # Try again as a regression test for packet socket workaround
5355 eap_reauth(wpas
, "PAX")
5357 wpas
.request("DISCONNECT")
5358 wpas
.wait_disconnected()
5360 wpas
.request("RECONNECT")
5361 wpas
.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
    ap = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap)
    # Sanity check of the running configuration: the first key_mgmt token
    # reported by GET_CONFIG must be WPA-EAP.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.partition(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # tls_disable_session_ticket=0 explicitly allows TLS session tickets;
    # the subsequent reauthentication exercises that path.
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
5377 def test_ap_wpa2_eap_no_workaround(dev
, apdev
):
5378 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
5379 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5380 hapd
= hostapd
.add_ap(apdev
[0], params
)
5381 key_mgmt
= hapd
.get_config()['key_mgmt']
5382 if key_mgmt
.split(' ')[0] != "WPA-EAP":
5383 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt
)
5384 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5385 anonymous_identity
="ttls", password
="password",
5386 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5388 eap_reauth(dev
[0], "TTLS")
5390 def test_ap_wpa2_eap_tls_check_crl(dev
, apdev
):
5391 """EAP-TLS and server checking CRL"""
5392 params
= int_eap_server_params()
5393 params
['check_crl'] = '1'
5394 hapd
= hostapd
.add_ap(apdev
[0], params
)
5396 # check_crl=1 and no CRL available --> reject connection
5397 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5398 client_cert
="auth_serv/user.pem",
5399 private_key
="auth_serv/user.key", expect_failure
=True)
5400 dev
[0].request("REMOVE_NETWORK all")
5403 hapd
.set("ca_cert", "auth_serv/ca-and-crl.pem")
5406 # check_crl=1 and valid CRL --> accept
5407 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5408 client_cert
="auth_serv/user.pem",
5409 private_key
="auth_serv/user.key")
5410 dev
[0].request("REMOVE_NETWORK all")
5413 hapd
.set("check_crl", "2")
5416 # check_crl=2 and valid CRL --> accept
5417 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5418 client_cert
="auth_serv/user.pem",
5419 private_key
="auth_serv/user.key")
5420 dev
[0].request("REMOVE_NETWORK all")
5422 def test_ap_wpa2_eap_tls_crl_reload(dev
, apdev
, params
):
5423 """EAP-TLS and server reloading CRL from ca_cert"""
5424 ca_cert
= os
.path
.join(params
['logdir'],
5425 "ap_wpa2_eap_tls_crl_reload.ca_cert")
5426 with
open('auth_serv/ca.pem', 'r') as f
:
5427 only_cert
= f
.read()
5428 with
open('auth_serv/ca-and-crl.pem', 'r') as f
:
5429 cert_and_crl
= f
.read()
5430 with
open(ca_cert
, 'w') as f
:
5432 params
= int_eap_server_params()
5433 params
['ca_cert'] = ca_cert
5434 params
['check_crl'] = '1'
5435 params
['crl_reload_interval'] = '1'
5436 hapd
= hostapd
.add_ap(apdev
[0], params
)
5438 # check_crl=1 and no CRL available --> reject connection
5439 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5440 client_cert
="auth_serv/user.pem",
5441 private_key
="auth_serv/user.key", expect_failure
=True)
5442 dev
[0].request("REMOVE_NETWORK all")
5443 dev
[0].dump_monitor()
5445 with
open(ca_cert
, 'w') as f
:
5446 f
.write(cert_and_crl
)
5449 # check_crl=1 and valid CRL --> accept
5450 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5451 client_cert
="auth_serv/user.pem",
5452 private_key
="auth_serv/user.key")
5453 dev
[0].request("REMOVE_NETWORK all")
5454 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_tls_check_cert_subject(dev, apdev):
    """EAP-TLS and server checking client subject name"""
    srv = int_eap_server_params()
    # Server-side constraint on the client certificate's subject; the
    # positive case uses a value that matches auth_serv/user.pem.
    srv['check_cert_subject'] = 'C=FI/O=w1.fi/CN=Test User'
    hapd = hostapd.add_ap(apdev[0], srv)
    # Skips unless hostapd's TLS library supports check_cert_subject.
    check_check_cert_subject_support(hapd)

    client_cert_opts = dict(ca_cert="auth_serv/ca.pem",
                            client_cert="auth_serv/user.pem",
                            private_key="auth_serv/user.key")
    eap_connect(dev[0], hapd, "TLS", "tls user", **client_cert_opts)
def test_ap_wpa2_eap_tls_check_cert_subject_neg(dev, apdev):
    """EAP-TLS and server checking client subject name (negative)"""
    srv = int_eap_server_params()
    # Negative case: the expected subject does not match the client
    # certificate, so the server must reject the otherwise valid client
    # (expect_failure=True below).
    srv['check_cert_subject'] = 'C=FI/O=example'
    hapd = hostapd.add_ap(apdev[0], srv)
    check_check_cert_subject_support(hapd)

    client_cert_opts = dict(ca_cert="auth_serv/ca.pem",
                            client_cert="auth_serv/user.pem",
                            private_key="auth_serv/user.key")
    eap_connect(dev[0], hapd, "TLS", "tls user", expect_failure=True,
                **client_cert_opts)
5478 def test_ap_wpa2_eap_tls_oom(dev
, apdev
):
5479 """EAP-TLS and OOM"""
5480 check_subject_match_support(dev
[0])
5481 check_altsubject_match_support(dev
[0])
5482 check_domain_match(dev
[0])
5483 check_domain_match_full(dev
[0])
5485 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5486 hostapd
.add_ap(apdev
[0], params
)
5488 tests
= [(1, "tls_connection_set_subject_match"),
5489 (2, "tls_connection_set_subject_match"),
5490 (3, "tls_connection_set_subject_match"),
5491 (4, "tls_connection_set_subject_match")]
5492 for count
, func
in tests
:
5493 with
alloc_fail(dev
[0], count
, func
):
5494 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5495 identity
="tls user", ca_cert
="auth_serv/ca.pem",
5496 client_cert
="auth_serv/user.pem",
5497 private_key
="auth_serv/user.key",
5498 subject_match
="/C=FI/O=w1.fi/CN=server.w1.fi",
5499 altsubject_match
="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
5500 domain_suffix_match
="server.w1.fi",
5501 domain_match
="server.w1.fi",
5502 wait_connect
=False, scan_freq
="2412")
5503 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
5504 ev
= dev
[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout
=5)
5506 raise Exception("No passphrase request")
5507 dev
[0].request("REMOVE_NETWORK all")
5508 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL"""
    ap = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # macaddr_acl=2 selects the RADIUS-based MAC ACL mode in hostapd.conf;
    # the test only verifies that EAP-TLS still completes with it enabled.
    ap["macaddr_acl"] = "2"
    hapd = hostapd.add_ap(apdev[0], ap)
    client_cert_opts = dict(ca_cert="auth_serv/ca.pem",
                            client_cert="auth_serv/user.pem",
                            private_key="auth_serv/user.key")
    # Note: dev[1] (not dev[0]) is the station used here.
    eap_connect(dev[1], hapd, "TLS", "tls user", **client_cert_opts)
5519 def test_ap_wpa2_eap_oom(dev
, apdev
):
5520 """EAP server and OOM"""
5521 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5522 hapd
= hostapd
.add_ap(apdev
[0], params
)
5523 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
5525 with
alloc_fail(hapd
, 1, "eapol_auth_alloc"):
5526 # The first attempt fails, but STA will send EAPOL-Start to retry and
5528 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5529 identity
="tls user", ca_cert
="auth_serv/ca.pem",
5530 client_cert
="auth_serv/user.pem",
5531 private_key
="auth_serv/user.key",
5534 def check_tls_ver(dev
, hapd
, phase1
, expected
):
5535 eap_connect(dev
, hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5536 client_cert
="auth_serv/user.pem",
5537 private_key
="auth_serv/user.key",
5539 ver
= dev
.get_status_field("eap_tls_version")
5541 raise Exception("Unexpected TLS version (expected %s): %s" % (expected
, ver
))
5543 def test_ap_wpa2_eap_tls_versions(dev
, apdev
):
5544 """EAP-TLS and TLS version configuration"""
5545 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5546 hapd
= hostapd
.add_ap(apdev
[0], params
)
5548 tls
= dev
[0].request("GET tls_library")
5549 if tls
.startswith("OpenSSL"):
5550 if "build=OpenSSL 1.0.1" not in tls
and "run=OpenSSL 1.0.1" not in tls
:
5551 check_tls_ver(dev
[0], hapd
,
5552 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
5554 if tls
.startswith("wolfSSL"):
5555 if ("build=3.10.0" in tls
and "run=3.10.0" in tls
) or \
5556 ("build=3.13.0" in tls
and "run=3.13.0" in tls
):
5557 check_tls_ver(dev
[0], hapd
,
5558 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
5560 elif tls
.startswith("internal"):
5561 check_tls_ver(dev
[0], hapd
,
5562 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
5563 check_tls_ver(dev
[1], hapd
,
5564 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
5565 check_tls_ver(dev
[2], hapd
,
5566 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
5567 if "run=OpenSSL 1.1.1" in tls
:
5568 check_tls_ver(dev
[0], hapd
,
5569 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0", "TLSv1.3")
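def test_ap_wpa2_eap_tls_13(dev, apdev):
    """EAP-TLS and TLS 1.3"""
    # WPA2-Enterprise AP backed by hostapd's built-in EAP server.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # TLS 1.3 requires a TLS library that implements it. "GET tls_library"
    # reports the runtime library as "run=<name> <version>"; OpenSSL 1.1.1
    # and the 3.x series both provide TLS 1.3, so accept either instead of
    # skipping on every OpenSSL newer than 1.1.1.
    tls = dev[0].request("GET tls_library")
    if "run=OpenSSL 1.1.1" not in tls and "run=OpenSSL 3." not in tls:
        raise HwsimSkip("TLS v1.3 not supported")

    # Force TLS 1.3 by disabling every older protocol version in phase1 and
    # explicitly allowing 1.3; the handshake must then use 1.3 or fail.
    # The network id returned by eap_connect() is not needed here, so it is
    # not kept (the old code bound it to the builtin name "id" and never
    # used it).
    eap_connect(dev[0], hapd, "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
                phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0")
    ver = dev[0].get_status_field("eap_tls_version")
    if ver != "TLSv1.3":
        # Include the negotiated version so a failure is diagnosable from
        # the log alone (matches the message style of check_tls_ver()).
        raise Exception("Unexpected TLS version (expected TLSv1.3): %s" % ver)

    # Re-run EAP on the existing association, then reconnect from scratch
    # with the PMKSA cache cleared so the new connection cannot short-cut
    # the EAP exchange through PMKSA caching.
    eap_reauth(dev[0], "TLS")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].request("PMKSA_FLUSH")
    dev[0].request("RECONNECT")
    dev[0].wait_connected()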
5595 def test_rsn_ie_proto_eap_sta(dev
, apdev
):
5596 """RSN element protocol testing for EAP cases on STA side"""
5597 bssid
= apdev
[0]['bssid']
5598 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5599 # This is the RSN element used normally by hostapd
5600 params
['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
5601 hapd
= hostapd
.add_ap(apdev
[0], params
)
5602 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
5603 identity
="gpsk user",
5604 password
="abcdefghijklmnop0123456789abcdef",
5607 tests
= [('No RSN Capabilities field',
5608 '30120100000fac040100000fac040100000fac01'),
5609 ('No AKM Suite fields',
5610 '300c0100000fac040100000fac04'),
5611 ('No Pairwise Cipher Suite fields',
5612 '30060100000fac04'),
5613 ('No Group Data Cipher Suite field',
5615 for txt
, ie
in tests
:
5616 dev
[0].request("DISCONNECT")
5617 dev
[0].wait_disconnected()
5620 hapd
.set('own_ie_override', ie
)
5622 dev
[0].request("BSS_FLUSH 0")
5623 dev
[0].scan_for_bss(bssid
, 2412, force_scan
=True, only_new
=True)
5624 dev
[0].select_network(id, freq
=2412)
5625 dev
[0].wait_connected()
5627 dev
[0].request("DISCONNECT")
5628 dev
[0].wait_disconnected()
5629 dev
[0].flush_scan_cache()
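def check_tls_session_resumption_capa(dev, hapd):
    """Skip the calling test unless both ends can exercise TLS session resumption.

    dev: wpa_supplicant instance (must answer "GET tls_library")
    hapd: hostapd instance (must answer "GET tls_library")
    Raises HwsimSkip when either side is built with a TLS library other than
    OpenSSL. The AP side is checked first, so the station is not queried if
    the AP already disqualifies the test.
    """
    # Only OpenSSL is accepted on either side, so the skip reason names
    # exactly that condition (the old message also claimed wolfSSL was
    # acceptable, which the check never allowed).
    # NOTE(review): if wolfSSL session resumption is meant to be covered,
    # both startswith() checks below need extending, not only the message.
    ap_lib = hapd.request("GET tls_library")
    if not ap_lib.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_lib)

    sta_lib = dev.request("GET tls_library")
    if not sta_lib.startswith("OpenSSL"):
        raise HwsimSkip("Session resumption not supported with this TLS library: " + sta_lib)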
5640 def test_eap_ttls_pap_session_resumption(dev
, apdev
):
5641 """EAP-TTLS/PAP session resumption"""
5642 params
= int_eap_server_params()
5643 params
['tls_session_lifetime'] = '60'
5644 hapd
= hostapd
.add_ap(apdev
[0], params
)
5645 check_tls_session_resumption_capa(dev
[0], hapd
)
5646 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5647 anonymous_identity
="ttls", password
="password",
5648 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5650 if dev
[0].get_status_field("tls_session_reused") != '0':
5651 raise Exception("Unexpected session resumption on the first connection")
5653 dev
[0].request("REAUTHENTICATE")
5654 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5656 raise Exception("EAP success timed out")
5657 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5659 raise Exception("Key handshake with the AP timed out")
5660 if dev
[0].get_status_field("tls_session_reused") != '1':
5661 raise Exception("Session resumption not used on the second connection")
5662 hwsim_utils
.test_connectivity(dev
[0], hapd
)
5664 def test_eap_ttls_chap_session_resumption(dev
, apdev
):
5665 """EAP-TTLS/CHAP session resumption"""
5666 params
= int_eap_server_params()
5667 params
['tls_session_lifetime'] = '60'
5668 hapd
= hostapd
.add_ap(apdev
[0], params
)
5669 check_tls_session_resumption_capa(dev
[0], hapd
)
5670 eap_connect(dev
[0], hapd
, "TTLS", "chap user",
5671 anonymous_identity
="ttls", password
="password",
5672 ca_cert
="auth_serv/ca.der", phase2
="auth=CHAP")
5673 if dev
[0].get_status_field("tls_session_reused") != '0':
5674 raise Exception("Unexpected session resumption on the first connection")
5676 dev
[0].request("REAUTHENTICATE")
5677 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5679 raise Exception("EAP success timed out")
5680 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5682 raise Exception("Key handshake with the AP timed out")
5683 if dev
[0].get_status_field("tls_session_reused") != '1':
5684 raise Exception("Session resumption not used on the second connection")
5686 def test_eap_ttls_mschap_session_resumption(dev
, apdev
):
5687 """EAP-TTLS/MSCHAP session resumption"""
5688 check_domain_suffix_match(dev
[0])
5689 params
= int_eap_server_params()
5690 params
['tls_session_lifetime'] = '60'
5691 hapd
= hostapd
.add_ap(apdev
[0], params
)
5692 check_tls_session_resumption_capa(dev
[0], hapd
)
5693 eap_connect(dev
[0], hapd
, "TTLS", "mschap user",
5694 anonymous_identity
="ttls", password
="password",
5695 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
5696 domain_suffix_match
="server.w1.fi")
5697 if dev
[0].get_status_field("tls_session_reused") != '0':
5698 raise Exception("Unexpected session resumption on the first connection")
5700 dev
[0].request("REAUTHENTICATE")
5701 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5703 raise Exception("EAP success timed out")
5704 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5706 raise Exception("Key handshake with the AP timed out")
5707 if dev
[0].get_status_field("tls_session_reused") != '1':
5708 raise Exception("Session resumption not used on the second connection")
5710 def test_eap_ttls_mschapv2_session_resumption(dev
, apdev
):
5711 """EAP-TTLS/MSCHAPv2 session resumption"""
5712 check_domain_suffix_match(dev
[0])
5713 check_eap_capa(dev
[0], "MSCHAPV2")
5714 params
= int_eap_server_params()
5715 params
['tls_session_lifetime'] = '60'
5716 hapd
= hostapd
.add_ap(apdev
[0], params
)
5717 check_tls_session_resumption_capa(dev
[0], hapd
)
5718 eap_connect(dev
[0], hapd
, "TTLS", "DOMAIN\mschapv2 user",
5719 anonymous_identity
="ttls", password
="password",
5720 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
5721 domain_suffix_match
="server.w1.fi")
5722 if dev
[0].get_status_field("tls_session_reused") != '0':
5723 raise Exception("Unexpected session resumption on the first connection")
5725 dev
[0].request("REAUTHENTICATE")
5726 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5728 raise Exception("EAP success timed out")
5729 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5731 raise Exception("Key handshake with the AP timed out")
5732 if dev
[0].get_status_field("tls_session_reused") != '1':
5733 raise Exception("Session resumption not used on the second connection")
5735 def test_eap_ttls_eap_gtc_session_resumption(dev
, apdev
):
5736 """EAP-TTLS/EAP-GTC session resumption"""
5737 params
= int_eap_server_params()
5738 params
['tls_session_lifetime'] = '60'
5739 hapd
= hostapd
.add_ap(apdev
[0], params
)
5740 check_tls_session_resumption_capa(dev
[0], hapd
)
5741 eap_connect(dev
[0], hapd
, "TTLS", "user",
5742 anonymous_identity
="ttls", password
="password",
5743 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC")
5744 if dev
[0].get_status_field("tls_session_reused") != '0':
5745 raise Exception("Unexpected session resumption on the first connection")
5747 dev
[0].request("REAUTHENTICATE")
5748 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5750 raise Exception("EAP success timed out")
5751 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5753 raise Exception("Key handshake with the AP timed out")
5754 if dev
[0].get_status_field("tls_session_reused") != '1':
5755 raise Exception("Session resumption not used on the second connection")
5757 def test_eap_ttls_no_session_resumption(dev
, apdev
):
5758 """EAP-TTLS session resumption disabled on server"""
5759 params
= int_eap_server_params()
5760 params
['tls_session_lifetime'] = '0'
5761 hapd
= hostapd
.add_ap(apdev
[0], params
)
5762 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5763 anonymous_identity
="ttls", password
="password",
5764 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5766 if dev
[0].get_status_field("tls_session_reused") != '0':
5767 raise Exception("Unexpected session resumption on the first connection")
5769 dev
[0].request("REAUTHENTICATE")
5770 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5772 raise Exception("EAP success timed out")
5773 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5775 raise Exception("Key handshake with the AP timed out")
5776 if dev
[0].get_status_field("tls_session_reused") != '0':
5777 raise Exception("Unexpected session resumption on the second connection")
5779 def test_eap_peap_session_resumption(dev
, apdev
):
5780 """EAP-PEAP session resumption"""
5781 check_eap_capa(dev
[0], "MSCHAPV2")
5782 params
= int_eap_server_params()
5783 params
['tls_session_lifetime'] = '60'
5784 hapd
= hostapd
.add_ap(apdev
[0], params
)
5785 check_tls_session_resumption_capa(dev
[0], hapd
)
5786 eap_connect(dev
[0], hapd
, "PEAP", "user",
5787 anonymous_identity
="peap", password
="password",
5788 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
5789 if dev
[0].get_status_field("tls_session_reused") != '0':
5790 raise Exception("Unexpected session resumption on the first connection")
5792 dev
[0].request("REAUTHENTICATE")
5793 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5795 raise Exception("EAP success timed out")
5796 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5798 raise Exception("Key handshake with the AP timed out")
5799 if dev
[0].get_status_field("tls_session_reused") != '1':
5800 raise Exception("Session resumption not used on the second connection")
5802 def test_eap_peap_session_resumption_crypto_binding(dev
, apdev
):
5803 """EAP-PEAP session resumption with crypto binding"""
5804 params
= int_eap_server_params()
5805 params
['tls_session_lifetime'] = '60'
5806 hapd
= hostapd
.add_ap(apdev
[0], params
)
5807 check_tls_session_resumption_capa(dev
[0], hapd
)
5808 eap_connect(dev
[0], hapd
, "PEAP", "user",
5809 anonymous_identity
="peap", password
="password",
5810 phase1
="peapver=0 crypto_binding=2",
5811 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
5812 if dev
[0].get_status_field("tls_session_reused") != '0':
5813 raise Exception("Unexpected session resumption on the first connection")
5815 dev
[0].request("REAUTHENTICATE")
5816 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5818 raise Exception("EAP success timed out")
5819 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5821 raise Exception("Key handshake with the AP timed out")
5822 if dev
[0].get_status_field("tls_session_reused") != '1':
5823 raise Exception("Session resumption not used on the second connection")
5825 def test_eap_peap_no_session_resumption(dev
, apdev
):
5826 """EAP-PEAP session resumption disabled on server"""
5827 params
= int_eap_server_params()
5828 hapd
= hostapd
.add_ap(apdev
[0], params
)
5829 eap_connect(dev
[0], hapd
, "PEAP", "user",
5830 anonymous_identity
="peap", password
="password",
5831 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
5832 if dev
[0].get_status_field("tls_session_reused") != '0':
5833 raise Exception("Unexpected session resumption on the first connection")
5835 dev
[0].request("REAUTHENTICATE")
5836 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5838 raise Exception("EAP success timed out")
5839 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5841 raise Exception("Key handshake with the AP timed out")
5842 if dev
[0].get_status_field("tls_session_reused") != '0':
5843 raise Exception("Unexpected session resumption on the second connection")
5845 def test_eap_tls_session_resumption(dev
, apdev
):
5846 """EAP-TLS session resumption"""
5847 params
= int_eap_server_params()
5848 params
['tls_session_lifetime'] = '60'
5849 hapd
= hostapd
.add_ap(apdev
[0], params
)
5850 check_tls_session_resumption_capa(dev
[0], hapd
)
5851 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5852 client_cert
="auth_serv/user.pem",
5853 private_key
="auth_serv/user.key")
5854 if dev
[0].get_status_field("tls_session_reused") != '0':
5855 raise Exception("Unexpected session resumption on the first connection")
5857 dev
[0].request("REAUTHENTICATE")
5858 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5860 raise Exception("EAP success timed out")
5861 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5863 raise Exception("Key handshake with the AP timed out")
5864 if dev
[0].get_status_field("tls_session_reused") != '1':
5865 raise Exception("Session resumption not used on the second connection")
5867 dev
[0].request("REAUTHENTICATE")
5868 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5870 raise Exception("EAP success timed out")
5871 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5873 raise Exception("Key handshake with the AP timed out")
5874 if dev
[0].get_status_field("tls_session_reused") != '1':
5875 raise Exception("Session resumption not used on the third connection")
5877 def test_eap_tls_session_resumption_expiration(dev
, apdev
):
5878 """EAP-TLS session resumption"""
5879 params
= int_eap_server_params()
5880 params
['tls_session_lifetime'] = '1'
5881 hapd
= hostapd
.add_ap(apdev
[0], params
)
5882 check_tls_session_resumption_capa(dev
[0], hapd
)
5883 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5884 client_cert
="auth_serv/user.pem",
5885 private_key
="auth_serv/user.key")
5886 if dev
[0].get_status_field("tls_session_reused") != '0':
5887 raise Exception("Unexpected session resumption on the first connection")
5889 # Allow multiple attempts since OpenSSL may not expire the cached entry
5894 dev
[0].request("REAUTHENTICATE")
5895 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5897 raise Exception("EAP success timed out")
5898 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5900 raise Exception("Key handshake with the AP timed out")
5901 if dev
[0].get_status_field("tls_session_reused") == '0':
5903 if dev
[0].get_status_field("tls_session_reused") != '0':
5904 raise Exception("Session resumption used after lifetime expiration")
5906 def test_eap_tls_no_session_resumption(dev
, apdev
):
5907 """EAP-TLS session resumption disabled on server"""
5908 params
= int_eap_server_params()
5909 hapd
= hostapd
.add_ap(apdev
[0], params
)
5910 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5911 client_cert
="auth_serv/user.pem",
5912 private_key
="auth_serv/user.key")
5913 if dev
[0].get_status_field("tls_session_reused") != '0':
5914 raise Exception("Unexpected session resumption on the first connection")
5916 dev
[0].request("REAUTHENTICATE")
5917 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5919 raise Exception("EAP success timed out")
5920 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5922 raise Exception("Key handshake with the AP timed out")
5923 if dev
[0].get_status_field("tls_session_reused") != '0':
5924 raise Exception("Unexpected session resumption on the second connection")
5926 def test_eap_tls_session_resumption_radius(dev
, apdev
):
5927 """EAP-TLS session resumption (RADIUS)"""
5928 params
= {"ssid": "as", "beacon_int": "2000",
5929 "radius_server_clients": "auth_serv/radius_clients.conf",
5930 "radius_server_auth_port": '18128',
5932 "eap_user_file": "auth_serv/eap_user.conf",
5933 "ca_cert": "auth_serv/ca.pem",
5934 "server_cert": "auth_serv/server.pem",
5935 "private_key": "auth_serv/server.key",
5936 "tls_session_lifetime": "60"}
5937 authsrv
= hostapd
.add_ap(apdev
[1], params
)
5938 check_tls_session_resumption_capa(dev
[0], authsrv
)
5940 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5941 params
['auth_server_port'] = "18128"
5942 hapd
= hostapd
.add_ap(apdev
[0], params
)
5943 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5944 client_cert
="auth_serv/user.pem",
5945 private_key
="auth_serv/user.key")
5946 if dev
[0].get_status_field("tls_session_reused") != '0':
5947 raise Exception("Unexpected session resumption on the first connection")
5949 dev
[0].request("REAUTHENTICATE")
5950 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5952 raise Exception("EAP success timed out")
5953 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5955 raise Exception("Key handshake with the AP timed out")
5956 if dev
[0].get_status_field("tls_session_reused") != '1':
5957 raise Exception("Session resumption not used on the second connection")
5959 def test_eap_tls_no_session_resumption_radius(dev
, apdev
):
5960 """EAP-TLS session resumption disabled (RADIUS)"""
5961 params
= {"ssid": "as", "beacon_int": "2000",
5962 "radius_server_clients": "auth_serv/radius_clients.conf",
5963 "radius_server_auth_port": '18128',
5965 "eap_user_file": "auth_serv/eap_user.conf",
5966 "ca_cert": "auth_serv/ca.pem",
5967 "server_cert": "auth_serv/server.pem",
5968 "private_key": "auth_serv/server.key",
5969 "tls_session_lifetime": "0"}
5970 hostapd
.add_ap(apdev
[1], params
)
5972 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5973 params
['auth_server_port'] = "18128"
5974 hapd
= hostapd
.add_ap(apdev
[0], params
)
5975 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5976 client_cert
="auth_serv/user.pem",
5977 private_key
="auth_serv/user.key")
5978 if dev
[0].get_status_field("tls_session_reused") != '0':
5979 raise Exception("Unexpected session resumption on the first connection")
5981 dev
[0].request("REAUTHENTICATE")
5982 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5984 raise Exception("EAP success timed out")
5985 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5987 raise Exception("Key handshake with the AP timed out")
5988 if dev
[0].get_status_field("tls_session_reused") != '0':
5989 raise Exception("Unexpected session resumption on the second connection")
5991 def test_eap_mschapv2_errors(dev
, apdev
):
5992 """EAP-MSCHAPv2 error cases"""
5993 check_eap_capa(dev
[0], "MSCHAPV2")
5994 check_eap_capa(dev
[0], "FAST")
5996 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa-eap")
5997 hapd
= hostapd
.add_ap(apdev
[0], params
)
5998 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
5999 identity
="phase1-user", password
="password",
6001 dev
[0].request("REMOVE_NETWORK all")
6002 dev
[0].wait_disconnected()
6004 tests
= [(1, "hash_nt_password_hash;mschapv2_derive_response"),
6005 (1, "nt_password_hash;mschapv2_derive_response"),
6006 (1, "nt_password_hash;=mschapv2_derive_response"),
6007 (1, "generate_nt_response;mschapv2_derive_response"),
6008 (1, "generate_authenticator_response;mschapv2_derive_response"),
6009 (1, "nt_password_hash;=mschapv2_derive_response"),
6010 (1, "get_master_key;mschapv2_derive_response"),
6011 (1, "os_get_random;eap_mschapv2_challenge_reply")]
6012 for count
, func
in tests
:
6013 with
fail_test(dev
[0], count
, func
):
6014 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
6015 identity
="phase1-user", password
="password",
6016 wait_connect
=False, scan_freq
="2412")
6017 wait_fail_trigger(dev
[0], "GET_FAIL")
6018 dev
[0].request("REMOVE_NETWORK all")
6019 dev
[0].wait_disconnected()
6021 tests
= [(1, "hash_nt_password_hash;mschapv2_derive_response"),
6022 (1, "hash_nt_password_hash;=mschapv2_derive_response"),
6023 (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
6024 (1, "generate_authenticator_response_pwhash;mschapv2_derive_response")]
6025 for count
, func
in tests
:
6026 with
fail_test(dev
[0], count
, func
):
6027 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
6028 identity
="phase1-user",
6029 password_hex
="hash:8846f7eaee8fb117ad06bdd830b7586c",
6030 wait_connect
=False, scan_freq
="2412")
6031 wait_fail_trigger(dev
[0], "GET_FAIL")
6032 dev
[0].request("REMOVE_NETWORK all")
6033 dev
[0].wait_disconnected()
6035 tests
= [(1, "eap_mschapv2_init"),
6036 (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
6037 (1, "eap_msg_alloc;eap_mschapv2_success"),
6038 (1, "eap_mschapv2_getKey")]
6039 for count
, func
in tests
:
6040 with
alloc_fail(dev
[0], count
, func
):
6041 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
6042 identity
="phase1-user", password
="password",
6043 wait_connect
=False, scan_freq
="2412")
6044 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6045 dev
[0].request("REMOVE_NETWORK all")
6046 dev
[0].wait_disconnected()
6048 tests
= [(1, "eap_msg_alloc;eap_mschapv2_failure")]
6049 for count
, func
in tests
:
6050 with
alloc_fail(dev
[0], count
, func
):
6051 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
6052 identity
="phase1-user", password
="wrong password",
6053 wait_connect
=False, scan_freq
="2412")
6054 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6055 dev
[0].request("REMOVE_NETWORK all")
6056 dev
[0].wait_disconnected()
6058 tests
= [(2, "eap_mschapv2_init"),
6059 (3, "eap_mschapv2_init")]
6060 for count
, func
in tests
:
6061 with
alloc_fail(dev
[0], count
, func
):
6062 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="FAST",
6063 anonymous_identity
="FAST", identity
="user",
6064 password
="password",
6065 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
6066 phase1
="fast_provisioning=1",
6067 pac_file
="blob://fast_pac",
6068 wait_connect
=False, scan_freq
="2412")
6069 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6070 dev
[0].request("REMOVE_NETWORK all")
6071 dev
[0].wait_disconnected()
6073 def test_eap_gpsk_errors(dev
, apdev
):
6074 """EAP-GPSK error cases"""
6075 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa-eap")
6076 hapd
= hostapd
.add_ap(apdev
[0], params
)
6077 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
6078 identity
="gpsk user",
6079 password
="abcdefghijklmnop0123456789abcdef",
6081 dev
[0].request("REMOVE_NETWORK all")
6082 dev
[0].wait_disconnected()
6084 tests
= [(1, "os_get_random;eap_gpsk_send_gpsk_2", None),
6085 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
6087 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
6089 (1, "eap_gpsk_derive_keys_helper", None),
6090 (2, "eap_gpsk_derive_keys_helper", None),
6091 (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
6093 (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
6095 (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
6096 (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
6097 (1, "eap_gpsk_derive_mid_helper", None)]
6098 for count
, func
, phase1
in tests
:
6099 with
fail_test(dev
[0], count
, func
):
6100 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
6101 identity
="gpsk user",
6102 password
="abcdefghijklmnop0123456789abcdef",
6104 wait_connect
=False, scan_freq
="2412")
6105 wait_fail_trigger(dev
[0], "GET_FAIL")
6106 dev
[0].request("REMOVE_NETWORK all")
6107 dev
[0].wait_disconnected()
6109 tests
= [(1, "eap_gpsk_init"),
6110 (2, "eap_gpsk_init"),
6111 (3, "eap_gpsk_init"),
6112 (1, "eap_gpsk_process_id_server"),
6113 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
6114 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
6115 (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
6116 (1, "eap_gpsk_derive_keys"),
6117 (1, "eap_gpsk_derive_keys_helper"),
6118 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
6119 (1, "eap_gpsk_getKey"),
6120 (1, "eap_gpsk_get_emsk"),
6121 (1, "eap_gpsk_get_session_id")]
6122 for count
, func
in tests
:
6123 with
alloc_fail(dev
[0], count
, func
):
6124 dev
[0].request("ERP_FLUSH")
6125 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
6126 identity
="gpsk user@domain", erp
="1",
6127 password
="abcdefghijklmnop0123456789abcdef",
6128 wait_connect
=False, scan_freq
="2412")
6129 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6130 dev
[0].request("REMOVE_NETWORK all")
6131 dev
[0].wait_disconnected()
6133 def test_ap_wpa2_eap_sim_db(dev
, apdev
, params
):
6134 """EAP-SIM DB error cases"""
6135 sockpath
= '/tmp/hlr_auc_gw.sock-test'
6140 hparams
= int_eap_server_params()
6141 hparams
['eap_sim_db'] = 'unix:' + sockpath
6142 hapd
= hostapd
.add_ap(apdev
[0], hparams
)
6144 # Initial test with hlr_auc_gw socket not available
6145 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
6146 eap
="SIM", identity
="1232010000000000",
6147 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
6148 scan_freq
="2412", wait_connect
=False)
6149 ev
= dev
[0].wait_event(["EAP-ERROR-CODE"], timeout
=10)
6151 raise Exception("EAP method specific error code not reported")
6152 if int(ev
.split()[1]) != 16384:
6153 raise Exception("Unexpected EAP method specific error code: " + ev
)
6154 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
6156 raise Exception("EAP-Failure not reported")
6157 dev
[0].wait_disconnected()
6158 dev
[0].request("DISCONNECT")
6160 # Test with invalid responses and response timeout
6162 class test_handler(SocketServer
.DatagramRequestHandler
):
6164 data
= self
.request
[0].decode().strip()
6165 socket
= self
.request
[1]
6166 logger
.debug("Received hlr_auc_gw request: " + data
)
6167 # EAP-SIM DB: Failed to parse response string
6168 socket
.sendto(b
"FOO", self
.client_address
)
6169 # EAP-SIM DB: Failed to parse response string
6170 socket
.sendto(b
"FOO 1", self
.client_address
)
6171 # EAP-SIM DB: Unknown external response
6172 socket
.sendto(b
"FOO 1 2", self
.client_address
)
6173 logger
.info("No proper response - wait for pending eap_sim_db request timeout")
6175 server
= SocketServer
.UnixDatagramServer(sockpath
, test_handler
)
6178 dev
[0].select_network(id)
6179 server
.handle_request()
6180 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
6182 raise Exception("EAP-Failure not reported")
6183 dev
[0].wait_disconnected()
6184 dev
[0].request("DISCONNECT")
6186 # Test with a valid response
6188 class test_handler2(SocketServer
.DatagramRequestHandler
):
6190 data
= self
.request
[0].decode().strip()
6191 socket
= self
.request
[1]
6192 logger
.debug("Received hlr_auc_gw request: " + data
)
6193 fname
= os
.path
.join(params
['logdir'],
6194 'hlr_auc_gw.milenage_db')
6195 cmd
= subprocess
.Popen(['../../hostapd/hlr_auc_gw',
6197 stdout
=subprocess
.PIPE
)
6198 res
= cmd
.stdout
.read().decode().strip()
6200 logger
.debug("hlr_auc_gw response: " + res
)
6201 socket
.sendto(res
.encode(), self
.client_address
)
6203 server
.RequestHandlerClass
= test_handler2
6205 dev
[0].select_network(id)
6206 server
.handle_request()
6207 dev
[0].wait_connected()
6208 dev
[0].request("DISCONNECT")
6209 dev
[0].wait_disconnected()
6211 def test_eap_tls_sha512(dev
, apdev
, params
):
6212 """EAP-TLS with SHA512 signature"""
6213 params
= int_eap_server_params()
6214 params
["ca_cert"] = "auth_serv/sha512-ca.pem"
6215 params
["server_cert"] = "auth_serv/sha512-server.pem"
6216 params
["private_key"] = "auth_serv/sha512-server.key"
6217 hostapd
.add_ap(apdev
[0], params
)
6219 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6220 identity
="tls user sha512",
6221 ca_cert
="auth_serv/sha512-ca.pem",
6222 client_cert
="auth_serv/sha512-user.pem",
6223 private_key
="auth_serv/sha512-user.key",
6225 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6226 identity
="tls user sha512",
6227 ca_cert
="auth_serv/sha512-ca.pem",
6228 client_cert
="auth_serv/sha384-user.pem",
6229 private_key
="auth_serv/sha384-user.key",
6232 def test_eap_tls_sha384(dev
, apdev
, params
):
6233 """EAP-TLS with SHA384 signature"""
6234 params
= int_eap_server_params()
6235 params
["ca_cert"] = "auth_serv/sha512-ca.pem"
6236 params
["server_cert"] = "auth_serv/sha384-server.pem"
6237 params
["private_key"] = "auth_serv/sha384-server.key"
6238 hostapd
.add_ap(apdev
[0], params
)
6240 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6241 identity
="tls user sha512",
6242 ca_cert
="auth_serv/sha512-ca.pem",
6243 client_cert
="auth_serv/sha512-user.pem",
6244 private_key
="auth_serv/sha512-user.key",
6246 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6247 identity
="tls user sha512",
6248 ca_cert
="auth_serv/sha512-ca.pem",
6249 client_cert
="auth_serv/sha384-user.pem",
6250 private_key
="auth_serv/sha384-user.key",
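def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
    """WPA2-Enterprise AP and association request RSN IE differences

    Exercises hostapd's parsing of the RSN IE carried in (Re)Association
    Request frames. set_test_assoc_ie() makes the station send a hand-built
    RSN IE instead of its own, so that both tolerated variations (optional
    trailing fields omitted or extra fields appended) and policy violations
    (unsupported ciphers, PMF not enabled against a PMF-required AP) can be
    sent to the AP. Accepted IEs must lead to a normal connection; rejected
    IEs must produce an association rejection with the exact IEEE 802.11
    status code the AP is supposed to use.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    # Second AP requires PMF (ieee80211w=2) so that the MFP-related RSN
    # Capabilities and group management cipher handling can be exercised.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
    params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[1], params)

    # EAP-GPSK is used throughout; the credentials never change, only the
    # RSN IE does.
    eap_args = dict(key_mgmt="WPA-EAP", eap="GPSK", identity="gpsk user",
                    password="abcdefghijklmnop0123456789abcdef",
                    scan_freq="2412")

    # Success cases with optional RSN IE fields removed one by one
    tests = [("Normal wpa_supplicant assoc req RSN IE",
              "30140100000fac040100000fac040100000fac010000"),
             ("Extra PMKIDCount field in RSN IE",
              "30160100000fac040100000fac040100000fac0100000000"),
             ("Extra Group Management Cipher Suite in RSN IE",
              "301a0100000fac040100000fac040100000fac0100000000000fac06"),
             ("Extra undefined extension field in RSN IE",
              "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
             ("RSN IE without RSN Capabilities",
              "30120100000fac040100000fac040100000fac01"),
             ("RSN IE without AKM", "300c0100000fac040100000fac04"),
             ("RSN IE without pairwise", "30060100000fac04"),
             ("RSN IE without group", "30020100")]
    for title, ie in tests:
        logger.info(title)
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap", **eap_args)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # PMF-required AP: RSN Capabilities cc00 carry the MFPC/MFPR bits, with
    # and without an explicit group management cipher suite (BIP, 000fac06).
    tests = [("Normal wpa_supplicant assoc req RSN IE",
              "30140100000fac040100000fac040100000fac01cc00"),
             ("Group management cipher included in assoc req RSN IE",
              "301a0100000fac040100000fac040100000fac01cc000000000fac06")]
    for title, ie in tests:
        logger.info(title)
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap-11w", ieee80211w="1", **eap_args)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Cipher suites the AP does not allow (TKIP, 000fac02, on a CCMP-only
    # AP): status 41 = invalid group cipher, 42 = invalid pairwise cipher.
    tests = [("Invalid group cipher", "30060100000fac02", 41),
             ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42)]
    for title, ie, status in tests:
        _expect_assoc_reject(dev[0], "test-wpa2-eap", title, ie, status,
                             **eap_args)

    # PMF policy violations against the PMF-required AP: status 31 = robust
    # management frame policy violation (no MFP bits in RSN Capabilities),
    # 46 = cipher suite rejected because of security policy (group management
    # cipher the AP does not support).
    tests = [("Management frame protection not enabled",
              "30140100000fac040100000fac040100000fac010000", 31),
             ("Unsupported management group cipher",
              "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 46)]
    for title, ie, status in tests:
        _expect_assoc_reject(dev[0], "test-wpa2-eap-11w", title, ie, status,
                             ieee80211w="1", **eap_args)


def _expect_assoc_reject(wpas, ssid, title, ie, status, **kwargs):
    """Associate with a hand-built RSN IE and require a specific rejection.

    wpas: WpaSupplicant instance to drive
    ssid: network to connect to
    title: human-readable case name for the log and error messages
    ie: hex string of the RSN IE to place in the association request
    status: IEEE 802.11 status code the AP must reject with
    kwargs: remaining network parameters passed to connect()

    Raises Exception when no rejection is seen, when the status code differs
    from the expected one, or - the security-relevant case - when the AP
    accepts the association despite the policy violation.
    """
    logger.info(title)
    set_test_assoc_ie(wpas, ie)
    wpas.connect(ssid, wait_connect=False, **kwargs)
    # Also listen for CONNECTED: an AP that accepts an invalid RSN IE would
    # otherwise only show up as a timeout here, which hides the real failure.
    ev = wpas.wait_event(["CTRL-EVENT-ASSOC-REJECT", "CTRL-EVENT-CONNECTED"])
    if ev is None:
        raise Exception("Association rejection not reported")
    if "CTRL-EVENT-CONNECTED" in ev:
        raise Exception("AP accepted association with invalid RSN IE: " +
                        title)
    if "status_code=" + str(status) not in ev:
        raise Exception("Unexpected status code: " + ev)
    wpas.request("REMOVE_NETWORK all")
    wpas.dump_monitor()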
def test_eap_tls_ext_cert_check(dev, apdev):
    """EAP-TLS and external server certification validation"""
    # ca_cert is configured, so wpa_supplicant validates the server chain
    # itself; tls_ext_cert_check=1 additionally hands the chain to the
    # controller and blocks EAP completion until it answers. The network is
    # only added here (only_add_network=True); run_ext_cert_check() selects it
    # and performs the checks.
    cfg = dict(key_mgmt="WPA-EAP", eap="TLS",
               identity="tls user",
               ca_cert="auth_serv/ca.pem",
               client_cert="auth_serv/user.pem",
               private_key="auth_serv/user.key",
               phase1="tls_ext_cert_check=1", scan_freq="2412",
               only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **cfg)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_ttls_ext_cert_check(dev, apdev):
    """EAP-TTLS and external server certification validation"""
    # No ca_cert here: wpa_supplicant does not validate the server chain
    # itself, so the external check driven by run_ext_cert_check() is the
    # only thing standing between the PAP password and a rogue server. The
    # helper's ":bad" round verifies that a negative verdict really aborts
    # the authentication in this configuration.
    cfg = dict(key_mgmt="WPA-EAP", eap="TTLS",
               identity="pap user", anonymous_identity="ttls",
               password="password", phase2="auth=PAP",
               phase1="tls_ext_cert_check=1", scan_freq="2412",
               only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **cfg)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_peap_ext_cert_check(dev, apdev):
    """EAP-PEAP and external server certification validation"""
    # Internal chain validation (ca_cert) plus the external check; MSCHAPv2
    # inside the tunnel. The network is added only; run_ext_cert_check()
    # selects it and drives the good/bad rounds.
    cfg = dict(key_mgmt="WPA-EAP", eap="PEAP",
               identity="user", anonymous_identity="peap",
               ca_cert="auth_serv/ca.pem",
               password="password", phase2="auth=MSCHAPV2",
               phase1="tls_ext_cert_check=1", scan_freq="2412",
               only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **cfg)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_fast_ext_cert_check(dev, apdev):
    """EAP-FAST and external server certification validation"""
    check_eap_capa(dev[0], "FAST")
    # Clear any PAC left in the blob by an earlier run: with a valid PAC the
    # server certificate would not be presented at all, and the external
    # check could not be exercised. fast_provisioning=2 requests
    # authenticated (certificate-based) provisioning.
    dev[0].request("SET blob fast_pac_auth_ext ")
    cfg = dict(key_mgmt="WPA-EAP", eap="FAST",
               identity="user", anonymous_identity="FAST",
               ca_cert="auth_serv/ca.pem",
               password="password", phase2="auth=GTC",
               phase1="tls_ext_cert_check=1 fast_provisioning=2",
               pac_file="blob://fast_pac_auth_ext",
               scan_freq="2412",
               only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **cfg)
    run_ext_cert_check(dev, apdev, net_id)
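def run_ext_cert_check(dev, apdev, net_id):
    """Drive an EAP authentication through the external certificate check.

    The network ``net_id`` must have been added with
    ``phase1="tls_ext_cert_check=1"``. wpa_supplicant then reports the
    server certificate chain (one CTRL-EVENT-EAP-PEER-CERT per depth) and
    stops before EAP-Success with CTRL-REQ-EXT_CERT_CHECK, waiting for the
    controller to answer ``good`` or ``bad``. This helper verifies that

    * the server certificate (depth 0) and its issuer (depth 1) are delivered
      and carry the expected subject CNs,
    * EAP-Success is not reported before the controller has answered, i.e.
      the hook really gates the authentication,
    * ``good`` lets the connection complete, and
    * ``bad`` on a fresh full authentication ends in EAP-Failure without a
      connection.

    dev: hwsim station devices (dev[0] is used)
    apdev: hwsim AP devices (apdev[0] is used)
    net_id: network id returned by connect(..., only_add_network=True)

    Raises HwsimSkip when the build or the Python OpenSSL binding lacks the
    needed support, Exception on any mismatch.
    """
    check_ext_cert_check_support(dev[0])
    if not openssl_imported:
        raise HwsimSkip("OpenSSL python method not available")

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    dev[0].select_network(net_id)
    certs = {}  # depth -> DER certificate
    while True:
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
                                "CTRL-REQ-EXT_CERT_CHECK",
                                "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("No peer server certificate event seen")
        if "CTRL-EVENT-EAP-PEER-CERT" in ev:
            depth, cert = _parse_peer_cert_event(ev)
            if depth is not None and cert:
                certs[depth] = binascii.unhexlify(cert)
        elif "CTRL-EVENT-EAP-SUCCESS" in ev:
            # Success before the external verdict would mean the hook does
            # not gate authentication at all.
            raise Exception("Unexpected EAP-Success")
        elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
            req_id = _ext_cert_check_req_id(ev)
            break
    if 0 not in certs:
        raise Exception("Server certificate not received")
    if 1 not in certs:
        raise Exception("Server certificate issuer not received")

    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
                                           certs[0])
    cn = cert.get_subject().commonName
    logger.info("Server certificate CN=" + cn)

    issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
                                             certs[1])
    icn = issuer.get_subject().commonName
    logger.info("Issuer certificate CN=" + icn)

    # A CN comparison is sufficient for the test fixture; a real external
    # checker would verify the chain or pin the certificate.
    if cn != "server.w1.fi":
        raise Exception("Unexpected server certificate CN: " + cn)
    if icn != "Root CA":
        raise Exception("Unexpected server certificate issuer CN: " + icn)

    # Give wpa_supplicant a moment: it must still be blocked on the verdict.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
    if ev:
        raise Exception("Unexpected EAP-Success before external check result indication")

    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + req_id + ":good")
    dev[0].wait_connected()

    # Second round with a negative verdict. Flush the PMKSA cache and the
    # EAP-FAST PAC blob so that the reconnect goes through a full EAP
    # exchange again instead of a cached credential.
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    if "FAIL" in dev[0].request("PMKSA_FLUSH"):
        raise Exception("PMKSA_FLUSH failed")
    dev[0].request("SET blob fast_pac_auth_ext ")
    dev[0].request("RECONNECT")

    ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen (2)")
    req_id = _ext_cert_check_req_id(ev)
    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + req_id + ":bad")
    # A negative verdict must end in EAP-Failure; also watch for CONNECTED so
    # that a supplicant ignoring the verdict fails with a clear message
    # instead of a timeout.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED"], timeout=5)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    if "CTRL-EVENT-CONNECTED" in ev:
        raise Exception("Connection completed despite negative external certificate check result")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()


def _parse_peer_cert_event(ev):
    """Return (depth, hex_cert) from a CTRL-EVENT-EAP-PEER-CERT event line.

    depth is None and hex_cert is None when the respective 'depth=' or
    'cert=' field is absent from the event.
    """
    depth = None
    cert = None
    for v in ev.split(' '):
        if v.startswith("depth="):
            depth = int(v.split('=')[1])
        elif v.startswith("cert="):
            cert = v.split('=')[1]
    return depth, cert


def _ext_cert_check_req_id(ev):
    """Return the request id from a 'CTRL-REQ-EXT_CERT_CHECK-<id>:...' event."""
    return ev.split(':')[0].split('-')[-1]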
def test_eap_tls_errors(dev, apdev):
    """EAP-TLS error cases

    Each case injects a single memory allocation failure (alloc_fail) into a
    named function of the EAP-TLS peer code and checks that wpa_supplicant
    survives it: wait_fail_trigger() waits until the injected failure has
    actually been hit, after which the network is removed. None of the cases
    is expected to connect. The 'func;caller' form of the trigger restricts
    the failure to calls of func reached via caller (hwsim backtrace syntax).
    """
    params = int_eap_server_params()
    # Small server-side fragment size so that the fragment reassembly path
    # is exercised by the first case.
    params['fragment_size'] = '100'
    hostapd.add_ap(apdev[0], params)
    with alloc_fail(dev[0], 1,
                    "eap_peer_tls_reassemble_fragment"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    with alloc_fail(dev[0], 1, "eap_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       # NOTE(review): one argument line is missing from this
                       # listing at this point; the CTRL-REQ-PIN expectation
                       # below implies an engine/PIN related parameter here --
                       # confirm against the upstream file.
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        # This failure path is expected to surface as a PIN request to the
        # controller rather than as a crash or a silent retry.
        ev = dev[0].wait_event(["CTRL-REQ-PIN"], timeout=5)
        if ev is None:
            raise Exception("No CTRL-REQ-PIN seen")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Allocation failures on the key / session id derivation paths that run
    # after a successful TLS handshake.
    tests = ["eap_peer_tls_derive_key;eap_tls_success",
             "eap_peer_tls_derive_session_id;eap_tls_success",
             # NOTE(review): two further entries of this list are missing
             # from this listing.
             "eap_tls_get_session_id"]
    for func in tests:
        with alloc_fail(dev[0], 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                           identity="tls user@domain",
                           ca_cert="auth_serv/ca.pem",
                           client_cert="auth_serv/user.pem",
                           private_key="auth_serv/user.key",
                           # NOTE(review): one argument line is missing from
                           # this listing at this point.
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # UNAUTH-TLS: server-only TLS authentication, no client certificate.
    with alloc_fail(dev[0], 1, "eap_unauth_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
                       identity="unauth-tls", ca_cert="auth_serv/ca.pem",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init;eap_unauth_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
                       identity="unauth-tls", ca_cert="auth_serv/ca.pem",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # WFA-UNAUTH-TLS (Hotspot 2.0 OSEN variant), again without a client
    # certificate.
    with alloc_fail(dev[0], 1, "eap_wfa_unauth_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="WFA-UNAUTH-TLS",
                       identity="osen@example.com", ca_cert="auth_serv/ca.pem",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init;eap_wfa_unauth_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="WFA-UNAUTH-TLS",
                       identity="osen@example.com", ca_cert="auth_serv/ca.pem",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_ap_wpa2_eap_status(dev, apdev):
    """EAP state machine status information

    Polls STATUS-VERBOSE as fast as possible while a PEAP/EAP-TLS
    authentication is running and records every distinct value of the EAP
    state machine variables that was observed. The test checks that the
    authentication reaches the SUCCESS state while being polled; the
    collected values are only logged for inspection.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # PEAP with EAP-TLS as the inner method (ca_cert2/client_cert2/
    # private_key2 are the phase 2 credentials).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="cert user",
                   ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                   ca_cert2="auth_serv/ca.pem",
                   client_cert2="auth_serv/user.pem",
                   private_key2="auth_serv/user.key",
                   scan_freq="2412", wait_connect=False)
    success = False
    states = []            # distinct 'EAP state' values seen
    method_states = []     # distinct 'methodState' values seen
    decisions = []         # distinct 'decision' values seen
    req_methods = []       # distinct 'reqMethod' values seen
    selected_methods = []  # distinct 'selectedMethod' values seen
    connected = False
    for i in range(100000):
        # Every tenth iteration check (with a near-zero timeout, to keep the
        # polling fast) whether the connection completed in the meantime.
        if not connected and i % 10 == 9:
            ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=0.0001)
            if ev:
                connected = True
        s = dev[0].get_status(extra="VERBOSE")
        if 'EAP state' in s:
            state = s['EAP state']
            if state:
                if state not in states:
                    states.append(state)
                if state == "SUCCESS":
                    success = True
                    break
        if 'methodState' in s:
            val = s['methodState']
            if val not in method_states:
                method_states.append(val)
        if 'decision' in s:
            val = s['decision']
            if val not in decisions:
                decisions.append(val)
        if 'reqMethod' in s:
            val = s['reqMethod']
            if val not in req_methods:
                req_methods.append(val)
        if 'selectedMethod' in s:
            val = s['selectedMethod']
            if val not in selected_methods:
                selected_methods.append(val)
    logger.info("Iterations: %d" % i)
    logger.info("EAP states: " + str(states))
    logger.info("methodStates: " + str(method_states))
    logger.info("decisions: " + str(decisions))
    logger.info("reqMethods: " + str(req_methods))
    logger.info("selectedMethods: " + str(selected_methods))
    if not success:
        raise Exception("EAP did not succeed")
    # The CONNECTED event may already have been consumed by the poll loop.
    if not connected:
        dev[0].wait_connected()
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_gpsk_ptk_rekey_ap(dev, apdev):
    """WPA2-Enterprise with EAP-GPSK and PTK rekey enforced by AP"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # AP-initiated PTK rekey interval (seconds); short enough to fire within
    # the default event wait below.
    params['wpa_ptk_rekey'] = '2'
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "GPSK", "gpsk user",
                password="abcdefghijklmnop0123456789abcdef")
    # The next "Key negotiation completed" event after the connection has
    # been established indicates that the rekey 4-way handshake finished.
    rekeyed = dev[0].wait_event(["WPA: Key negotiation completed"])
    if rekeyed is None:
        raise Exception("PTK rekey timed out")
    # The data path must keep working with the freshly negotiated PTK.
    hwsim_utils.test_connectivity(dev[0], hapd)
def test_ap_wpa2_eap_wildcard_ssid(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK and wildcard SSID"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # No ssid in the profile: the network is selected by BSSID only, so the
    # profile matches whatever SSID that AP advertises. Server authentication
    # then rests solely on the EAP method (the shared GPSK key).
    target = apdev[0]['bssid']
    dev[0].connect(bssid=target, key_mgmt="WPA-EAP", eap="GPSK",
                   identity="gpsk user",
                   password="abcdefghijklmnop0123456789abcdef",
                   scan_freq="2412")
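def test_ap_wpa2_eap_psk_mac_addr_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK after MAC address change

    Changes the station's MAC address from outside wpa_supplicant, scans with
    the new address, changes it back while wpa_supplicant is stopped (so that
    the ifdown/ifup netlink events are only processed once the interface is
    already up again) and checks that EAP-PSK authentication still succeeds
    and that the original address is in use afterwards.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # Fail early if the process cannot be identified: the original code went
    # on with pid 0, and os.kill(0, SIGSTOP) would have stopped the whole
    # process group of the test runner instead of wpa_supplicant.
    pid = _find_wpas_pid(dev[0].ifname)
    logger.info("wpa_supplicant PID %d" % pid)

    addr = dev[0].get_status_field("address")
    _set_mac_addr(dev[0].ifname, '02:11:22:33:44:55')
    addr1 = dev[0].get_status_field("address")
    if addr1 != '02:11:22:33:44:55':
        raise Exception("Failed to change MAC address")

    # Scan using the externally set MAC address, stop the wpa_supplicant
    # process to avoid it from processing the ifdown event before the interface
    # is already UP, change the MAC address back, allow the wpa_supplicant
    # process to continue. This will result in the ifdown + ifup sequence of
    # RTM_NEWLINK events to be processed while the interface is already UP.
    # The finally block guarantees the address is restored and the process is
    # resumed even if the scan fails.
    import time
    try:
        dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
        os.kill(pid, signal.SIGSTOP)
        time.sleep(0.1)
    finally:
        _set_mac_addr(dev[0].ifname, addr)
        time.sleep(0.1)
        os.kill(pid, signal.SIGCONT)

    eap_connect(dev[0], hapd, "PSK", "psk.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")

    addr2 = dev[0].get_status_field("address")
    if addr != addr2:
        raise Exception("Failed to restore MAC address")


def _find_wpas_pid(ifname):
    """Return the PID of the wpa_supplicant process handling ifname.

    Scans 'ps -eo pid,command' for a wpa_supplicant command line that
    mentions ifname. The match is a plain substring match, so an interface
    name that is a prefix of another (wlan1 vs wlan10) could be ambiguous;
    the last matching process wins, as in the original lookup.

    Raises Exception when no such process is found, so that callers never
    signal PID 0 (the caller's own process group).
    """
    res = subprocess.check_output(['ps', '-eo', 'pid,command']).decode()
    pid = 0
    for p in res.splitlines():
        if "wpa_supplicant" not in p or ifname not in p:
            continue
        pid = int(p.strip().split(' ')[0])
    if pid == 0:
        raise Exception("Could not find wpa_supplicant PID for " + ifname)
    return pid


def _set_mac_addr(ifname, addr):
    """Bring ifname down, set its MAC address to addr and bring it up again.

    Best effort: failures of the individual 'ip link' calls are not raised
    here (the caller checks the resulting address where it matters), so that
    this can safely be used from a finally block.
    """
    for step in (['down'], ['address', addr], ['up']):
        subprocess.call(['ip', 'link', 'set', 'dev', ifname] + step)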
def test_ap_wpa2_eap_server_get_id(dev, apdev):
    """Internal EAP server and dot1xAuthSessionUserName"""
    hapd = hostapd.add_ap(apdev[0], int_eap_server_params())
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    # With the internal EAP server the session user name reported for the
    # STA is the EAP identity that was authenticated.
    sta = hapd.get_sta(dev[0].own_addr())
    try:
        user = sta['dot1xAuthSessionUserName']
    except KeyError:
        raise Exception("No dot1xAuthSessionUserName included")
    if user != "tls user":
        raise Exception("Unexpected dot1xAuthSessionUserName value: " + user)
def test_ap_wpa2_radius_server_get_id(dev, apdev):
    """External RADIUS server and dot1xAuthSessionUserName"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "TTLS", "test-user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # The STA authenticated as "test-user" but the AP is expected to report
    # "real-user": with an external RADIUS server the session user name is
    # the one the server returns, not the (unauthenticated) identity the STA
    # sent.
    sta = hapd.get_sta(dev[0].own_addr())
    try:
        user = sta['dot1xAuthSessionUserName']
    except KeyError:
        raise Exception("No dot1xAuthSessionUserName included")
    if user != "real-user":
        raise Exception("Unexpected dot1xAuthSessionUserName value: " + user)
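def test_openssl_systemwide_policy(dev, apdev, test_params):
    """OpenSSL systemwide policy and overrides

    Runs run_openssl_systemwide_policy() on a dedicated hwsim radio and makes
    sure the wpa_supplicant process that helper starts does not outlive the
    test, even when the helper fails part way through.

    test_params: test runner parameters; only 'logdir' is used (location of
    the pidfile written by the spawned wpa_supplicant).
    """
    prefix = "openssl_systemwide_policy"
    pidfile = os.path.join(test_params['logdir'], prefix + '.pid-wpas')
    try:
        with HWSimRadio() as (radio, iface):
            run_openssl_systemwide_policy(iface, apdev, test_params)
    finally:
        # TERMINATE at the end of the helper normally removes the pidfile; a
        # leftover pidfile means the process is still around (or the file is
        # stale from an aborted run). Either way, do not let a cleanup error
        # mask the real test result.
        if os.path.exists(pidfile):
            with open(pidfile, 'r') as f:
                content = f.read().strip()
            try:
                pid = int(content)
            except ValueError:
                logger.info("Ignoring unparseable pidfile content: %r" %
                            content)
            else:
                try:
                    os.kill(pid, signal.SIGTERM)
                except OSError as e:
                    # Stale pidfile: the process is already gone.
                    logger.info("Could not terminate wpa_supplicant PID %d: %s"
                                % (pid, e))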
def write_openssl_cnf(cnf, MinProtocol=None, CipherString=None):
    """Write a minimal OpenSSL configuration file defining a system-wide
    default TLS policy.

    The file uses the standard openssl_conf -> ssl_conf -> system_default
    section chain that libssl applies to every SSL_CTX when the file is
    loaded (e.g. via OPENSSL_CONF). MinProtocol and CipherString are only
    written when given; each becomes one 'key = value' line in the
    system_default section.

    cnf: path of the file to (over)write
    MinProtocol: e.g. "TLSv1.2", or None to leave the protocol floor unset
    CipherString: e.g. "DEFAULT@SECLEVEL=2", or None to leave it unset
    """
    lines = ["openssl_conf = default_conf",
             "[default_conf]",
             "ssl_conf = ssl_sect",
             "[ssl_sect]",
             "system_default = system_default_sect",
             "[system_default_sect]"]
    if MinProtocol:
        lines.append("MinProtocol = %s" % MinProtocol)
    if CipherString:
        lines.append("CipherString = %s" % CipherString)
    with open(cnf, "w") as f:
        f.write("\n".join(lines) + "\n")
def run_openssl_systemwide_policy(iface, apdev, test_params):
    """Check that the OpenSSL system-wide policy applies to wpa_supplicant
    and that per-network settings can override it.

    A separate wpa_supplicant process is started with OPENSSL_CONF pointing
    at a policy of MinProtocol=TLSv1.2 / CipherString=DEFAULT@SECLEVEL=2,
    while the AP's internal EAP server has TLS 1.1, 1.2 and 1.3 disabled, so
    only TLS 1.0 could ever be negotiated. Expected outcome:

    1. with the default network configuration the system policy wins and the
       client aborts the handshake with a local TLS alert;
    2. after lowering the per-network policy (openssl_ciphers
       DEFAULT@SECLEVEL=1 plus phase1 tls_disable_tlsv1_0=0) the connection
       succeeds, i.e. the per-network override takes precedence.

    Step 2 is a deliberate downgrade to TLS 1.0 that exists only to exercise
    the override path; it is not a configuration to copy into deployments.

    iface: interface of the hwsim radio to run wpa_supplicant on
    apdev: hwsim AP devices (apdev[0] is used)
    test_params: test runner parameters; only 'logdir' is used

    Raises HwsimSkip when wpa_supplicant is not built against OpenSSL or the
    OpenSSL build does not honour a system-wide policy, Exception otherwise
    on failure. The caller is responsible for killing the spawned process if
    this function does not reach TERMINATE.
    """
    prefix = "openssl_systemwide_policy"
    logfile = os.path.join(test_params['logdir'], prefix + '.log-wpas')
    pidfile = os.path.join(test_params['logdir'], prefix + '.pid-wpas')
    conffile = os.path.join(test_params['logdir'], prefix + '.conf')
    openssl_cnf = os.path.join(test_params['logdir'], prefix + '.openssl.cnf')

    write_openssl_cnf(openssl_cnf, "TLSv1.2", "DEFAULT@SECLEVEL=2")

    # Minimal wpa_supplicant config: only the control interface directory.
    with open(conffile, 'w') as f:
        f.write("ctrl_interface=DIR=/var/run/wpa_supplicant\n")

    params = int_eap_server_params()
    # Leave TLS 1.0 as the only protocol version the server will accept.
    params['tls_flags'] = "[DISABLE-TLSv1.1][DISABLE-TLSv1.2][DISABLE-TLSv1.3]"

    hapd = hostapd.add_ap(apdev[0], params)

    # Prefer an alternative build placed in logdir by the runner, else the
    # in-tree binary.
    prg = os.path.join(test_params['logdir'],
                       'alt-wpa_supplicant/wpa_supplicant/wpa_supplicant')
    if not os.path.exists(prg):
        prg = '../../wpa_supplicant/wpa_supplicant'
    # -B daemonize, -dd verbose debug, -t timestamps, -K include key material
    # in the debug log (test-only; never enable -K on a real system).
    arg = [prg, '-BddtK', '-P', pidfile, '-f', logfile,
           '-Dnl80211', '-c', conffile, '-i', iface]
    logger.info("Start wpa_supplicant: " + str(arg))
    # The child gets an environment consisting only of OPENSSL_CONF so that
    # exactly the policy file written above is loaded by libssl.
    subprocess.call(arg, env={'OPENSSL_CONF': openssl_cnf})
    wpas = WpaSupplicant(ifname=iface)
    if "PONG" not in wpas.request("PING"):
        raise Exception("Could not PING wpa_supplicant")
    tls = wpas.request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("Not using OpenSSL")

    # Use default configuration without any TLS version overrides. This should
    # end up using OpenSSL systemwide policy and result in failure to find a
    # compatible protocol version.
    ca_file = os.path.join(os.getcwd(), "auth_serv/ca.pem")
    id = wpas.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                      identity="pap user", anonymous_identity="ttls",
                      password="password", phase2="auth=PAP",
                      ca_cert=ca_file,
                      scan_freq="2412", wait_connect=False)
    ev = wpas.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("EAP not started")
    # The client itself must refuse the TLS 1.0-only server (local alert).
    # No alert means this OpenSSL build does not apply the policy at all.
    ev = wpas.wait_event(["CTRL-EVENT-EAP-STATUS status='local TLS alert'"],
                         timeout=5)
    if ev is None:
        raise HwsimSkip("OpenSSL systemwide policy not supported")
    wpas.request("DISCONNECT")
    wpas.wait_disconnected()
    wpas.dump_monitor()

    # Explicitly allow TLSv1.0 to be used to override OpenSSL systemwide policy
    wpas.set_network_quoted(id, "openssl_ciphers", "DEFAULT@SECLEVEL=1")
    wpas.set_network_quoted(id, "phase1", "tls_disable_tlsv1_0=0")
    wpas.select_network(id, freq="2412")
    wpas.wait_connected()

    # Normal shutdown removes the pidfile; see the caller for the fallback.
    wpas.request("TERMINATE")