1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2019, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Module-level (root) logger; the tests below use logger.info() for progress notes.
logger = logging.getLogger()
20 import socketserver
as SocketServer
25 from hwsim
import HWSimRadio
27 from utils
import HwsimSkip
, alloc_fail
, fail_test
, skip_with_fips
, wait_fail_trigger
, require_under_vm
28 from wpasupplicant
import WpaSupplicant
29 from test_ap_psk
import check_mib
, find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
, set_test_assoc_ie
33 openssl_imported
= True
35 openssl_imported
= False
def check_hlr_auc_gw_support():
    """Skip the test when the hlr_auc_gw control socket is absent.

    The EAP-SIM tests in this file rely on the hlr_auc_gw helper listening
    on /tmp/hlr_auc_gw.sock; without it there is no GSM authentication
    backend to talk to.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
def check_eap_capa(dev, method):
    """Skip the test unless *method* appears in the build's EAP capabilities.

    dev: wpa_supplicant instance; its get_capability("eap") result is searched
         with the ``in`` operator, so both list and string results work.
    method: EAP method name, e.g. "SIM".
    """
    supported = dev.get_capability("eap")
    if method in supported:
        return
    raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip the test unless the TLS library supports subject_match.

    Only OpenSSL and wolfSSL builds (as reported by "GET tls_library") pass.
    """
    lib = dev.request("GET tls_library")
    if lib.startswith(("OpenSSL", "wolfSSL")):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + lib)
def check_check_cert_subject_support(dev):
    """Skip the test unless the TLS library is OpenSSL.

    check_cert_subject is only exercised with OpenSSL builds.
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("check_cert_subject not supported with this TLS library: " + lib)
def check_altsubject_match_support(dev):
    """Skip the test unless the TLS library supports altsubject_match.

    Accepted libraries: OpenSSL and wolfSSL.
    """
    lib = dev.request("GET tls_library")
    if lib.startswith(("OpenSSL", "wolfSSL")):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + lib)
def check_domain_match(dev):
    """Skip the test when the internal TLS library is in use.

    domain_match is not tested against the internal TLS implementation.
    """
    lib = dev.request("GET tls_library")
    if not lib.startswith("internal"):
        return
    raise HwsimSkip("domain_match not supported with this TLS library: " + lib)
def check_domain_suffix_match(dev):
    """Skip the test when the internal TLS library is in use.

    domain_suffix_match is not tested against the internal TLS implementation.
    """
    lib = dev.request("GET tls_library")
    if not lib.startswith("internal"):
        return
    raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + lib)
def check_domain_match_full(dev):
    """Skip the test unless domain_suffix_match can do a full-domain match.

    Only OpenSSL and wolfSSL builds are accepted here.
    """
    lib = dev.request("GET tls_library")
    if lib.startswith(("OpenSSL", "wolfSSL")):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + lib)
def check_cert_probe_support(dev):
    """Skip the test unless certificate probing is available.

    Accepted libraries: OpenSSL and the internal TLS implementation.
    """
    lib = dev.request("GET tls_library")
    if lib.startswith(("OpenSSL", "internal")):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + lib)
def check_ext_cert_check_support(dev):
    """Skip the test unless the TLS library is OpenSSL (ext_cert_check)."""
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("ext_cert_check not supported with this TLS library: " + lib)
def check_ocsp_support(dev):
    """Skip the test when the TLS library is wolfSSL.

    OCSP tests currently run with every other library (the internal and
    BoringSSL exclusions that used to live here have been lifted).
    """
    lib = dev.request("GET tls_library")
    if not lib.startswith("wolfSSL"):
        return
    raise HwsimSkip("OCSP not supported with this TLS library: " + lib)
def check_pkcs5_v15_support(dev):
    """Skip the test when the TLS library cannot handle PKCS#5 v1.5 key files.

    BoringSSL and GnuTLS builds are excluded (substring match on the
    "GET tls_library" reply).
    """
    lib = dev.request("GET tls_library")
    if any(name in lib for name in ("BoringSSL", "GnuTLS")):
        raise HwsimSkip("PKCS#5 v1.5 not supported with this TLS library: " + lib)
def check_ocsp_multi_support(dev):
    """Skip the test unless both ends use the internal TLS implementation.

    The station's library is read from *dev*; the authentication server's
    from the "as" hostapd instance. ocsp_multi is only exercised when both
    report "internal".
    """
    sta_lib = dev.request("GET tls_library")
    if not sta_lib.startswith("internal"):
        raise HwsimSkip("OCSP-multi not supported with this TLS library: " + sta_lib)
    # The server handle is only needed for this one query.
    srv_lib = hostapd.Hostapd("as").request("GET tls_library")
    if not srv_lib.startswith("internal"):
        raise HwsimSkip("Authentication server does not support ocsp_multi")
def check_pkcs12_support(dev):
    """Skip the test when the TLS library is wolfSSL (no PKCS#12 support)."""
    lib = dev.request("GET tls_library")
    if not lib.startswith("wolfSSL"):
        return
    raise HwsimSkip("PKCS#12 not supported with this TLS library: " + lib)
def check_dh_dsa_support(dev):
    """Skip the test when the internal TLS library is in use (no DH DSA)."""
    lib = dev.request("GET tls_library")
    if not lib.startswith("internal"):
        return
    raise HwsimSkip("DH DSA not supported with this TLS library: " + lib)
123 with
open(fname
, "r") as f
:
124 lines
= f
.readlines()
132 if "-----BEGIN" in l
:
134 return base64
.b64decode(cert
)
def eap_connect(dev, hapd, method, identity,
                sha256=False, expect_failure=False, local_error_report=False,
                maybe_local_error=False, report_failure=False,
                expect_cert_error=None, **kwargs):
    """Add the test-wpa2-eap network to *dev*, run EAP and verify the outcome.

    dev: station to configure (WpaSupplicant instance).
    hapd: AP instance whose AP-STA-CONNECTED event is awaited on success;
          may be None/falsy to skip that check.
    method, identity: EAP method and identity for the network profile.
    sha256 .. expect_cert_error: forwarded to eap_check_auth(), which does
          the event and status verification.
    kwargs: any further network parameters (password, ca_cert, phase1, ...).

    Returns the network id assigned by wpa_supplicant.
    """
    net_id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                         eap=method, identity=identity,
                         wait_connect=False, scan_freq="2412", ieee80211w="1",
                         **kwargs)
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report,
                   maybe_local_error=maybe_local_error,
                   report_failure=report_failure,
                   expect_cert_error=expect_cert_error)
    # An expected failure has already been verified above; the AP-side
    # connection event is only awaited for a successful exchange.
    if not expect_failure and hapd:
        if hapd.wait_event(["AP-STA-CONNECTED"], timeout=5) is None:
            raise Exception("No connection event received from hostapd")
    return net_id
def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False,
                   maybe_local_error=False, report_failure=False,
                   expect_cert_error=None):
    """Follow an EAP exchange on *dev* through its control-interface events.

    dev: station (WpaSupplicant or anything with wait_event(),
         wait_disconnected() and get_status()).
    method: EAP method name expected both in CTRL-EVENT-EAP-METHOD and in
         the selectedMethod status field.
    initial: True for the first association (wait for CTRL-EVENT-CONNECTED);
         False for a reauthentication (wait for the key negotiation only).
    rsn, sha256: select the key_mgmt string expected in the final status.
    expect_failure: the exchange must end in EAP-Failure and a disconnection.
    local_error_report: when failing, do not insist on reason=23.
    maybe_local_error: tolerate a locally generated failure or disconnection.
    report_failure: wait for SUCCESS or FAILURE and raise on FAILURE.
    expect_cert_error: reason code of a CTRL-EVENT-EAP-TLS-CERT-ERROR that
         must be seen before the exchange completes.

    Returns the status dictionary on success, None on an expected failure or
    on a tolerated local error. Raises Exception on any timeout or mismatch.
    """
    def wait_for(events, timeout, timeout_msg):
        # Every wait in this helper treats a timeout as a test failure.
        event = dev.wait_event(events, timeout=timeout)
        if event is None:
            raise Exception(timeout_msg)
        return event

    wait_for(["CTRL-EVENT-EAP-STARTED"], 16,
             "Association and EAP start timed out")
    event = wait_for(["CTRL-EVENT-EAP-METHOD", "CTRL-EVENT-EAP-FAILURE"], 10,
                     "EAP method selection timed out")
    if "CTRL-EVENT-EAP-FAILURE" in event:
        if maybe_local_error:
            return None
        raise Exception("Could not select EAP method")
    if method not in event:
        raise Exception("Unexpected EAP method")

    if expect_cert_error is not None:
        event = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                                "CTRL-EVENT-EAP-FAILURE",
                                "CTRL-EVENT-EAP-SUCCESS"], timeout=5)
        # The trailing space keeps e.g. reason=1 from matching reason=10.
        if event is None or "reason=%d " % expect_cert_error not in event:
            raise Exception("Expected certificate error not reported")

    if expect_failure:
        event = wait_for(["CTRL-EVENT-EAP-FAILURE", "CTRL-EVENT-EAP-SUCCESS"],
                         5, "EAP failure timed out")
        if "CTRL-EVENT-EAP-SUCCESS" in event:
            raise Exception("Unexpected EAP success")
        disconnect = dev.wait_disconnected(timeout=10)
        if maybe_local_error and "locally_generated=1" in disconnect:
            return None
        # Reason 23 (IEEE 802.1X authentication failed) is the code the AP
        # is expected to use when it drops the station after EAP-Failure.
        if not local_error_report and "reason=23" not in disconnect:
            raise Exception("Proper reason code for disconnection not reported")
        return None

    if report_failure:
        event = wait_for(["CTRL-EVENT-EAP-SUCCESS", "CTRL-EVENT-EAP-FAILURE"],
                         10, "EAP success timed out")
        if "CTRL-EVENT-EAP-SUCCESS" not in event:
            raise Exception("EAP failed")
    else:
        wait_for(["CTRL-EVENT-EAP-SUCCESS"], 10, "EAP success timed out")

    if initial:
        completion = ["CTRL-EVENT-CONNECTED"]
    else:
        completion = ["WPA: Key negotiation completed"]
    wait_for(completion, 10, "Association with the AP timed out")

    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if "selectedMethod" not in status:
        logger.info("Status: " + str(status))
        raise Exception("No selectedMethod in status")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")

    if sha256:
        expected_key_mgmt = "WPA2-EAP-SHA256"
    elif rsn:
        expected_key_mgmt = "WPA2/IEEE 802.1X/EAP"
    else:
        expected_key_mgmt = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != expected_key_mgmt:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
    return status
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger REAUTHENTICATE on *dev* and verify the resulting EAP exchange.

    This is the reauthentication counterpart of eap_connect(): no network is
    added, and eap_check_auth() is run with initial=False so that only the
    key negotiation (not a new association) is awaited.

    Returns whatever eap_check_auth() returns (the status dict on success).
    """
    dev.request("REAUTHENTICATE")
    check_args = dict(rsn=rsn, sha256=sha256, expect_failure=expect_failure)
    return eap_check_auth(dev, method, False, **check_args)
def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Test-only Milenage Ki:OPc value matching the hlr_auc_gw database.
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"

    eap_connect(dev[0], hapd, "SIM", "1232010000000000", password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "SIM")

    eap_connect(dev[1], hapd, "SIM", "1232010000000001", password=good_key)
    # ...0002 is not provisioned on the server side, so this one must fail.
    eap_connect(dev[2], hapd, "SIM", "1232010000000002", password=good_key,
                expect_failure=True)

    def expect_rejection(description, **network_args):
        # Each negative case starts from a clean profile list on dev[0].
        logger.info(description)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], hapd, "SIM", "1232010000000000",
                    expect_failure=True, **network_args)

    expect_rejection("Negative test with incorrect key",
                     password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    expect_rejection("Invalid GSM-Milenage key",
                     password="ffdca4eda45b53cf0f12d7c9c3bc6a")
    expect_rejection("Invalid GSM-Milenage key(2)",
                     password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581")
    expect_rejection("Invalid GSM-Milenage key(3)",
                     password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q")
    expect_rejection("Invalid GSM-Milenage key(4)",
                     password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581")
    expect_rejection("Missing key configuration")
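def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)"""
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")

    # Fix: the sqlite3 connection used to be left open for the rest of the
    # test run; it is now closed on every exit path.
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    try:
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        # Alternative authentication server port; the database edited below
        # is assumed to belong to that server instance (see auth_serv config).
        ap_params['auth_server_port'] = "1814"
        hapd = hostapd.add_ap(apdev[0], ap_params)
        permanent = "1232010000000000"
        sim_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"

        def run_sql(statement):
            # "with con" commits when the block exits, so each edit is
            # visible in the file before the next reauthentication.
            with con:
                con.cursor().execute(statement)

        eap_connect(dev[0], hapd, "SIM", permanent, password=sim_key)

        logger.info("SIM fast re-authentication")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM full auth with pseudonym")
        run_sql("DELETE FROM reauth WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM full auth with permanent identity")
        run_sql("DELETE FROM reauth WHERE permanent='1232010000000000'")
        run_sql("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM reauth with mismatching MK")
        run_sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "SIM", permanent, password=sim_key)
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
        logger.info("SIM reauth with mismatching counter")
        eap_reauth(dev[0], "SIM")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "SIM", permanent, password=sim_key)
        run_sql("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
        logger.info("SIM reauth with max reauth count reached")
        eap_reauth(dev[0], "SIM")
    finally:
        con.close()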
def test_ap_wpa2_eap_sim_config(dev, apdev):
    """EAP-SIM configuration options"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    sim_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    init_failure = "EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"

    # sim_min_num_chal values 1 and 4 are rejected when the method is
    # initialized; the profile is removed again after each attempt.
    rejected = (("sim_min_num_chal=1", "No EAP error message seen"),
                ("sim_min_num_chal=4", "No EAP error message seen (2)"))
    for phase1, missing_msg in rejected:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                       identity="1232010000000000",
                       password=sim_key,
                       phase1=phase1,
                       wait_connect=False, scan_freq="2412")
        if dev[0].wait_event([init_failure], timeout=10) is None:
            raise Exception(missing_msg)
        dev[0].request("REMOVE_NETWORK all")

    # Accepted configurations: two challenges, and an anonymous identity.
    eap_connect(dev[0], hapd, "SIM", "1232010000000000",
                password=sim_key, phase1="sim_min_num_chal=2")
    eap_connect(dev[1], hapd, "SIM", "1232010000000000",
                password=sim_key, anonymous_identity="345678")
def test_ap_wpa2_eap_sim_id_0(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM (no pseudonym or reauth)"""
    # eap_sim_id=0 on the server: no pseudonym and no fast reauth identity.
    run_ap_wpa2_eap_sim_id(dev, apdev, eap_sim_id=0)
def test_ap_wpa2_eap_sim_id_1(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM (pseudonym, no reauth)"""
    # eap_sim_id=1 on the server: pseudonym identity only.
    run_ap_wpa2_eap_sim_id(dev, apdev, eap_sim_id=1)
def test_ap_wpa2_eap_sim_id_2(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM (no pseudonym, reauth)"""
    # eap_sim_id=2 on the server: fast reauth identity only.
    run_ap_wpa2_eap_sim_id(dev, apdev, eap_sim_id=2)
def test_ap_wpa2_eap_sim_id_3(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM (pseudonym and reauth)"""
    # eap_sim_id=3 on the server: both pseudonym and fast reauth identities.
    run_ap_wpa2_eap_sim_id(dev, apdev, eap_sim_id=3)
def run_ap_wpa2_eap_sim_id(dev, apdev, eap_sim_id):
    """Run an EAP-SIM connect + reauth against hostapd's integrated EAP server.

    eap_sim_id: value for the hostapd eap_sim_id option (identity handling
                mode); it is written as a string into the AP configuration.
    """
    check_hlr_auc_gw_support()
    params = int_eap_server_params()
    params.update({'eap_sim_id': str(eap_sim_id),
                   'eap_sim_db': 'unix:/tmp/hlr_auc_gw.sock'})
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    eap_reauth(dev[0], "SIM")
def test_ap_wpa2_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
    # external_sim is a global wpa_supplicant setting (SET, not SET_NETWORK);
    # restore the default even if the test body raises.
    try:
        _test_ap_wpa2_eap_sim_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext(dev, apdev):
    """Feed malformed external-SIM replies to EAP-SIM and expect EAP-Failure each time.

    The first attempt answers a GSM-AUTH request with a UMTS-AUTH response;
    the following ones answer with GSM-AUTH responses that are truncated or
    contain non-hex characters. Every attempt must end in
    CTRL-EVENT-EAP-FAILURE.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    sta = dev[0]
    sta.request("SET external_sim 1")
    net_id = sta.connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                         identity="1232010000000000",
                         wait_connect=False, scan_freq="2412")
    if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("Network connected timed out")

    def wait_gsm_auth_request():
        # Returns the request id from "CTRL-REQ-SIM-<id>:GSM-AUTH:..."
        req = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
        if req is None:
            raise Exception("Wait for external SIM processing request timed out")
        fields = req.split(':', 2)
        if fields[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return fields[0].split('-')[3]

    def expect_eap_failure():
        if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")

    req_id = wait_gsm_auth_request()
    # IK:CK:RES, i.e. a UMTS response to a GSM request. This fails during
    # processing, but the ctrl_iface command itself succeeds.
    umts_resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    sta.request("CTRL-RSP-SIM-" + req_id + ":UMTS-AUTH:" + umts_resp)
    expect_eap_failure()

    # Each of these fails GSM auth response validation in wpa_supplicant.
    bad_gsm_responses = ["q",
                         "34",
                         "0011223344556677",
                         "0011223344556677:q",
                         "0011223344556677:00112233",
                         "0011223344556677:00112233:q"]
    for bad in bad_gsm_responses:
        sta.request("DISCONNECT")
        sta.wait_disconnected()
        time.sleep(0.1)

        sta.select_network(net_id, freq="2412")
        req_id = wait_gsm_auth_request()
        if "OK" not in sta.request("CTRL-RSP-SIM-" + req_id + ":GSM-AUTH:" + bad):
            raise Exception("CTRL-RSP-SIM failed")
        expect_eap_failure()
def test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
    """EAP-SIM with external GSM auth and replacing SIM without clearing pseudonym id"""
    # external_sim is a global setting; always switch it back off afterwards.
    try:
        _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
    """Change the SIM identity but keep the old pseudonym; the reconnect must fail.

    The first connection authenticates IMSI 232010000000000 via hlr_auc_gw.
    The identity is then switched to ...0009 while the pseudonym learned for
    the old SIM stays in the profile, so the server must answer EAP-Failure.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    sta = dev[0]
    sta.request("SET external_sim 1")

    def answer_gsm_auth(imsi):
        # Wait for CTRL-REQ-SIM, run the RAND through hlr_auc_gw for *imsi*
        # and hand the GSM-AUTH response back to wpa_supplicant.
        req = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
        if req is None:
            raise Exception("Wait for external SIM processing request timed out")
        fields = req.split(':', 2)
        if fields[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        req_id = fields[0].split('-')[3]
        rand = fields[2].split(' ')[0]
        # argv list without a shell: the RAND taken from the control interface
        # event is passed as one argument and is never shell-interpreted.
        out = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                       "-m",
                                       "auth_serv/hlr_auc_gw.milenage_db",
                                       "GSM-AUTH-REQ " + imsi + " " + rand]).decode()
        if "GSM-AUTH-RESP" not in out:
            raise Exception("Unexpected hlr_auc_gw response")
        auth_resp = out.split(' ')[2].rstrip()
        sta.request("CTRL-RSP-SIM-" + req_id + ":GSM-AUTH:" + auth_resp)

    net_id = sta.connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                         identity="1232010000000000",
                         wait_connect=False, scan_freq="2412")
    answer_gsm_auth("232010000000000")
    sta.wait_connected(timeout=15)
    sta.request("DISCONNECT")
    sta.wait_disconnected()

    # Replace SIM, but forget to drop the previous pseudonym identity
    sta.set_network_quoted(net_id, "identity", "1232010000000009")
    sta.select_network(net_id, freq="2412")
    answer_gsm_auth("232010000000009")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
        raise Exception("EAP-Failure not reported")
    sta.request("DISCONNECT")
    sta.wait_disconnected()
def test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
    """EAP-SIM with external GSM auth and replacing SIM and clearing pseudonym identity"""
    # external_sim is a global setting; always switch it back off afterwards.
    try:
        _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
    """Change the SIM identity and clear the pseudonym; the reconnect must succeed.

    Same flow as the replace_sim variant, except that anonymous_identity is
    reset to NULL together with the new identity, so the second
    authentication completes normally.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    sta = dev[0]
    sta.request("SET external_sim 1")

    def answer_gsm_auth(imsi):
        # Wait for CTRL-REQ-SIM, run the RAND through hlr_auc_gw for *imsi*
        # and hand the GSM-AUTH response back to wpa_supplicant.
        req = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
        if req is None:
            raise Exception("Wait for external SIM processing request timed out")
        fields = req.split(':', 2)
        if fields[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        req_id = fields[0].split('-')[3]
        rand = fields[2].split(' ')[0]
        # argv list without a shell: the RAND from the control interface event
        # is passed as a single argument.
        out = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                       "-m",
                                       "auth_serv/hlr_auc_gw.milenage_db",
                                       "GSM-AUTH-REQ " + imsi + " " + rand]).decode()
        if "GSM-AUTH-RESP" not in out:
            raise Exception("Unexpected hlr_auc_gw response")
        auth_resp = out.split(' ')[2].rstrip()
        sta.request("CTRL-RSP-SIM-" + req_id + ":GSM-AUTH:" + auth_resp)

    net_id = sta.connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                         identity="1232010000000000",
                         wait_connect=False, scan_freq="2412")
    answer_gsm_auth("232010000000000")
    sta.wait_connected(timeout=15)
    sta.request("DISCONNECT")
    sta.wait_disconnected()

    # Replace SIM and drop the previous pseudonym identity
    sta.set_network_quoted(net_id, "identity", "1232010000000009")
    sta.set_network(net_id, "anonymous_identity", "NULL")
    sta.select_network(net_id, freq="2412")
    answer_gsm_auth("232010000000009")
    sta.wait_connected()
    sta.request("DISCONNECT")
    sta.wait_disconnected()
def test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
    """EAP-SIM with external GSM auth, replacing SIM, and no identity in config"""
    # external_sim is a global setting; always switch it back off afterwards.
    try:
        _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
    """Replace the SIM with no identity in the profile; identity is supplied on request.

    The profile carries no identity, so wpa_supplicant asks for it with
    CTRL-REQ-IDENTITY before each authentication. After the first
    connection both identity and anonymous_identity are reset to NULL and
    the new SIM's identity is provided the same way.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    sta = dev[0]
    sta.request("SET external_sim 1")

    def provide_identity(identity):
        # CTRL-REQ-IDENTITY-<id>:... -> CTRL-RSP-IDENTITY-<id>:<identity>
        req = sta.wait_event(["CTRL-REQ-IDENTITY"])
        if req is None:
            raise Exception("Request for identity timed out")
        req_id = req.split(':')[0].split('-')[-1]
        sta.request("CTRL-RSP-IDENTITY-" + req_id + ":" + identity)

    def answer_gsm_auth(imsi):
        # Wait for CTRL-REQ-SIM, run the RAND through hlr_auc_gw for *imsi*
        # and hand the GSM-AUTH response back to wpa_supplicant.
        req = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
        if req is None:
            raise Exception("Wait for external SIM processing request timed out")
        fields = req.split(':', 2)
        if fields[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        req_id = fields[0].split('-')[3]
        rand = fields[2].split(' ')[0]
        # argv list without a shell: the RAND from the control interface event
        # is passed as a single argument.
        out = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                       "-m",
                                       "auth_serv/hlr_auc_gw.milenage_db",
                                       "GSM-AUTH-REQ " + imsi + " " + rand]).decode()
        if "GSM-AUTH-RESP" not in out:
            raise Exception("Unexpected hlr_auc_gw response")
        auth_resp = out.split(' ')[2].rstrip()
        sta.request("CTRL-RSP-SIM-" + req_id + ":GSM-AUTH:" + auth_resp)

    net_id = sta.connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                         wait_connect=False, scan_freq="2412")
    provide_identity("1232010000000000")
    answer_gsm_auth("232010000000000")
    sta.wait_connected(timeout=15)
    sta.request("DISCONNECT")
    sta.wait_disconnected()

    # Replace SIM and drop the previous permanent and pseudonym identities
    sta.set_network(net_id, "identity", "NULL")
    sta.set_network(net_id, "anonymous_identity", "NULL")
    sta.select_network(net_id, freq="2412")
    provide_identity("1232010000000009")
    answer_gsm_auth("232010000000009")
    sta.wait_connected()
    sta.request("DISCONNECT")
    sta.wait_disconnected()
def test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
    """EAP-SIM with external GSM auth and auth failing"""
    # external_sim is a global setting; always switch it back off afterwards.
    try:
        _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
    """Answer the external SIM request with GSM-FAIL and expect EAP-Failure."""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    sta = dev[0]
    sta.request("SET external_sim 1")
    sta.connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                identity="1232010000000000",
                wait_connect=False, scan_freq="2412")

    req = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if req is None:
        raise Exception("Wait for external SIM processing request timed out")
    # Only the request id is needed; the request type is not checked here.
    req_id = req.split(':', 2)[0].split('-')[3]
    sta.request("CTRL-RSP-SIM-" + req_id + ":GSM-FAIL")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5) is None:
        raise Exception("EAP failure not reported")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
def test_ap_wpa2_eap_sim_change_bssid(dev, apdev):
    """EAP-SIM and external GSM auth to check fast reauth with bssid change"""
    # external_sim is a global setting; always switch it back off afterwards.
    try:
        _test_ap_wpa2_eap_sim_change_bssid(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_change_bssid(dev, apdev):
    """Full EAP-SIM auth via external GSM auth, then reauth after a bssid change.

    A SET_NETWORK of bssid=any must not invalidate the fast reauthentication
    state, so eap_reauth() is expected to succeed afterwards.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    sta = dev[0]
    sta.request("SET external_sim 1")
    net_id = sta.connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                         identity="1232010000000000",
                         wait_connect=False, scan_freq="2412")

    req = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if req is None:
        raise Exception("Wait for external SIM processing request timed out")
    fields = req.split(':', 2)
    if fields[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    req_id = fields[0].split('-')[3]
    rand = fields[2].split(' ')[0]

    # argv list without a shell: the RAND from the control interface event is
    # passed as a single argument.
    out = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "-m",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand]).decode()
    if "GSM-AUTH-RESP" not in out:
        raise Exception("Unexpected hlr_auc_gw response")
    auth_resp = out.split(' ')[2].rstrip()

    sta.request("CTRL-RSP-SIM-" + req_id + ":GSM-AUTH:" + auth_resp)
    sta.wait_connected(timeout=15)
    # NOTE(review): one line after wait_connected() is unreadable in the
    # rendered source; hapd is otherwise unused, so hapd.wait_sta() is assumed.
    hapd.wait_sta()

    # Verify that EAP-SIM Reauthentication can be used after a profile change
    # that does not affect EAP parameters.
    sta.set_network(net_id, "bssid", "any")
    eap_reauth(sta, "SIM")
def test_ap_wpa2_eap_sim_no_change_set(dev, apdev):
    """EAP-SIM and external GSM auth to check fast reauth with no-change SET_NETWORK"""
    # external_sim is a global setting; always switch it back off afterwards.
    try:
        _test_ap_wpa2_eap_sim_no_change_set(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_no_change_set(dev, apdev):
    """Full EAP-SIM auth via external GSM auth, then reauth after no-op SET_NETWORKs.

    SET_NETWORK commands that re-apply the already configured values must
    not clear the fast reauthentication state.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    sta = dev[0]
    sta.request("SET external_sim 1")
    net_id = sta.connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                         identity="1232010000000000",
                         wait_connect=False, scan_freq="2412")

    req = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if req is None:
        raise Exception("Wait for external SIM processing request timed out")
    fields = req.split(':', 2)
    if fields[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    req_id = fields[0].split('-')[3]
    rand = fields[2].split(' ')[0]

    # argv list without a shell: the RAND from the control interface event is
    # passed as a single argument.
    out = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "-m",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand]).decode()
    if "GSM-AUTH-RESP" not in out:
        raise Exception("Unexpected hlr_auc_gw response")
    auth_resp = out.split(' ')[2].rstrip()

    sta.request("CTRL-RSP-SIM-" + req_id + ":GSM-AUTH:" + auth_resp)
    sta.wait_connected(timeout=15)
    # NOTE(review): one line after wait_connected() is unreadable in the
    # rendered source; hapd is otherwise unused, so hapd.wait_sta() is assumed.
    hapd.wait_sta()

    # Verify that EAP-SIM Reauthentication can be used after network profile
    # SET_NETWORK commands that do not actually change previously set
    # values.
    unchanged = (("key_mgmt", "WPA-EAP"),
                 ("eap", "SIM"))
    for field, value in unchanged:
        sta.set_network(net_id, field, value)
    sta.set_network_quoted(net_id, "identity", "1232010000000000")
    sta.set_network_quoted(net_id, "ssid", "test-wpa2-eap")
    eap_reauth(sta, "SIM")
def test_ap_wpa2_eap_sim_ext_anonymous(dev, apdev):
    """EAP-SIM with external GSM auth and anonymous identity"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # Both a full anonymous NAI and a bare realm are tried; the helper turns
    # external_sim on, so it is switched back off here whatever happens.
    try:
        for anon in ("anonymous@example.org", "@example.org"):
            run_ap_wpa2_eap_sim_ext_anonymous(dev, anon)
    finally:
        dev[0].request("SET external_sim 0")
def test_ap_wpa2_eap_sim_ext_anonymous_no_pseudonym(dev, apdev):
    """EAP-SIM with external GSM auth and anonymous identity without pseudonym update"""
    check_hlr_auc_gw_support()
    params = int_eap_server_params()
    # eap_sim_id=0: the integrated EAP server hands out no pseudonym, so the
    # configured anonymous_identity must stay as it is (anon_id_change=False).
    params.update({'eap_sim_id': '0',
                   'eap_sim_db': 'unix:/tmp/hlr_auc_gw.sock'})
    hostapd.add_ap(apdev[0], params)
    try:
        for anon in ("anonymous@example.org", "@example.org"):
            run_ap_wpa2_eap_sim_ext_anonymous(dev, anon, anon_id_change=False)
    finally:
        dev[0].request("SET external_sim 0")
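def run_ap_wpa2_eap_sim_ext_anonymous(dev, anon, anon_id_change=True):
    """Connect with EAP-SIM over external GSM auth using anonymous identity *anon*.

    Answers the single CTRL-REQ-SIM GSM-AUTH request with a triplet computed
    by hlr_auc_gw, waits for the association and then checks whether the
    profile's ``anonymous_identity`` was replaced by a pseudonym
    (``anon_id_change=True``) or left alone (``anon_id_change=False``).
    Removes the network and drains the monitor before returning.
    """
    dev[0].request("SET external_sim 1")
    netid = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                           identity="1232010000000000",
                           anonymous_identity=anon,
                           wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    p = ev.split(':', 2)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]

    # "-m" selects the Milenage subscriber database (that argument line was
    # dropped by the rendered page, orig. 914).
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "-m",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand]).decode()
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()

    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev[0].wait_connected(timeout=5)
    anon_id = dev[0].get_network(netid, "anonymous_identity").strip('"')
    if anon_id_change and anon == anon_id:
        raise Exception("anonymous_identity did not change")
    if not anon_id_change and anon != anon_id:
        raise Exception("anonymous_identity changed")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()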
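def test_ap_wpa2_eap_sim_oom(dev, apdev):
    """EAP-SIM and OOM

    Injects an allocation failure into the 1st..12th call of
    ``milenage_f2345`` on the station and checks that EAP-SIM is still
    selected and the connection fails cleanly each time.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # Same function at every failure index; the list was spelled out
    # literally in the original.
    tests = [(count, "milenage_f2345") for count in range(1, 13)]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                           identity="1232010000000000",
                           password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            if ev is None:
                raise Exception("EAP method not selected")
            dev[0].wait_disconnected()
            dev[0].request("REMOVE_NETWORK all")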
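def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA

    Positive case with fast re-authentication, followed by a series of
    negative cases: wrong key, malformed Milenage key strings (wrong
    length, non-hex digit in each field, wrong separators) and a missing
    key.  Every negative case must end in an EAP failure.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA")

    # NOTE(review): the rendered page dropped the closing
    # "expect_failure=True)" argument of the next four calls (orig. 974,
    # 980, 985, 990); they are negative tests per the log messages.
    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                expect_failure=True)

    logger.info("Invalid Milenage key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a",
                expect_failure=True)

    logger.info("Invalid Milenage key(2)")
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                expect_failure=True)

    logger.info("Invalid Milenage key(3)")
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
                expect_failure=True)

    logger.info("Invalid Milenage key(4)")
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
                expect_failure=True)

    logger.info("Invalid Milenage key(5)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
                expect_failure=True)

    logger.info("Invalid Milenage key(6)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
                expect_failure=True)

    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                expect_failure=True)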
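def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)

    Uses the SQLite-backed EAP server state (hostapd.db in the log
    directory) and manipulates the ``reauth``/``pseudonyms`` tables
    directly to force full authentication, a MK mismatch, a counter
    mismatch and the reauth-count limit.
    """
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    try:
        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['auth_server_port'] = "1814"
        hapd = hostapd.add_ap(apdev[0], params)
        eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                    password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")

        logger.info("AKA fast re-authentication")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with pseudonym")
        # Constant-string SQL on a test database; no external input reaches it.
        with con:
            cur = con.cursor()
            cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with permanent identity")
        with con:
            cur = con.cursor()
            cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
            cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA reauth with mismatching MK")
        with con:
            cur = con.cursor()
            cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                    password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
        with con:
            cur = con.cursor()
            cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        with con:
            cur = con.cursor()
            cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
        logger.info("AKA reauth with mismatching counter")
        eap_reauth(dev[0], "AKA")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                    password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
        with con:
            cur = con.cursor()
            cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
        logger.info("AKA reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA")
    finally:
        # The original left the connection open; close it so the db file is
        # not held across tests.
        con.close()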
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options

    Single successful EAP-AKA connection with a numeric anonymous identity
    configured alongside the permanent IMSI-style identity.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    milenage_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], ap, "AKA", "0232010000000000",
                password=milenage_key,
                anonymous_identity="2345678")
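def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth

    Thin wrapper that guarantees ``external_sim`` is switched back off on
    dev[0] however the body ends (the try/finally lines were dropped by
    the rendered page, orig. 1082/1084).
    """
    try:
        _test_ap_wpa2_eap_aka_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")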
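def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_ext (caller resets external_sim).

    Feeds deliberately wrong answers into the external UMTS auth path of
    EAP-AKA: a GSM-AUTH reply to a UMTS-AUTH request, two invalid UMTS-AUTS
    values, and a list of malformed UMTS-AUTH replies.  Each must be
    rejected with CTRL-EVENT-EAP-FAILURE rather than accepted or crashing.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    netid = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                           identity="0232010000000000",
                           password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                           wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:
        raise Exception("Network connected timed out")

    rid = _aka_ext_expect_umts_auth_req(dev[0])
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # This will fail during processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    _aka_ext_expect_eap_failure(dev[0])

    dev[0].select_network(netid, freq="2412")
    rid = _aka_ext_expect_umts_auth_req(dev[0])
    # This will fail during UMTS auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
        raise Exception("CTRL-RSP-SIM failed")
    rid = _aka_ext_expect_umts_auth_req(dev[0])
    # This will fail during UMTS auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
        raise Exception("CTRL-RSP-SIM failed")
    _aka_ext_expect_eap_failure(dev[0])

    # NOTE(review): one list entry was dropped by the rendered page
    # (orig. 1150); restore it from the repository.
    tests = [":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q"]
    for t in tests:
        dev[0].select_network(netid, freq="2412")
        rid = _aka_ext_expect_umts_auth_req(dev[0])
        # This will fail during UMTS auth validation
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
            raise Exception("CTRL-RSP-SIM failed")
        _aka_ext_expect_eap_failure(dev[0])


def _aka_ext_expect_umts_auth_req(sta):
    """Wait for a CTRL-REQ-SIM of type UMTS-AUTH on *sta*; return its request id."""
    ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    p = ev.split(':', 2)
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    return p[0].split('-')[3]


def _aka_ext_expect_eap_failure(sta):
    """Require CTRL-EVENT-EAP-FAILURE on *sta*, then disconnect and drain events."""
    ev = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    if ev is None:
        raise Exception("EAP failure not reported")
    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()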
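def test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    """EAP-AKA with external UMTS auth and auth failing

    Wrapper that restores ``external_sim 0`` on dev[0] whether or not the
    body raises (try/finally lines dropped by the rendered page, orig.
    1178/1180).
    """
    try:
        _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")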
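def _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_ext_auth_fail (caller resets external_sim).

    Answers the first CTRL-REQ-SIM with UMTS-FAIL and requires that the
    station reports an EAP failure instead of continuing.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                   identity="0232010000000000",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    p = ev.split(':', 2)
    rid = p[0].split('-')[3]
    # Simulate the SIM/USIM rejecting the challenge.
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()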
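def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'

    Positive case with reauth, then the bidding-down protection check: a
    peer offering "AKA' AKA" must still end up authenticated (the server
    is expected to pick AKA'), and finally a wrong key must fail.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA'")

    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity="6555444333222111@both",
                   password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "AKA'", "6555444333222111",
                password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                expect_failure=True)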
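def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)

    Same scenario as test_ap_wpa2_eap_aka_sql for AKA': the SQLite-backed
    server state is edited directly to force full auth, a K_aut mismatch,
    a counter mismatch and the reauth-count limit.
    """
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    try:
        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['auth_server_port'] = "1814"
        hapd = hostapd.add_ap(apdev[0], params)
        eap_connect(dev[0], hapd, "AKA'", "6555444333222111",
                    password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")

        logger.info("AKA' fast re-authentication")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with pseudonym")
        # Constant-string SQL on a test database; no external input reaches it.
        with con:
            cur = con.cursor()
            cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with permanent identity")
        with con:
            cur = con.cursor()
            cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
            cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' reauth with mismatching k_aut")
        with con:
            cur = con.cursor()
            cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "AKA'", "6555444333222111",
                    password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
        with con:
            cur = con.cursor()
            cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        with con:
            cur = con.cursor()
            cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
        logger.info("AKA' reauth with mismatching counter")
        eap_reauth(dev[0], "AKA'")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "AKA'", "6555444333222111",
                    password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
        with con:
            cur = con.cursor()
            cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
        logger.info("AKA' reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA'")
    finally:
        # The original left the connection open; close it so the db file is
        # not held across tests.
        con.close()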
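def test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    """EAP-AKA' with external UMTS auth and auth failing

    Wrapper that restores ``external_sim 0`` on dev[0] whether or not the
    body raises (try/finally lines dropped by the rendered page, orig.
    1287/1289).
    """
    try:
        _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")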
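def _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_prime_ext_auth_fail (caller resets external_sim).

    Answers the first CTRL-REQ-SIM with UMTS-FAIL and requires that the
    station reports an EAP failure instead of continuing.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    dev[0].connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
                   identity="6555444333222111",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    p = ev.split(':', 2)
    rid = p[0].split('-')[3]
    # Simulate the USIM rejecting the challenge.
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()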
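def test_ap_wpa2_eap_aka_prime_ext(dev, apdev):
    """EAP-AKA' with external UMTS auth to hit Synchronization-Failure

    Wrapper that restores ``external_sim 0`` on dev[0] whether or not the
    body raises (try/finally lines dropped by the rendered page, orig.
    1315/1317).
    """
    try:
        _test_ap_wpa2_eap_aka_prime_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")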
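def _test_ap_wpa2_eap_aka_prime_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_prime_ext (caller resets external_sim).

    Replies to the first UMTS-AUTH request with a UMTS-AUTS value so the
    server goes through AKA' Synchronization-Failure handling, and checks
    that a fresh UMTS-AUTH request is issued afterwards.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    dev[0].connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
                   identity="6555444333222111",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:
        raise Exception("Network connected timed out")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    p = ev.split(':', 2)
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during UMTS auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")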
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP

    Also checks that GET_CONFIG reports WPA-EAP as the first key_mgmt and
    that the RSN MIB records the 802.1X AKM (00-0f-ac-1) as both requested
    and selected.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    reported_key_mgmt = ap.get_config()['key_mgmt']
    first_akm = reported_key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + reported_key_mgmt)
    sta = dev[0]
    eap_connect(sta, ap, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")
    expected_mib = [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")]
    check_mib(sta, expected_mib)
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match

    The server certificate must match both the DN given in subject_match
    and the SAN list given in altsubject_match.
    """
    sta = dev[0]
    check_subject_match_support(sta)
    check_altsubject_match_support(sta)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    server_dn = "/C=FI/O=w1.fi/CN=server.w1.fi"
    server_sans = "EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/"
    eap_connect(sta, ap, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                subject_match=server_dn,
                altsubject_match=server_sans)
    eap_reauth(sta, "TTLS")
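def test_ap_wpa2_eap_ttls_pap_check_cert_subject(dev, apdev):
    """EAP-TTLS/PAP and check_cert_subject

    Connects once per check_cert_subject pattern; each pattern must match
    the server certificate and lead to a successful authentication.
    """
    check_check_cert_subject_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # NOTE(review): the rendered page dropped several entries of this list
    # and its loop header (orig. 1381, 1384-1389); restore them from the
    # repository before relying on this block.
    tests = ["C=FI/O=w1.fi/CN=server.w1.fi",
             "C=FI/CN=server.w1.fi",
             "O=w1.fi/CN=server.w1.fi"]
    for test in tests:
        eap_connect(dev[0], hapd, "TTLS", "pap user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                    check_cert_subject=test)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()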
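def test_ap_wpa2_eap_ttls_pap_check_cert_subject_neg(dev, apdev):
    """EAP-TTLS/PAP and check_cert_subject (negative)

    Each check_cert_subject pattern here must NOT match the server
    certificate; the connection has to fail with certificate error 12.
    """
    check_check_cert_subject_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # NOTE(review): the list of non-matching patterns and the loop header
    # were dropped by the rendered page (orig. 1403-1411); this placeholder
    # keeps the block syntactically whole and must be restored from the
    # repository.
    tests = []
    for test in tests:
        eap_connect(dev[0], hapd, "TTLS", "pap user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                    expect_failure=True, expect_cert_error=12,
                    check_cert_subject=test)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].dump_monitor()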
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password

    Two failure cases: a known PAP user with the wrong password, and a
    user that exists for other inner methods but not for PAP.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                  expect_failure=True)
    eap_connect(dev[0], ap, "TTLS", "pap user", password="wrong", **common)
    eap_connect(dev[1], ap, "TTLS", "user", password="password", **common)
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP

    Skipped under FIPS (CHAP needs MD5).  Uses the DER-encoded CA file to
    cover that input format as well.
    """
    sta = dev[0]
    skip_with_fips(sta)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(sta, ap, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP with altsubject_match

    Same as test_ap_wpa2_eap_ttls_chap but additionally pins the server
    certificate's SAN entries (order differs from the PAP variant on
    purpose).
    """
    sta = dev[0]
    skip_with_fips(sta)
    check_altsubject_match_support(sta)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    server_sans = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(sta, ap, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=server_sans)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password

    Wrong password for the CHAP user, then a user unknown to CHAP; both
    must fail.
    """
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                  expect_failure=True)
    eap_connect(dev[0], ap, "TTLS", "chap user", password="wrong", **common)
    eap_connect(dev[1], ap, "TTLS", "user", password="password", **common)
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP

    Three connections: with domain_suffix_match, with a small EAP
    fragment_size, and with the password supplied as an NT hash
    (password_hex="hash:...") instead of plaintext.
    """
    sta = dev[0]
    skip_with_fips(sta)
    check_domain_suffix_match(sta)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")

    eap_connect(sta, ap, "TTLS", "mschap user", password="password",
                domain_suffix_match="server.w1.fi", **common)
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")
    sta.request("REMOVE_NETWORK all")

    eap_connect(sta, ap, "TTLS", "mschap user", password="password",
                fragment_size="200", **common)
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()

    # NT hash of "password"; lets the profile avoid storing the cleartext.
    eap_connect(sta, ap, "TTLS", "mschap user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **common)
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password

    Wrong password, a user unknown to MSCHAP, and a completely unknown
    user; all three must fail.
    """
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                  expect_failure=True)
    cases = [(dev[0], "mschap user", "wrong"),
             (dev[1], "user", "password"),
             (dev[2], "no such user", "password")]
    for sta, identity, password in cases:
        eap_connect(sta, ap, "TTLS", identity, password=password, **common)
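def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2

    Verifies the connection, then that an EAP reauth is visible in the
    AP's per-STA counters (EAPOL frames received, EAP-Starts while
    authenticated, backend successes), and finally that the password can
    be supplied as an NT hash.
    """
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # "\\m" was written as the invalid escape "\m" in the original; the
    # runtime value (a single backslash) is unchanged.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")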
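def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
    """EAP-TTLS with invalid phase2 parameter values

    For each malformed phase2 string, EAP-TTLS (method 21) must be
    proposed but the method must then fail to initialize instead of
    connecting.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    tests = ["auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
             "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
             "autheap=MD5 autheap=FOO autheap=MSCHAPV2"]
    for t in tests:
        # "\\m" was written as the invalid escape "\m" in the original; the
        # runtime value (a single backslash) is unchanged.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\\mschapv2 user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2=t,
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
        if ev is None or "method=21" not in ev:
            raise Exception("EAP-TTLS not started")
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method",
                                "CTRL-EVENT-CONNECTED"], timeout=5)
        if ev is None or "CTRL-EVENT-CONNECTED" in ev:
            raise Exception("No EAP-TTLS failure reported for phase2=" + t)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()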
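def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_suffix_match)

    domain_suffix_match is set to the parent domain "w1.fi", which must
    accept the server certificate for server.w1.fi.
    """
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # "\\m" was written as the invalid escape "\m" in the original; the
    # runtime value (a single backslash) is unchanged.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")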
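def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)

    domain_match requires a full-host match; the mixed-case "Server.w1.fi"
    checks that the comparison is case-insensitive.
    """
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # "\\m" was written as the invalid escape "\m" in the original; the
    # runtime value (a single backslash) is unchanged.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")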
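def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password

    Wrong password for the MSCHAPv2 user, then a user unknown to MSCHAPv2;
    both must fail.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # "\\m" was written as the invalid escape "\m" in the original; the
    # runtime value (a single backslash) is unchanged.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
    eap_connect(dev[1], hapd, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)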
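def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password

    Non-ASCII password in cleartext and as an NT hash must both
    authenticate; then three malformed password_hex values (odd-length
    hex, a non-UTF-8 byte sequence, over-long input) must be rejected.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TTLS", "utf8-user-hash",
                anonymous_identity="ttls", password="secret-åäö-€-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[1], hapd, "TTLS", "utf8-user",
                anonymous_identity="ttls",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    for p in ["80", "41c041e04141e041", 257*"41"]:
        dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="TTLS", identity="utf8-user-hash",
                       anonymous_identity="ttls", password_hex=p,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1)
        if ev is None:
            raise Exception("No failure reported")
        dev[2].request("REMOVE_NETWORK all")
        dev[2].wait_disconnected()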
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC

    Inner EAP method (autheap=GTC) rather than a PPP-style auth; checks
    connectivity and a reauth.
    """
    sta = dev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(sta, ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # Wrong password for a valid user: the attempt must end in EAP-Failure,
    # which eap_connect() checks for when expect_failure is set.
    eap_connect(dev[0], ap, "TTLS", "user",
                anonymous_identity="ttls",
                password="wrong",
                ca_cert="auth_serv/ca.pem",
                phase2="autheap=GTC",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" presumably has no password configured on the server
    # side, so the GTC response cannot be verified and EAP must fail.
    creds = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd", expect_failure=True,
                **creds)
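def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    # Failing the inner method's init aborts the whole exchange, so the
    # connection attempt itself must end in EAP-Failure.
    with alloc_fail(hapd, 1, "eap_gtc_init"):
        eap_connect(dev[0], hapd, "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # A failure in the request builder is hit mid-exchange; the attempt would
    # only time out, so stop as soon as the server reports that the armed
    # failure has fired. wait_fail_trigger() is the helper this file already
    # uses for the station side; it replaces the open-coded GET_ALLOC_FAIL
    # polling loop (which, from its name, is expected to raise rather than
    # give up silently when the failure point is never reached — confirm in
    # utils.py).
    with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(hapd, "GET_ALLOC_FAIL")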
def test_ap_wpa2_eap_ttls_eap_gtc_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC (OOM)"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # Station-side allocation failure points in the EAP-GTC peer method.
    # The "a;b" form presumably narrows the failure to an allocation in a()
    # reached from b() (backtrace matching) — see utils.alloc_fail.
    tests = ["eap_gtc_init",
             "eap_msg_alloc;eap_gtc_process"]
    # NOTE(review): the loop header (orig. 1689) is absent from this listing;
    # it is implied by the use of `func` in the alloc_fail() call below.
    for func in tests:
        with alloc_fail(dev[0], 1, func):
            # NOTE(review): one argument line (orig. 1692) and the closing
            # wait_connect/scan_freq line (orig. 1696) are absent from this
            # listing; the latter is reconstructed to match every other
            # connect() call in this file.
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           eap="TTLS", identity="user",
                           anonymous_identity="ttls", password="password",
                           ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                           wait_connect=False, scan_freq="2412")
            # Wait until GET_ALLOC_FAIL reports the armed failure was hit.
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    # EAP-MD5 may be compiled out; skip rather than fail in that case.
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-MD5 derives no keys and authenticates only the peer, so it is only
    # usable here because it runs inside the server-authenticated TTLS tunnel.
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], ap, "TTLS", "user", **inner)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # A wrong password must produce EAP-Failure (checked by eap_connect()).
    eap_connect(dev[0], ap, "TTLS", "user",
                anonymous_identity="ttls",
                password="wrong",
                ca_cert="auth_serv/ca.pem",
                phase2="autheap=MD5",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Server-side account presumably has no password, so the MD5 challenge
    # response cannot be validated and authentication must fail.
    creds = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd", expect_failure=True,
                **creds)
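def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
    check_eap_capa(dev[0], "MD5")
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    # Failing the inner method's init aborts the exchange: expect EAP-Failure.
    with alloc_fail(hapd, 1, "eap_md5_init"):
        eap_connect(dev[0], hapd, "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # The request-builder failure is reached mid-exchange and the attempt
    # would only time out, so stop once the server reports the armed failure
    # fired. wait_fail_trigger() (already used for the station side in this
    # file) replaces the open-coded GET_ALLOC_FAIL polling loop and, from its
    # name, is expected to raise rather than give up silently if the failure
    # point is never reached — confirm in utils.py.
    with alloc_fail(hapd, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(hapd, "GET_ALLOC_FAIL")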
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-MSCHAPv2 as an inner EAP method (autheap=), not the plain MSCHAPv2
    # (auth=) variant used by the other TTLS tests.
    inner = dict(anonymous_identity="ttls",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], ap, "TTLS", "user", password="password", **inner)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "TTLS", "user", password="password1",
                expect_failure=True, **inner)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # Account without a server-side password: authentication must fail.
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.pem",
                phase2="autheap=MSCHAPV2",
                expect_failure=True)
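def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    # Failing the inner method's init aborts the exchange, so the full
    # connection attempt is expected to end in EAP-Failure.
    with alloc_fail(hapd, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], hapd, "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # The remaining failure points are reached mid-exchange; the attempt would
    # only time out, so each one is stopped as soon as the server reports the
    # armed failure fired. The failure-request builder is only reached with a
    # wrong password.
    _ttls_eap_mschapv2_server_alloc_fail(dev[0], hapd,
                                         "eap_mschapv2_build_challenge",
                                         "password")
    _ttls_eap_mschapv2_server_alloc_fail(dev[0], hapd,
                                         "eap_mschapv2_build_success_req",
                                         "password")
    _ttls_eap_mschapv2_server_alloc_fail(dev[0], hapd,
                                         "eap_mschapv2_build_failure_req",
                                         "wrong")


def _ttls_eap_mschapv2_server_alloc_fail(sta, hapd, func, password):
    """Run one EAP-TTLS/EAP-MSCHAPv2 attempt with an allocation failure armed in *func* on the server.

    Starts the connection on *sta* without waiting for it to complete, waits
    until GET_ALLOC_FAIL on *hapd* reports that the failure was hit, and then
    removes the network. wait_fail_trigger() (the helper this file already
    uses for the station side) replaces the open-coded polling loop the four
    copies of this sequence used to carry; from its name it is expected to
    raise rather than give up silently when the failure point is never
    reached — confirm in utils.py.
    """
    with alloc_fail(hapd, 1, func):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                    eap="TTLS", identity="user",
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    wait_connect=False, scan_freq="2412")
        wait_fail_trigger(hapd, "GET_ALLOC_FAIL")
    sta.request("REMOVE_NETWORK all")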
def test_ap_wpa2_eap_ttls_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Identity is "1" + IMSI (EAP-SIM permanent identity); the colon-separated
    # "password" presumably feeds the software SIM simulator (Ki:OPc).
    sim = dict(anonymous_identity="1232010000000000@ttls",
               password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
               ca_cert="auth_serv/ca.pem", phase2="autheap=SIM")
    eap_connect(dev[0], ap, "TTLS", "1232010000000000", **sim)
    eap_reauth(dev[0], "TTLS")
def run_ext_sim_auth(hapd, dev):
    # Drive one round of "external SIM" processing: wpa_supplicant hands the
    # GSM RAND to the test over the control interface, the test computes the
    # answer with the hlr_auc_gw tool and feeds it back, then a
    # reauthentication is forced and must succeed.
    #
    # NOTE(review): several original lines are absent from this listing:
    # 1851, 1874 and 1877 (the `is None` guards, reconstructed below from the
    # raise statements that follow them); 1860 (one further argv element
    # between the binary and the db path, not reconstructed); 1869-1871 and
    # 1879 (unknown statements, not reconstructed). hapd is not used in what
    # is visible here.
    ev = dev.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    # Event form "CTRL-REQ-SIM-<id>:GSM-AUTH:<rand> ..."; at most two splits so
    # the payload keeps any further ':'.
    p = ev.split(':', 2)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]

    # argv list, no shell: rand (taken from a control-interface event) is a
    # single argv element and is never interpreted by a shell.
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   # NOTE(review): orig. line 1860 absent here
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand]).decode()
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    # Third space-separated field of the response is the auth result.
    resp = res.split(' ')[2].rstrip()

    # Answer the request under the same id and wait for the connection.
    dev.request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev.wait_connected(timeout=15)

    # Force a second EAP run; both EAP success and completion of the key
    # handshake must be reported within the timeouts.
    dev.request("REAUTHENTICATE")
    ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=5)
    if ev is None:
        raise Exception("EAP reauthentication did not succeed")
    ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=5)
    if ev is None:
        raise Exception("Key negotiation did not complete")
def test_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    # NOTE(review): the try:/finally: lines (orig. 1884, 1886) are absent from
    # this listing; the structure below is the only one that fits the two
    # remaining statements.
    try:
        run_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev)
    finally:
        # Always return the station to built-in SIM handling so a failure here
        # does not leak into later tests.
        dev[0].request("SET external_sim 0")
def run_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev):
    # Body of test_ap_wpa2_eap_ttls_eap_sim_ext; the caller resets external_sim.
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # With external_sim=1 wpa_supplicant asks the control interface for the
    # GSM auth result instead of using the software simulator, so the
    # connection is started without waiting and then driven by
    # run_ext_sim_auth().
    sta.request("SET external_sim 1")
    sta.connect("test-wpa2-eap", eap="TTLS", key_mgmt="WPA-EAP",
                identity="1232010000000000",
                anonymous_identity="1232010000000000@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                ca_cert="auth_serv/ca.pem", phase2="autheap=SIM",
                wait_connect=False, scan_freq="2412")
    run_ext_sim_auth(ap, sta)
def test_ap_wpa2_eap_peap_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # EAP-SIM tunneled inside PEAP (phase2 auth=SIM).
    eap_connect(dev[0], ap, "PEAP", "1232010000000000",
                anonymous_identity="1232010000000000@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=SIM")
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    # NOTE(review): the try:/finally: lines (orig. 1914, 1916) are absent from
    # this listing; the structure below is the only one that fits the two
    # remaining statements.
    try:
        run_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev)
    finally:
        # Restore built-in SIM handling regardless of the outcome.
        dev[0].request("SET external_sim 0")
def run_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev):
    # Body of test_ap_wpa2_eap_peap_eap_sim_ext; the caller resets external_sim.
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # GSM auth is answered over the control interface by run_ext_sim_auth(),
    # so the connection is started without waiting for it to complete.
    sta.request("SET external_sim 1")
    sta.connect("test-wpa2-eap", eap="PEAP", key_mgmt="WPA-EAP",
                identity="1232010000000000",
                anonymous_identity="1232010000000000@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                ca_cert="auth_serv/ca.pem", phase2="auth=SIM",
                wait_connect=False, scan_freq="2412")
    run_ext_sim_auth(ap, sta)
def test_ap_wpa2_eap_fast_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-SIM"""
    check_eap_capa(dev[0], "FAST")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=2 allows authenticated PAC provisioning; the PAC is
    # kept in a config blob rather than a file.
    fast = dict(phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_sim")
    eap_connect(dev[0], ap, "FAST", "1232010000000000",
                anonymous_identity="1232010000000000@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                ca_cert="auth_serv/ca.pem", phase2="auth=SIM", **fast)
    eap_reauth(dev[0], "FAST")
def test_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    # NOTE(review): the try:/finally: lines (orig. 1947, 1949) are absent from
    # this listing; the structure below is the only one that fits the two
    # remaining statements.
    try:
        run_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev)
    finally:
        # Restore built-in SIM handling regardless of the outcome.
        dev[0].request("SET external_sim 0")
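def run_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev):
    # Body of test_ap_wpa2_eap_fast_eap_sim_ext; the caller resets external_sim.
    #
    # The original ran eap="PEAP" with a "@peap" anonymous identity (a copy of
    # the PEAP variant), so the fast_provisioning/pac_file settings were
    # ignored and EAP-FAST with external GSM auth was never actually
    # exercised. Use FAST as test_ap_wpa2_eap_fast_eap_sim does, and skip
    # when FAST is not built in, as that test does.
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # GSM auth is answered over the control interface by run_ext_sim_auth(),
    # so the connection is started without waiting for it to complete.
    dev[0].request("SET external_sim 1")
    dev[0].connect("test-wpa2-eap", eap="FAST", key_mgmt="WPA-EAP",
                   identity="1232010000000000",
                   anonymous_identity="1232010000000000@fast",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   phase1="fast_provisioning=2",
                   pac_file="blob://fast_pac_auth_sim",
                   ca_cert="auth_serv/ca.pem", phase2="auth=SIM",
                   wait_connect=False, scan_freq="2412")
    run_ext_sim_auth(hapd, dev[0])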
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "0" + IMSI is the EAP-AKA permanent identity; the third colon-separated
    # field of the password is presumably the simulator's sequence number.
    aka = dict(anonymous_identity="0232010000000000@ttls",
               password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
               ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
    eap_connect(dev[0], ap, "TTLS", "0232010000000000", **aka)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # EAP-AKA tunneled inside PEAP (phase2 auth=AKA).
    eap_connect(dev[0], ap, "PEAP", "0232010000000000",
                anonymous_identity="0232010000000000@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=AKA")
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Authenticated PAC provisioning, PAC stored in a config blob.
    fast = dict(phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka")
    eap_connect(dev[0], ap, "FAST", "0232010000000000",
                anonymous_identity="0232010000000000@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA", **fast)
    eap_reauth(dev[0], "FAST")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Settings shared by every attempt below.
    common = dict(anonymous_identity="peap",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    eap_connect(sta, ap, "PEAP", "user", password="password", **common)
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "PEAP")
    # Same exchange with small EAP fragments to exercise reassembly.
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PEAP", "user", password="password",
                fragment_size="200", **common)

    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **common)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PEAP", "user", password="password1",
                expect_failure=True, **common)
def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # Raw string keeps the single backslash of a DOMAIN\user style identity.
    identity = r"DOMAIN\user3"
    eap_connect(dev[0], ap, "PEAP", identity,
                anonymous_identity="peap",
                password="password",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong password: EAP-Failure expected (checked by eap_connect()).
    creds = dict(anonymous_identity="peap", password="wrong",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[0], ap, "PEAP", "user", expect_failure=True, **creds)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(password="password", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")

    # crypto_binding=2 requires the PEAPv0 cryptobinding TLV (ties the inner
    # MSCHAPv2 run to the outer TLS tunnel); this station also re-authenticates.
    eap_connect(dev[0], ap, "PEAP", "user",
                phase1="peapver=0 crypto_binding=2", **common)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    # crypto_binding=1 (optional) and 0 (disabled) must also interoperate.
    eap_connect(dev[1], ap, "PEAP", "user",
                phase1="peapver=0 crypto_binding=1", **common)
    eap_connect(dev[2], ap, "PEAP", "user",
                phase1="peapver=0 crypto_binding=0", **common)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0], int_eap_server_params())
    # The cryptobinding TLV needs the inner method's key material; failing
    # that allocation on the server must make the exchange fail cleanly.
    # local_error_report presumably tells eap_connect() to accept a locally
    # detected error as the failure — confirm in eap_connect().
    with alloc_fail(ap, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], ap, "PEAP", "user",
                    password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True,
                    local_error_report=True)
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
    # NOTE(review): the following original lines are absent from this listing
    # and are reconstructed below where the surrounding code makes them
    # unambiguous: 2101, 2121, 2152 (`is None` guards before a raise); 2095,
    # 2115 (an argument line, taken to be identity="user" as in every other
    # attempt here); 2139 (the closing scan_freq line of a connect() call).
    # Line 2131 (one more entry of the first `tests` list) is not
    # reconstructed.
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # peaplabel=1 (the alternative key-derivation label) combined with PEAPv0
    # is expected to fail against this server.
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    # peap_outer_success=0: the inner method succeeds but the outer EAP
    # conversation is not completed, so only EAP-SUCCESS is checked.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peap_outer_success=0",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    if ev is None:
        raise Exception("No EAP success seen")
    # This won't succeed to connect with peap_outer_success=0, so stop here.
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    # The other two peap_outer_success modes must connect normally.
    eap_connect(dev[1], hapd, "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=1",
                phase2="auth=MSCHAPV2")
    eap_connect(dev[2], hapd, "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=2",
                phase2="auth=MSCHAPV2")
    # PEAPv1 with peaplabel=1: EAP must succeed but the association must not
    # complete within the short timeout.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    if ev is None:
        raise Exception("No EAP success seen")
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=1)
    if ev and "CTRL-EVENT-CONNECTED" in ev:
        raise Exception("Unexpected connection")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].disconnect_and_stop_scan()

    # The peap-ver0/peap-ver1 anonymous identities presumably map to server
    # accounts that force a PEAP version; an unspecified or matching client
    # peapver must connect ...
    tests = [("peap-ver0", ""),
             # NOTE(review): orig. line 2131 absent here
             ("peap-ver0", "peapver=0"),
             ("peap-ver1", "peapver=1")]
    for anon, phase1 in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       scan_freq="2412")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # ... while a mismatched peapver must end in EAP-Failure.
    tests = [("peap-ver0", "peapver=1"),
             ("peap-ver1", "peapver=0")]
    for anon, phase1 in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        if ev is None:
            raise Exception("No EAP-Failure seen")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Exercise parsing of the remaining TLS-related phase1 flags at their
    # permissive settings (MD5 allowed, session tickets off, no TLS version
    # disabled, no external certificate check).
    eap_connect(dev[0], hapd, "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_peap_eap_gtc(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-GTC"""
    # Note: `params` is the test-framework argument; the AP settings are built
    # locally.
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-GTC as the inner method with PEAPv1 forced via phase1.
    eap_connect(dev[0], ap, "PEAP", "user",
                phase1="peapver=1",
                anonymous_identity="peap",
                password="password",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=GTC")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # EAP-TLS inside PEAP: the *2 parameters are the phase-2 (inner) client
    # credentials, distinct from the outer tunnel's ca_cert.
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], ap, "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Plain certificate-based EAP-TLS with PEM files, then a re-authentication.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], ap, "TLS", "tls user", **creds)
    eap_reauth(dev[0], "TLS")
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # Encrypted PKCS #8 private key; the passphrase is given in the profile.
    eap_connect(dev[0], ap, "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key.pkcs8",
                private_key_passwd="whatever")
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
    # The legacy PKCS #5 v1.5 KDF is not available in every TLS library.
    check_pkcs5_v15_support(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                 private_key_passwd="whatever")
    eap_connect(dev[0], ap, "TLS", "tls user", **creds)
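def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Each PEM file is pushed into wpa_supplicant as a named config blob
    # (hex-encoded over the control interface) and then referenced through
    # blob:// URIs instead of file paths.
    _set_pem_blob(dev[0], "cacert", "auth_serv/ca.pem")
    _set_pem_blob(dev[0], "usercert", "auth_serv/user.pem")
    _set_pem_blob(dev[0], "userkey", "auth_serv/user.rsa-key")
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")


def _set_pem_blob(sta, name, path):
    """Store the PEM file at *path* as config blob *name* on *sta*.

    Raises Exception naming the blob when the control interface does not
    answer OK. (The original open-coded this three times and reported
    "cacert" for a failure of the userkey blob.)
    """
    data = read_pem(path)
    if "OK" not in sta.request("SET blob " + name + " " +
                               binascii.hexlify(data).decode()):
        raise Exception("Could not set " + name + " blob")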
def test_ap_wpa2_eap_tls_blob_missing(dev, apdev):
    """EAP-TLS and config blob missing"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # All three credentials point at a blob that was never set; EAP-TLS must
    # fail to initialize (reported as a method init failure) rather than
    # proceed with missing material.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="blob://testing-blob-does-not-exist",
                   client_cert="blob://testing-blob-does-not-exist",
                   private_key="blob://testing-blob-does-not-exist",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=10)
    # NOTE(review): the guard line (orig. 2237) is absent from this listing;
    # reconstructed from the raise that follows it.
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
    """EAP-TLS and TLS Message Length in unfragmented packets"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # include_tls_length=1 makes the peer add the TLS Message Length field
    # even when no fragmentation happens; the server must accept it.
    eap_connect(dev[0], ap, "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                phase1="include_tls_length=1",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
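def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    check_pkcs12_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Passphrase supplied in the network profile.
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # No passphrase in the profile: wpa_supplicant must ask for it over the
    # control interface and accept the CTRL-RSP answer.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    if ev is None:
        raise Exception("Request for private key passphrase timed out")
    # Request id is the trailing field of "CTRL-REQ-PASSPHRASE-<id>:...".
    # Kept in req_id: the original used `id`, shadowing the builtin.
    req_id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + req_id + ":whatever")
    dev[0].wait_connected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Run this twice to verify certificate chain handling with OpenSSL. Use two
    # different files to cover both cases of the extra certificate being the
    # one that signed the client certificate and it being unrelated to the
    # client certificate.
    # NOTE(review): in this listing the loop's private_key= argument (orig.
    # 2284) is missing and one statement at the loop head (orig. 2281) is
    # unknown; the loop variable is otherwise unused, so it is passed as the
    # private key here.
    for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
        eap_connect(dev[0], hapd, "TLS", "tls user",
                    ca_cert="auth_serv/ca.pem",
                    private_key=pkcs12,
                    private_key_passwd="whatever")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()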
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    # CA certificate blob built from the PEM file as read_pem() returns it
    # (the _pem variant below feeds the raw PEM text instead).
    ca_hex = binascii.hexlify(read_pem("auth_serv/ca.pem")).decode()
    run_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev, ca_hex)
def test_ap_wpa2_eap_tls_pkcs12_blob_pem(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob and PEM ca_cert blob"""
    # NOTE(review): original lines 2299-2308 — the loop that copies the first
    # PEM block out of `lines` into the str `cert` — are absent from this
    # listing; only the "-----BEGIN" condition survived. The scaffold below
    # (cert init, loop header, pass) is a placeholder for the missing body,
    # not a reconstruction of it.
    with open("auth_serv/ca.pem", "r") as f:
        lines = f.readlines()
        cert = ""
        for l in lines:
            if "-----BEGIN" in l:
                pass  # NOTE(review): body absent (orig. 2303-2308)
    # Hex-encode the PEM text itself (not the DER read_pem() would give) so
    # the blob form of a PEM ca_cert is exercised.
    cacert = binascii.hexlify(cert.encode()).decode()
    run_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev, cacert)
def run_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev, cacert):
    # Shared body of the pkcs12_blob tests; cacert is the hex-encoded CA blob.
    check_pkcs12_support(dev[0])
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    if "OK" not in sta.request("SET blob cacert " + cacert):
        raise Exception("Could not set cacert blob")
    # The PKCS#12 bundle (client cert + key) goes in as a second blob.
    with open("auth_serv/user.pkcs12", "rb") as f:
        p12_hex = binascii.hexlify(f.read()).decode()
        if "OK" not in sta.request("SET blob pkcs12 " + p12_hex):
            raise Exception("Could not set pkcs12 blob")
    eap_connect(sta, ap, "TLS", "tls user",
                ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
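def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # dev[0] gets the wrong CA through a config blob, dev[1] through a file
    # path; both must reject the server certificate, never connect, and end
    # with their network block temporarily disabled.
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " +
                                  binascii.hexlify(cert).decode()):
        raise Exception("Could not set cacert blob")
    # Raw string: the plain "DOMAIN\m..." literal relied on an invalid escape
    # (same value, but a SyntaxWarning on newer Python); this matches the
    # r"DOMAIN\user3" form used by the PEAP domain test.
    identity = r"DOMAIN\mschapv2 user"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity=identity, anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="blob://cacert",
                   wait_connect=False, scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity=identity, anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca-incorrect.pem",
                   wait_connect=False, scan_freq="2412")

    # Loop variable renamed: the original rebound the `dev` parameter.
    for sta in (dev[0], dev[1]):
        _wait_ev_or_fail(sta, ["CTRL-EVENT-EAP-STARTED"], 16,
                         "Association and EAP start timed out")

        ev = _wait_ev_or_fail(sta, ["CTRL-EVENT-EAP-METHOD"], 10,
                              "EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        # The first outcome event must be the certificate error itself, not
        # a success/failure/connection event.
        ev = _wait_ev_or_fail(sta, ["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                                    "CTRL-EVENT-EAP-SUCCESS",
                                    "CTRL-EVENT-EAP-FAILURE",
                                    "CTRL-EVENT-CONNECTED",
                                    "CTRL-EVENT-DISCONNECTED"], 10,
                              "EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = _wait_ev_or_fail(sta, ["CTRL-EVENT-EAP-SUCCESS",
                                    "CTRL-EVENT-EAP-FAILURE",
                                    "CTRL-EVENT-CONNECTED",
                                    "CTRL-EVENT-DISCONNECTED"], 10,
                              "EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = _wait_ev_or_fail(sta, ["CTRL-EVENT-CONNECTED",
                                    "CTRL-EVENT-DISCONNECTED"], 10,
                              "EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        _wait_ev_or_fail(sta, ["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
                         "Network block disabling not reported")


def _wait_ev_or_fail(sta, events, timeout, what):
    """Wait up to *timeout* seconds for one of *events* on *sta*.

    Returns the event text; raises Exception(*what*) when nothing arrives.
    Replaces the repeated wait_event()/timeout-check pairs of the caller.
    """
    ev = sta.wait_event(events, timeout=timeout)
    if ev is None:
        raise Exception(what)
    return ev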
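def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    # Two otherwise identical network blocks: the first trusts the CA that
    # issued the server certificate and connects, the second trusts a CA
    # that did not.  Switching to the second block must restart EAP-TTLS
    # (method 21) and end in a disconnection with reason code 23 (IEEE 802.1X
    # authentication failed) -- the earlier successful session must not be
    # reused across a change of trust root.
    # NOTE(review): the "if ev is None:" guard dropped by this rendering is
    # restored (wait_event() returns None on timeout).
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)  # the original bound this to an unused 'hapd'
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="pap user", anonymous_identity="ttls",
                password="password", phase2="auth=PAP",
                ca_cert="auth_serv/ca.pem",
                wait_connect=True, scan_freq="2412")
    # 'net_id' replaces the original 'id', which shadowed the builtin.
    net_id = sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                         identity="pap user", anonymous_identity="ttls",
                         password="password", phase2="auth=PAP",
                         ca_cert="auth_serv/ca-incorrect.pem",
                         only_add_network=True, scan_freq="2412")

    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()
    sta.select_network(net_id, freq="2412")

    ev = sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = sta.wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")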
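def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    # Variant of test_ap_wpa2_eap_tls_diff_ca_trust: the first network block
    # sets no ca_cert at all, so the server certificate is not validated for
    # that first association (this is only a way to obtain an initial
    # connection, not a recommended configuration).  The second block pins a
    # CA that did not issue the server certificate and must therefore end in
    # a reason=23 (IEEE 802.1X authentication failed) disconnection.
    # NOTE(review): the "if ev is None:" guard dropped by this rendering is
    # restored (wait_event() returns None on timeout).
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)  # the original bound this to an unused 'hapd'
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="pap user", anonymous_identity="ttls",
                password="password", phase2="auth=PAP",
                wait_connect=True, scan_freq="2412")
    # 'net_id' replaces the original 'id', which shadowed the builtin.
    net_id = sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                         identity="pap user", anonymous_identity="ttls",
                         password="password", phase2="auth=PAP",
                         ca_cert="auth_serv/ca-incorrect.pem",
                         only_add_network=True, scan_freq="2412")

    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()
    sta.select_network(net_id, freq="2412")

    ev = sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = sta.wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")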
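def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    # Same expectation as the other diff_ca_trust tests, but the trust root
    # is swapped in place on the single network block (set_network_quoted)
    # after a successful connection: re-selecting the block must restart
    # EAP-TTLS and fail with reason=23 rather than reuse the old session.
    # NOTE(review): the "if ev is None:" guard dropped by this rendering is
    # restored (wait_event() returns None on timeout).
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)  # the original bound this to an unused 'hapd'
    sta = dev[0]
    # 'net_id' replaces the original 'id', which shadowed the builtin.
    net_id = sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                         identity="pap user", anonymous_identity="ttls",
                         password="password", phase2="auth=PAP",
                         ca_cert="auth_serv/ca.pem",
                         wait_connect=True, scan_freq="2412")
    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()
    sta.set_network_quoted(net_id, "ca_cert", "auth_serv/ca-incorrect.pem")
    sta.select_network(net_id, freq="2412")

    ev = sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = sta.wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")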
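def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    # The trust root is correct here; what must fail is the name constraint.
    # domain_suffix_match names a suffix the server certificate does not
    # carry, and the supplicant has to treat that like an untrusted
    # certificate: CERT-ERROR with "Domain suffix mismatch", EAP failure,
    # disconnection and a temporarily disabled network block.
    # NOTE(review): "if ev is None:" guards dropped by this rendering are
    # restored (wait_event() returns None on timeout).
    check_domain_suffix_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    sta = dev[0]
    # Escaped backslash: bare "\m" is an invalid escape sequence; same value.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                domain_suffix_match="incorrect.example.com",
                wait_connect=False, scan_freq="2412")

    ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                         "CTRL-EVENT-EAP-SUCCESS",
                         "CTRL-EVENT-EAP-FAILURE",
                         "CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                         "CTRL-EVENT-EAP-FAILURE",
                         "CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = sta.wait_event(["CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = sta.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")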
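def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch"""
    # domain_match is a full-name constraint, not a suffix one; "w1.fi" must
    # be rejected ("Domain mismatch") even though the trust root is correct,
    # and the rejection must propagate to EAP failure, disconnection and a
    # temporarily disabled network block.
    # NOTE(review): "if ev is None:" guards dropped by this rendering are
    # restored (wait_event() returns None on timeout).
    check_domain_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    sta = dev[0]
    # Escaped backslash: bare "\m" is an invalid escape sequence; same value.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                domain_match="w1.fi",
                wait_connect=False, scan_freq="2412")

    ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                         "CTRL-EVENT-EAP-SUCCESS",
                         "CTRL-EVENT-EAP-FAILURE",
                         "CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                         "CTRL-EVENT-EAP-FAILURE",
                         "CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = sta.wait_event(["CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = sta.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")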
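def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch"""
    # subject_match pins a DN the server certificate does not have.  On an
    # OpenSSL build the handshake must stop with "Subject mismatch"; on other
    # TLS libraries the EAP method may refuse to initialize at all, which is
    # also an acceptable (fail-closed) outcome for a negative test.
    # NOTE(review): this rendering dropped the "if ev is None:" guards and
    # the 'return' ending the unsupported-library branch (original line
    # 2595); both are restored.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    sta = dev[0]
    # Escaped backslash: bare "\m" is an invalid escape sequence; same value.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                subject_match="/C=FI/O=w1.fi/CN=example.com",
                wait_connect=False, scan_freq="2412")

    ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD",
                         "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # OpenSSL builds are required to support subject_match, so a method
        # initialization failure there is a real bug.
        tls = sta.request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        # Without this return the "TTLS" check below would fail on the
        # initialization-failure message.
        return

    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                         "CTRL-EVENT-EAP-SUCCESS",
                         "CTRL-EVENT-EAP-FAILURE",
                         "CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                         "CTRL-EVENT-EAP-FAILURE",
                         "CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = sta.wait_event(["CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = sta.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")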
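def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch"""
    # Runs the altsubject_match negative check once per pattern; each must be
    # rejected against the server certificate's subjectAltName entries.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    tests = ["incorrect.example.com",
             "DNS:incorrect.example.com",
             # TODO(review): two further patterns on the original lines
             # 2638-2639 were lost in this rendering; restore them from
             # upstream before relying on this list.
             ]
    # NOTE(review): the loop header (original line 2640) was also dropped;
    # the per-pattern call on line 2641 only makes sense inside it.
    for match in tests:
        _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)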
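def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    # One negative altsubject_match round on dev[0]: the given pattern must
    # produce a CERT-ERROR carrying "AltSubject mismatch", followed by EAP
    # failure, disconnection and a temporarily disabled network block.  On a
    # non-OpenSSL build the method may instead refuse to initialize, which
    # is accepted as a fail-closed result.  The network block is removed at
    # the end so the caller can run the next pattern.
    # NOTE(review): this rendering dropped the "if ev is None:" guards and
    # the 'return' ending the unsupported-library branch (original line
    # 2664); both are restored.
    sta = dev[0]
    # Escaped backslash: bare "\m" is an invalid escape sequence; same value.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                altsubject_match=match,
                wait_connect=False, scan_freq="2412")

    ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD",
                         "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = sta.request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return

    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                         "CTRL-EVENT-EAP-SUCCESS",
                         "CTRL-EVENT-EAP-FAILURE",
                         "CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                         "CTRL-EVENT-EAP-FAILURE",
                         "CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = sta.wait_event(["CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = sta.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")

    sta.request("REMOVE_NETWORK all")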
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    # UNAUTH-TLS: the station presents no client certificate, but the server
    # certificate is still validated against the pinned CA, so only the
    # client side of the exchange is "unauthenticated".
    ssid = "test-wpa2-eap"
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid=ssid))
    eap_connect(dev[0], ap, "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    # Re-authentication on the established session must succeed as well.
    eap_reauth(dev[0], "UNAUTH-TLS")
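def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
    # Certificate pinning flow: (1) probe the server with ca_cert="probe://"
    # and check the SHA-256 fingerprint the supplicant reports, (2) show that
    # a different pinned fingerprint is rejected as a mismatch, (3) connect
    # with the real fingerprint pinned via hash://server/sha256/....
    # NOTE(review): "if ev is None:" guards dropped by this rendering are
    # restored (wait_event() returns None on timeout).
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    srv_cert_hash = "4704e62784f36cc5fd964c6410402f4938773bb471dce9d42939bf22fdbdb2dd"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    sta = dev[0]
    # Escaped backslash: bare "\m" is an invalid escape sequence; same value.
    identity = "DOMAIN\\mschapv2 user"

    # (1) Probe: the handshake must stop with a CERT-ERROR describing the
    # probed chain; it must not produce a connection.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="probe", ca_cert="probe://",
                wait_connect=False, scan_freq="2412")
    ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = sta.wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    sta.wait_disconnected(timeout=10)
    sta.request("REMOVE_NETWORK all")

    # (2) Wrong pin: a fingerprint that does not match the server certificate
    # must be reported as a mismatch and must not connect.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity=identity, anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                wait_connect=False, scan_freq="2412")
    ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    sta.wait_disconnected(timeout=10)
    sta.request("REMOVE_NETWORK all")

    # (3) Correct pin: the fingerprint learned in the probe step is accepted.
    eap_connect(sta, hapd, "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")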
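def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
    # Malformed hash://server/ pins must be rejected when the EAP method is
    # initialized -- never silently downgraded to "no validation".  Three
    # variants are tried, one per station: an unsupported digest name (md5),
    # a truncated sha256 value and a value containing a non-hex character.
    # NOTE(review): "if ev is None:" guards dropped by this rendering are
    # restored (wait_event() returns None on timeout).
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    bad_pins = [
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    stations = (dev[0], dev[1], dev[2])
    for sta, pin in zip(stations, bad_pins):
        # Escaped backslash: bare "\m" is an invalid escape sequence; same value.
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                    password="password", phase2="auth=MSCHAPV2",
                    ca_cert=pin,
                    wait_connect=False, scan_freq="2412")
    for sta in stations:
        ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = sta.wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")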
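def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd"""
    # Baseline EAP-pwd: connect, re-authenticate, exercise an oversized NAI
    # on two stations and check that a wrong password is refused with a
    # locally reported error.
    check_eap_capa(dev[0], "PWD")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    # Deliberately long identity so the EAP-pwd exchange has to carry a
    # large NAI.
    long_identity = "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com"
    # TODO(review): the final keyword-argument line of this call (original
    # lines 2796-2797) was dropped by the rendering; restore it from upstream
    # (presumably a fragment_size setting, given the oversized identity).
    eap_connect(dev[1], hapd, "PWD", long_identity,
                password="secret password")

    logger.info("Negative test with incorrect password")
    eap_connect(dev[2], hapd, "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

    # TODO(review): same dropped argument line here (original lines 2805-2806).
    eap_connect(dev[0], hapd, "PWD", long_identity,
                password="secret password")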
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash"""
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])  # NT hash is MD4 based and not available under FIPS
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    nt_hash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    # Same user ("pwd-hash"): the credential works both as plaintext and as
    # its NT hash supplied through password_hex.
    eap_connect(dev[0], ap, "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], ap, "PWD", "pwd-hash", password_hex=nt_hash)
    # The same hash must be refused for the other user ("pwd user").
    eap_connect(dev[2], ap, "PWD", "pwd user", password_hex=nt_hash,
                expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_pwd_salt_sha1(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and salted password SHA-1"""
    # The server stores this user's credential as a salted SHA-1 value; the
    # station still supplies the plaintext password.
    check_eap_capa(dev[0], "PWD")
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "PWD", "pwd-hash-sha1", password="secret password")
def test_ap_wpa2_eap_pwd_salt_sha256(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and salted password SHA256"""
    # Same shape as the SHA-1 variant, with the server-side credential
    # stored as a salted SHA256 value.
    check_eap_capa(dev[0], "PWD")
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "PWD", "pwd-hash-sha256", password="secret password")
def test_ap_wpa2_eap_pwd_salt_sha512(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and salted password SHA512"""
    # Same shape as the SHA-1 variant, with the server-side credential
    # stored as a salted SHA512 value.
    check_eap_capa(dev[0], "PWD")
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "PWD", "pwd-hash-sha512", password="secret password")
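def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups"""
    # The station allows every group (eap_pwd_groups=0-65535); the AP is
    # re-created with one pwd_group at a time and each must negotiate.
    # NOTE(review): the loop header (original line 2852) was dropped by the
    # rendering and is restored from the 'groups' list and the "Group %d"
    # log; the end of the loop body (lines 2862-2863) is also missing.
    check_eap_capa(dev[0], "PWD")
    # The original also read "GET tls_library" into an unused local; that
    # dead query is dropped.
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf"}
    groups = [19, 20, 21]
    for i in groups:
        logger.info("Group %d" % i)
        params['pwd_group'] = str(i)
        hapd = hostapd.add_ap(apdev[0], params)
        eap_connect(dev[0], hapd, "PWD", "pwd user",
                    password="secret password",
                    phase1="eap_pwd_groups=0-65535")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()
        # TODO(review): original lines 2862-2863 were dropped here
        # (presumably the AP is torn down before the next group's AP is
        # added); restore from upstream.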
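def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group"""
    # The server is configured with group ids that are not valid for EAP-pwd;
    # even with every group allowed on the station, negotiation must end in
    # EAP-FAILURE rather than a connection on an unusable group.
    # NOTE(review): the "if ev is None:" guard (original line 2879) dropped
    # by the rendering is restored; lines 2884-2885 after the loop body are
    # missing.
    check_eap_capa(dev[0], "PWD")
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf"}
    for i in [0, 25, 26, 27]:
        logger.info("Group %d" % i)
        params['pwd_group'] = str(i)
        hapd = hostapd.add_ap(apdev[0], params)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                       identity="pwd user", password="secret password",
                       phase1="eap_pwd_groups=0-65535",
                       scan_freq="2412", wait_connect=False)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        if ev is None:
            raise Exception("Timeout on EAP failure report (group %d)" % i)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()
        # TODO(review): original lines 2884-2885 were dropped here
        # (presumably the AP is torn down before the next iteration);
        # restore from upstream.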
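def test_ap_wpa2_eap_pwd_disabled_group(dev, apdev):
    """WPA2-Enterprise connection using disabled EAP-pwd group"""
    # The station restricts itself to group 20 (phase1 eap_pwd_groups=20).
    # An AP offering any other group must be refused with EAP-FAILURE; an AP
    # offering group 20 must then connect normally.
    # NOTE(review): the rendering dropped the loop header (original line
    # 2892), the "if ev is None:" guard (2901), the end of the loop body
    # (2906-2907) and the closing argument line of the final connect()
    # (2913-2914).  The guard is restored; the group list below is a
    # constructed placeholder derived from the [19, 20, 21] set used by
    # test_ap_wpa2_eap_pwd_groups minus the permitted group 20 -- confirm
    # against upstream.
    check_eap_capa(dev[0], "PWD")
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf"}
    disabled_groups = [19, 21]  # constructed placeholder, see note above
    for i in disabled_groups:
        logger.info("Group %d" % i)
        params['pwd_group'] = str(i)
        hapd = hostapd.add_ap(apdev[0], params)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                       identity="pwd user", password="secret password",
                       phase1="eap_pwd_groups=20",
                       scan_freq="2412", wait_connect=False)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        if ev is None:
            raise Exception("Timeout on EAP failure report (group %d)" % i)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()
        # TODO(review): original lines 2906-2907 were dropped here
        # (presumably the AP is torn down before the next iteration);
        # restore from upstream.

    # Positive case: the one group the station permits.
    params['pwd_group'] = "20"
    hapd = hostapd.add_ap(apdev[0], params)
    # scan_freq="2412" is restored by analogy with every other connect()
    # call in this file (original lines 2913-2914 dropped) -- confirm.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   phase1="eap_pwd_groups=20",
                   scan_freq="2412")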
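def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
    check_eap_capa(dev[0], "PWD")
    # The original first built wpa2_eap_params() and then overwrote the
    # result; only the explicit dictionary below was ever used.
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              # A 40-byte server-side fragment size forces the EAP server to
              # fragment its EAP-pwd messages.
              "pwd_group": "19", "fragment_size": "40"}
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PWD", "pwd user", password="secret password")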
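def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK"""
    # Connect, re-authenticate, force each cipher suite through phase1, then
    # check that an unknown cipher id and a wrong key are both refused.
    # NOTE(review): "if ev is None:" guards dropped by this rendering are
    # restored (wait_event() returns None on timeout).
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    sta = dev[0]
    # 'net_id' replaces the original 'id', which shadowed the builtin.
    net_id = eap_connect(sta, hapd, "GPSK", "gpsk user",
                         password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(sta, "GPSK")

    logger.info("Test forced algorithm selection")
    # After each phase1 change the test expects a fresh EAP exchange that
    # ends in success and a (re)connection.
    for phase1 in ["cipher=1", "cipher=2"]:
        sta.set_network_quoted(net_id, "phase1", phase1)
        ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        sta.wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    # An unknown cipher id must be rejected, not silently replaced.
    sta.set_network_quoted(net_id, "phase1", "cipher=9")
    ev = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # First byte of the key differs from the correct one.
    eap_connect(sta, hapd, "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)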
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    good_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(sta, ap, "SAKE", "sake user", password_hex=good_key)
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # First byte flipped relative to the good key; the server must refuse it.
    bad_key = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(sta, ap, "SAKE", "sake user", password_hex=bad_key,
                expect_failure=True)
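def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE"""
    # Connect, re-authenticate, walk through several forced proposals, then
    # check that unknown ids, unaccepted DH groups and a wrong password are
    # all refused.
    # NOTE(review): "if ev is None:" guards dropped by this rendering are
    # restored (wait_event() returns None on timeout).
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    sta = dev[0]
    # 'net_id' replaces the original 'id', which shadowed the builtin.
    net_id = eap_connect(sta, hapd, "EKE", "eke user", password="hello")
    eap_reauth(sta, "EKE")

    logger.info("Test forced algorithm selection")
    # Each phase1 string pins one DH group / cipher / PRF / MAC proposal and
    # every combination listed here must still complete the exchange.
    for phase1 in ["dhgroup=5 encr=1 prf=2 mac=2",
                   "dhgroup=4 encr=1 prf=2 mac=2",
                   "dhgroup=3 encr=1 prf=2 mac=2",
                   "dhgroup=3 encr=1 prf=1 mac=1"]:
        sta.set_network_quoted(net_id, "phase1", phase1)
        ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        sta.wait_connected(timeout=10)
        sta.dump_monitor()

    logger.info("Test failed algorithm negotiation")
    # Unknown ids for every parameter: the peer must fail, not fall back.
    sta.set_network_quoted(net_id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    ev = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")
    sta.dump_monitor()

    logger.info("Test unsupported algorithm proposals")
    # dhgroup=2 and dhgroup=1 are proposals that are expected to be rejected.
    sta.request("REMOVE_NETWORK all")
    sta.dump_monitor()
    eap_connect(sta, hapd, "EKE", "eke user", password="hello",
                phase1="dhgroup=2 encr=1 prf=1 mac=1", expect_failure=True)
    sta.request("REMOVE_NETWORK all")
    sta.dump_monitor()
    eap_connect(sta, hapd, "EKE", "eke user", password="hello",
                phase1="dhgroup=1 encr=1 prf=1 mac=1", expect_failure=True)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "EKE", "eke user", password="hello1",
                expect_failure=True)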
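def test_ap_wpa2_eap_eke_many(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-EKE (many connections) [long]"""
    # Stress test: 100 rounds of EKE authentication on each of the three
    # stations, counting successes and failures.  A DISCONNECTED outcome is
    # tolerated (the RADIUS server's session limit may be hit) and only
    # logged; a missing event is a hard failure.
    # NOTE(review): this rendering dropped the counter initialisation
    # (original lines 3015-3016), the inner loop header (3018), the
    # "if ev is None:" guard (3026), the counter updates and else branch
    # (3029, 3036-3037) and a delay line (3035).  They are reconstructed
    # from the final "Total success=%d failure=%d" log and the three-station
    # fixture used elsewhere in this file; the delay length is a constructed
    # placeholder.
    import time  # for the reconstructed back-off; presumably already imported at file level
    if not params['long']:
        raise HwsimSkip("Skip test case with long duration due to --long not specified")
    # 'ap_params' instead of rebinding the 'params' argument, which the
    # original did.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], ap_params)

    success = 0
    fail = 0
    for i in range(100):
        for j in range(3):
            dev[j].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="EKE",
                           identity="eke user", password="hello",
                           phase1="dhgroup=3 encr=1 prf=1 mac=1",
                           scan_freq="2412", wait_connect=False)

            ev = dev[j].wait_event(["CTRL-EVENT-CONNECTED",
                                    "CTRL-EVENT-DISCONNECTED"], timeout=15)
            if ev is None:
                raise Exception("No connected/disconnected event")
            if "CTRL-EVENT-DISCONNECTED" in ev:
                fail += 1
                # The RADIUS server limits on active sessions can be hit when
                # going through this test case, so try to give some more time
                # for the server to remove sessions.
                logger.info("Failed to connect i=%d j=%d" % (i, j))
                dev[j].request("REMOVE_NETWORK all")
                time.sleep(1)  # constructed placeholder for the dropped delay (line 3035)
            else:
                success += 1
                dev[j].request("REMOVE_NETWORK all")
                dev[j].wait_disconnected()
            dev[j].dump_monitor()
    logger.info("Total success=%d failure=%d" % (success, fail))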
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
    # The server identity is given in NAI form; the peer must still complete
    # the EKE exchange against it.
    ap_params = int_eap_server_params()
    ap_params['server_id'] = 'example.server@w1.fi'
    ap = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[0], ap, "EKE", "eke user", password="hello")
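def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with server OOM"""
    # Allocation failures are injected into the hostapd EAP-EKE server at the
    # named functions; every injected failure must make the exchange fail
    # cleanly (no crash, no success on a half-built state).  The last loop
    # walks every allocation on the server state-machine path until the
    # injected failure no longer triggers.
    # NOTE(review): this rendering dropped the polling-loop headers, the
    # delays between polls and the 'break' lines (original lines 3086-3089
    # and 3101-3104), the 'try:' opening the last loop body (3093) and the
    # lines 3108 and 3111-3112 inside its except clause.  The structure is
    # reconstructed; poll bounds, delays and the minimum-count threshold are
    # constructed placeholders to confirm against upstream.
    import time  # for the reconstructed poll delay; presumably already imported at file level
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    sta = dev[0]
    sta.scan_for_bss(apdev[0]['bssid'], freq=2412)

    for count, func in [(1, "eap_eke_build_commit"),
                        (2, "eap_eke_build_commit"),
                        (3, "eap_eke_build_commit"),
                        (1, "eap_eke_build_confirm"),
                        (2, "eap_eke_build_confirm"),
                        (1, "eap_eke_process_commit"),
                        (2, "eap_eke_process_commit"),
                        (1, "eap_eke_process_confirm"),
                        (1, "eap_eke_process_identity"),
                        (2, "eap_eke_process_identity"),
                        (3, "eap_eke_process_identity"),
                        (4, "eap_eke_process_identity")]:
        with alloc_fail(hapd, count, func):
            eap_connect(sta, hapd, "EKE", "eke user", password="hello",
                        expect_failure=True)
            sta.request("REMOVE_NETWORK all")

    for count, func, pw in [(1, "eap_eke_init", "hello"),
                            (1, "eap_eke_get_session_id", "hello"),
                            (1, "eap_eke_getKey", "hello"),
                            (1, "eap_eke_build_msg", "hello"),
                            (1, "eap_eke_build_failure", "wrong"),
                            (1, "eap_eke_build_identity", "hello"),
                            (2, "eap_eke_build_identity", "hello")]:
        with alloc_fail(hapd, count, func):
            sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                        eap="EKE", identity="eke user", password=pw,
                        wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            for _ in range(20):  # constructed placeholder bound (line 3086)
                time.sleep(0.1)  # constructed placeholder delay (line 3087)
                if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                    break
            sta.request("REMOVE_NETWORK all")

    # The original reused the leftover loop variable 'pw' here; its last
    # value in the loop above is "hello", which is written out explicitly.
    for count in range(1, 1000):
        try:
            with alloc_fail(hapd, count, "eap_server_sm_step"):
                sta.connect("test-wpa2-eap",
                            key_mgmt="WPA-EAP WPA-EAP-SHA256",
                            eap="EKE", identity="eke user", password="hello",
                            wait_connect=False, scan_freq="2412")
                # This would eventually time out, but we can stop after having
                # reached the allocation failure.
                for _ in range(20):  # constructed placeholder bound (line 3101)
                    time.sleep(0.1)  # constructed placeholder delay (line 3102)
                    if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                        break
                sta.request("REMOVE_NETWORK all")
        except Exception as e:
            if str(e) == "Allocation failure did not trigger":
                # No allocation left to fail on this path: every allocation
                # has been exercised.  Guard against a trivially short run.
                if count < 30:  # constructed placeholder threshold (line 3108)
                    raise Exception("Too few allocation failures")
                logger.info("%d allocation failures tested" % (count - 1))
                break
            # Any other failure is a real test error.
            raise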
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    check_eap_capa(dev[0], "IKEV2")
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]

    eap_connect(sta, ap, "IKEV2", "ikev2 user", password="ike password")
    eap_reauth(sta, "IKEV2")
    sta.request("REMOVE_NETWORK all")

    # A small peer-side fragment size forces EAP-IKEv2 fragmentation.
    eap_connect(sta, ap, "IKEV2", "ikev2 user",
                password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", "ikev2 user",
                password="ike-password", expect_failure=True)
    sta.request("REMOVE_NETWORK all")

    # Boundary value for the fragmentation setting.
    eap_connect(sta, ap, "IKEV2", "ikev2 user",
                password="ike password", fragment_size="0")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
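def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
    check_eap_capa(dev[0], "IKEV2")
    # The original first built wpa2_eap_params() and then overwrote the
    # result; only the explicit dictionary below was ever used.
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              # Server-side fragment size: forces the EAP server to fragment
              # its EAP-IKEv2 messages.
              "fragment_size": "50"}
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")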
3150 def test_ap_wpa2_eap_ikev2_oom(dev
, apdev
):
3151 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
3152 check_eap_capa(dev
[0], "IKEV2")
3153 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3154 hostapd
.add_ap(apdev
[0], params
)
3156 tests
= [(1, "dh_init"),
3158 (1, "dh_derive_shared")]
3159 for count
, func
in tests
:
3160 with
alloc_fail(dev
[0], count
, func
):
3161 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="IKEV2",
3162 identity
="ikev2 user", password
="ike password",
3163 wait_connect
=False, scan_freq
="2412")
3164 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
3166 raise Exception("EAP method not selected")
3168 if "0:" in dev
[0].request("GET_ALLOC_FAIL"):
3171 dev
[0].request("REMOVE_NETWORK all")
3173 tls
= dev
[0].request("GET tls_library")
3174 if not tls
.startswith("wolfSSL"):
3175 tests
= [(1, "os_get_random;dh_init")]
3177 tests
= [(1, "crypto_dh_init;dh_init")]
3178 for count
, func
in tests
:
3179 with
fail_test(dev
[0], count
, func
):
3180 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="IKEV2",
3181 identity
="ikev2 user", password
="ike password",
3182 wait_connect
=False, scan_freq
="2412")
3183 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
3185 raise Exception("EAP method not selected")
3187 if "0:" in dev
[0].request("GET_FAIL"):
3190 dev
[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    Authenticates and re-authenticates with the EAP-PAX shared key given as
    hex, then verifies that a key differing only in its first byte is
    rejected (expect_failure=True).
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    sta = dev[0]
    identity = "pax.user@example.com"
    good_key = "0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef"

    eap_connect(sta, hapd, "PAX", identity, password_hex=good_key)
    eap_reauth(sta, "PAX")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "PAX", identity,
                password_hex=bad_key,
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    The AP is configured for WPA-EAP-SHA256 with ieee80211w=2 (management
    frame protection required). The station authenticates with EAP-PSK
    using sha256=True, re-authenticates, and the SHA256 AKM (00-0f-ac-5) is
    checked both in the MIB and in the scan-table BSS flags. A key that
    differs in its first byte must be rejected.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params.update({"wpa_key_mgmt": "WPA-EAP-SHA256", "ieee80211w": "2"})
    hapd = hostapd.add_ap(apdev[0], ap_params)
    sta = dev[0]
    identity = "psk.user@example.com"

    eap_connect(sta, hapd, "PSK", identity,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(sta, "PSK", sha256=True)
    akm_sha256 = "00-0f-ac-5"
    check_mib(sta, [("dot11RSNAAuthenticationSuiteRequested", akm_sha256),
                    ("dot11RSNAAuthenticationSuiteSelected", akm_sha256)])

    # The BSS entry must advertise the SHA256 AKM the station just used.
    bss = sta.get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SHA256-CCMP]" not in bss['flags']:
        raise Exception("Unexpected BSS flags: " + bss['flags'])

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "PSK", identity,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
def test_ap_wpa2_eap_psk_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK and OOM

    Injects allocation failures (alloc_fail / GET_ALLOC_FAIL) and forced
    failures (fail_test / GET_FAIL) into the AES-EAX, AES-CTR and OMAC1
    primitives the EAP-PSK peer relies on, and requires every injected
    fault to actually be hit via wait_fail_trigger(). Finally a failing
    aes_128_encrypt_block must surface as CTRL-EVENT-EAP-FAILURE rather
    than a hang.

    NOTE(review): the ``if ev is None:`` guards that follow each
    wait_event() were not visible in the rendered source this block was
    restored from; they follow the idiom used throughout this file --
    confirm against upstream.
    """
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]

    def start_connect():
        # wait_connect=False: the injected fault is expected to abort EAP,
        # so the caller inspects events instead of waiting for association.
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                    identity="psk.user@example.com",
                    password_hex="0123456789abcdef0123456789abcdef",
                    wait_connect=False, scan_freq="2412")

    def expect_method_selected():
        if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5) is None:
            raise Exception("EAP method not selected")

    def cleanup():
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()

    def run_faults(faults, injector, status_cmd):
        # faults: (count, function-spec) pairs in the format accepted by
        # alloc_fail()/fail_test(); status_cmd is the matching GET_* command.
        for count, func in faults:
            with injector(sta, count, func):
                start_connect()
                expect_method_selected()
                wait_fail_trigger(sta, status_cmd,
                                  note="Failure not triggered: %d:%s" % (count, func))
                cleanup()

    run_faults([(1, "=aes_128_eax_encrypt"),
                (1, "=aes_128_eax_decrypt")],
               alloc_fail, "GET_ALLOC_FAIL")

    run_faults([(1, "aes_ctr_encrypt;aes_128_eax_encrypt"),
                (1, "omac1_aes_128;aes_128_eax_encrypt"),
                (2, "omac1_aes_128;aes_128_eax_encrypt"),
                (3, "omac1_aes_128;aes_128_eax_encrypt"),
                (1, "omac1_aes_vector"),
                (1, "omac1_aes_128;aes_128_eax_decrypt"),
                (2, "omac1_aes_128;aes_128_eax_decrypt"),
                (3, "omac1_aes_128;aes_128_eax_decrypt"),
                (1, "aes_ctr_encrypt;aes_128_eax_decrypt")],
               fail_test, "GET_FAIL")

    with fail_test(sta, 1, "aes_128_encrypt_block"):
        start_connect()
        if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
            raise Exception("EAP method failure not reported")
        cleanup()
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    Uses WPA (rsn=False) with an EAP-PEAP/MSCHAPv2 station, checks data
    connectivity and re-authentication, verifies the WPA AKM (00-50-f2-1)
    in the MIB, and inspects STATUS-VERBOSE: portControl must be "Auto" and
    eap_session_id must start with "19" (the EAP-PEAP method type, 25).

    NOTE(review): the final argument line of the connect() call was not
    visible in the rendered source; scan_freq="2412" is assumed, matching
    every other connect() call in this file -- confirm against upstream.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa_eap_params(ssid="test-wpa-eap"))
    sta = dev[0]
    sta.connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                identity="user", password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem", wait_connect=False,
                scan_freq="2412")
    eap_check_auth(sta, "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "PEAP", rsn=False)
    akm_wpa = "00-50-f2-1"
    check_mib(sta, [("dot11RSNAAuthenticationSuiteRequested", akm_wpa),
                    ("dot11RSNAAuthenticationSuiteSelected", akm_wpa)])

    status = sta.get_status(extra="VERBOSE")
    # Checks are ordered as in the original so the same error is raised
    # first for a given malformed status output.
    if 'portControl' not in status:
        raise Exception("portControl missing from STATUS-VERBOSE")
    port_control = status['portControl']
    if port_control != 'Auto':
        raise Exception("Unexpected portControl value: " + port_control)
    if 'eap_session_id' not in status:
        raise Exception("eap_session_id missing from STATUS-VERBOSE")
    session_id = status['eap_session_id']
    if not session_id.startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + session_id)
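def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry

    Starts each connection without a stored password (and, in one case,
    without an identity) and answers the resulting CTRL-REQ-IDENTITY and
    CTRL-REQ-PASSWORD / CTRL-REQ-OTP requests over the control interface,
    for TTLS and PEAP with several inner methods.

    NOTE(review): ``logger.info(desc)``, the ``if req_id:`` guard and the
    ``if ev is None:`` guards were not visible in the rendered source this
    block was restored from and follow the surrounding idiom -- confirm
    against upstream.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # The identity contains a literal backslash. The original wrote it as
    # "DOMAIN\mschapv2 user": "\m" is not a valid escape sequence (a
    # DeprecationWarning, and a SyntaxWarning since Python 3.12), so the
    # backslash is now escaped; the runtime string is unchanged.
    domain_user = "DOMAIN\\mschapv2 user"

    # (description, eap, anonymous_identity, identity, phase2,
    #  identity to supply interactively or None, password to supply)
    tests = [("Connection with dynamic TTLS/MSCHAPv2 password entry",
              "TTLS", "ttls", domain_user, "auth=MSCHAPV2",
              None, "password"),
             ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
              "TTLS", "ttls", None, "auth=MSCHAPV2",
              domain_user, "password"),
             ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
              "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
             ("Connection with dynamic TTLS/EAP-MD5 password entry",
              "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
             ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
              "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
             ("Connection with dynamic PEAP/EAP-GTC password entry",
              "PEAP", None, "user", "auth=GTC", None, "password")]
    for desc, eap, anon, identity, phase2, req_id, req_pw in tests:
        logger.info(desc)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")

        if req_id:
            ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
            if ev is None:
                raise Exception("Request for identity timed out")
            # "CTRL-REQ-IDENTITY-<id>:..." -- the response must carry the
            # same <id> so wpa_supplicant can match it to the request.
            req_num = ev.split(':')[0].split('-')[-1]
            dev[0].request("CTRL-RSP-IDENTITY-" + req_num + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD", "CTRL-REQ-OTP"])
        if ev is None:
            raise Exception("Request for password timed out")
        req_num = ev.split(':')[0].split('-')[-1]
        # GTC may ask for a one-time password; reply with the matching type.
        rsp_type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + rsp_type + "-" + req_num + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")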
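def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
    """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK

    Connects with TTLS/MSCHAPv2, supplying the identity interactively via
    CTRL-RSP-IDENTITY, then enables a second, unrelated network profile and
    verifies that ENABLE_NETWORK does not cause a reconnection attempt
    ("SME: Trying to authenticate") while the association is up.

    NOTE(review): the ``if ev is None:`` / ``if ev is not None:`` guards
    around the two wait_event() calls were not visible in the rendered
    source this block was restored from; they were inferred from the
    exception messages -- confirm against upstream.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    # A second profile that is only added (only_add_network=True), to be
    # enabled later while the EAP connection is active.
    id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
                              only_add_network=True)

    # The original wrote "DOMAIN\mschapv2 user" with a bare backslash, an
    # invalid escape sequence (SyntaxWarning since Python 3.12); escaping it
    # leaves the runtime string unchanged.
    req_id = "DOMAIN\\mschapv2 user"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   anonymous_identity="ttls", identity=None,
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    if ev is None:
        raise Exception("Request for identity timed out")
    # "CTRL-REQ-IDENTITY-<id>:..." -- echo the same <id> in the response.
    req_num = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + req_num + ":" + req_id)
    dev[0].wait_connected(timeout=10)

    if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
        raise Exception("Failed to enable network")
    # Enabling another profile must not disturb the current connection.
    ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
    if ev is not None:
        raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
    dev[0].request("REMOVE_NETWORK all")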
3380 def test_ap_wpa2_eap_vendor_test(dev
, apdev
):
3381 """WPA2-Enterprise connection using EAP vendor test"""
3382 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3383 hapd
= hostapd
.add_ap(apdev
[0], params
)
3384 eap_connect(dev
[0], hapd
, "VENDOR-TEST", "vendor-test")
3385 eap_reauth(dev
[0], "VENDOR-TEST")
3386 eap_connect(dev
[1], hapd
, "VENDOR-TEST", "vendor-test",
def test_ap_wpa2_eap_vendor_test_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test (OOM)

    Injects a single allocation failure into each of the vendor-test EAP
    method's init, process and getKey paths and requires the failure to be
    triggered (wait_fail_trigger on GET_ALLOC_FAIL) before tearing the
    network down.

    NOTE(review): the ``for func in tests:`` line and two keyword-argument
    continuation lines of connect() (scan_freq="2412", wait_connect=False)
    were not visible in the rendered source this block was restored from;
    they follow the surrounding idiom -- confirm against upstream.
    """
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]

    fail_points = ["eap_vendor_test_init",
                   "eap_msg_alloc;eap_vendor_test_process",
                   "eap_vendor_test_getKey"]
    for func in fail_points:
        with alloc_fail(sta, 1, func):
            sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                        scan_freq="2412",
                        eap="VENDOR-TEST", identity="vendor-test",
                        wait_connect=False)
            wait_fail_trigger(sta, "GET_ALLOC_FAIL")
            sta.request("REMOVE_NETWORK all")
            sta.wait_disconnected()
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    Provisions a PAC in-band during the first connection
    (fast_provisioning=1, stored in the "fast_pac" blob), checks data
    connectivity, and then requires the re-authentication to resume via the
    PAC (tls_session_reused == '1').
    """
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    eap_connect(sta, hapd, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(sta, hapd)
    reauth = eap_reauth(sta, "FAST")
    # A fresh full handshake here would mean the provisioned PAC was not
    # used for session resumption.
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
3421 def test_ap_wpa2_eap_fast_pac_file(dev
, apdev
, params
):
3422 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
3423 check_eap_capa(dev
[0], "FAST")
3424 pac_file
= os
.path
.join(params
['logdir'], "fast.pac")
3425 pac_file2
= os
.path
.join(params
['logdir'], "fast-bin.pac")
3426 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3427 hapd
= hostapd
.add_ap(apdev
[0], params
)
3430 eap_connect(dev
[0], hapd
, "FAST", "user",
3431 anonymous_identity
="FAST", password
="password",
3432 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3433 phase1
="fast_provisioning=1", pac_file
=pac_file
)
3434 with
open(pac_file
, "r") as f
:
3436 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data
:
3437 raise Exception("PAC file header missing")
3438 if "PAC-Key=" not in data
:
3439 raise Exception("PAC-Key missing from PAC file")
3440 dev
[0].request("REMOVE_NETWORK all")
3441 eap_connect(dev
[0], hapd
, "FAST", "user",
3442 anonymous_identity
="FAST", password
="password",
3443 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3446 eap_connect(dev
[1], hapd
, "FAST", "user",
3447 anonymous_identity
="FAST", password
="password",
3448 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3449 phase1
="fast_provisioning=1 fast_pac_format=binary",
3451 dev
[1].request("REMOVE_NETWORK all")
3452 eap_connect(dev
[1], hapd
, "FAST", "user",
3453 anonymous_identity
="FAST", password
="password",
3454 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3455 phase1
="fast_pac_format=binary",
3463 os
.remove(pac_file2
)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    Provisions a PAC stored in binary format (fast_pac_format=binary) into
    the "fast_pac_bin" blob with the PAC list limited to one entry,
    requires the re-authentication to resume via that PAC, and then repeats
    the provisioning with fast_max_pac_list_len=0 to cover that special
    case.
    """
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]

    def provision(max_pac_list_len):
        # Only the fast_max_pac_list_len value differs between the two runs.
        phase1 = ("fast_provisioning=1 fast_max_pac_list_len=%d "
                  "fast_pac_format=binary" % max_pac_list_len)
        eap_connect(sta, hapd, "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1=phase1,
                    pac_file="blob://fast_pac_bin")

    provision(1)
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")

    # Verify fast_max_pac_list_len=0 special case
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
    provision(0)
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config

    Two misconfigurations must each end in CTRL-EVENT-EAP-FAILURE rather
    than a connection: pointing pac_file at a blob this test never
    populates while provisioning is not enabled, and omitting pac_file
    altogether.

    NOTE(review): the ``if ev is None:`` guards after the two wait_event()
    calls were not visible in the rendered source this block was restored
    from; they follow the idiom used throughout this file -- confirm
    against upstream.
    """
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]

    def connect_and_expect_eap_failure(**pac_args):
        # pac_args is either {"pac_file": ...} or empty; it is placed where
        # the original passed pac_file so the SET_NETWORK order is unchanged.
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                    identity="user", anonymous_identity="FAST",
                    password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    **pac_args,
                    wait_connect=False, scan_freq="2412")
        if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception("Timeout on EAP failure report")

    connect_and_expect_eap_failure(pac_file="blob://fast_pac_not_in_use")
    sta.request("REMOVE_NETWORK all")

    connect_and_expect_eap_failure()
3516 def test_ap_wpa2_eap_fast_binary_pac_errors(dev
, apdev
):
3517 """EAP-FAST and binary PAC errors"""
3518 check_eap_capa(dev
[0], "FAST")
3519 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3520 hapd
= hostapd
.add_ap(apdev
[0], params
)
3522 tests
= [(1, "=eap_fast_save_pac_bin"),
3523 (1, "eap_fast_write_pac"),
3524 (2, "eap_fast_write_pac"),]
3525 for count
, func
in tests
:
3526 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors "):
3527 raise Exception("Could not set blob")
3529 with
alloc_fail(dev
[0], count
, func
):
3530 eap_connect(dev
[0], hapd
, "FAST", "user",
3531 anonymous_identity
="FAST", password
="password",
3532 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3533 phase1
="fast_provisioning=1 fast_pac_format=binary",
3534 pac_file
="blob://fast_pac_bin_errors")
3535 dev
[0].request("REMOVE_NETWORK all")
3536 dev
[0].wait_disconnected()
3538 tests
= ["00", "000000000000", "6ae4920c0001",
3540 "6ae4920c0000" + "0000" + 32*"00" + "ffff" + "0000",
3541 "6ae4920c0000" + "0000" + 32*"00" + "0001" + "0000",
3542 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0001",
3543 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0008" + "00040000" + "0007000100"]
3545 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + t
):
3546 raise Exception("Could not set blob")
3548 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3549 identity
="user", anonymous_identity
="FAST",
3550 password
="password",
3551 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3552 phase1
="fast_provisioning=1 fast_pac_format=binary",
3553 pac_file
="blob://fast_pac_bin_errors",
3554 scan_freq
="2412", wait_connect
=False)
3555 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"],
3558 raise Exception("Failure not reported")
3559 dev
[0].request("REMOVE_NETWORK all")
3560 dev
[0].wait_disconnected()
3562 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0000"
3563 tests
= [(1, "eap_fast_load_pac_bin"),
3564 (2, "eap_fast_load_pac_bin"),
3565 (3, "eap_fast_load_pac_bin")]
3566 for count
, func
in tests
:
3567 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3568 raise Exception("Could not set blob")
3570 with
alloc_fail(dev
[0], count
, func
):
3571 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3572 identity
="user", anonymous_identity
="FAST",
3573 password
="password",
3574 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3575 phase1
="fast_provisioning=1 fast_pac_format=binary",
3576 pac_file
="blob://fast_pac_bin_errors",
3577 scan_freq
="2412", wait_connect
=False)
3578 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"],
3581 raise Exception("Failure not reported")
3582 dev
[0].request("REMOVE_NETWORK all")
3583 dev
[0].wait_disconnected()
3585 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0005" + "0011223344"
3586 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3587 raise Exception("Could not set blob")
3589 eap_connect(dev
[0], hapd
, "FAST", "user",
3590 anonymous_identity
="FAST", password
="password",
3591 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3592 phase1
="fast_provisioning=1 fast_pac_format=binary",
3593 pac_file
="blob://fast_pac_bin_errors")
3594 dev
[0].request("REMOVE_NETWORK all")
3595 dev
[0].wait_disconnected()
3597 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0009" + "00040000" + "0007000100"
3598 tests
= [(1, "eap_fast_pac_get_a_id"),
3599 (2, "eap_fast_pac_get_a_id")]
3600 for count
, func
in tests
:
3601 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3602 raise Exception("Could not set blob")
3603 with
alloc_fail(dev
[0], count
, func
):
3604 eap_connect(dev
[0], hapd
, "FAST", "user",
3605 anonymous_identity
="FAST", password
="password",
3606 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3607 phase1
="fast_provisioning=1 fast_pac_format=binary",
3608 pac_file
="blob://fast_pac_bin_errors")
3609 dev
[0].request("REMOVE_NETWORK all")
3610 dev
[0].wait_disconnected()
3612 def test_ap_wpa2_eap_fast_text_pac_errors(dev
, apdev
):
3613 """EAP-FAST and text PAC errors"""
3614 check_eap_capa(dev
[0], "FAST")
3615 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3616 hostapd
.add_ap(apdev
[0], params
)
3618 tests
= [(1, "eap_fast_parse_hex;eap_fast_parse_pac_key"),
3619 (1, "eap_fast_parse_hex;eap_fast_parse_pac_opaque"),
3620 (1, "eap_fast_parse_hex;eap_fast_parse_a_id"),
3621 (1, "eap_fast_parse_start"),
3622 (1, "eap_fast_save_pac")]
3623 for count
, func
in tests
:
3624 dev
[0].request("FLUSH")
3625 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors "):
3626 raise Exception("Could not set blob")
3628 with
alloc_fail(dev
[0], count
, func
):
3629 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3630 identity
="user", anonymous_identity
="FAST",
3631 password
="password",
3632 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3633 phase1
="fast_provisioning=1",
3634 pac_file
="blob://fast_pac_text_errors",
3635 scan_freq
="2412", wait_connect
=False)
3636 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
3637 dev
[0].request("REMOVE_NETWORK all")
3638 dev
[0].wait_disconnected()
3640 pac
= "wpa_supplicant EAP-FAST PAC file - version 1\n"
3644 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors " + binascii
.hexlify(pac
.encode()).decode()):
3645 raise Exception("Could not set blob")
3647 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3648 identity
="user", anonymous_identity
="FAST",
3649 password
="password",
3650 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3651 phase1
="fast_provisioning=1",
3652 pac_file
="blob://fast_pac_text_errors",
3653 scan_freq
="2412", wait_connect
=False)
3654 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"], timeout
=5)
3656 raise Exception("Failure not reported")
3657 dev
[0].request("REMOVE_NETWORK all")
3658 dev
[0].wait_disconnected()
3660 dev
[0].request("FLUSH")
3661 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors "):
3662 raise Exception("Could not set blob")
3664 with
alloc_fail(dev
[0], 1, "eap_fast_add_pac_data"):
3666 params
= int_eap_server_params()
3667 params
['ssid'] = "test-wpa2-eap-2"
3668 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3669 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3670 params
['eap_fast_a_id_info'] = "test server %d" % i
3672 hapd2
= hostapd
.add_ap(apdev
[1], params
)
3674 dev
[0].connect("test-wpa2-eap-2", key_mgmt
="WPA-EAP", eap
="FAST",
3675 identity
="user", anonymous_identity
="FAST",
3676 password
="password",
3677 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3678 phase1
="fast_provisioning=1",
3679 pac_file
="blob://fast_pac_text_errors",
3680 scan_freq
="2412", wait_connect
=False)
3681 dev
[0].wait_connected()
3682 dev
[0].request("REMOVE_NETWORK all")
3683 dev
[0].wait_disconnected()
3687 def test_ap_wpa2_eap_fast_pac_truncate(dev
, apdev
):
3688 """EAP-FAST and PAC list truncation"""
3689 check_eap_capa(dev
[0], "FAST")
3690 if "OK" not in dev
[0].request("SET blob fast_pac_truncate "):
3691 raise Exception("Could not set blob")
3693 params
= int_eap_server_params()
3694 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3695 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3696 params
['eap_fast_a_id_info'] = "test server %d" % i
3697 hapd
= hostapd
.add_ap(apdev
[0], params
)
3699 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3700 identity
="user", anonymous_identity
="FAST",
3701 password
="password",
3702 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3703 phase1
="fast_provisioning=1 fast_max_pac_list_len=2",
3704 pac_file
="blob://fast_pac_truncate",
3705 scan_freq
="2412", wait_connect
=False)
3706 dev
[0].wait_connected()
3707 dev
[0].request("REMOVE_NETWORK all")
3708 dev
[0].wait_disconnected()
3712 def test_ap_wpa2_eap_fast_pac_refresh(dev
, apdev
):
3713 """EAP-FAST and PAC refresh"""
3714 check_eap_capa(dev
[0], "FAST")
3715 if "OK" not in dev
[0].request("SET blob fast_pac_refresh "):
3716 raise Exception("Could not set blob")
3718 params
= int_eap_server_params()
3719 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3720 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3721 params
['eap_fast_a_id_info'] = "test server %d" % i
3722 params
['pac_key_refresh_time'] = "1"
3723 params
['pac_key_lifetime'] = "10"
3724 hapd
= hostapd
.add_ap(apdev
[0], params
)
3726 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3727 identity
="user", anonymous_identity
="FAST",
3728 password
="password",
3729 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3730 phase1
="fast_provisioning=1",
3731 pac_file
="blob://fast_pac_refresh",
3732 scan_freq
="2412", wait_connect
=False)
3733 dev
[0].wait_connected()
3734 dev
[0].request("REMOVE_NETWORK all")
3735 dev
[0].wait_disconnected()
3740 params
= int_eap_server_params()
3741 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3742 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3743 params
['eap_fast_a_id_info'] = "test server %d" % i
3744 params
['pac_key_refresh_time'] = "10"
3745 params
['pac_key_lifetime'] = "10"
3746 hapd
= hostapd
.add_ap(apdev
[0], params
)
3748 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3749 identity
="user", anonymous_identity
="FAST",
3750 password
="password",
3751 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3752 phase1
="fast_provisioning=1",
3753 pac_file
="blob://fast_pac_refresh",
3754 scan_freq
="2412", wait_connect
=False)
3755 dev
[0].wait_connected()
3756 dev
[0].request("REMOVE_NETWORK all")
3757 dev
[0].wait_disconnected()
3761 def test_ap_wpa2_eap_fast_pac_lifetime(dev
, apdev
):
3762 """EAP-FAST and PAC lifetime"""
3763 check_eap_capa(dev
[0], "FAST")
3764 if "OK" not in dev
[0].request("SET blob fast_pac_refresh "):
3765 raise Exception("Could not set blob")
3768 params
= int_eap_server_params()
3769 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3770 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3771 params
['eap_fast_a_id_info'] = "test server %d" % i
3772 params
['pac_key_refresh_time'] = "0"
3773 params
['pac_key_lifetime'] = "2"
3774 hapd
= hostapd
.add_ap(apdev
[0], params
)
3776 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3777 identity
="user", anonymous_identity
="FAST",
3778 password
="password",
3779 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3780 phase1
="fast_provisioning=2",
3781 pac_file
="blob://fast_pac_refresh",
3782 scan_freq
="2412", wait_connect
=False)
3783 dev
[0].wait_connected()
3784 dev
[0].request("DISCONNECT")
3785 dev
[0].wait_disconnected()
3788 dev
[0].request("PMKSA_FLUSH")
3789 dev
[0].request("RECONNECT")
3790 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
3792 raise Exception("No EAP-Failure seen after expired PAC")
3793 dev
[0].request("DISCONNECT")
3794 dev
[0].wait_disconnected()
3796 dev
[0].select_network(id)
3797 dev
[0].wait_connected()
3798 dev
[0].request("REMOVE_NETWORK all")
3799 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning

    Provisions a PAC using authenticated provisioning (fast_provisioning=2)
    with EAP-GTC as the inner method into the "fast_pac_auth" blob, checks
    data connectivity, and then requires the re-authentication to resume
    via the PAC (tls_session_reused == '1').
    """
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    eap_connect(sta, hapd, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(sta, hapd)
    reauth = eap_reauth(sta, "FAST")
    # A fresh full handshake here would mean the provisioned PAC was not
    # used for session resumption.
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing

    After a successful authenticated-provisioning connection, the profile's
    identity is changed to "user2". The station is expected to disconnect,
    start EAP-FAST again (CTRL-EVENT-EAP-METHOD) and then report
    CTRL-EVENT-EAP-FAILURE; the reason for that failure is not visible in
    this test.

    NOTE(review): the ``if ev is None:`` guards after the two wait_event()
    calls were not visible in the rendered source this block was restored
    from; they follow the idiom used throughout this file -- confirm
    against upstream.
    """
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    net_id = eap_connect(sta, hapd, "FAST", "user",
                         anonymous_identity="FAST", password="password",
                         ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                         phase1="fast_provisioning=2",
                         pac_file="blob://fast_pac_auth")
    # Change the identity on the live profile; the existing association is
    # expected to be dropped before EAP is re-run.
    sta.set_network_quoted(net_id, "identity", "user2")
    sta.wait_disconnected()
    if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("EAP-FAST not started")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5) is None:
        raise Exception("EAP failure not reported")
    sta.wait_disconnected()
3835 def test_ap_wpa2_eap_fast_prf_oom(dev
, apdev
):
3836 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
3837 check_eap_capa(dev
[0], "FAST")
3838 tls
= dev
[0].request("GET tls_library")
3839 if tls
.startswith("OpenSSL"):
3840 func
= "tls_connection_get_eap_fast_key"
3842 elif tls
.startswith("internal"):
3843 func
= "tls_connection_prf"
3846 raise HwsimSkip("Unsupported TLS library")
3847 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3848 hapd
= hostapd
.add_ap(apdev
[0], params
)
3849 with
alloc_fail(dev
[0], count
, func
):
3850 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3851 identity
="user", anonymous_identity
="FAST",
3852 password
="password", ca_cert
="auth_serv/ca.pem",
3854 phase1
="fast_provisioning=2",
3855 pac_file
="blob://fast_pac_auth",
3856 wait_connect
=False, scan_freq
="2412")
3857 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
3859 raise Exception("EAP failure not reported")
3860 dev
[0].request("DISCONNECT")
def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
    """EAP-FAST/MSCHAPv2 and server OOM

    Runs the hostapd integrated EAP server (int_eap_server_params) with an
    allocation failure injected into tls_session_ticket_ext_cb, so the
    provisioning attempt must end in CTRL-EVENT-EAP-FAILURE. The same
    profile is then re-selected; note that the visible code does not wait
    for the outcome of that second attempt.

    NOTE(review): the ``if ev is None:`` guard after wait_event() was not
    visible in the rendered source this block was restored from; it follows
    the idiom used throughout this file -- confirm against upstream.
    """
    check_eap_capa(dev[0], "FAST")

    params = int_eap_server_params()
    params.update({'dh_file': 'auth_serv/dh.conf',
                   'pac_opaque_encr_key': '000102030405060708090a0b0c0d0e0f',
                   'eap_fast_a_id': '1011',
                   'eap_fast_a_id_info': 'another test server'})
    hapd = hostapd.add_ap(apdev[0], params)
    sta = dev[0]

    # The fault is injected on the AP (hapd), not the station.
    with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
        net_id = eap_connect(sta, hapd, "FAST", "user",
                             anonymous_identity="FAST", password="password",
                             ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                             phase1="fast_provisioning=1",
                             pac_file="blob://fast_pac",
                             expect_failure=True)
        if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
            raise Exception("No EAP failure reported")
        sta.wait_disconnected()
        sta.request("DISCONNECT")

    sta.select_network(net_id, freq="2412")
3888 def test_ap_wpa2_eap_fast_cipher_suites(dev
, apdev
):
3889 """EAP-FAST and different TLS cipher suites"""
3890 check_eap_capa(dev
[0], "FAST")
3891 tls
= dev
[0].request("GET tls_library")
3892 if not tls
.startswith("OpenSSL") and not tls
.startswith("wolfSSL"):
3893 raise HwsimSkip("TLS library is not OpenSSL or wolfSSL: " + tls
)
3895 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3896 hapd
= hostapd
.add_ap(apdev
[0], params
)
3898 dev
[0].request("SET blob fast_pac_ciphers ")
3899 eap_connect(dev
[0], hapd
, "FAST", "user",
3900 anonymous_identity
="FAST", password
="password",
3901 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3902 phase1
="fast_provisioning=2",
3903 pac_file
="blob://fast_pac_ciphers")
3904 res
= dev
[0].get_status_field('EAP TLS cipher')
3905 dev
[0].request("REMOVE_NETWORK all")
3906 dev
[0].wait_disconnected()
3907 if res
!= "DHE-RSA-AES256-SHA":
3908 raise Exception("Unexpected cipher suite for provisioning: " + res
)
3910 tests
= ["DHE-RSA-AES128-SHA",
3914 "DHE-RSA-AES256-SHA"]
3915 for cipher
in tests
:
3916 dev
[0].dump_monitor()
3917 logger
.info("Testing " + cipher
)
3919 eap_connect(dev
[0], hapd
, "FAST", "user",
3920 openssl_ciphers
=cipher
,
3921 anonymous_identity
="FAST", password
="password",
3922 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3923 pac_file
="blob://fast_pac_ciphers",
3924 report_failure
=True)
3925 except Exception as e
:
3926 if cipher
== "RC4-SHA" and \
3927 ("Could not select EAP method" in str(e
) or \
3928 "EAP failed" in str(e
)):
3929 if "run=OpenSSL 1.1" in tls
:
3930 logger
.info("Allow failure due to missing TLS library support")
3931 dev
[0].request("REMOVE_NETWORK all")
3932 dev
[0].wait_disconnected()
3935 res
= dev
[0].get_status_field('EAP TLS cipher')
3936 dev
[0].request("REMOVE_NETWORK all")
3937 dev
[0].wait_disconnected()
3939 raise Exception("Unexpected TLS cipher info (configured %s): %s" % (cipher
, res
))
3941 def test_ap_wpa2_eap_fast_prov(dev
, apdev
):
3942 """EAP-FAST and provisioning options"""
3943 check_eap_capa(dev
[0], "FAST")
3944 if "OK" not in dev
[0].request("SET blob fast_pac_prov "):
3945 raise Exception("Could not set blob")
3948 params
= int_eap_server_params()
3949 params
['disable_pmksa_caching'] = '1'
3950 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3951 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3952 params
['eap_fast_a_id_info'] = "test server %d" % i
3953 params
['eap_fast_prov'] = "0"
3954 hapd
= hostapd
.add_ap(apdev
[0], params
)
3956 logger
.info("Provisioning attempt while server has provisioning disabled")
3957 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3958 identity
="user", anonymous_identity
="FAST",
3959 password
="password",
3960 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3961 phase1
="fast_provisioning=2",
3962 pac_file
="blob://fast_pac_prov",
3963 scan_freq
="2412", wait_connect
=False)
3964 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3967 raise Exception("EAP result not reported")
3968 if "parameter='failure'" not in ev
:
3969 raise Exception("Unexpected EAP result: " + ev
)
3970 dev
[0].wait_disconnected()
3971 dev
[0].request("DISCONNECT")
3972 dev
[0].dump_monitor()
3975 logger
.info("Authenticated provisioning")
3976 hapd
.set("eap_fast_prov", "2")
3979 dev
[0].select_network(id, freq
="2412")
3980 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3983 raise Exception("EAP result not reported")
3984 if "parameter='success'" not in ev
:
3985 raise Exception("Unexpected EAP result: " + ev
)
3986 dev
[0].wait_connected()
3987 dev
[0].request("DISCONNECT")
3988 dev
[0].wait_disconnected()
3989 dev
[0].dump_monitor()
3992 logger
.info("Provisioning disabled - using previously provisioned PAC")
3993 hapd
.set("eap_fast_prov", "0")
3996 dev
[0].select_network(id, freq
="2412")
3997 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
4000 raise Exception("EAP result not reported")
4001 if "parameter='success'" not in ev
:
4002 raise Exception("Unexpected EAP result: " + ev
)
4003 dev
[0].wait_connected()
4004 dev
[0].request("DISCONNECT")
4005 dev
[0].wait_disconnected()
4006 dev
[0].dump_monitor()
4008 logger
.info("Drop PAC and verify connection failure")
4009 if "OK" not in dev
[0].request("SET blob fast_pac_prov "):
4010 raise Exception("Could not set blob")
4012 dev
[0].select_network(id, freq
="2412")
4013 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
4016 raise Exception("EAP result not reported")
4017 if "parameter='failure'" not in ev
:
4018 raise Exception("Unexpected EAP result: " + ev
)
4019 dev
[0].wait_disconnected()
4020 dev
[0].request("DISCONNECT")
4021 dev
[0].dump_monitor()
4024 logger
.info("Anonymous provisioning")
4025 hapd
.set("eap_fast_prov", "1")
4027 dev
[0].set_network_quoted(id, "phase1", "fast_provisioning=1")
4028 dev
[0].select_network(id, freq
="2412")
4029 # Anonymous provisioning results in EAP-Failure first
4030 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
4033 raise Exception("EAP result not reported")
4034 if "parameter='failure'" not in ev
:
4035 raise Exception("Unexpected EAP result: " + ev
)
4036 dev
[0].wait_disconnected()
4037 # And then the actual data connection
4038 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
4041 raise Exception("EAP result not reported")
4042 if "parameter='success'" not in ev
:
4043 raise Exception("Unexpected EAP result: " + ev
)
4044 dev
[0].wait_connected()
4045 dev
[0].request("DISCONNECT")
4046 dev
[0].wait_disconnected()
4047 dev
[0].dump_monitor()
4050 logger
.info("Provisioning disabled - using previously provisioned PAC")
4051 hapd
.set("eap_fast_prov", "0")
4054 dev
[0].select_network(id, freq
="2412")
4055 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
4058 raise Exception("EAP result not reported")
4059 if "parameter='success'" not in ev
:
4060 raise Exception("Unexpected EAP result: " + ev
)
4061 dev
[0].wait_connected()
4062 dev
[0].request("DISCONNECT")
4063 dev
[0].wait_disconnected()
4064 dev
[0].dump_monitor()
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS with a required OCSP response

    The station is configured with ocsp=2, the strict setting that the
    negative OCSP tests in this file rely on to reject a bad or missing
    stapled status; here the AP-side setup is expected to provide a good
    response, so eap_connect() is expected to succeed.
    """
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    sta_args = {
        "ca_cert": "auth_serv/ca.pem",
        "private_key": "auth_serv/user.pkcs12",
        "private_key_passwd": "whatever",
        "ocsp": 2,
    }
    eap_connect(dev[0], hapd, "TLS", "tls user", **sta_args)
def test_ap_wpa2_eap_tls_ocsp_multi(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP-multi

    NOTE(review): the build is checked for OCSP-multi support, but the
    station is configured with ocsp=2 exactly like test_ap_wpa2_eap_tls_ocsp,
    not with ocsp=3 as the intermediate-CA multi tests in this file use.
    Whether a multi-response path is really exercised here depends on the
    server side configured by hostapd.wpa2_eap_params() - confirm before
    counting this test as OCSP-multi coverage.
    """
    check_ocsp_multi_support(dev[0])
    check_pkcs12_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    sta_args = {
        "ca_cert": "auth_serv/ca.pem",
        "private_key": "auth_serv/user.pkcs12",
        "private_key_passwd": "whatever",
        "ocsp": 2,
    }
    eap_connect(dev[0], hapd, "TLS", "tls user", **sta_args)
def int_eap_server_params():
    """Return hostapd configuration for a WPA2-Enterprise AP with the integrated EAP server.

    The AP enables the built-in EAP server (eap_server=1) and points it at
    the auth_serv/ test user file, CA, server certificate/key and DH
    parameters. A new dict is built on every call because callers override
    entries (server_cert, private_key, ocsp_stapling_response, ...) before
    passing it to hostapd.add_ap().
    """
    cert_dir = "auth_serv/"
    server_params = dict(ssid="test-wpa2-eap",
                         wpa="2",
                         wpa_key_mgmt="WPA-EAP",
                         rsn_pairwise="CCMP",
                         ieee8021x="1",
                         eap_server="1",
                         eap_user_file=cert_dir + "eap_user.conf",
                         ca_cert=cert_dir + "ca.pem",
                         server_cert=cert_dir + "server.pem",
                         private_key=cert_dir + "server.key",
                         dh_file=cert_dir + "dh.conf")
    return server_params
4097 def test_ap_wpa2_eap_tls_ocsp_key_id(dev
, apdev
, params
):
4098 """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
4099 check_ocsp_support(dev
[0])
4100 check_pkcs12_support(dev
[0])
4101 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-key-id.der")
4102 if not os
.path
.exists(ocsp
):
4103 raise HwsimSkip("No OCSP response available")
4104 params
= int_eap_server_params()
4105 params
["ocsp_stapling_response"] = ocsp
4106 hostapd
.add_ap(apdev
[0], params
)
4107 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4108 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4109 private_key
="auth_serv/user.pkcs12",
4110 private_key_passwd
="whatever", ocsp
=2,
4113 def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev
, apdev
, params
):
4114 """EAP-TLS and CA signed OCSP response (good)"""
4115 check_ocsp_support(dev
[0])
4116 check_pkcs12_support(dev
[0])
4117 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed.der")
4118 if not os
.path
.exists(ocsp
):
4119 raise HwsimSkip("No OCSP response available")
4120 params
= int_eap_server_params()
4121 params
["ocsp_stapling_response"] = ocsp
4122 hostapd
.add_ap(apdev
[0], params
)
4123 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4124 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4125 private_key
="auth_serv/user.pkcs12",
4126 private_key_passwd
="whatever", ocsp
=2,
4129 def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev
, apdev
, params
):
4130 """EAP-TLS and CA signed OCSP response (revoked)"""
4131 check_ocsp_support(dev
[0])
4132 check_pkcs12_support(dev
[0])
4133 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-revoked.der")
4134 if not os
.path
.exists(ocsp
):
4135 raise HwsimSkip("No OCSP response available")
4136 params
= int_eap_server_params()
4137 params
["ocsp_stapling_response"] = ocsp
4138 hostapd
.add_ap(apdev
[0], params
)
4139 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4140 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4141 private_key
="auth_serv/user.pkcs12",
4142 private_key_passwd
="whatever", ocsp
=2,
4143 wait_connect
=False, scan_freq
="2412")
4146 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4148 raise Exception("Timeout on EAP status")
4149 if 'bad certificate status response' in ev
:
4151 if 'certificate revoked' in ev
:
4155 raise Exception("Unexpected number of EAP status messages")
4157 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4159 raise Exception("Timeout on EAP failure report")
4161 def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev
, apdev
, params
):
4162 """EAP-TLS and CA signed OCSP response (unknown)"""
4163 check_ocsp_support(dev
[0])
4164 check_pkcs12_support(dev
[0])
4165 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-unknown.der")
4166 if not os
.path
.exists(ocsp
):
4167 raise HwsimSkip("No OCSP response available")
4168 params
= int_eap_server_params()
4169 params
["ocsp_stapling_response"] = ocsp
4170 hostapd
.add_ap(apdev
[0], params
)
4171 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4172 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4173 private_key
="auth_serv/user.pkcs12",
4174 private_key_passwd
="whatever", ocsp
=2,
4175 wait_connect
=False, scan_freq
="2412")
4178 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4180 raise Exception("Timeout on EAP status")
4181 if 'bad certificate status response' in ev
:
4185 raise Exception("Unexpected number of EAP status messages")
4187 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4189 raise Exception("Timeout on EAP failure report")
4191 def test_ap_wpa2_eap_tls_ocsp_server_signed(dev
, apdev
, params
):
4192 """EAP-TLS and server signed OCSP response"""
4193 check_ocsp_support(dev
[0])
4194 check_pkcs12_support(dev
[0])
4195 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-server-signed.der")
4196 if not os
.path
.exists(ocsp
):
4197 raise HwsimSkip("No OCSP response available")
4198 params
= int_eap_server_params()
4199 params
["ocsp_stapling_response"] = ocsp
4200 hostapd
.add_ap(apdev
[0], params
)
4201 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4202 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4203 private_key
="auth_serv/user.pkcs12",
4204 private_key_passwd
="whatever", ocsp
=2,
4205 wait_connect
=False, scan_freq
="2412")
4208 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4210 raise Exception("Timeout on EAP status")
4211 if 'bad certificate status response' in ev
:
4215 raise Exception("Unexpected number of EAP status messages")
4217 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4219 raise Exception("Timeout on EAP failure report")
4221 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev
, apdev
):
4222 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
4223 check_ocsp_support(dev
[0])
4224 check_pkcs12_support(dev
[0])
4225 params
= int_eap_server_params()
4226 params
["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
4227 hostapd
.add_ap(apdev
[0], params
)
4228 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4229 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4230 private_key
="auth_serv/user.pkcs12",
4231 private_key_passwd
="whatever", ocsp
=2,
4232 wait_connect
=False, scan_freq
="2412")
4235 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4237 raise Exception("Timeout on EAP status")
4238 if 'bad certificate status response' in ev
:
4242 raise Exception("Unexpected number of EAP status messages")
4244 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4246 raise Exception("Timeout on EAP failure report")
4248 def test_ap_wpa2_eap_tls_ocsp_invalid(dev
, apdev
):
4249 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
4250 check_ocsp_support(dev
[0])
4251 check_pkcs12_support(dev
[0])
4252 params
= int_eap_server_params()
4253 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
4254 hostapd
.add_ap(apdev
[0], params
)
4255 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4256 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4257 private_key
="auth_serv/user.pkcs12",
4258 private_key_passwd
="whatever", ocsp
=2,
4259 wait_connect
=False, scan_freq
="2412")
4262 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4264 raise Exception("Timeout on EAP status")
4265 if 'bad certificate status response' in ev
:
4269 raise Exception("Unexpected number of EAP status messages")
4271 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4273 raise Exception("Timeout on EAP failure report")
4275 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev
, apdev
):
4276 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
4277 check_ocsp_support(dev
[0])
4278 check_pkcs12_support(dev
[0])
4279 params
= int_eap_server_params()
4280 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
4281 hostapd
.add_ap(apdev
[0], params
)
4282 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4283 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4284 private_key
="auth_serv/user.pkcs12",
4285 private_key_passwd
="whatever", ocsp
=2,
4286 wait_connect
=False, scan_freq
="2412")
4289 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4291 raise Exception("Timeout on EAP status")
4292 if 'bad certificate status response' in ev
:
4296 raise Exception("Unexpected number of EAP status messages")
4298 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4300 raise Exception("Timeout on EAP failure report")
4302 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev
, apdev
, params
):
4303 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
4304 check_ocsp_support(dev
[0])
4305 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-revoked.der")
4306 if not os
.path
.exists(ocsp
):
4307 raise HwsimSkip("No OCSP response available")
4308 params
= int_eap_server_params()
4309 params
["ocsp_stapling_response"] = ocsp
4310 hostapd
.add_ap(apdev
[0], params
)
4311 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4312 identity
="pap user", ca_cert
="auth_serv/ca.pem",
4313 anonymous_identity
="ttls", password
="password",
4314 phase2
="auth=PAP", ocsp
=2,
4315 wait_connect
=False, scan_freq
="2412")
4318 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4320 raise Exception("Timeout on EAP status")
4321 if 'bad certificate status response' in ev
:
4323 if 'certificate revoked' in ev
:
4327 raise Exception("Unexpected number of EAP status messages")
4329 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4331 raise Exception("Timeout on EAP failure report")
4333 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev
, apdev
, params
):
4334 """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown"""
4335 check_ocsp_support(dev
[0])
4336 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-unknown.der")
4337 if not os
.path
.exists(ocsp
):
4338 raise HwsimSkip("No OCSP response available")
4339 params
= int_eap_server_params()
4340 params
["ocsp_stapling_response"] = ocsp
4341 hostapd
.add_ap(apdev
[0], params
)
4342 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4343 identity
="pap user", ca_cert
="auth_serv/ca.pem",
4344 anonymous_identity
="ttls", password
="password",
4345 phase2
="auth=PAP", ocsp
=2,
4346 wait_connect
=False, scan_freq
="2412")
4349 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4351 raise Exception("Timeout on EAP status")
4352 if 'bad certificate status response' in ev
:
4356 raise Exception("Unexpected number of EAP status messages")
4358 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4360 raise Exception("Timeout on EAP failure report")
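def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown

    Staples the same 'unknown' OCSP response that
    test_ap_wpa2_eap_ttls_ocsp_unknown uses to provoke an EAP failure under
    the strict ocsp=2 setting, but configures the station with the
    non-strict ocsp=1 instead. The inconclusive status must not block the
    connection: connect() is called without wait_connect=False and is
    expected to complete.
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # Keep the test-runner 'params' argument intact instead of rebinding the
    # name to the AP configuration.
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")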
4376 def test_ap_wpa2_eap_tls_intermediate_ca(dev
, apdev
, params
):
4377 """EAP-TLS with intermediate server/user CA"""
4378 params
= int_eap_server_params()
4379 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4380 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4381 params
["private_key"] = "auth_serv/iCA-server/server.key"
4382 hostapd
.add_ap(apdev
[0], params
)
4383 tls
= dev
[0].request("GET tls_library")
4384 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4385 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4386 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4388 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4389 client_cert
= "auth_serv/iCA-user/user.pem"
4390 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4391 identity
="tls user",
4393 client_cert
=client_cert
,
4394 private_key
="auth_serv/iCA-user/user.key",
4397 def root_ocsp(cert
):
4398 ca
= "auth_serv/ca.pem"
4400 fd2
, fn2
= tempfile
.mkstemp()
4403 arg
= ["openssl", "ocsp", "-reqout", fn2
, "-issuer", ca
, "-sha256",
4404 "-cert", cert
, "-no_nonce", "-text"]
4405 logger
.info(' '.join(arg
))
4406 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4407 stderr
=subprocess
.PIPE
)
4408 res
= cmd
.stdout
.read().decode() + "\n" + cmd
.stderr
.read().decode()
4412 if cmd
.returncode
!= 0:
4413 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4414 logger
.info("OCSP request:\n" + res
)
4416 fd
, fn
= tempfile
.mkstemp()
4418 arg
= ["openssl", "ocsp", "-index", "auth_serv/rootCA/index.txt",
4419 "-rsigner", ca
, "-rkey", "auth_serv/ca-key.pem",
4420 "-CA", ca
, "-issuer", ca
, "-verify_other", ca
, "-trust_other",
4421 "-ndays", "7", "-reqin", fn2
, "-resp_no_certs", "-respout", fn
,
4423 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4424 stderr
=subprocess
.PIPE
)
4425 res
= cmd
.stdout
.read().decode() + "\n" + cmd
.stderr
.read().decode()
4429 if cmd
.returncode
!= 0:
4430 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4431 logger
.info("OCSP response:\n" + res
)
4435 def ica_ocsp(cert
, md
="-sha256"):
4436 prefix
= "auth_serv/iCA-server/"
4437 ca
= prefix
+ "cacert.pem"
4438 cert
= prefix
+ cert
4440 fd2
, fn2
= tempfile
.mkstemp()
4443 arg
= ["openssl", "ocsp", "-reqout", fn2
, "-issuer", ca
, md
,
4444 "-cert", cert
, "-no_nonce", "-text"]
4445 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4446 stderr
=subprocess
.PIPE
)
4447 res
= cmd
.stdout
.read().decode() + "\n" + cmd
.stderr
.read().decode()
4451 if cmd
.returncode
!= 0:
4452 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4453 logger
.info("OCSP request:\n" + res
)
4455 fd
, fn
= tempfile
.mkstemp()
4457 arg
= ["openssl", "ocsp", "-index", prefix
+ "index.txt",
4458 "-rsigner", ca
, "-rkey", prefix
+ "private/cakey.pem",
4459 "-CA", ca
, "-issuer", ca
, "-verify_other", ca
, "-trust_other",
4460 "-ndays", "7", "-reqin", fn2
, "-resp_no_certs", "-respout", fn
,
4462 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4463 stderr
=subprocess
.PIPE
)
4464 res
= cmd
.stdout
.read().decode() + "\n" + cmd
.stderr
.read().decode()
4468 if cmd
.returncode
!= 0:
4469 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4470 logger
.info("OCSP response:\n" + res
)
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on server certificate

    SHA-256 variant: the digest option is handed to the shared
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp() helper, which forwards it
    to ica_ocsp() when generating the stapled response.
    """
    digest = "-sha256"
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, digest)
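def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_sha1(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on server certificate (SHA1)

    Same flow as test_ap_wpa2_eap_tls_intermediate_ca_ocsp, but "-sha1" is
    passed as the digest option that ica_ocsp() gives to "openssl ocsp"
    when building the request/response for the server certificate, so the
    SHA-1 response path is covered in addition to the SHA-256 one.
    """
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, "-sha1")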
4482 def run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev
, apdev
, params
, md
):
4483 params
= int_eap_server_params()
4484 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4485 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4486 params
["private_key"] = "auth_serv/iCA-server/server.key"
4487 fn
= ica_ocsp("server.pem", md
)
4488 params
["ocsp_stapling_response"] = fn
4490 hostapd
.add_ap(apdev
[0], params
)
4491 tls
= dev
[0].request("GET tls_library")
4492 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4493 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4494 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4496 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4497 client_cert
= "auth_serv/iCA-user/user.pem"
4498 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4499 identity
="tls user",
4501 client_cert
=client_cert
,
4502 private_key
="auth_serv/iCA-user/user.key",
4503 scan_freq
="2412", ocsp
=2)
4507 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
):
4508 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate"""
4509 run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
,
4512 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked_sha1(dev
, apdev
, params
):
4513 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate (SHA1)"""
4514 run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
,
4517 def run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
, md
):
4518 check_ocsp_support(dev
[0])
4519 params
= int_eap_server_params()
4520 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4521 params
["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
4522 params
["private_key"] = "auth_serv/iCA-server/server-revoked.key"
4523 fn
= ica_ocsp("server-revoked.pem", md
)
4524 params
["ocsp_stapling_response"] = fn
4526 hostapd
.add_ap(apdev
[0], params
)
4527 tls
= dev
[0].request("GET tls_library")
4528 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4529 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4530 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4532 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4533 client_cert
= "auth_serv/iCA-user/user.pem"
4534 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4535 identity
="tls user",
4537 client_cert
=client_cert
,
4538 private_key
="auth_serv/iCA-user/user.key",
4539 scan_freq
="2412", ocsp
=1, wait_connect
=False)
4542 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4543 "CTRL-EVENT-EAP-SUCCESS"])
4545 raise Exception("Timeout on EAP status")
4546 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4547 raise Exception("Unexpected EAP-Success")
4548 if 'bad certificate status response' in ev
:
4550 if 'certificate revoked' in ev
:
4554 raise Exception("Unexpected number of EAP status messages")
4556 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4558 raise Exception("Timeout on EAP failure report")
4559 dev
[0].request("REMOVE_NETWORK all")
4560 dev
[0].wait_disconnected()
4564 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev
, apdev
, params
):
4565 """EAP-TLS with intermediate server/user CA and OCSP multi missing response"""
4566 check_ocsp_support(dev
[0])
4567 check_ocsp_multi_support(dev
[0])
4569 params
= int_eap_server_params()
4570 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4571 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4572 params
["private_key"] = "auth_serv/iCA-server/server.key"
4573 fn
= ica_ocsp("server.pem")
4574 params
["ocsp_stapling_response"] = fn
4576 hostapd
.add_ap(apdev
[0], params
)
4577 tls
= dev
[0].request("GET tls_library")
4578 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4579 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4580 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4582 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4583 client_cert
= "auth_serv/iCA-user/user.pem"
4584 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4585 identity
="tls user",
4587 client_cert
=client_cert
,
4588 private_key
="auth_serv/iCA-user/user.key",
4589 scan_freq
="2412", ocsp
=3, wait_connect
=False)
4592 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4593 "CTRL-EVENT-EAP-SUCCESS"])
4595 raise Exception("Timeout on EAP status")
4596 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4597 raise Exception("Unexpected EAP-Success")
4598 if 'bad certificate status response' in ev
:
4600 if 'certificate revoked' in ev
:
4604 raise Exception("Unexpected number of EAP status messages")
4606 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4608 raise Exception("Timeout on EAP failure report")
4609 dev
[0].request("REMOVE_NETWORK all")
4610 dev
[0].wait_disconnected()
4614 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev
, apdev
, params
):
4615 """EAP-TLS with intermediate server/user CA and OCSP multi OK"""
4616 check_ocsp_support(dev
[0])
4617 check_ocsp_multi_support(dev
[0])
4619 params
= int_eap_server_params()
4620 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4621 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4622 params
["private_key"] = "auth_serv/iCA-server/server.key"
4623 fn
= ica_ocsp("server.pem")
4624 fn2
= root_ocsp("auth_serv/iCA-server/cacert.pem")
4625 params
["ocsp_stapling_response"] = fn
4627 with
open(fn
, "rb") as f
:
4628 resp_server
= f
.read()
4629 with
open(fn2
, "rb") as f
:
4632 fd3
, fn3
= tempfile
.mkstemp()
4634 f
= os
.fdopen(fd3
, 'wb')
4635 f
.write(struct
.pack(">L", len(resp_server
))[1:4])
4636 f
.write(resp_server
)
4637 f
.write(struct
.pack(">L", len(resp_ica
))[1:4])
4641 params
["ocsp_stapling_response_multi"] = fn3
4643 hostapd
.add_ap(apdev
[0], params
)
4644 tls
= dev
[0].request("GET tls_library")
4645 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4646 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4647 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4649 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4650 client_cert
= "auth_serv/iCA-user/user.pem"
4651 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4652 identity
="tls user",
4654 client_cert
=client_cert
,
4655 private_key
="auth_serv/iCA-user/user.key",
4656 scan_freq
="2412", ocsp
=3)
4657 dev
[0].request("REMOVE_NETWORK all")
4658 dev
[0].wait_disconnected()
4664 def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev
, apdev
, params
):
4665 """EAP-TLS and CA signed OCSP multi response (revoked)"""
4666 check_ocsp_support(dev
[0])
4667 check_ocsp_multi_support(dev
[0])
4668 check_pkcs12_support(dev
[0])
4670 ocsp_revoked
= os
.path
.join(params
['logdir'],
4671 "ocsp-resp-ca-signed-revoked.der")
4672 if not os
.path
.exists(ocsp_revoked
):
4673 raise HwsimSkip("No OCSP response (revoked) available")
4674 ocsp_unknown
= os
.path
.join(params
['logdir'],
4675 "ocsp-resp-ca-signed-unknown.der")
4676 if not os
.path
.exists(ocsp_unknown
):
4677 raise HwsimSkip("No OCSP response(unknown) available")
4679 with
open(ocsp_revoked
, "rb") as f
:
4680 resp_revoked
= f
.read()
4681 with
open(ocsp_unknown
, "rb") as f
:
4682 resp_unknown
= f
.read()
4684 fd
, fn
= tempfile
.mkstemp()
4686 # This is not really a valid order of the OCSPResponse items in the
4687 # list, but this works for now to verify parsing and processing of
4688 # multiple responses.
4689 f
= os
.fdopen(fd
, 'wb')
4690 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
4691 f
.write(resp_unknown
)
4692 f
.write(struct
.pack(">L", len(resp_revoked
))[1:4])
4693 f
.write(resp_revoked
)
4694 f
.write(struct
.pack(">L", 0)[1:4])
4695 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
4696 f
.write(resp_unknown
)
4699 params
= int_eap_server_params()
4700 params
["ocsp_stapling_response_multi"] = fn
4701 hostapd
.add_ap(apdev
[0], params
)
4702 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4703 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4704 private_key
="auth_serv/user.pkcs12",
4705 private_key_passwd
="whatever", ocsp
=1,
4706 wait_connect
=False, scan_freq
="2412")
4709 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4710 "CTRL-EVENT-EAP-SUCCESS"])
4712 raise Exception("Timeout on EAP status")
4713 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4714 raise Exception("Unexpected EAP-Success")
4715 if 'bad certificate status response' in ev
:
4717 if 'certificate revoked' in ev
:
4721 raise Exception("Unexpected number of EAP status messages")
4725 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev
, apdev
):
4726 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
4727 check_domain_match_full(dev
[0])
4728 check_pkcs12_support(dev
[0])
4729 params
= int_eap_server_params()
4730 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4731 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4732 hostapd
.add_ap(apdev
[0], params
)
4733 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4734 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4735 private_key
="auth_serv/user.pkcs12",
4736 private_key_passwd
="whatever",
4737 domain_suffix_match
="server3.w1.fi",
4740 def test_ap_wpa2_eap_tls_domain_match_cn(dev
, apdev
):
4741 """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
4742 check_domain_match(dev
[0])
4743 check_pkcs12_support(dev
[0])
4744 params
= int_eap_server_params()
4745 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4746 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4747 hostapd
.add_ap(apdev
[0], params
)
4748 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4749 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4750 private_key
="auth_serv/user.pkcs12",
4751 private_key_passwd
="whatever",
4752 domain_match
="server3.w1.fi",
4755 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev
, apdev
):
4756 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
4757 check_domain_match_full(dev
[0])
4758 check_pkcs12_support(dev
[0])
4759 params
= int_eap_server_params()
4760 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4761 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4762 hostapd
.add_ap(apdev
[0], params
)
4763 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4764 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4765 private_key
="auth_serv/user.pkcs12",
4766 private_key_passwd
="whatever",
4767 domain_suffix_match
="w1.fi",
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)

    Negative counterpart of the suffix-match test.  The server certificate
    (per its file name) has no dNSName SAN, so the subject CN is what gets
    matched.  Two mismatches are exercised and both must end in EAP failure:
    an unrelated domain, and "erver3.w1.fi", which is a plain string suffix
    of server3.w1.fi but is not aligned on a label boundary and therefore
    must not be accepted as a domain suffix.
    """
    check_domain_suffix_match(dev[0])
    check_pkcs12_support(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0], params)
    # wait_connect=False: the connections are expected to fail, so the
    # outcome is checked through the EAP failure events below.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="example.com",
                   scan_freq="2412", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="erver3.w1.fi",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)

    domain_match requires a full-name match (unlike domain_suffix_match).
    With a server certificate that has no dNSName SAN (per its file name),
    the subject CN is matched.  Both an unrelated domain and the parent
    domain "w1.fi" of the server name must be rejected with an EAP failure;
    accepting the parent domain would let any host under w1.fi impersonate
    the server.
    """
    check_domain_match(dev[0])
    check_pkcs12_support(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="example.com",
                   scan_freq="2412", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="w1.fi",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate

    The server presents an expired certificate and the client must refuse
    it.  A CTRL-EVENT-EAP-TLS-CERT-ERROR carrying reason=4 and the text
    "certificate has expired" is required first, then the EAP failure.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    if ev is None:
        raise Exception("Timeout on EAP certificate error report")
    # Check the reason as well as the event so that an unrelated certificate
    # problem cannot make this test pass by accident.
    if "reason=4" not in ev or "certificate has expired" not in ev:
        raise Exception("Unexpected failure reason: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration

    Same expired server certificate as test_ap_wpa2_eap_ttls_expired_cert,
    but the client opts out of validity-period checks with
    phase1="tls_disable_time_checks=1", so the connection is expected to
    complete.  This knob weakens server authentication (an expired, possibly
    compromised certificate is accepted); it is exercised here only to
    verify the option works, not as a recommended configuration.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   phase1="tls_disable_time_checks=1",
                   scan_freq="2412")
def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and long certificate duration

    Positive test: a server certificate with an unusually long validity
    period (per its file name) must still be accepted with the default time
    checks enabled, i.e. the connection is expected to complete.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-long-duration.pem"
    params["private_key"] = "auth_serv/server-long-duration.key"
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU

    The server certificate's extendedKeyUsage (per its file name) only
    permits client authentication.  The client must not accept such a
    certificate for server authentication, otherwise any holder of a client
    certificate from the same CA could impersonate the server.  An EAP
    failure is required.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-eku-client.pem"
    params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU

    Positive counterpart of the client-only EKU test: a certificate whose
    extendedKeyUsage (per its file name) lists both client and server
    authentication is valid for the server role, so the connection is
    expected to complete.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file

    The server certificate and key are both loaded from one PKCS#12
    container given as private_key, with no separate server_cert entry.
    The connection is expected to complete.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    # The PKCS#12 file supplies the certificate too, so drop the PEM entry
    # that int_eap_server_params() sets.
    del params["server_cert"]
    params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
def test_ap_wpa2_eap_ttls_server_pkcs12_extra(dev, apdev):
    """EAP-TTLS and server PKCS#12 file with extra certs

    Like test_ap_wpa2_eap_ttls_server_pkcs12 but the container (per its file
    name) carries additional certificates and is password protected, so
    private_key_passwd has to be supplied on the server side as well.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    del params["server_cert"]
    params["private_key"] = "auth_serv/server-extra.pkcs12"
    params["private_key_passwd"] = "whatever"
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params

    The client network profile points dh_file at a DH parameter file for the
    TLS library.  (Docstring previously said CHAP; phase2 is auth=PAP.)
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="auth_serv/dh.conf")
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)

    Variant of test_ap_wpa2_eap_ttls_dh_params that feeds DSA parameters
    (dsaparam.pem) through dh_file; skipped when the TLS build does not
    support that (check_dh_dsa_support).
    """
    check_dh_dsa_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="auth_serv/dsaparam.pem")
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TTLS and DH params file not found

    Client-side negative test: the network profile references a dh_file that
    does not exist.  wpa_supplicant must report an EAP failure rather than
    silently continuing without the configured parameters.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/dh-no-such-file.conf",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TTLS and invalid DH params file

    Client-side negative test: dh_file points at an existing file that does
    not contain DH parameters (the CA certificate).  An EAP failure is
    required instead of proceeding with unparsed/invalid parameters.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/ca.pem",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params from blob

    The DH parameters are stored in wpa_supplicant's blob store (SET blob,
    hex encoded) and referenced as blob://dhparams instead of a file path.
    (Docstring previously said CHAP; phase2 is auth=PAP.)
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    dh = read_pem("auth_serv/dh2.conf")
    if "OK" not in dev[0].request("SET blob dhparams " + binascii.hexlify(dh).decode()):
        raise Exception("Could not set dhparams blob")
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="blob://dhparams")
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams

    Server-side counterpart of the dh_file tests: hostapd's internal EAP
    server is pointed at a different DH parameter file and a normal
    EAP-TTLS/PAP connection must still succeed.
    """
    params = int_eap_server_params()
    params["dh_file"] = "auth_serv/dh2.conf"
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP")
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)

    Same as test_ap_wpa2_eap_ttls_dh_params_server with DSA parameters
    (dsaparam.pem) on the hostapd side.
    """
    params = int_eap_server_params()
    params["dh_file"] = "auth_serv/dsaparam.pem"
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP")
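def test_ap_wpa2_eap_ttls_dh_params_server_not_found(dev, apdev):
    """EAP server and dhparams file not found

    hostapd must refuse to enable an EAP server whose dh_file does not exist
    rather than silently starting without the configured parameters.

    Renamed from test_ap_wpa2_eap_ttls_dh_params_not_found: that name is
    already used earlier in this module for the wpa_supplicant-side check,
    and a second def with the same name rebinds it, so the client-side test
    would never be discovered or run.  The "_server" infix follows the
    naming of test_ap_wpa2_eap_ttls_dh_params_server and ..._dsa_server.
    """
    params = int_eap_server_params()
    params["dh_file"] = "auth_serv/dh-no-such-file.conf"
    # no_enable=True: configure the AP without starting it, so the failure
    # is observed on the explicit ENABLE request below.
    hapd = hostapd.add_ap(apdev[0], params, no_enable=True)
    if "FAIL" not in hapd.request("ENABLE"):
        raise Exception("Invalid configuration accepted")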
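def test_ap_wpa2_eap_ttls_dh_params_server_invalid(dev, apdev):
    """EAP server and invalid dhparams file

    hostapd must refuse to enable an EAP server whose dh_file exists but
    does not contain DH parameters (the CA certificate is used here).

    Renamed from test_ap_wpa2_eap_ttls_dh_params_invalid: that name is
    already used earlier in this module for the wpa_supplicant-side check,
    and a second def with the same name rebinds it, so the client-side test
    would never be discovered or run.  The "_server" infix follows the
    naming of test_ap_wpa2_eap_ttls_dh_params_server and ..._dsa_server.
    """
    params = int_eap_server_params()
    params["dh_file"] = "auth_serv/ca.pem"
    # no_enable=True: configure the AP without starting it, so the failure
    # is observed on the explicit ENABLE request below.
    hapd = hostapd.add_ap(apdev[0], params, no_enable=True)
    if "FAIL" not in hapd.request("ENABLE"):
        raise Exception("Invalid configuration accepted")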
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication

    hostapd is configured with eap_reauth_period=2 (seconds), so shortly
    after the initial EAP-PAX authentication the Authenticator must trigger
    a new EAP exchange on its own.  The test waits for that exchange to
    start and succeed, then requires the supplicant state machine to return
    to COMPLETED within ~2 s.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['eap_reauth_period'] = '2'
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    logger.info("Wait for reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Timeout on reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("Timeout on reauthentication")
    # Poll wpa_state: EAP success is reported before the 4-way handshake
    # finishes, so COMPLETED may lag the event by a short while.
    for i in range(0, 20):
        state = dev[0].get_status_field("wpa_state")
        if state == "COMPLETED":
            break
        time.sleep(0.1)
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity

    hostapd's eap_message sets the data carried in EAP-Request/Identity.
    The "\\0" in the Python literal reaches hostapd as a backslash-zero
    sequence, which it presumably interprets as the NUL separator between
    the displayable text and the option list (confirm against hostapd.conf).
    The supplicant must ignore the extra data and authenticate normally.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication

    hostapd is configured with eap_sim_aka_result_ind=1 so the server offers
    the protected (integrity-checked) success indication.  For each of
    EAP-SIM, EAP-AKA and EAP-AKA', dev[0] enables result_ind=1 and goes
    through a full authentication plus a re-authentication, while dev[1]
    authenticates without requesting the indication, so both negotiation
    outcomes are exercised against the same server.

    The password strings are the test SIM credentials in hlr_auc_gw format
    (presumably Ki:OPc and Ki:OPc:SQN for AKA); they only work with the
    hlr_auc_gw test database.
    """
    check_hlr_auc_gw_support()
    params = int_eap_server_params()
    params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    params['eap_sim_aka_result_ind'] = "1"
    hapd = hostapd.add_ap(apdev[0], params)

    eap_connect(dev[0], hapd, "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                phase1="result_ind=1")
    eap_reauth(dev[0], "SIM")
    eap_connect(dev[1], hapd, "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")

    dev[0].request("REMOVE_NETWORK all")
    dev[1].request("REMOVE_NETWORK all")

    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                phase1="result_ind=1")
    eap_reauth(dev[0], "AKA")
    eap_connect(dev[1], hapd, "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")

    dev[0].request("REMOVE_NETWORK all")
    dev[1].request("REMOVE_NETWORK all")

    eap_connect(dev[0], hapd, "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                phase1="result_ind=1")
    eap_reauth(dev[0], "AKA'")
    eap_connect(dev[1], hapd, "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
def test_ap_wpa2_eap_sim_zero_db_timeout(dev, apdev):
    """WPA2-Enterprise using EAP-SIM with zero database timeout

    With eap_sim_db_timeout=0 the server gives the hlr_auc_gw request no
    time at all, so the response may arrive after the request has already
    been abandoned.  The test repeats the connection attempt to make that
    race likely and only requires that every attempt ends in a definite
    result (connected or disconnected) rather than a hang or a crash.
    PMKSA caching is disabled so each attempt really performs EAP.
    """
    check_hlr_auc_gw_support()
    params = int_eap_server_params()
    params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    params['eap_sim_db_timeout'] = "0"
    params['disable_pmksa_caching'] = '1'
    hapd = hostapd.add_ap(apdev[0], params)

    # Run multiple iterations to make it more likely to hit the case where the
    # DB request times out and response is lost.
    for i in range(20):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                       identity="1232010000000000",
                       password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                                "CTRL-EVENT-DISCONNECTED"],
                               timeout=15)
        if ev is None:
            raise Exception("No connection result")
        dev[0].request("REMOVE_NETWORK all")
        if "CTRL-EVENT-DISCONNECTED" in ev:
            # The timeout path was hit; nothing more to wait for.
            break
        dev[0].wait_disconnected()
        # Make sure hostapd is still alive before the next round.
        hapd.ping()
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips

    A tiny EAP fragment_size forces the TLS handshake into a very large
    number of EAP request/response pairs.  wpa_supplicant is expected to
    abort the exchange ("EAP: more than ..." debug message) instead of
    letting it run to EAP success; an unbounded exchange would be a
    resource-exhaustion vector for the supplicant and the authenticator.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="TTLS", identity="mschap user",
                   wait_connect=False, scan_freq="2412", ieee80211w="1",
                   anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   fragment_size="4")
    # Either outcome ends the wait; only the abort is acceptable.
    ev = dev[0].wait_event(["EAP: more than",
                            "CTRL-EVENT-EAP-SUCCESS"], timeout=20)
    if ev is None or "EAP: more than" not in ev:
        raise Exception("EAP roundtrip limit not reached")
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK

    The "vendor-test" identity makes the server propose an expanded
    (vendor-specific) EAP method that the supplicant is not configured for,
    so the supplicant has to answer with a NAK.  The test requires an
    EAP status event saying the proposed method was refused within a few
    status events, followed by EAP failure.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="PSK", identity="vendor-test",
                   password_hex="ff23456789abcdef0123456789abcdef",
                   wait_connect=False)

    found = False
    for i in range(0, 5):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=16)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in ev:
            found = True
            break
    if not found:
        raise Exception("Unexpected EAP status: " + ev)

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("EAP failure timed out")
def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB

    Builds a throw-away SQLite user database in the log directory, points
    hostapd's internal EAP server at it with eap_user_file="sqlite:..." and
    authenticates four users, one per TTLS inner method (MSCHAPv2, MSCHAP,
    CHAP, PAP).  The SQL below is all fixed literals (no user-controlled
    input), and the plaintext passwords are test fixtures only.  The
    database file is removed again on exit.
    """
    skip_with_fips(dev[0])
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    # Best-effort removal of a database left behind by an earlier run.
    try:
        os.remove(dbfile)
    except:
        pass
    con = sqlite3.connect(dbfile)
    with con:
        cur = con.cursor()
        cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
        cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
        cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
        cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
        cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
        cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
        # Empty identity wildcard: any outer (anonymous) identity may use
        # TTLS or TLS for phase 1.
        cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
        cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")

    try:
        params = int_eap_server_params()
        params["eap_user_file"] = "sqlite:" + dbfile
        hapd = hostapd.add_ap(apdev[0], params)
        eap_connect(dev[0], hapd, "TTLS", "user-mschapv2",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[1], hapd, "TTLS", "user-mschap",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
        dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], hapd, "TTLS", "user-chap",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
        eap_connect(dev[1], hapd, "TTLS", "user-pap",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    finally:
        os.remove(dbfile)
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Two stations present identities containing a non-ASCII character
    ("\\x80" alone, and after an ASCII letter) to hostapd's internal EAP
    server.  The test only requires each exchange to reach EAP method
    selection, i.e. the odd identity must not stall or break the server;
    it does not wait for a full connection.
    """
    hostapd.add_ap(apdev[0], int_eap_server_params())
    identities = ("\x80", "a\x80")
    for sta, ident in zip(dev[:2], identities):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity=ident, password="password", wait_connect=False)
    for sta in dev[:2]:
        if sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16) is None:
            raise Exception("Association and EAP start timed out")
        if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10) is None:
            raise Exception("EAP method selection timed out")
def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Same scenario as test_ap_wpa2_eap_non_ascii_identity, but the AP is set
    up with hostapd.wpa2_eap_params(), i.e. the external RADIUS server path
    rather than hostapd's internal EAP server.
    """
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    identities = ("\x80", "a\x80")
    for sta, ident in zip(dev[:2], identities):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity=ident, password="password", wait_connect=False)
    for sta in dev[:2]:
        if sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16) is None:
            raise Exception("Association and EAP start timed out")
        if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10) is None:
            raise Exception("EAP method selection timed out")
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant

    Three stations with different openssl_ciphers settings:
    - "AES128" must connect;
    - "EXPORT" must fail (export-grade suites are unacceptable);
      maybe_local_error=True because a modern OpenSSL presumably has no
      such suites at all, so the failure may be a local setup error rather
      than a server rejection;
    - "FOO" (not a valid cipher string) must be reported as an EAP failure.
    """
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="AES128",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[1], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="EXPORT",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                expect_failure=True, maybe_local_error=True)
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password",
                   openssl_ciphers="FOO",
                   ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                   scan_freq="2412", wait_connect=False)
    ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure after invalid openssl_ciphers not reported")
    dev[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    hostapd restricts itself to "AES256".  A default client and a client
    allowing "HIGH:!ADH" must connect; a client restricted to "AES128"
    shares no suite with the server and must fail.  Finally a second AP
    with the invalid string "FOO" must be refused at ENABLE time, except on
    OpenSSL 1.1.1, which is known to accept it (the result is logged and
    ignored there).
    """
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls)
    params = int_eap_server_params()
    params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0], params)
    # From here on `tls` describes hostapd's TLS library, not the client's.
    tls = hapd.request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[1], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="AES128",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                expect_failure=True)
    eap_connect(dev[2], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="HIGH:!ADH",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    params['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1], params, no_enable=True)
    if "FAIL" not in hapd2.request("ENABLE"):
        if "run=OpenSSL 1.1.1" in tls:
            logger.info("Ignore acceptance of an invalid openssl_ciphers value with OpenSSL 1.1.1")
        else:
            raise Exception("Invalid openssl_ciphers value accepted")
def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP

    Connects dev[0] with EAP-TTLS/PAP and a long random-looking password,
    then hands the network id and password to
    run_eap_key_lifetime_in_memory(), which checks when the password and
    the derived keys disappear from wpa_supplicant's process memory.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    secret = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    netid = eap_connect(dev[0], hapd, "TTLS", "pap-secret",
                        anonymous_identity="ttls", password=secret,
                        ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    run_eap_key_lifetime_in_memory(dev, params, netid, secret)
def test_wpa2_eap_peap_gtc_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using PEAP/GTC

    Same check as the EAP-TTLS/PAP variant, but the inner method is GTC
    inside PEAP, so the password travels as an EAP-GTC response instead of
    a TTLS PAP attribute.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    secret = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    netid = eap_connect(dev[0], hapd, "PEAP", "user-secret",
                        anonymous_identity="peap", password=secret,
                        ca_cert="auth_serv/ca.pem", phase2="auth=GTC")
    run_eap_key_lifetime_in_memory(dev, params, netid, secret)
def run_eap_key_lifetime_in_memory(dev, params, id, password):
    """Check how long EAP/WPA key material survives in wpa_supplicant memory.

    Shared body of the TTLS/PAP and PEAP/GTC key-lifetime tests.  dev[0]
    must already be connected through network `id` using `password`.
    The wpa_supplicant process memory is snapshotted at four points --
    while associated, after disassociation, after the PMKSA cache and EAP
    fast re-auth state are flushed, and after the network profile is
    removed -- and searched for the password and the keys recovered from
    the debug log (MSK, EMSK, PMK, the KCK/KEK/TK parts of the PTK, GTK).
    Keys that must be gone at a given point are checked with
    verify_not_present(), which raises and dumps context to `fname`-prefixed
    files on a hit.

    Raises HwsimSkip when the password or PMK cannot be found while
    associated (the memory read is then considered inconclusive) and
    Exception for any key that is still present when it must not be.
    """
    pid = find_wpas_process(dev[0])

    # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
    # event has been delivered, so verify that wpa_supplicant has returned to
    # eloop before reading process memory.
    time.sleep(1)
    dev[0].ping()
    password = password.encode()
    buf = read_process_memory(pid, password)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Recover the exact key bytes from the hexdump lines in the debug log so
    # the memory snapshots can be searched for them.
    dev[0].relog()
    msk = None
    emsk = None
    pmk = None
    ptk = None
    gtk = None
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for l in f.readlines():
            if "EAP-TTLS: Derived key - hexdump" in l or \
               "EAP-PEAP: Derived key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                msk = binascii.unhexlify(val)
            if "EAP-TTLS: Derived EMSK - hexdump" in l or \
               "EAP-PEAP: Derived EMSK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                emsk = binascii.unhexlify(val)
            if "WPA: PMK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                pmk = binascii.unhexlify(val)
            if "WPA: PTK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                ptk = binascii.unhexlify(val)
            if "WPA: Group Key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                gtk = binascii.unhexlify(val)
    if not msk or not emsk or not pmk or not ptk or not gtk:
        raise Exception("Could not find keys from debug log")
    if len(gtk) != 16:
        raise Exception("Unexpected GTK length")

    # PTK layout for the 48-byte CCMP case: KCK | KEK | TK, 16 bytes each.
    kck = ptk[0:16]
    kek = ptk[16:32]
    tk = ptk[32:48]

    # Prefix for the memory-context dumps written on failure; shared by both
    # callers even though one of them uses PEAP/GTC.
    fname = os.path.join(params['logdir'],
                         'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')

    logger.info("Checking keys in memory while associated")
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    if pmk not in buf:
        raise HwsimSkip("PMK not found while associated")
    if kck not in buf:
        raise Exception("KCK not found while associated")
    if kek not in buf:
        raise Exception("KEK not found while associated")
    # The TK is handed to the driver and may legitimately be gone from
    # wpa_supplicant's own memory already, so it is not checked here.
    #if tk in buf:
    #    raise Exception("TK found from memory")

    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, password)

    # Note: Password is still present in network configuration
    # Note: PMK is in PMKSA cache and EAP fast re-auth data

    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # Per-association keys must be wiped as soon as the association ends.
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    if gtk in buf:
        get_key_locations(buf, gtk, "GTK")
    verify_not_present(buf, gtk, fname, "GTK")

    dev[0].request("PMKSA_FLUSH")
    # Changing the identity invalidates the EAP fast re-auth state as well.
    dev[0].set_network_quoted(id, "identity", "foo")
    logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, pmk, fname, "PMK")

    dev[0].request("REMOVE_NETWORK all")

    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, password)

    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # Once the profile is gone nothing derived from the password may remain.
    verify_not_present(buf, password, fname, "password")
    verify_not_present(buf, pmk, fname, "PMK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    verify_not_present(buf, msk, fname, "MSK")
    verify_not_present(buf, emsk, fname, "EMSK")
def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
    """WPA2-Enterprise connection and unexpected WEP EAPOL-Key

    After a normal WPA2-Enterprise association, an EAPOL-Key frame using
    the legacy RC4 key descriptor (the WEP key delivery format) is injected
    into wpa_supplicant as if it came from the AP.  In a WPA2 association
    such a frame has no business arriving, so it must be dropped rather
    than acted on; the test only checks that the injection itself was
    accepted by the control interface and that nothing blows up.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    bssid = apdev[0]['bssid']
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    # Send unexpected WEP EAPOL-Key; this gets dropped
    # Frame: EAPOL version 2, type 3 (EAPOL-Key), body length 0x2c,
    # descriptor type 1 (RC4 key descriptor), all-zero key fields.
    res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
    if "OK" not in res:
        raise Exception("EAPOL_RX to wpa_supplicant failed")
def test_ap_wpa2_eap_in_bridge(dev, apdev):
    """WPA2-EAP and wpas interface in a bridge

    Wrapper that guarantees the bridge and 4-address-mode setup created by
    _test_ap_wpa2_eap_in_bridge() is torn down even if the test body fails.
    The cleanup calls use subprocess.call with argument lists (no shell),
    and their return codes are deliberately ignored so that a partially
    created setup does not mask the original failure.
    """
    br_ifname = 'sta-br0'
    ifname = 'wlan5'
    try:
        _test_ap_wpa2_eap_in_bridge(dev, apdev)
    finally:
        subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
        subprocess.call(['brctl', 'delif', br_ifname, ifname])
        subprocess.call(['brctl', 'delbr', br_ifname])
        subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
def _test_ap_wpa2_eap_in_bridge(dev, apdev):
    """Body of test_ap_wpa2_eap_in_bridge.

    Puts the wlan5 station interface into 4-address mode, adds it to a
    fresh bridge, and starts a wpa_supplicant interface bound to that
    bridge (br_ifname) so EAPOL frames have to be sent and received through
    the bridge.  Then exercises EAP-PAX authentication, two EAP
    re-authentications (the second as a regression check for the packet
    socket workaround), and a disconnect/reconnect cycle.  Only the
    `brctl addif` step uses check_call; the other setup commands are
    best-effort.  Teardown is the caller's responsibility.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    br_ifname = 'sta-br0'
    ifname = 'wlan5'
    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    subprocess.call(['brctl', 'addbr', br_ifname])
    # Forwarding delay 0 so the bridge port is usable immediately.
    subprocess.call(['brctl', 'setfd', br_ifname, '0'])
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
    # A station interface can only be bridged in 4-address (WDS) mode.
    subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
    subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
    wpas.interface_add(ifname, br_ifname=br_ifname)
    wpas.dump_monitor()

    id = eap_connect(wpas, hapd, "PAX", "pax.user@example.com",
                     password_hex="0123456789abcdef0123456789abcdef")
    wpas.dump_monitor()
    eap_reauth(wpas, "PAX")
    wpas.dump_monitor()
    # Try again as a regression test for packet socket workaround
    eap_reauth(wpas, "PAX")
    wpas.dump_monitor()
    wpas.request("DISCONNECT")
    wpas.wait_disconnected()
    wpas.dump_monitor()
    wpas.request("RECONNECT")
    wpas.wait_connected()
    wpas.dump_monitor()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled

    phase1="tls_disable_session_ticket=0" explicitly allows the client to
    use TLS session tickets; the follow-up eap_reauth() gives the TLS layer
    a chance to resume the session with the ticket.  The GET_CONFIG check
    is a sanity check that the AP really advertises WPA-EAP.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    key_mgmt = hapd.get_config()['key_mgmt']
    if key_mgmt.split(' ')[0] != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_no_workaround(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0

    eap_workaround='0' turns off wpa_supplicant's interoperability
    workarounds for non-compliant EAP servers; authentication and
    re-authentication against the test server must still work without them.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    key_mgmt = hapd.get_config()['key_mgmt']
    if key_mgmt.split(' ')[0] != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
    """EAP-TLS and server checking CRL

    Server-side (hostapd) revocation checking of the client certificate.
    With check_crl=1 and a ca_cert file that carries no CRL, the server
    must fail closed and reject the client rather than skip the check.
    Once the CA file also contains a CRL (that does not list the test user),
    the same client must be accepted with check_crl=1 and again with
    check_crl=2 (which, per hostapd.conf, extends the check to the whole
    chain -- confirm against the configuration documentation).  hostapd is
    disabled and re-enabled around each change so the new value takes
    effect in the TLS context.
    """
    params = int_eap_server_params()
    params['check_crl'] = '1'
    hapd = hostapd.add_ap(apdev[0], params)

    # check_crl=1 and no CRL available --> reject connection
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    hapd.disable()
    hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
    hapd.enable()

    # check_crl=1 and valid CRL --> accept
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")

    hapd.disable()
    hapd.set("check_crl", "2")
    hapd.enable()

    # check_crl=2 and valid CRL --> accept
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_tls_crl_reload(dev, apdev, params):
    """EAP-TLS and server reloading CRL from ca_cert

    Verifies that hostapd picks up a CRL that appears in its ca_cert file
    while it is running (crl_reload_interval=1 second), without a restart.
    A private copy of the CA file is created in the log directory so it can
    be rewritten: first with the certificate only (check_crl=1 must then
    reject the client, since no CRL is available), then with certificate
    plus CRL, after which the same client must be accepted.
    """
    ca_cert = os.path.join(params['logdir'],
                           "ap_wpa2_eap_tls_crl_reload.ca_cert")
    with open('auth_serv/ca.pem', 'r') as f:
        only_cert = f.read()
    with open('auth_serv/ca-and-crl.pem', 'r') as f:
        cert_and_crl = f.read()
    with open(ca_cert, 'w') as f:
        f.write(only_cert)

    params = int_eap_server_params()
    params['ca_cert'] = ca_cert
    params['check_crl'] = '1'
    params['crl_reload_interval'] = '1'
    hapd = hostapd.add_ap(apdev[0], params)

    # check_crl=1 and no CRL available --> reject connection
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].dump_monitor()

    with open(ca_cert, 'w') as f:
        f.write(cert_and_crl)

    # Let the reload interval elapse so the next TLS session sees the CRL.
    time.sleep(1)
    # check_crl=1 and valid CRL --> accept
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_check_cert_subject(dev, apdev):
    """EAP-TLS and server checking client subject name

    check_cert_subject pins the client certificate's subject DN on the
    server side (hostapd's '/'-separated form); the test user's certificate
    matches, so the connection must succeed.
    """
    params = int_eap_server_params()
    params['check_cert_subject'] = 'C=FI/O=w1.fi/CN=Test User'
    hapd = hostapd.add_ap(apdev[0], params)
    check_check_cert_subject_support(hapd)

    client_creds = dict(ca_cert="auth_serv/ca.pem",
                        client_cert="auth_serv/user.pem",
                        private_key="auth_serv/user.key")
    eap_connect(dev[0], hapd, "TLS", "tls user", **client_creds)
def test_ap_wpa2_eap_tls_check_cert_subject_neg(dev, apdev):
    """EAP-TLS and server checking client subject name (negative)

    The pinned subject does not match the test user's certificate, so the
    server must reject the otherwise valid client.
    """
    params = int_eap_server_params()
    params['check_cert_subject'] = 'C=FI/O=example'
    hapd = hostapd.add_ap(apdev[0], params)
    check_check_cert_subject_support(hapd)

    client_creds = dict(ca_cert="auth_serv/ca.pem",
                        client_cert="auth_serv/user.pem",
                        private_key="auth_serv/user.key")
    eap_connect(dev[0], hapd, "TLS", "tls user", expect_failure=True,
                **client_creds)
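def test_ap_wpa2_eap_tls_oom(dev, apdev):
    """EAP-TLS and OOM

    Injects allocation failures into successive tls_connection_set_subject_match
    call sites while configuring the certificate matching parameters. The
    expected outcome is a clean configuration failure (signalled as a
    CTRL-REQ-PASSPHRASE request), not a crash or a connection that skips
    the checks.
    """
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    check_domain_match(dev[0])
    check_domain_match_full(dev[0])

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    tests = [(1, "tls_connection_set_subject_match"),
             (2, "tls_connection_set_subject_match"),
             (3, "tls_connection_set_subject_match"),
             (4, "tls_connection_set_subject_match")]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                           identity="tls user", ca_cert="auth_serv/ca.pem",
                           client_cert="auth_serv/user.pem",
                           private_key="auth_serv/user.key",
                           subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                           altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
                           domain_suffix_match="server.w1.fi",
                           domain_match="server.w1.fi",
                           wait_connect=False, scan_freq="2412")
            # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
            ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
            # NOTE(review): guard reconstructed -- original line 5621 is not
            # shown in this rendering.
            if ev is None:
                raise Exception("No passphrase request")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()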
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL

    macaddr_acl=2 defers the station's MAC address check to the RADIUS
    server; the connection is made from dev[1] rather than dev[0].
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params["macaddr_acl"] = "2"
    hapd = hostapd.add_ap(apdev[0], params)

    sta = dev[1]
    client_creds = dict(ca_cert="auth_serv/ca.pem",
                        client_cert="auth_serv/user.pem",
                        private_key="auth_serv/user.key")
    eap_connect(sta, hapd, "TLS", "tls user", **client_creds)
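def test_ap_wpa2_eap_oom(dev, apdev):
    """EAP server and OOM

    Makes the first eapol_auth_alloc() on the AP fail and checks that the
    station still ends up connected (the STA retries with EAPOL-Start).
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)

    with alloc_fail(hapd, 1, "eapol_auth_alloc"):
        # The first attempt fails, but STA will send EAPOL-Start to retry and
        # NOTE(review): the rest of this comment (original line 5643) is not
        # shown in this rendering.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       # NOTE(review): reconstructed closing argument --
                       # original line 5648 is not shown in this rendering;
                       # every other connect() in this file passes it.
                       scan_freq="2412")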
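def check_tls_ver(dev, hapd, phase1, expected):
    """Connect with EAP-TLS using *phase1* and verify the negotiated TLS version.

    Args:
        dev: station used for the connection
        hapd: the AP acting as EAP server
        phase1: wpa_supplicant phase1 string (e.g. "tls_disable_tlsv1_0=1 ...")
        expected: value that the eap_tls_version status field must report

    Raises:
        Exception: if the reported TLS version differs from *expected*.

    The network is removed and disconnection awaited afterwards so the
    helper can be called repeatedly on the same station.
    """
    eap_connect(dev, hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
                # NOTE(review): reconstructed -- original line 5654 is not
                # shown in this rendering; the phase1 parameter is otherwise
                # unused. Confirm against the tree.
                phase1=phase1)
    ver = dev.get_status_field("eap_tls_version")
    # NOTE(review): guard reconstructed -- original line 5656 is not shown.
    if ver != expected:
        raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
    dev.request("REMOVE_NETWORK all")
    dev.wait_disconnected()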
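def test_ap_wpa2_eap_tls_versions(dev, apdev):
    """EAP-TLS and TLS version configuration

    Drives the client-side tls_disable_tlsv1_* phase1 flags and checks the
    version that actually gets negotiated. Which cases run depends on the
    TLS library wpa_supplicant was built with (and, for OpenSSL/wolfSSL, on
    the build/runtime version strings).
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    tls = dev[0].request("GET tls_library")
    if tls.startswith("OpenSSL"):
        if "build=OpenSSL 1.0.1" not in tls and "run=OpenSSL 1.0.1" not in tls:
            check_tls_ver(dev[0], hapd,
                          "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
                          # NOTE(review): reconstructed -- original line 5672
                          # is not shown; the internal-TLS branch below uses
                          # the same phase1 string with this expectation.
                          "TLSv1.2")
    if tls.startswith("wolfSSL"):
        if ("build=3.10.0" in tls and "run=3.10.0" in tls) or \
           ("build=3.13.0" in tls and "run=3.13.0" in tls):
            check_tls_ver(dev[0], hapd,
                          "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
                          # NOTE(review): reconstructed -- original line 5678
                          # is not shown; see the note above.
                          "TLSv1.2")
    elif tls.startswith("internal"):
        # Disabling two of the three legacy versions must leave exactly the
        # remaining one negotiable.
        check_tls_ver(dev[0], hapd,
                      "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
        check_tls_ver(dev[1], hapd,
                      "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
        check_tls_ver(dev[2], hapd,
                      "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
    if "run=OpenSSL 1.1.1" in tls:
        check_tls_ver(dev[0], hapd,
                      "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0", "TLSv1.3")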
def test_ap_wpa2_eap_tls_versions_server(dev, apdev):
    """EAP-TLS and TLS version configuration on server side

    Restricts the versions hostapd offers through tls_flags and checks that
    the client ends up on the highest version left enabled. (TLS 1.0/1.1
    are deprecated; they are enabled here only to exercise negotiation.)
    """
    params = {"ssid": "test-wpa2-eap",
              # NOTE(review): original line 5693 is not shown in this rendering
              "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP",
              # NOTE(review): original lines 5696-5697 are not shown in this
              # rendering
              "eap_user_file": "auth_serv/eap_user.conf",
              "ca_cert": "auth_serv/ca.pem",
              "server_cert": "auth_serv/server.pem",
              "private_key": "auth_serv/server.key"}
    hapd = hostapd.add_ap(apdev[0], params)

    # (expected negotiated version, hostapd tls_flags)
    tests = [("TLSv1", "[ENABLE-TLSv1.0][DISABLE-TLSv1.1][DISABLE-TLSv1.2][DISABLE-TLSv1.3]"),
             ("TLSv1.1", "[ENABLE-TLSv1.0][ENABLE-TLSv1.1][DISABLE-TLSv1.2][DISABLE-TLSv1.3]"),
             ("TLSv1.2", "[ENABLE-TLSv1.0][ENABLE-TLSv1.1][ENABLE-TLSv1.2][DISABLE-TLSv1.3]")]
    for exp, flags in tests:
        # NOTE(review): original lines 5708 and 5710, on either side of the
        # tls_flags change, are not shown in this rendering (presumably the
        # AP is disabled/re-enabled so the new flags take effect -- confirm).
        hapd.set("tls_flags", flags)
        check_tls_ver(dev[0], hapd, "", exp)
def test_ap_wpa2_eap_tls_13(dev, apdev):
    """EAP-TLS and TLS 1.3

    Skipped unless wpa_supplicant runs on OpenSSL 1.1.1. Forces TLS 1.3 via
    phase1, verifies the reported version, then checks reauthentication and
    a fresh full connection after flushing the PMKSA cache.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    sta = dev[0]
    tls = sta.request("GET tls_library")
    if "run=OpenSSL 1.1.1" not in tls:
        raise HwsimSkip("TLS v1.3 not supported")

    only_tls13 = ("tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 "
                  "tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0")
    nid = eap_connect(sta, hapd, "TLS", "tls user",
                      ca_cert="auth_serv/ca.pem",
                      client_cert="auth_serv/user.pem",
                      private_key="auth_serv/user.key",
                      phase1=only_tls13)
    ver = sta.get_status_field("eap_tls_version")
    if ver != "TLSv1.3":
        raise Exception("Unexpected TLS version")

    eap_reauth(sta, "TLS")
    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.request("PMKSA_FLUSH")
    sta.request("RECONNECT")
    sta.wait_connected()
def test_ap_wpa2_eap_tls_13_ec(dev, apdev):
    """EAP-TLS and TLS 1.3 (EC certificates)

    Same as the RSA variant but with the EC CA/server/user certificates and
    TLS 1.3 explicitly enabled on the server. Skipped unless both hostapd
    and wpa_supplicant run on OpenSSL 1.1.1.
    """
    params = {"ssid": "test-wpa2-eap",
              # NOTE(review): original line 5740 is not shown in this rendering
              "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP",
              # NOTE(review): original lines 5743-5744 are not shown in this
              # rendering
              "eap_user_file": "auth_serv/eap_user.conf",
              "ca_cert": "auth_serv/ec-ca.pem",
              "server_cert": "auth_serv/ec-server.pem",
              "private_key": "auth_serv/ec-server.key",
              "tls_flags": "[ENABLE-TLSv1.3]"}
    hapd = hostapd.add_ap(apdev[0], params)
    tls = hapd.request("GET tls_library")
    if "run=OpenSSL 1.1.1" not in tls:
        raise HwsimSkip("TLS v1.3 not supported")

    tls = dev[0].request("GET tls_library")
    if "run=OpenSSL 1.1.1" not in tls:
        raise HwsimSkip("TLS v1.3 not supported")
    # `id` (a builtin name) is assigned but never read here.
    id = eap_connect(dev[0], hapd, "TLS", "tls user",
                     ca_cert="auth_serv/ec-ca.pem",
                     client_cert="auth_serv/ec-user.pem",
                     private_key="auth_serv/ec-user.key",
                     phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0")
    ver = dev[0].get_status_field("eap_tls_version")
    if ver != "TLSv1.3":
        raise Exception("Unexpected TLS version")
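def test_ap_wpa2_eap_tls_rsa_and_ec(dev, apdev, params):
    """EAP-TLS and both RSA and EC certificates on the server

    A combined CA bundle (RSA CA followed by EC CA) is written under the log
    directory and the server is given an RSA certificate as its primary and
    an EC certificate as server_cert2/private_key2. An EC client and an RSA
    client then connect in turn.

    Note: the *params* argument (test fixture, provides 'logdir') is
    shadowed below by the hostapd configuration dictionary.
    """
    ca = os.path.join(params['logdir'], "ap_wpa2_eap_tls_rsa_and_ec.ca.pem")
    with open(ca, "w") as f:
        with open("auth_serv/ca.pem", "r") as f2:
            # NOTE(review): reconstructed -- original line 5772 is not shown
            # in this rendering (f2 is opened for reading and nothing else).
            f.write(f2.read())
        with open("auth_serv/ec-ca.pem", "r") as f2:
            # NOTE(review): reconstructed -- original line 5774 is not shown.
            f.write(f2.read())
    params = {"ssid": "test-wpa2-eap",
              # NOTE(review): original line 5776 is not shown in this rendering
              "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP",
              # NOTE(review): original lines 5779-5780 are not shown
              "eap_user_file": "auth_serv/eap_user.conf",
              # NOTE(review): reconstructed -- original line 5782 is not
              # shown; `ca` is otherwise unused. Confirm against the tree.
              "ca_cert": ca,
              "server_cert": "auth_serv/server.pem",
              "private_key": "auth_serv/server.key",
              "server_cert2": "auth_serv/ec-server.pem",
              "private_key2": "auth_serv/ec-server.key"}
    hapd = hostapd.add_ap(apdev[0], params)

    eap_connect(dev[0], hapd, "TLS", "tls user",
                ca_cert="auth_serv/ec-ca.pem",
                client_cert="auth_serv/ec-user.pem",
                private_key="auth_serv/ec-user.key")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # TODO: Make wpa_supplicant automatically filter out cipher suites that
    # would require ECDH/ECDSA keys when those are not configured in the
    # selected client certificate. And for no-client-cert case, deprioritize
    # those cipher suites based on configured ca_cert value so that the most
    # likely to work cipher suites are selected by the server. Only do these
    # when an explicit openssl_ciphers parameter is not set.
    eap_connect(dev[1], hapd, "TLS", "tls user",
                openssl_ciphers="DEFAULT:-aECDH:-aECDSA",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[1].request("REMOVE_NETWORK all")
    dev[1].wait_disconnected()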
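def test_ap_wpa2_eap_tls_ec_and_rsa(dev, apdev, params):
    """EAP-TLS and both EC and RSA certificates on the server

    Mirror image of test_ap_wpa2_eap_tls_rsa_and_ec: the EC certificate is
    the server's primary and the RSA one is supplied as private_key2 from a
    password-protected PKCS#12 file.

    Note: the *params* argument (test fixture, provides 'logdir') is
    shadowed below by the hostapd configuration dictionary.
    """
    ca = os.path.join(params['logdir'], "ap_wpa2_eap_tls_ec_and_rsa.ca.pem")
    with open(ca, "w") as f:
        with open("auth_serv/ca.pem", "r") as f2:
            # NOTE(review): reconstructed -- original line 5815 is not shown
            # in this rendering (f2 is opened for reading and nothing else).
            f.write(f2.read())
        with open("auth_serv/ec-ca.pem", "r") as f2:
            # NOTE(review): reconstructed -- original line 5817 is not shown.
            f.write(f2.read())
    params = {"ssid": "test-wpa2-eap",
              # NOTE(review): original line 5819 is not shown in this rendering
              "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP",
              # NOTE(review): original lines 5822-5823 are not shown
              "eap_user_file": "auth_serv/eap_user.conf",
              # NOTE(review): reconstructed -- original line 5825 is not
              # shown; `ca` is otherwise unused. Confirm against the tree.
              "ca_cert": ca,
              "private_key2": "auth_serv/server-extra.pkcs12",
              "private_key_passwd2": "whatever",
              "server_cert": "auth_serv/ec-server.pem",
              "private_key": "auth_serv/ec-server.key"}
    hapd = hostapd.add_ap(apdev[0], params)

    eap_connect(dev[0], hapd, "TLS", "tls user",
                ca_cert="auth_serv/ec-ca.pem",
                client_cert="auth_serv/ec-user.pem",
                private_key="auth_serv/ec-user.key")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # TODO: Make wpa_supplicant automatically filter out cipher suites that
    # would require ECDH/ECDSA keys when those are not configured in the
    # selected client certificate. And for no-client-cert case, deprioritize
    # those cipher suites based on configured ca_cert value so that the most
    # likely to work cipher suites are selected by the server. Only do these
    # when an explicit openssl_ciphers parameter is not set.
    eap_connect(dev[1], hapd, "TLS", "tls user",
                openssl_ciphers="DEFAULT:-aECDH:-aECDSA",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[1].request("REMOVE_NETWORK all")
    dev[1].wait_disconnected()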
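def test_rsn_ie_proto_eap_sta(dev, apdev):
    """RSN element protocol testing for EAP cases on STA side

    The AP advertises progressively truncated RSN elements (trailing fields
    dropped one at a time). The station is expected to parse each one and
    still connect, i.e. missing optional trailing RSNE fields must not be
    treated as malformed.
    """
    bssid = apdev[0]['bssid']
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # This is the RSN element used normally by hostapd
    params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
    hapd = hostapd.add_ap(apdev[0], params)
    # `id` shadows the builtin; kept for consistency with select_network().
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                        identity="gpsk user",
                        password="abcdefghijklmnop0123456789abcdef",
                        # NOTE(review): reconstructed closing argument --
                        # original line 5863 is not shown in this rendering.
                        scan_freq="2412")

    # (description, RSNE hex) -- each entry drops the last field of the
    # previous one; the length byte shrinks accordingly.
    tests = [('No RSN Capabilities field',
              '30120100000fac040100000fac040100000fac01'),
             ('No AKM Suite fields',
              '300c0100000fac040100000fac04'),
             ('No Pairwise Cipher Suite fields',
              '30060100000fac04'),
             ('No Group Data Cipher Suite field',
              # NOTE(review): reconstructed from the pattern of the entries
              # above (version field only); original line 5872 is not shown.
              '30020100')]
    for txt, ie in tests:
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        # NOTE(review): original lines 5876-5877 and 5879 are not shown in
        # this rendering; `txt` is otherwise unused, so one of them
        # presumably logs it, and the AP is presumably restarted around the
        # IE change -- confirm against the tree.
        hapd.set('own_ie_override', ie)
        dev[0].request("BSS_FLUSH 0")
        dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
        dev[0].select_network(id, freq=2412)
        dev[0].wait_connected()

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].flush_scan_cache()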
def check_tls_session_resumption_capa(dev, hapd):
    """Skip the test unless both hostapd and wpa_supplicant use OpenSSL.

    Raises HwsimSkip otherwise. The hostapd check runs first; the station
    is only queried if the AP side passes. Note that the hostapd-side
    message mentions wolfSSL, but the check itself only accepts OpenSSL.
    """
    checks = ((hapd, "hostapd TLS library is not OpenSSL or wolfSSL: "),
              (dev, "Session resumption not supported with this TLS library: "))
    for node, msg in checks:
        lib = node.request("GET tls_library")
        if not lib.startswith("OpenSSL"):
            raise HwsimSkip(msg + lib)
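def test_eap_ttls_pap_session_resumption(dev, apdev):
    """EAP-TTLS/PAP session resumption

    First connection must be a full handshake (tls_session_reused == '0');
    the REAUTHENTICATE that follows must resume the cached session ('1').
    Data connectivity is verified at the end.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                # NOTE(review): reconstructed -- original line 5907 is not
                # shown in this rendering; the other TTLS/PAP tests close the
                # call with this argument. Confirm against the tree.
                phase2="auth=PAP")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 5913 is not shown.
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 5916 is not shown.
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
    hwsim_utils.test_connectivity(dev[0], hapd)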
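def test_eap_ttls_chap_session_resumption(dev, apdev):
    """EAP-TTLS/CHAP session resumption

    Same shape as the PAP variant, using the DER-encoded CA file on the
    client side: full handshake first, resumed session on REAUTHENTICATE.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 5936 is not shown.
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 5939 is not shown.
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")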
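def test_eap_ttls_mschap_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAP session resumption

    Adds domain_suffix_match on the server certificate; otherwise the same
    full-then-resumed sequence as the other TTLS variants.
    """
    check_domain_suffix_match(dev[0])
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 5960 is not shown.
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 5963 is not shown.
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")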
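def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAPv2 session resumption

    The identity carries a DOMAIN\\ prefix to exercise the domain-stripping
    path; otherwise the usual full-then-resumed sequence.
    """
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    # Backslash escaped: "\m" is an invalid escape sequence in a plain string
    # literal (a warning on current Python); the runtime value is unchanged.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 5985 is not shown.
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 5988 is not shown.
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")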
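def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
    """EAP-TTLS/EAP-GTC session resumption

    Inner method is EAP-GTC (phase2 "autheap=GTC"); same full-then-resumed
    sequence as the other TTLS variants.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 6007 is not shown.
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 6010 is not shown.
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")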
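def test_eap_ttls_no_session_resumption(dev, apdev):
    """EAP-TTLS session resumption disabled on server

    tls_session_lifetime=0 turns caching off, so both the first connection
    and the reauthentication must report tls_session_reused == '0'.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '0'
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                # NOTE(review): reconstructed -- original line 6023 is not
                # shown in this rendering; the other TTLS/PAP tests close the
                # call with this argument. Confirm against the tree.
                phase2="auth=PAP")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 6029 is not shown.
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 6032 is not shown.
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")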
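def test_eap_peap_session_resumption(dev, apdev):
    """EAP-PEAP session resumption

    Full handshake on the first connection, resumed session after
    REAUTHENTICATE, with MSCHAPv2 as the inner method.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 6052 is not shown.
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 6055 is not shown.
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")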
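def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
    """EAP-PEAP session resumption with crypto binding

    PEAPv0 with crypto_binding=2 (binding required) must still resume the
    TLS session on REAUTHENTICATE.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                phase1="peapver=0 crypto_binding=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 6075 is not shown.
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 6078 is not shown.
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")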
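def test_eap_peap_no_session_resumption(dev, apdev):
    """EAP-PEAP session resumption disabled on server

    Uses int_eap_server_params() as-is (no tls_session_lifetime), and
    expects neither connection to report a reused session.
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 6095 is not shown.
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 6098 is not shown.
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")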
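def test_eap_tls_session_resumption(dev, apdev):
    """EAP-TLS session resumption

    Full handshake first, then two consecutive REAUTHENTICATE rounds that
    must both resume the cached session.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 6117 is not shown.
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 6120 is not shown.
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 6127 is not shown.
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 6130 is not shown.
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the third connection")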
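def test_eap_tls_session_resumption_expiration(dev, apdev):
    """EAP-TLS session resumption expiration

    With tls_session_lifetime=1 the cached session must stop being offered
    once the lifetime has passed: after repeated reauthentications the
    station must eventually report tls_session_reused == '0'.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '1'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Allow multiple attempts since OpenSSL may not expire the cached entry
    # NOTE(review): the rest of this comment and the retry-loop header
    # (original lines 6148-6151) are not shown in this rendering. The loop
    # below is reconstructed; the retry count 10 is a constructed
    # placeholder, and those lines presumably also wait for the lifetime to
    # elapse between attempts -- confirm against the tree.
    for _attempt in range(10):
        dev[0].request("REAUTHENTICATE")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        # NOTE(review): guard reconstructed -- original line 6154 not shown.
        if ev is None:
            raise Exception("EAP success timed out")
        ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
        # NOTE(review): guard reconstructed -- original line 6157 not shown.
        if ev is None:
            raise Exception("Key handshake with the AP timed out")
        if dev[0].get_status_field("tls_session_reused") == '0':
            # NOTE(review): loop exit reconstructed -- original line 6160
            # is not shown.
            break
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Session resumption used after lifetime expiration")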
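def test_eap_tls_no_session_resumption(dev, apdev):
    """EAP-TLS session resumption disabled on server

    Uses int_eap_server_params() as-is (no tls_session_lifetime) and
    expects neither the first connection nor the reauthentication to
    report a reused session.
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 6176 is not shown.
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 6179 is not shown.
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")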
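def test_eap_tls_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption (RADIUS)

    The EAP server runs as a standalone RADIUS server on apdev[1] (port
    18128) and the AP on apdev[0] proxies to it; session resumption must
    work across that RADIUS hop.
    """
    params = {"ssid": "as", "beacon_int": "2000",
              "radius_server_clients": "auth_serv/radius_clients.conf",
              "radius_server_auth_port": '18128',
              # NOTE(review): original line 6189 is not shown in this rendering
              "eap_user_file": "auth_serv/eap_user.conf",
              "ca_cert": "auth_serv/ca.pem",
              "server_cert": "auth_serv/server.pem",
              "private_key": "auth_serv/server.key",
              "tls_session_lifetime": "60"}
    authsrv = hostapd.add_ap(apdev[1], params)
    check_tls_session_resumption_capa(dev[0], authsrv)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 6209 is not shown.
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 6212 is not shown.
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")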
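def test_eap_tls_no_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption disabled (RADIUS)

    Same RADIUS topology as test_eap_tls_session_resumption_radius but with
    tls_session_lifetime=0 on the authentication server, so no session may
    be reused.
    """
    params = {"ssid": "as", "beacon_int": "2000",
              "radius_server_clients": "auth_serv/radius_clients.conf",
              "radius_server_auth_port": '18128',
              # NOTE(review): original line 6222 is not shown in this rendering
              "eap_user_file": "auth_serv/eap_user.conf",
              "ca_cert": "auth_serv/ca.pem",
              "server_cert": "auth_serv/server.pem",
              "private_key": "auth_serv/server.key",
              "tls_session_lifetime": "0"}
    hostapd.add_ap(apdev[1], params)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 6241 is not shown.
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # NOTE(review): guard reconstructed -- original line 6244 is not shown.
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")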
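def test_eap_mschapv2_errors(dev, apdev):
    """EAP-MSCHAPv2 error cases

    After one successful baseline connection, injects crypto failures
    (fail_test) and allocation failures (alloc_fail) into the MSCHAPv2
    response derivation, message building and key export, both with a
    plaintext password and with the NT-hash form of the same test
    credential, and finally inside EAP-FAST provisioning. Each injected
    failure must be reached (wait_fail_trigger) and the station must
    recover cleanly when the network is removed.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    check_eap_capa(dev[0], "FAST")

    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                   identity="phase1-user", password="password",
                   # NOTE(review): reconstructed closing argument -- original
                   # line 6258 is not shown in this rendering; every other
                   # connect() in this function passes it.
                   scan_freq="2412")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # NOTE(review): "nt_password_hash;=mschapv2_derive_response" appears
    # twice in this list (original lines 6264 and 6267); left as-is.
    tests = [(1, "hash_nt_password_hash;mschapv2_derive_response"),
             (1, "nt_password_hash;mschapv2_derive_response"),
             (1, "nt_password_hash;=mschapv2_derive_response"),
             (1, "generate_nt_response;mschapv2_derive_response"),
             (1, "generate_authenticator_response;mschapv2_derive_response"),
             (1, "nt_password_hash;=mschapv2_derive_response"),
             (1, "get_master_key;mschapv2_derive_response"),
             (1, "os_get_random;eap_mschapv2_challenge_reply")]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user", password="password",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Same derivation paths when the credential is supplied as an NT hash
    # ("hash:" + 16 bytes) instead of a plaintext password.
    tests = [(1, "hash_nt_password_hash;mschapv2_derive_response"),
             (1, "hash_nt_password_hash;=mschapv2_derive_response"),
             (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
             (1, "generate_authenticator_response_pwhash;mschapv2_derive_response")]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user",
                           password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    tests = [(1, "eap_mschapv2_init"),
             (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
             (1, "eap_msg_alloc;eap_mschapv2_success"),
             (1, "eap_mschapv2_getKey")]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user", password="password",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # The failure message is only built when the server rejects the
    # password, hence the wrong credential here.
    tests = [(1, "eap_msg_alloc;eap_mschapv2_failure")]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user", password="wrong password",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Later eap_mschapv2_init() instances are reached through EAP-FAST
    # in-band provisioning, where MSCHAPv2 runs as the inner method.
    tests = [(2, "eap_mschapv2_init"),
             (3, "eap_mschapv2_init")]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="FAST",
                           anonymous_identity="FAST", identity="user",
                           password="password",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           phase1="fast_provisioning=1",
                           pac_file="blob://fast_pac",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()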
6331 def test_eap_gpsk_errors(dev
, apdev
):
6332 """EAP-GPSK error cases"""
6333 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa-eap")
6334 hapd
= hostapd
.add_ap(apdev
[0], params
)
6335 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
6336 identity
="gpsk user",
6337 password
="abcdefghijklmnop0123456789abcdef",
6339 dev
[0].request("REMOVE_NETWORK all")
6340 dev
[0].wait_disconnected()
6342 tests
= [(1, "os_get_random;eap_gpsk_send_gpsk_2", None),
6343 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
6345 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
6347 (1, "eap_gpsk_derive_keys_helper", None),
6348 (2, "eap_gpsk_derive_keys_helper", None),
6349 (3, "eap_gpsk_derive_keys_helper", None),
6350 (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
6352 (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
6354 (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
6355 (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
6356 (1, "eap_gpsk_derive_mid_helper", None)]
6357 for count
, func
, phase1
in tests
:
6358 with
fail_test(dev
[0], count
, func
):
6359 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
6360 identity
="gpsk user",
6361 password
="abcdefghijklmnop0123456789abcdef",
6363 wait_connect
=False, scan_freq
="2412")
6364 wait_fail_trigger(dev
[0], "GET_FAIL")
6365 dev
[0].request("REMOVE_NETWORK all")
6366 dev
[0].wait_disconnected()
6368 tests
= [(1, "eap_gpsk_init"),
6369 (2, "eap_gpsk_init"),
6370 (3, "eap_gpsk_init"),
6371 (1, "eap_gpsk_process_id_server"),
6372 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
6373 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
6374 (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
6375 (1, "eap_gpsk_derive_keys"),
6376 (1, "eap_gpsk_derive_keys_helper"),
6377 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
6378 (1, "eap_gpsk_getKey"),
6379 (1, "eap_gpsk_get_emsk"),
6380 (1, "eap_gpsk_get_session_id")]
6381 for count
, func
in tests
:
6382 with
alloc_fail(dev
[0], count
, func
):
6383 dev
[0].request("ERP_FLUSH")
6384 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
6385 identity
="gpsk user@domain", erp
="1",
6386 password
="abcdefghijklmnop0123456789abcdef",
6387 wait_connect
=False, scan_freq
="2412")
6388 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6389 dev
[0].request("REMOVE_NETWORK all")
6390 dev
[0].wait_disconnected()
6392 def test_ap_wpa2_eap_sim_db(dev
, apdev
, params
):
6393 """EAP-SIM DB error cases"""
6394 sockpath
= '/tmp/hlr_auc_gw.sock-test'
6399 hparams
= int_eap_server_params()
6400 hparams
['eap_sim_db'] = 'unix:' + sockpath
6401 hapd
= hostapd
.add_ap(apdev
[0], hparams
)
6403 # Initial test with hlr_auc_gw socket not available
6404 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
6405 eap
="SIM", identity
="1232010000000000",
6406 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
6407 scan_freq
="2412", wait_connect
=False)
6408 ev
= dev
[0].wait_event(["EAP-ERROR-CODE"], timeout
=10)
6410 raise Exception("EAP method specific error code not reported")
6411 if int(ev
.split()[1]) != 16384:
6412 raise Exception("Unexpected EAP method specific error code: " + ev
)
6413 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
6415 raise Exception("EAP-Failure not reported")
6416 dev
[0].wait_disconnected()
6417 dev
[0].request("DISCONNECT")
6419 # Test with invalid responses and response timeout
6421 class test_handler(SocketServer
.DatagramRequestHandler
):
6423 data
= self
.request
[0].decode().strip()
6424 socket
= self
.request
[1]
6425 logger
.debug("Received hlr_auc_gw request: " + data
)
6426 # EAP-SIM DB: Failed to parse response string
6427 socket
.sendto(b
"FOO", self
.client_address
)
6428 # EAP-SIM DB: Failed to parse response string
6429 socket
.sendto(b
"FOO 1", self
.client_address
)
6430 # EAP-SIM DB: Unknown external response
6431 socket
.sendto(b
"FOO 1 2", self
.client_address
)
6432 logger
.info("No proper response - wait for pending eap_sim_db request timeout")
6434 server
= SocketServer
.UnixDatagramServer(sockpath
, test_handler
)
6437 dev
[0].select_network(id)
6438 server
.handle_request()
6439 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
6441 raise Exception("EAP-Failure not reported")
6442 dev
[0].wait_disconnected()
6443 dev
[0].request("DISCONNECT")
6445 # Test with a valid response
6447 class test_handler2(SocketServer
.DatagramRequestHandler
):
6449 data
= self
.request
[0].decode().strip()
6450 socket
= self
.request
[1]
6451 logger
.debug("Received hlr_auc_gw request: " + data
)
6452 fname
= os
.path
.join(params
['logdir'],
6453 'hlr_auc_gw.milenage_db')
6454 cmd
= subprocess
.Popen(['../../hostapd/hlr_auc_gw',
6456 stdout
=subprocess
.PIPE
)
6457 res
= cmd
.stdout
.read().decode().strip()
6459 logger
.debug("hlr_auc_gw response: " + res
)
6460 socket
.sendto(res
.encode(), self
.client_address
)
6462 server
.RequestHandlerClass
= test_handler2
6464 dev
[0].select_network(id)
6465 server
.handle_request()
6466 dev
[0].wait_connected()
6467 dev
[0].request("DISCONNECT")
6468 dev
[0].wait_disconnected()
6470 def test_eap_tls_sha512(dev
, apdev
, params
):
6471 """EAP-TLS with SHA512 signature"""
6472 params
= int_eap_server_params()
6473 params
["ca_cert"] = "auth_serv/sha512-ca.pem"
6474 params
["server_cert"] = "auth_serv/sha512-server.pem"
6475 params
["private_key"] = "auth_serv/sha512-server.key"
6476 hostapd
.add_ap(apdev
[0], params
)
6478 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6479 identity
="tls user sha512",
6480 ca_cert
="auth_serv/sha512-ca.pem",
6481 client_cert
="auth_serv/sha512-user.pem",
6482 private_key
="auth_serv/sha512-user.key",
6484 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6485 identity
="tls user sha512",
6486 ca_cert
="auth_serv/sha512-ca.pem",
6487 client_cert
="auth_serv/sha384-user.pem",
6488 private_key
="auth_serv/sha384-user.key",
6491 def test_eap_tls_sha384(dev
, apdev
, params
):
6492 """EAP-TLS with SHA384 signature"""
6493 params
= int_eap_server_params()
6494 params
["ca_cert"] = "auth_serv/sha512-ca.pem"
6495 params
["server_cert"] = "auth_serv/sha384-server.pem"
6496 params
["private_key"] = "auth_serv/sha384-server.key"
6497 hostapd
.add_ap(apdev
[0], params
)
6499 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6500 identity
="tls user sha512",
6501 ca_cert
="auth_serv/sha512-ca.pem",
6502 client_cert
="auth_serv/sha512-user.pem",
6503 private_key
="auth_serv/sha512-user.key",
6505 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6506 identity
="tls user sha512",
6507 ca_cert
="auth_serv/sha512-ca.pem",
6508 client_cert
="auth_serv/sha384-user.pem",
6509 private_key
="auth_serv/sha384-user.key",
6512 def test_ap_wpa2_eap_assoc_rsn(dev
, apdev
):
6513 """WPA2-Enterprise AP and association request RSN IE differences"""
6514 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6515 hostapd
.add_ap(apdev
[0], params
)
6517 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap-11w")
6518 params
["ieee80211w"] = "2"
6519 hostapd
.add_ap(apdev
[1], params
)
6521 # Success cases with optional RSN IE fields removed one by one
6522 tests
= [("Normal wpa_supplicant assoc req RSN IE",
6523 "30140100000fac040100000fac040100000fac010000"),
6524 ("Extra PMKIDCount field in RSN IE",
6525 "30160100000fac040100000fac040100000fac0100000000"),
6526 ("Extra Group Management Cipher Suite in RSN IE",
6527 "301a0100000fac040100000fac040100000fac0100000000000fac06"),
6528 ("Extra undefined extension field in RSN IE",
6529 "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
6530 ("RSN IE without RSN Capabilities",
6531 "30120100000fac040100000fac040100000fac01"),
6532 ("RSN IE without AKM", "300c0100000fac040100000fac04"),
6533 ("RSN IE without pairwise", "30060100000fac04"),
6534 ("RSN IE without group", "30020100")]
6535 for title
, ie
in tests
:
6537 set_test_assoc_ie(dev
[0], ie
)
6538 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
6539 identity
="gpsk user",
6540 password
="abcdefghijklmnop0123456789abcdef",
6542 dev
[0].request("REMOVE_NETWORK all")
6543 dev
[0].wait_disconnected()
6545 tests
= [("Normal wpa_supplicant assoc req RSN IE",
6546 "30140100000fac040100000fac040100000fac01cc00"),
6547 ("Group management cipher included in assoc req RSN IE",
6548 "301a0100000fac040100000fac040100000fac01cc000000000fac06")]
6549 for title
, ie
in tests
:
6551 set_test_assoc_ie(dev
[0], ie
)
6552 dev
[0].connect("test-wpa2-eap-11w", key_mgmt
="WPA-EAP", ieee80211w
="1",
6553 eap
="GPSK", identity
="gpsk user",
6554 password
="abcdefghijklmnop0123456789abcdef",
6556 dev
[0].request("REMOVE_NETWORK all")
6557 dev
[0].wait_disconnected()
6559 tests
= [("Invalid group cipher", "30060100000fac02", 41),
6560 ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42)]
6561 for title
, ie
, status
in tests
:
6563 set_test_assoc_ie(dev
[0], ie
)
6564 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
6565 identity
="gpsk user",
6566 password
="abcdefghijklmnop0123456789abcdef",
6567 scan_freq
="2412", wait_connect
=False)
6568 ev
= dev
[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
6570 raise Exception("Association rejection not reported")
6571 if "status_code=" + str(status
) not in ev
:
6572 raise Exception("Unexpected status code: " + ev
)
6573 dev
[0].request("REMOVE_NETWORK all")
6574 dev
[0].dump_monitor()
6576 tests
= [("Management frame protection not enabled",
6577 "30140100000fac040100000fac040100000fac010000", 31),
6578 ("Unsupported management group cipher",
6579 "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 46)]
6580 for title
, ie
, status
in tests
:
6582 set_test_assoc_ie(dev
[0], ie
)
6583 dev
[0].connect("test-wpa2-eap-11w", key_mgmt
="WPA-EAP", ieee80211w
="1",
6584 eap
="GPSK", identity
="gpsk user",
6585 password
="abcdefghijklmnop0123456789abcdef",
6586 scan_freq
="2412", wait_connect
=False)
6587 ev
= dev
[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
6589 raise Exception("Association rejection not reported")
6590 if "status_code=" + str(status
) not in ev
:
6591 raise Exception("Unexpected status code: " + ev
)
6592 dev
[0].request("REMOVE_NETWORK all")
6593 dev
[0].dump_monitor()
6595 def test_eap_tls_ext_cert_check(dev
, apdev
):
6596 """EAP-TLS and external server certification validation"""
6597 # With internal server certificate chain validation
6598 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6599 identity
="tls user",
6600 ca_cert
="auth_serv/ca.pem",
6601 client_cert
="auth_serv/user.pem",
6602 private_key
="auth_serv/user.key",
6603 phase1
="tls_ext_cert_check=1", scan_freq
="2412",
6604 only_add_network
=True)
6605 run_ext_cert_check(dev
, apdev
, id)
6607 def test_eap_ttls_ext_cert_check(dev
, apdev
):
6608 """EAP-TTLS and external server certification validation"""
6609 # Without internal server certificate chain validation
6610 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
6611 identity
="pap user", anonymous_identity
="ttls",
6612 password
="password", phase2
="auth=PAP",
6613 phase1
="tls_ext_cert_check=1", scan_freq
="2412",
6614 only_add_network
=True)
6615 run_ext_cert_check(dev
, apdev
, id)
6617 def test_eap_peap_ext_cert_check(dev
, apdev
):
6618 """EAP-PEAP and external server certification validation"""
6619 # With internal server certificate chain validation
6620 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
6621 identity
="user", anonymous_identity
="peap",
6622 ca_cert
="auth_serv/ca.pem",
6623 password
="password", phase2
="auth=MSCHAPV2",
6624 phase1
="tls_ext_cert_check=1", scan_freq
="2412",
6625 only_add_network
=True)
6626 run_ext_cert_check(dev
, apdev
, id)
6628 def test_eap_fast_ext_cert_check(dev
, apdev
):
6629 """EAP-FAST and external server certification validation"""
6630 check_eap_capa(dev
[0], "FAST")
6631 # With internal server certificate chain validation
6632 dev
[0].request("SET blob fast_pac_auth_ext ")
6633 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
6634 identity
="user", anonymous_identity
="FAST",
6635 ca_cert
="auth_serv/ca.pem",
6636 password
="password", phase2
="auth=GTC",
6637 phase1
="tls_ext_cert_check=1 fast_provisioning=2",
6638 pac_file
="blob://fast_pac_auth_ext",
6640 only_add_network
=True)
6641 run_ext_cert_check(dev
, apdev
, id)
6643 def run_ext_cert_check(dev
, apdev
, net_id
):
6644 check_ext_cert_check_support(dev
[0])
6645 if not openssl_imported
:
6646 raise HwsimSkip("OpenSSL python method not available")
6648 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6649 hapd
= hostapd
.add_ap(apdev
[0], params
)
6651 dev
[0].select_network(net_id
)
6654 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
6655 "CTRL-REQ-EXT_CERT_CHECK",
6656 "CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
6658 raise Exception("No peer server certificate event seen")
6659 if "CTRL-EVENT-EAP-PEER-CERT" in ev
:
6662 vals
= ev
.split(' ')
6664 if v
.startswith("depth="):
6665 depth
= int(v
.split('=')[1])
6666 elif v
.startswith("cert="):
6667 cert
= v
.split('=')[1]
6668 if depth
is not None and cert
:
6669 certs
[depth
] = binascii
.unhexlify(cert
)
6670 elif "CTRL-EVENT-EAP-SUCCESS" in ev
:
6671 raise Exception("Unexpected EAP-Success")
6672 elif "CTRL-REQ-EXT_CERT_CHECK" in ev
:
6673 id = ev
.split(':')[0].split('-')[-1]
6676 raise Exception("Server certificate not received")
6678 raise Exception("Server certificate issuer not received")
6680 cert
= OpenSSL
.crypto
.load_certificate(OpenSSL
.crypto
.FILETYPE_ASN1
,
6682 cn
= cert
.get_subject().commonName
6683 logger
.info("Server certificate CN=" + cn
)
6685 issuer
= OpenSSL
.crypto
.load_certificate(OpenSSL
.crypto
.FILETYPE_ASN1
,
6687 icn
= issuer
.get_subject().commonName
6688 logger
.info("Issuer certificate CN=" + icn
)
6690 if cn
!= "server.w1.fi":
6691 raise Exception("Unexpected server certificate CN: " + cn
)
6692 if icn
!= "Root CA":
6693 raise Exception("Unexpected server certificate issuer CN: " + icn
)
6695 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=0.1)
6697 raise Exception("Unexpected EAP-Success before external check result indication")
6699 dev
[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
6700 dev
[0].wait_connected()
6702 dev
[0].request("DISCONNECT")
6703 dev
[0].wait_disconnected()
6704 if "FAIL" in dev
[0].request("PMKSA_FLUSH"):
6705 raise Exception("PMKSA_FLUSH failed")
6706 dev
[0].request("SET blob fast_pac_auth_ext ")
6707 dev
[0].request("RECONNECT")
6709 ev
= dev
[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout
=10)
6711 raise Exception("No peer server certificate event seen (2)")
6712 id = ev
.split(':')[0].split('-')[-1]
6713 dev
[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
6714 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
6716 raise Exception("EAP-Failure not reported")
6717 dev
[0].request("REMOVE_NETWORK all")
6718 dev
[0].wait_disconnected()
6720 def test_eap_tls_errors(dev
, apdev
):
6721 """EAP-TLS error cases"""
6722 params
= int_eap_server_params()
6723 params
['fragment_size'] = '100'
6724 hostapd
.add_ap(apdev
[0], params
)
6725 with
alloc_fail(dev
[0], 1,
6726 "eap_peer_tls_reassemble_fragment"):
6727 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6728 identity
="tls user", ca_cert
="auth_serv/ca.pem",
6729 client_cert
="auth_serv/user.pem",
6730 private_key
="auth_serv/user.key",
6731 wait_connect
=False, scan_freq
="2412")
6732 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6733 dev
[0].request("REMOVE_NETWORK all")
6734 dev
[0].wait_disconnected()
6736 with
alloc_fail(dev
[0], 1, "eap_tls_init"):
6737 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6738 identity
="tls user", ca_cert
="auth_serv/ca.pem",
6739 client_cert
="auth_serv/user.pem",
6740 private_key
="auth_serv/user.key",
6741 wait_connect
=False, scan_freq
="2412")
6742 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6743 dev
[0].request("REMOVE_NETWORK all")
6744 dev
[0].wait_disconnected()
6746 with
alloc_fail(dev
[0], 1, "eap_peer_tls_ssl_init"):
6747 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6748 identity
="tls user", ca_cert
="auth_serv/ca.pem",
6749 client_cert
="auth_serv/user.pem",
6750 private_key
="auth_serv/user.key",
6752 wait_connect
=False, scan_freq
="2412")
6753 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6754 ev
= dev
[0].wait_event(["CTRL-REQ-PIN"], timeout
=5)
6756 raise Exception("No CTRL-REQ-PIN seen")
6757 dev
[0].request("REMOVE_NETWORK all")
6758 dev
[0].wait_disconnected()
6760 tests
= ["eap_peer_tls_derive_key;eap_tls_success",
6761 "eap_peer_tls_derive_session_id;eap_tls_success",
6764 "eap_tls_get_session_id"]
6766 with
alloc_fail(dev
[0], 1, func
):
6767 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6768 identity
="tls user@domain",
6769 ca_cert
="auth_serv/ca.pem",
6770 client_cert
="auth_serv/user.pem",
6771 private_key
="auth_serv/user.key",
6773 wait_connect
=False, scan_freq
="2412")
6774 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6775 dev
[0].request("REMOVE_NETWORK all")
6776 dev
[0].wait_disconnected()
6778 with
alloc_fail(dev
[0], 1, "eap_unauth_tls_init"):
6779 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="UNAUTH-TLS",
6780 identity
="unauth-tls", ca_cert
="auth_serv/ca.pem",
6781 wait_connect
=False, scan_freq
="2412")
6782 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6783 dev
[0].request("REMOVE_NETWORK all")
6784 dev
[0].wait_disconnected()
6786 with
alloc_fail(dev
[0], 1, "eap_peer_tls_ssl_init;eap_unauth_tls_init"):
6787 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="UNAUTH-TLS",
6788 identity
="unauth-tls", ca_cert
="auth_serv/ca.pem",
6789 wait_connect
=False, scan_freq
="2412")
6790 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6791 dev
[0].request("REMOVE_NETWORK all")
6792 dev
[0].wait_disconnected()
6794 with
alloc_fail(dev
[0], 1, "eap_wfa_unauth_tls_init"):
6795 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
6796 eap
="WFA-UNAUTH-TLS",
6797 identity
="osen@example.com", ca_cert
="auth_serv/ca.pem",
6798 wait_connect
=False, scan_freq
="2412")
6799 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6800 dev
[0].request("REMOVE_NETWORK all")
6801 dev
[0].wait_disconnected()
6803 with
alloc_fail(dev
[0], 1, "eap_peer_tls_ssl_init;eap_wfa_unauth_tls_init"):
6804 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
6805 eap
="WFA-UNAUTH-TLS",
6806 identity
="osen@example.com", ca_cert
="auth_serv/ca.pem",
6807 wait_connect
=False, scan_freq
="2412")
6808 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6809 dev
[0].request("REMOVE_NETWORK all")
6810 dev
[0].wait_disconnected()
6812 def test_ap_wpa2_eap_status(dev
, apdev
):
6813 """EAP state machine status information"""
6814 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6815 hostapd
.add_ap(apdev
[0], params
)
6816 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
6817 identity
="cert user",
6818 ca_cert
="auth_serv/ca.pem", phase2
="auth=TLS",
6819 ca_cert2
="auth_serv/ca.pem",
6820 client_cert2
="auth_serv/user.pem",
6821 private_key2
="auth_serv/user.key",
6822 scan_freq
="2412", wait_connect
=False)
6828 selected_methods
= []
6830 for i
in range(100000):
6831 if not connected
and i
% 10 == 9:
6832 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=0.0001)
6835 s
= dev
[0].get_status(extra
="VERBOSE")
6836 if 'EAP state' in s
:
6837 state
= s
['EAP state']
6839 if state
not in states
:
6840 states
.append(state
)
6841 if state
== "SUCCESS":
6844 if 'methodState' in s
:
6845 val
= s
['methodState']
6846 if val
not in method_states
:
6847 method_states
.append(val
)
6850 if val
not in decisions
:
6851 decisions
.append(val
)
6852 if 'reqMethod' in s
:
6853 val
= s
['reqMethod']
6854 if val
not in req_methods
:
6855 req_methods
.append(val
)
6856 if 'selectedMethod' in s
:
6857 val
= s
['selectedMethod']
6858 if val
not in selected_methods
:
6859 selected_methods
.append(val
)
6860 logger
.info("Iterations: %d" % i
)
6861 logger
.info("EAP states: " + str(states
))
6862 logger
.info("methodStates: " + str(method_states
))
6863 logger
.info("decisions: " + str(decisions
))
6864 logger
.info("reqMethods: " + str(req_methods
))
6865 logger
.info("selectedMethods: " + str(selected_methods
))
6867 raise Exception("EAP did not succeed")
6869 dev
[0].wait_connected()
6870 dev
[0].request("REMOVE_NETWORK all")
6871 dev
[0].wait_disconnected()
6873 def test_ap_wpa2_eap_gpsk_ptk_rekey_ap(dev
, apdev
):
6874 """WPA2-Enterprise with EAP-GPSK and PTK rekey enforced by AP"""
6875 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6876 params
['wpa_ptk_rekey'] = '2'
6877 hapd
= hostapd
.add_ap(apdev
[0], params
)
6878 id = eap_connect(dev
[0], hapd
, "GPSK", "gpsk user",
6879 password
="abcdefghijklmnop0123456789abcdef")
6880 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"])
6882 raise Exception("PTK rekey timed out")
6884 hwsim_utils
.test_connectivity(dev
[0], hapd
)
6886 def test_ap_wpa2_eap_wildcard_ssid(dev
, apdev
):
6887 """WPA2-Enterprise connection using EAP-GPSK and wildcard SSID"""
6888 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6889 hapd
= hostapd
.add_ap(apdev
[0], params
)
6890 dev
[0].connect(bssid
=apdev
[0]['bssid'], key_mgmt
="WPA-EAP", eap
="GPSK",
6891 identity
="gpsk user",
6892 password
="abcdefghijklmnop0123456789abcdef",
6895 def test_ap_wpa2_eap_psk_mac_addr_change(dev
, apdev
):
6896 """WPA2-Enterprise connection using EAP-PSK after MAC address change"""
6897 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6898 hapd
= hostapd
.add_ap(apdev
[0], params
)
6900 cmd
= subprocess
.Popen(['ps', '-eo', 'pid,command'], stdout
=subprocess
.PIPE
)
6901 res
= cmd
.stdout
.read().decode()
6904 for p
in res
.splitlines():
6905 if "wpa_supplicant" not in p
:
6907 if dev
[0].ifname
not in p
:
6909 pid
= int(p
.strip().split(' ')[0])
6911 logger
.info("Could not find wpa_supplicant PID")
6913 logger
.info("wpa_supplicant PID %d" % pid
)
6915 addr
= dev
[0].get_status_field("address")
6916 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'down'])
6917 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'address',
6918 '02:11:22:33:44:55'])
6919 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'up'])
6920 addr1
= dev
[0].get_status_field("address")
6921 if addr1
!= '02:11:22:33:44:55':
6922 raise Exception("Failed to change MAC address")
6924 # Scan using the externally set MAC address, stop the wpa_supplicant
6925 # process to avoid it from processing the ifdown event before the interface
6926 # is already UP, change the MAC address back, allow the wpa_supplicant
6927 # process to continue. This will result in the ifdown + ifup sequence of
6928 # RTM_NEWLINK events to be processed while the interface is already UP.
6930 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
6931 os
.kill(pid
, signal
.SIGSTOP
)
6934 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'down'])
6935 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'address',
6937 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'up'])
6939 os
.kill(pid
, signal
.SIGCONT
)
6941 eap_connect(dev
[0], hapd
, "PSK", "psk.user@example.com",
6942 password_hex
="0123456789abcdef0123456789abcdef")
6944 addr2
= dev
[0].get_status_field("address")
6946 raise Exception("Failed to restore MAC address")
6948 def test_ap_wpa2_eap_server_get_id(dev
, apdev
):
6949 """Internal EAP server and dot1xAuthSessionUserName"""
6950 params
= int_eap_server_params()
6951 hapd
= hostapd
.add_ap(apdev
[0], params
)
6952 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
6953 client_cert
="auth_serv/user.pem",
6954 private_key
="auth_serv/user.key")
6955 sta
= hapd
.get_sta(dev
[0].own_addr())
6956 if 'dot1xAuthSessionUserName' not in sta
:
6957 raise Exception("No dot1xAuthSessionUserName included")
6958 user
= sta
['dot1xAuthSessionUserName']
6959 if user
!= "tls user":
6960 raise Exception("Unexpected dot1xAuthSessionUserName value: " + user
)
6962 def test_ap_wpa2_radius_server_get_id(dev
, apdev
):
6963 """External RADIUS server and dot1xAuthSessionUserName"""
6964 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6965 hapd
= hostapd
.add_ap(apdev
[0], params
)
6966 eap_connect(dev
[0], hapd
, "TTLS", "test-user",
6967 anonymous_identity
="ttls", password
="password",
6968 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
6969 sta
= hapd
.get_sta(dev
[0].own_addr())
6970 if 'dot1xAuthSessionUserName' not in sta
:
6971 raise Exception("No dot1xAuthSessionUserName included")
6972 user
= sta
['dot1xAuthSessionUserName']
6973 if user
!= "real-user":
6974 raise Exception("Unexpected dot1xAuthSessionUserName value: " + user
)
6976 def test_openssl_systemwide_policy(dev
, apdev
, test_params
):
6977 """OpenSSL systemwide policy and overrides"""
6978 prefix
= "openssl_systemwide_policy"
6979 pidfile
= os
.path
.join(test_params
['logdir'], prefix
+ '.pid-wpas')
6981 with
HWSimRadio() as (radio
, iface
):
6982 run_openssl_systemwide_policy(iface
, apdev
, test_params
)
6984 if os
.path
.exists(pidfile
):
6985 with
open(pidfile
, 'r') as f
:
6986 pid
= int(f
.read().strip())
6987 os
.kill(pid
, signal
.SIGTERM
)
6989 def write_openssl_cnf(cnf
, MinProtocol
=None, CipherString
=None):
6990 with
open(cnf
, "w") as f
:
6991 f
.write("""openssl_conf = default_conf
6995 system_default = system_default_sect
6996 [system_default_sect]
6999 f
.write("MinProtocol = %s\n" % MinProtocol
)
7001 f
.write("CipherString = %s\n" % CipherString
)
7003 def run_openssl_systemwide_policy(iface
, apdev
, test_params
):
7004 prefix
= "openssl_systemwide_policy"
7005 logfile
= os
.path
.join(test_params
['logdir'], prefix
+ '.log-wpas')
7006 pidfile
= os
.path
.join(test_params
['logdir'], prefix
+ '.pid-wpas')
7007 conffile
= os
.path
.join(test_params
['logdir'], prefix
+ '.conf')
7008 openssl_cnf
= os
.path
.join(test_params
['logdir'], prefix
+ '.openssl.cnf')
7010 write_openssl_cnf(openssl_cnf
, "TLSv1.2", "DEFAULT@SECLEVEL=2")
7012 with
open(conffile
, 'w') as f
:
7013 f
.write("ctrl_interface=DIR=/var/run/wpa_supplicant\n")
7015 params
= int_eap_server_params()
7016 params
['tls_flags'] = "[DISABLE-TLSv1.1][DISABLE-TLSv1.2][DISABLE-TLSv1.3]"
7018 hapd
= hostapd
.add_ap(apdev
[0], params
)
7020 prg
= os
.path
.join(test_params
['logdir'],
7021 'alt-wpa_supplicant/wpa_supplicant/wpa_supplicant')
7022 if not os
.path
.exists(prg
):
7023 prg
= '../../wpa_supplicant/wpa_supplicant'
7024 arg
= [prg
, '-BddtK', '-P', pidfile
, '-f', logfile
,
7025 '-Dnl80211', '-c', conffile
, '-i', iface
]
7026 logger
.info("Start wpa_supplicant: " + str(arg
))
7027 subprocess
.call(arg
, env
={'OPENSSL_CONF': openssl_cnf
})
7028 wpas
= WpaSupplicant(ifname
=iface
)
7029 if "PONG" not in wpas
.request("PING"):
7030 raise Exception("Could not PING wpa_supplicant")
7031 tls
= wpas
.request("GET tls_library")
7032 if not tls
.startswith("OpenSSL"):
7033 raise HwsimSkip("Not using OpenSSL")
7035 # Use default configuration without any TLS version overrides. This should
7036 # end up using OpenSSL systemwide policy and result in failure to find a
7037 # compatible protocol version.
7038 ca_file
= os
.path
.join(os
.getcwd(), "auth_serv/ca.pem")
7039 id = wpas
.connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
7040 identity
="pap user", anonymous_identity
="ttls",
7041 password
="password", phase2
="auth=PAP",
7043 scan_freq
="2412", wait_connect
=False)
7044 ev
= wpas
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
7046 raise Exception("EAP not started")
7047 ev
= wpas
.wait_event(["CTRL-EVENT-EAP-STATUS status='local TLS alert'"],
7050 raise HwsimSkip("OpenSSL systemwide policy not supported")
7051 wpas
.request("DISCONNECT")
7052 wpas
.wait_disconnected()
7055 # Explicitly allow TLSv1.0 to be used to override OpenSSL systemwide policy
7056 wpas
.set_network_quoted(id, "openssl_ciphers", "DEFAULT@SECLEVEL=1")
7057 wpas
.set_network_quoted(id, "phase1", "tls_disable_tlsv1_0=0")
7058 wpas
.select_network(id, freq
="2412")
7059 wpas
.wait_connected()
7061 wpas
.request("TERMINATE")
7063 def test_ap_wpa2_eap_tls_tod(dev
, apdev
):
7064 """EAP-TLS server certificate validation and TOD"""
7065 params
= int_eap_server_params()
7066 params
["server_cert"] = "auth_serv/server-certpol.pem"
7067 params
["private_key"] = "auth_serv/server-certpol.key"
7068 hapd
= hostapd
.add_ap(apdev
[0], params
)
7070 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
7071 eap
="TLS", identity
="tls user",
7072 wait_connect
=False, scan_freq
="2412",
7073 ca_cert
="auth_serv/ca.pem",
7074 client_cert
="auth_serv/user.pem",
7075 private_key
="auth_serv/user.key")
7078 while tod0
is None or tod1
is None:
7079 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT"], timeout
=10)
7081 raise Exception("Peer certificate not reported")
7082 if "depth=1 " in ev
and "hash=" in ev
:
7083 tod1
= " tod=1" in ev
7084 if "depth=0 " in ev
and "hash=" in ev
:
7085 tod0
= " tod=1" in ev
7086 dev
[0].wait_connected()
7088 raise Exception("TOD policy not reported for server certificate")
7090 raise Exception("TOD policy unexpectedly reported for CA certificate")