1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Root logger (no name given); the tests below use logger.info() for
# progress messages between the individual negative/positive cases.
logger = logging.getLogger()
20 from utils
import HwsimSkip
, alloc_fail
, fail_test
, skip_with_fips
, wait_fail_trigger
21 from wpasupplicant
import WpaSupplicant
22 from test_ap_psk
import check_mib
, find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
, set_test_assoc_ie
26 openssl_imported
= True
28 openssl_imported
= False
def check_hlr_auc_gw_support():
    """Skip the current test when the hlr_auc_gw control socket is missing.

    Raises:
        HwsimSkip: if /tmp/hlr_auc_gw.sock does not exist.

    Note that only the existence of the socket path is checked, not that a
    gateway process is actually listening on it.
    """
    gateway_sock = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(gateway_sock):
        return
    raise HwsimSkip("No hlr_auc_gw available")
34 def check_eap_capa(dev
, method
):
35 res
= dev
.get_capability("eap")
37 raise HwsimSkip("EAP method %s not supported in the build" % method
)
def check_subject_match_support(dev):
    """Skip unless the supplicant's TLS backend reports itself as OpenSSL.

    Args:
        dev: wpa_supplicant control-interface wrapper (``dev.request``).

    Raises:
        HwsimSkip: for any ``GET tls_library`` value not starting with
            "OpenSSL"; the reported library name is included in the message.
    """
    library = dev.request("GET tls_library")
    if library.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + library)
def check_altsubject_match_support(dev):
    """Skip unless the supplicant's TLS backend reports itself as OpenSSL.

    Args:
        dev: wpa_supplicant control-interface wrapper (``dev.request``).

    Raises:
        HwsimSkip: for any ``GET tls_library`` value not starting with
            "OpenSSL"; the reported library name is included in the message.
    """
    library = dev.request("GET tls_library")
    if library.startswith("OpenSSL"):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + library)
def check_domain_match(dev):
    """Skip when the supplicant is built against the internal TLS library.

    Args:
        dev: wpa_supplicant control-interface wrapper (``dev.request``).

    Raises:
        HwsimSkip: if ``GET tls_library`` starts with "internal"; every
            other backend passes this gate.
    """
    library = dev.request("GET tls_library")
    if not library.startswith("internal"):
        return
    raise HwsimSkip("domain_match not supported with this TLS library: " + library)
def check_domain_suffix_match(dev):
    """Skip when the supplicant is built against the internal TLS library.

    Args:
        dev: wpa_supplicant control-interface wrapper (``dev.request``).

    Raises:
        HwsimSkip: if ``GET tls_library`` starts with "internal"; every
            other backend passes this gate.
    """
    library = dev.request("GET tls_library")
    if not library.startswith("internal"):
        return
    raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + library)
def check_domain_match_full(dev):
    """Skip unless the supplicant's TLS backend reports itself as OpenSSL.

    Used by tests that rely on domain_suffix_match being a full-domain
    comparison; the skip message deliberately names domain_suffix_match.

    Args:
        dev: wpa_supplicant control-interface wrapper (``dev.request``).

    Raises:
        HwsimSkip: for any ``GET tls_library`` value not starting with
            "OpenSSL".
    """
    library = dev.request("GET tls_library")
    if library.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + library)
def check_cert_probe_support(dev):
    """Skip unless the TLS backend is OpenSSL or the internal TLS library.

    Certificate-probing tests are gated to these two backends only.

    Args:
        dev: wpa_supplicant control-interface wrapper (``dev.request``).

    Raises:
        HwsimSkip: if ``GET tls_library`` starts with neither "OpenSSL"
            nor "internal".
    """
    library = dev.request("GET tls_library")
    # str.startswith accepts a tuple: true if either prefix matches.
    if library.startswith(("OpenSSL", "internal")):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + library)
def check_ext_cert_check_support(dev):
    """Skip unless the supplicant's TLS backend reports itself as OpenSSL.

    Args:
        dev: wpa_supplicant control-interface wrapper (``dev.request``).

    Raises:
        HwsimSkip: for any ``GET tls_library`` value not starting with
            "OpenSSL"; the reported library name is included in the message.
    """
    library = dev.request("GET tls_library")
    if library.startswith("OpenSSL"):
        return
    raise HwsimSkip("ext_cert_check not supported with this TLS library: " + library)
def check_ocsp_support(dev):
    """Gate for the OCSP tests; currently never skips.

    The backend-specific skips are commented out below, so OCSP tests run
    against every TLS library.  ``GET tls_library`` is still issued, but its
    result is not acted upon.

    Args:
        dev: wpa_supplicant control-interface wrapper (``dev.request``).
    """
    library = dev.request("GET tls_library")
    # Former skip conditions, kept for reference:
    #if library.startswith("internal"):
    #    raise HwsimSkip("OCSP not supported with this TLS library: " + library)
    #if "BoringSSL" in library:
    #    raise HwsimSkip("OCSP not supported with this TLS library: " + library)
def check_pkcs12_support(dev):
    """Gate for the PKCS#12 tests; currently never skips.

    The internal-TLS skip is commented out below, so PKCS#12 tests run
    against every TLS library.  ``GET tls_library`` is still issued, but its
    result is not acted upon.

    Args:
        dev: wpa_supplicant control-interface wrapper (``dev.request``).
    """
    library = dev.request("GET tls_library")
    # Former skip condition, kept for reference:
    #if library.startswith("internal"):
    #    raise HwsimSkip("PKCS#12 not supported with this TLS library: " + library)
def check_dh_dsa_support(dev):
    """Skip when the supplicant is built against the internal TLS library.

    Args:
        dev: wpa_supplicant control-interface wrapper (``dev.request``).

    Raises:
        HwsimSkip: if ``GET tls_library`` starts with "internal"; every
            other backend passes this gate.
    """
    library = dev.request("GET tls_library")
    if not library.startswith("internal"):
        return
    raise HwsimSkip("DH DSA not supported with this TLS library: " + library)
92 with
open(fname
, "r") as f
:
101 if "-----BEGIN" in l
:
103 return base64
.b64decode(cert
)
105 def eap_connect(dev
, ap
, method
, identity
,
106 sha256
=False, expect_failure
=False, local_error_report
=False,
107 maybe_local_error
=False, **kwargs
):
108 hapd
= hostapd
.Hostapd(ap
['ifname'])
109 id = dev
.connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
110 eap
=method
, identity
=identity
,
111 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
113 eap_check_auth(dev
, method
, True, sha256
=sha256
,
114 expect_failure
=expect_failure
,
115 local_error_report
=local_error_report
,
116 maybe_local_error
=maybe_local_error
)
119 ev
= hapd
.wait_event([ "AP-STA-CONNECTED" ], timeout
=5)
121 raise Exception("No connection event received from hostapd")
124 def eap_check_auth(dev
, method
, initial
, rsn
=True, sha256
=False,
125 expect_failure
=False, local_error_report
=False,
126 maybe_local_error
=False):
127 ev
= dev
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
129 raise Exception("Association and EAP start timed out")
130 ev
= dev
.wait_event(["CTRL-EVENT-EAP-METHOD",
131 "CTRL-EVENT-EAP-FAILURE"], timeout
=10)
133 raise Exception("EAP method selection timed out")
134 if "CTRL-EVENT-EAP-FAILURE" in ev
:
135 if maybe_local_error
:
137 raise Exception("Could not select EAP method")
139 raise Exception("Unexpected EAP method")
141 ev
= dev
.wait_event(["CTRL-EVENT-EAP-FAILURE"])
143 raise Exception("EAP failure timed out")
144 ev
= dev
.wait_disconnected(timeout
=10)
145 if maybe_local_error
and "locally_generated=1" in ev
:
147 if not local_error_report
:
148 if "reason=23" not in ev
:
149 raise Exception("Proper reason code for disconnection not reported")
151 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
153 raise Exception("EAP success timed out")
156 ev
= dev
.wait_event(["CTRL-EVENT-CONNECTED"], timeout
=10)
158 ev
= dev
.wait_event(["WPA: Key negotiation completed"], timeout
=10)
160 raise Exception("Association with the AP timed out")
161 status
= dev
.get_status()
162 if status
["wpa_state"] != "COMPLETED":
163 raise Exception("Connection not completed")
165 if status
["suppPortStatus"] != "Authorized":
166 raise Exception("Port not authorized")
167 if method
not in status
["selectedMethod"]:
168 raise Exception("Incorrect EAP method status")
170 e
= "WPA2-EAP-SHA256"
172 e
= "WPA2/IEEE 802.1X/EAP"
174 e
= "WPA/IEEE 802.1X/EAP"
175 if status
["key_mgmt"] != e
:
176 raise Exception("Unexpected key_mgmt status: " + status
["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Force an EAP re-authentication on dev and verify its outcome.

    Sends REAUTHENTICATE over the control interface and then runs the same
    event/status validation as the initial association (eap_check_auth with
    initial=False), so the expected EAP method and key_mgmt are re-checked
    after the reauth rather than assumed.

    Args:
        dev: wpa_supplicant control-interface wrapper.
        method: EAP method name expected in the status output.
        rsn: passed through to eap_check_auth.
        sha256: passed through to eap_check_auth.
        expect_failure: passed through to eap_check_auth.

    Returns:
        Whatever eap_check_auth returns.
    """
    dev.request("REAUTHENTICATE")
    result = eap_check_auth(dev, method, False,
                            rsn=rsn, sha256=sha256,
                            expect_failure=expect_failure)
    return result
184 def test_ap_wpa2_eap_sim(dev
, apdev
):
185 """WPA2-Enterprise connection using EAP-SIM"""
186 check_hlr_auc_gw_support()
187 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
188 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
189 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
190 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
191 hwsim_utils
.test_connectivity(dev
[0], hapd
)
192 eap_reauth(dev
[0], "SIM")
194 eap_connect(dev
[1], apdev
[0], "SIM", "1232010000000001",
195 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
196 eap_connect(dev
[2], apdev
[0], "SIM", "1232010000000002",
197 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
200 logger
.info("Negative test with incorrect key")
201 dev
[0].request("REMOVE_NETWORK all")
202 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
203 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
206 logger
.info("Invalid GSM-Milenage key")
207 dev
[0].request("REMOVE_NETWORK all")
208 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
209 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
212 logger
.info("Invalid GSM-Milenage key(2)")
213 dev
[0].request("REMOVE_NETWORK all")
214 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
215 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
218 logger
.info("Invalid GSM-Milenage key(3)")
219 dev
[0].request("REMOVE_NETWORK all")
220 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
221 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
224 logger
.info("Invalid GSM-Milenage key(4)")
225 dev
[0].request("REMOVE_NETWORK all")
226 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
227 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
230 logger
.info("Missing key configuration")
231 dev
[0].request("REMOVE_NETWORK all")
232 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
235 def test_ap_wpa2_eap_sim_sql(dev
, apdev
, params
):
236 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
237 check_hlr_auc_gw_support()
241 raise HwsimSkip("No sqlite3 module available")
242 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
243 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
244 params
['auth_server_port'] = "1814"
245 hostapd
.add_ap(apdev
[0]['ifname'], params
)
246 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
247 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
249 logger
.info("SIM fast re-authentication")
250 eap_reauth(dev
[0], "SIM")
252 logger
.info("SIM full auth with pseudonym")
255 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
256 eap_reauth(dev
[0], "SIM")
258 logger
.info("SIM full auth with permanent identity")
261 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
262 cur
.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
263 eap_reauth(dev
[0], "SIM")
265 logger
.info("SIM reauth with mismatching MK")
268 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
269 eap_reauth(dev
[0], "SIM", expect_failure
=True)
270 dev
[0].request("REMOVE_NETWORK all")
272 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
273 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
276 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
277 eap_reauth(dev
[0], "SIM")
280 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
281 logger
.info("SIM reauth with mismatching counter")
282 eap_reauth(dev
[0], "SIM")
283 dev
[0].request("REMOVE_NETWORK all")
285 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
286 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
289 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
290 logger
.info("SIM reauth with max reauth count reached")
291 eap_reauth(dev
[0], "SIM")
293 def test_ap_wpa2_eap_sim_config(dev
, apdev
):
294 """EAP-SIM configuration options"""
295 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
296 hostapd
.add_ap(apdev
[0]['ifname'], params
)
297 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
298 identity
="1232010000000000",
299 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
300 phase1
="sim_min_num_chal=1",
301 wait_connect
=False, scan_freq
="2412")
302 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
304 raise Exception("No EAP error message seen")
305 dev
[0].request("REMOVE_NETWORK all")
307 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
308 identity
="1232010000000000",
309 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
310 phase1
="sim_min_num_chal=4",
311 wait_connect
=False, scan_freq
="2412")
312 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
314 raise Exception("No EAP error message seen (2)")
315 dev
[0].request("REMOVE_NETWORK all")
317 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
318 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
319 phase1
="sim_min_num_chal=2")
320 eap_connect(dev
[1], apdev
[0], "SIM", "1232010000000000",
321 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
322 anonymous_identity
="345678")
324 def test_ap_wpa2_eap_sim_ext(dev
, apdev
):
325 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
327 _test_ap_wpa2_eap_sim_ext(dev
, apdev
)
329 dev
[0].request("SET external_sim 0")
331 def _test_ap_wpa2_eap_sim_ext(dev
, apdev
):
332 check_hlr_auc_gw_support()
333 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
334 hostapd
.add_ap(apdev
[0]['ifname'], params
)
335 dev
[0].request("SET external_sim 1")
336 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
337 identity
="1232010000000000",
338 wait_connect
=False, scan_freq
="2412")
339 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
341 raise Exception("Network connected timed out")
343 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
345 raise Exception("Wait for external SIM processing request timed out")
347 if p
[1] != "GSM-AUTH":
348 raise Exception("Unexpected CTRL-REQ-SIM type")
349 rid
= p
[0].split('-')[3]
352 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
353 # This will fail during processing, but the ctrl_iface command succeeds
354 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTH:" + resp
)
355 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
357 raise Exception("EAP failure not reported")
358 dev
[0].request("DISCONNECT")
359 dev
[0].wait_disconnected()
362 dev
[0].select_network(id, freq
="2412")
363 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
365 raise Exception("Wait for external SIM processing request timed out")
367 if p
[1] != "GSM-AUTH":
368 raise Exception("Unexpected CTRL-REQ-SIM type")
369 rid
= p
[0].split('-')[3]
370 # This will fail during GSM auth validation
371 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:q"):
372 raise Exception("CTRL-RSP-SIM failed")
373 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
375 raise Exception("EAP failure not reported")
376 dev
[0].request("DISCONNECT")
377 dev
[0].wait_disconnected()
380 dev
[0].select_network(id, freq
="2412")
381 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
383 raise Exception("Wait for external SIM processing request timed out")
385 if p
[1] != "GSM-AUTH":
386 raise Exception("Unexpected CTRL-REQ-SIM type")
387 rid
= p
[0].split('-')[3]
388 # This will fail during GSM auth validation
389 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:34"):
390 raise Exception("CTRL-RSP-SIM failed")
391 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
393 raise Exception("EAP failure not reported")
394 dev
[0].request("DISCONNECT")
395 dev
[0].wait_disconnected()
398 dev
[0].select_network(id, freq
="2412")
399 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
401 raise Exception("Wait for external SIM processing request timed out")
403 if p
[1] != "GSM-AUTH":
404 raise Exception("Unexpected CTRL-REQ-SIM type")
405 rid
= p
[0].split('-')[3]
406 # This will fail during GSM auth validation
407 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677"):
408 raise Exception("CTRL-RSP-SIM failed")
409 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
411 raise Exception("EAP failure not reported")
412 dev
[0].request("DISCONNECT")
413 dev
[0].wait_disconnected()
416 dev
[0].select_network(id, freq
="2412")
417 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
419 raise Exception("Wait for external SIM processing request timed out")
421 if p
[1] != "GSM-AUTH":
422 raise Exception("Unexpected CTRL-REQ-SIM type")
423 rid
= p
[0].split('-')[3]
424 # This will fail during GSM auth validation
425 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:q"):
426 raise Exception("CTRL-RSP-SIM failed")
427 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
429 raise Exception("EAP failure not reported")
430 dev
[0].request("DISCONNECT")
431 dev
[0].wait_disconnected()
434 dev
[0].select_network(id, freq
="2412")
435 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
437 raise Exception("Wait for external SIM processing request timed out")
439 if p
[1] != "GSM-AUTH":
440 raise Exception("Unexpected CTRL-REQ-SIM type")
441 rid
= p
[0].split('-')[3]
442 # This will fail during GSM auth validation
443 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233"):
444 raise Exception("CTRL-RSP-SIM failed")
445 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
447 raise Exception("EAP failure not reported")
448 dev
[0].request("DISCONNECT")
449 dev
[0].wait_disconnected()
452 dev
[0].select_network(id, freq
="2412")
453 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
455 raise Exception("Wait for external SIM processing request timed out")
457 if p
[1] != "GSM-AUTH":
458 raise Exception("Unexpected CTRL-REQ-SIM type")
459 rid
= p
[0].split('-')[3]
460 # This will fail during GSM auth validation
461 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233:q"):
462 raise Exception("CTRL-RSP-SIM failed")
463 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
465 raise Exception("EAP failure not reported")
467 def test_ap_wpa2_eap_sim_oom(dev
, apdev
):
468 """EAP-SIM and OOM"""
469 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
470 hostapd
.add_ap(apdev
[0]['ifname'], params
)
471 tests
= [ (1, "milenage_f2345"),
472 (2, "milenage_f2345"),
473 (3, "milenage_f2345"),
474 (4, "milenage_f2345"),
475 (5, "milenage_f2345"),
476 (6, "milenage_f2345"),
477 (7, "milenage_f2345"),
478 (8, "milenage_f2345"),
479 (9, "milenage_f2345"),
480 (10, "milenage_f2345"),
481 (11, "milenage_f2345"),
482 (12, "milenage_f2345") ]
483 for count
, func
in tests
:
484 with
alloc_fail(dev
[0], count
, func
):
485 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
486 identity
="1232010000000000",
487 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
488 wait_connect
=False, scan_freq
="2412")
489 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
491 raise Exception("EAP method not selected")
492 dev
[0].wait_disconnected()
493 dev
[0].request("REMOVE_NETWORK all")
495 def test_ap_wpa2_eap_aka(dev
, apdev
):
496 """WPA2-Enterprise connection using EAP-AKA"""
497 check_hlr_auc_gw_support()
498 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
499 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
500 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
501 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
502 hwsim_utils
.test_connectivity(dev
[0], hapd
)
503 eap_reauth(dev
[0], "AKA")
505 logger
.info("Negative test with incorrect key")
506 dev
[0].request("REMOVE_NETWORK all")
507 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
508 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
511 logger
.info("Invalid Milenage key")
512 dev
[0].request("REMOVE_NETWORK all")
513 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
514 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
517 logger
.info("Invalid Milenage key(2)")
518 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
519 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
522 logger
.info("Invalid Milenage key(3)")
523 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
524 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
527 logger
.info("Invalid Milenage key(4)")
528 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
529 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
532 logger
.info("Invalid Milenage key(5)")
533 dev
[0].request("REMOVE_NETWORK all")
534 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
535 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
538 logger
.info("Invalid Milenage key(6)")
539 dev
[0].request("REMOVE_NETWORK all")
540 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
541 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
544 logger
.info("Missing key configuration")
545 dev
[0].request("REMOVE_NETWORK all")
546 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
549 def test_ap_wpa2_eap_aka_sql(dev
, apdev
, params
):
550 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
551 check_hlr_auc_gw_support()
555 raise HwsimSkip("No sqlite3 module available")
556 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
557 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
558 params
['auth_server_port'] = "1814"
559 hostapd
.add_ap(apdev
[0]['ifname'], params
)
560 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
561 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
563 logger
.info("AKA fast re-authentication")
564 eap_reauth(dev
[0], "AKA")
566 logger
.info("AKA full auth with pseudonym")
569 cur
.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
570 eap_reauth(dev
[0], "AKA")
572 logger
.info("AKA full auth with permanent identity")
575 cur
.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
576 cur
.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
577 eap_reauth(dev
[0], "AKA")
579 logger
.info("AKA reauth with mismatching MK")
582 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
583 eap_reauth(dev
[0], "AKA", expect_failure
=True)
584 dev
[0].request("REMOVE_NETWORK all")
586 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
587 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
590 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
591 eap_reauth(dev
[0], "AKA")
594 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
595 logger
.info("AKA reauth with mismatching counter")
596 eap_reauth(dev
[0], "AKA")
597 dev
[0].request("REMOVE_NETWORK all")
599 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
600 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
603 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
604 logger
.info("AKA reauth with max reauth count reached")
605 eap_reauth(dev
[0], "AKA")
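def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    # Consistent with the other EAP-AKA tests in this file: the AKA
    # authentication needs hlr_auc_gw, so skip (rather than fail) when its
    # socket is absent.
    check_hlr_auc_gw_support()
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Same AKA test credentials as test_ap_wpa2_eap_aka; anonymous_identity
    # is the option under test here.
    aka_options = {
        "password": "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
        "anonymous_identity": "2345678",
    }
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000", **aka_options)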
615 def test_ap_wpa2_eap_aka_ext(dev
, apdev
):
616 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
618 _test_ap_wpa2_eap_aka_ext(dev
, apdev
)
620 dev
[0].request("SET external_sim 0")
622 def _test_ap_wpa2_eap_aka_ext(dev
, apdev
):
623 check_hlr_auc_gw_support()
624 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
625 hostapd
.add_ap(apdev
[0]['ifname'], params
)
626 dev
[0].request("SET external_sim 1")
627 id = dev
[0].connect("test-wpa2-eap", eap
="AKA", key_mgmt
="WPA-EAP",
628 identity
="0232010000000000",
629 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
630 wait_connect
=False, scan_freq
="2412")
631 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
633 raise Exception("Network connected timed out")
635 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
637 raise Exception("Wait for external SIM processing request timed out")
639 if p
[1] != "UMTS-AUTH":
640 raise Exception("Unexpected CTRL-REQ-SIM type")
641 rid
= p
[0].split('-')[3]
644 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
645 # This will fail during processing, but the ctrl_iface command succeeds
646 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
647 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
649 raise Exception("EAP failure not reported")
650 dev
[0].request("DISCONNECT")
651 dev
[0].wait_disconnected()
653 dev
[0].dump_monitor()
655 dev
[0].select_network(id, freq
="2412")
656 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
658 raise Exception("Wait for external SIM processing request timed out")
660 if p
[1] != "UMTS-AUTH":
661 raise Exception("Unexpected CTRL-REQ-SIM type")
662 rid
= p
[0].split('-')[3]
663 # This will fail during UMTS auth validation
664 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:112233445566778899aabbccddee"):
665 raise Exception("CTRL-RSP-SIM failed")
666 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
668 raise Exception("Wait for external SIM processing request timed out")
670 if p
[1] != "UMTS-AUTH":
671 raise Exception("Unexpected CTRL-REQ-SIM type")
672 rid
= p
[0].split('-')[3]
673 # This will fail during UMTS auth validation
674 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:12"):
675 raise Exception("CTRL-RSP-SIM failed")
676 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
678 raise Exception("EAP failure not reported")
679 dev
[0].request("DISCONNECT")
680 dev
[0].wait_disconnected()
682 dev
[0].dump_monitor()
684 tests
= [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
686 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
687 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
688 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
689 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
690 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
692 dev
[0].select_network(id, freq
="2412")
693 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
695 raise Exception("Wait for external SIM processing request timed out")
697 if p
[1] != "UMTS-AUTH":
698 raise Exception("Unexpected CTRL-REQ-SIM type")
699 rid
= p
[0].split('-')[3]
700 # This will fail during UMTS auth validation
701 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ t
):
702 raise Exception("CTRL-RSP-SIM failed")
703 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
705 raise Exception("EAP failure not reported")
706 dev
[0].request("DISCONNECT")
707 dev
[0].wait_disconnected()
709 dev
[0].dump_monitor()
711 def test_ap_wpa2_eap_aka_prime(dev
, apdev
):
712 """WPA2-Enterprise connection using EAP-AKA'"""
713 check_hlr_auc_gw_support()
714 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
715 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
716 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
717 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
718 hwsim_utils
.test_connectivity(dev
[0], hapd
)
719 eap_reauth(dev
[0], "AKA'")
721 logger
.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
722 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="AKA' AKA",
723 identity
="6555444333222111@both",
724 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
725 wait_connect
=False, scan_freq
="2412")
726 dev
[1].wait_connected(timeout
=15)
728 logger
.info("Negative test with incorrect key")
729 dev
[0].request("REMOVE_NETWORK all")
730 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
731 password
="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
734 def test_ap_wpa2_eap_aka_prime_sql(dev
, apdev
, params
):
735 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
736 check_hlr_auc_gw_support()
740 raise HwsimSkip("No sqlite3 module available")
741 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
742 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
743 params
['auth_server_port'] = "1814"
744 hostapd
.add_ap(apdev
[0]['ifname'], params
)
745 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
746 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
748 logger
.info("AKA' fast re-authentication")
749 eap_reauth(dev
[0], "AKA'")
751 logger
.info("AKA' full auth with pseudonym")
754 cur
.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
755 eap_reauth(dev
[0], "AKA'")
757 logger
.info("AKA' full auth with permanent identity")
760 cur
.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
761 cur
.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
762 eap_reauth(dev
[0], "AKA'")
764 logger
.info("AKA' reauth with mismatching k_aut")
767 cur
.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
768 eap_reauth(dev
[0], "AKA'", expect_failure
=True)
769 dev
[0].request("REMOVE_NETWORK all")
771 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
772 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
775 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
776 eap_reauth(dev
[0], "AKA'")
779 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
780 logger
.info("AKA' reauth with mismatching counter")
781 eap_reauth(dev
[0], "AKA'")
782 dev
[0].request("REMOVE_NETWORK all")
784 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
785 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
788 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
789 logger
.info("AKA' reauth with max reauth count reached")
790 eap_reauth(dev
[0], "AKA'")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # AP-side sanity check: the first key_mgmt entry reported by GET_CONFIG
    # must be WPA-EAP before the station is even connected.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm, _, _ = key_mgmt.partition(' ')
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # ca_cert pins the trust anchor for the TTLS tunnel; the inner PAP
    # credentials only travel inside that tunnel.
    ttls_pap = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_pap)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the IEEE 802.1X (EAP) AKM suite selector; it must be
    # both the requested and the selected suite.
    expected_akm = [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")]
    check_mib(dev[0], expected_akm)
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    sta = dev[0]
    check_subject_match_support(sta)
    check_altsubject_match_support(sta)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # On top of the CA pin, the server certificate has to satisfy the
    # subject_match / altsubject_match constraints (semantics as documented
    # in wpa_supplicant.conf) for the tunnel to be accepted.
    cert_constraints = dict(
        subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
        altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
    )
    eap_connect(sta, apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                **cert_constraints)
    eap_reauth(sta, "TTLS")
820 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev
, apdev
):
821 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
822 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
823 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
824 eap_connect(dev
[0], apdev
[0], "TTLS", "pap user",
825 anonymous_identity
="ttls", password
="wrong",
826 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
828 eap_connect(dev
[1], apdev
[0], "TTLS", "user",
829 anonymous_identity
="ttls", password
="password",
830 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    sta = dev[0]
    # CHAP is MD5-based, hence not run on FIPS builds.
    skip_with_fips(sta)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Note the DER-encoded CA file here, unlike the PEM one used by the
    # TTLS/PAP test.
    ttls_chap = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(sta, apdev[0], "TTLS", "chap user", **ttls_chap)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
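def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and altsubject_match

    The docstring previously duplicated test_ap_wpa2_eap_ttls_chap's, which
    made the two tests indistinguishable in the test listing; it now names
    the altsubject_match check this test adds.  The altSubjectName entries
    are given in a different order than in the PAP variant so ordering of
    the match list does not matter.  Skipped in FIPS mode and when the TLS
    library lacks altsubject_match support.
    """
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
    eap_reauth(dev[0], "TTLS")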
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password

    Negative test: both association attempts are expected to fail
    (expect_failure=True) - a wrong password for "chap user" and the
    identity "user" with its usual password (presumably not permitted for
    CHAP in the test server's user database - confirm there).
    """
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                  expect_failure=True)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", password="wrong",
                **common)
    eap_connect(dev[1], apdev[0], "TTLS", "user", password="password",
                **common)
870 def test_ap_wpa2_eap_ttls_mschap(dev
, apdev
):
871 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
872 skip_with_fips(dev
[0])
873 check_domain_suffix_match(dev
[0])
874 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
875 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
876 eap_connect(dev
[0], apdev
[0], "TTLS", "mschap user",
877 anonymous_identity
="ttls", password
="password",
878 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
879 domain_suffix_match
="server.w1.fi")
880 hwsim_utils
.test_connectivity(dev
[0], hapd
)
881 eap_reauth(dev
[0], "TTLS")
882 dev
[0].request("REMOVE_NETWORK all")
883 eap_connect(dev
[0], apdev
[0], "TTLS", "mschap user",
884 anonymous_identity
="ttls", password
="password",
885 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
887 dev
[0].request("REMOVE_NETWORK all")
888 dev
[0].wait_disconnected()
889 eap_connect(dev
[0], apdev
[0], "TTLS", "mschap user",
890 anonymous_identity
="ttls",
891 password_hex
="hash:8846f7eaee8fb117ad06bdd830b7586c",
892 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP")
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password

    Three stations, three rejections (expect_failure=True): wrong password
    for "mschap user", the identity "user" with its usual password
    (presumably not permitted for MSCHAP - confirm in the test user
    database), and an identity that does not exist at all.
    """
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                  expect_failure=True)
    attempts = [ (dev[0], "mschap user", "wrong"),
                 (dev[1], "user", "password"),
                 (dev[2], "no such user", "password") ]
    for sta, identity, passwd in attempts:
        eap_connect(sta, apdev[0], "TTLS", identity, password=passwd,
                    **common)
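def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2

    Connects with a domain-qualified identity and domain_suffix_match
    pinning of the server certificate, forces a reauthentication and
    checks that the AP-side EAPOL/backend counters moved as expected.  A
    second association supplies the password as a pre-computed hash
    (password_hex="hash:...") instead of cleartext.

    The identity literal now escapes its backslash ("DOMAIN\\\\mschapv2
    user"); the former form relied on the unrecognized escape \\m being
    preserved, which is the same string today but a warning on newer
    Python versions.
    """
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(addr)
    eapol1 = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(addr)
    eapol2 = hapd.get_sta(addr, info="eapol")
    # Reauthentication must have delivered new EAPOL frames to the AP...
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    # ...triggered by an EAPOL-Start while already authenticated...
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    # ...and ended in another backend (EAP server) success.
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")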
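def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
    """EAP-TTLS with invalid phase2 parameter values

    Every phase2 string in the list is malformed (method name in the wrong
    case, auth= mixed with autheap=, duplicated or unknown methods).  For
    each one EAP-TTLS (method=21) must be proposed and then fail to
    initialize; a CTRL-EVENT-CONNECTED instead is a test failure, because
    a malformed inner-method configuration must never silently
    authenticate.

    The identity literal escapes its backslash ("DOMAIN\\\\mschapv2 user");
    the former form relied on the unrecognized escape \\m, which is the
    same string but a warning on newer Python versions.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    tests = [ "auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
              "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
              "autheap=MD5 autheap=FOO autheap=MSCHAPV2" ]
    for t in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\\mschapv2 user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2=t,
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
        if ev is None or "method=21" not in ev:
            raise Exception("EAP-TTLS not started")
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method",
                                "CTRL-EVENT-CONNECTED"], timeout=5)
        if ev is None or "CTRL-EVENT-CONNECTED" in ev:
            raise Exception("No EAP-TTLS failure reported for phase2=" + t)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()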
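def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_suffix_match)

    Pins the server certificate with the parent domain only
    (domain_suffix_match="w1.fi" for server.w1.fi); the
    check_domain_match_full() guard skips TLS libraries that only support
    a full match.  The docstring previously duplicated
    test_ap_wpa2_eap_ttls_mschapv2's and now names the suffix check.

    The identity literal escapes its backslash ("DOMAIN\\\\mschapv2 user");
    the former form relied on the unrecognized escape \\m, which is the
    same string but a warning on newer Python versions.
    """
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")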
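def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)

    Full-name pinning of the server certificate via domain_match.  The
    value "Server.w1.fi" differs from the certificate's server.w1.fi only
    in case, so this presumably also covers case-insensitive matching
    (confirm against the matcher implementation).

    The identity literal escapes its backslash ("DOMAIN\\\\mschapv2 user");
    the former form relied on the unrecognized escape \\m, which is the
    same string but a warning on newer Python versions.
    """
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")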
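def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password

    Negative test (expect_failure=True for both stations): a near-miss
    password ("password1") for the domain-qualified user, and the plain
    identity "user" with its usual password (presumably not permitted for
    this inner method - confirm in the test user database).

    The identity literal escapes its backslash ("DOMAIN\\\\mschapv2 user");
    the former form relied on the unrecognized escape \\m, which is the
    same string but a warning on newer Python versions.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)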
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password

    dev[0] authenticates with a non-ASCII cleartext password, dev[1] with
    the pre-hashed form (password_hex="hash:...") of a UTF-8 password.
    dev[2] then tries three password_hex values that the supplicant is
    expected to reject with CTRL-EVENT-EAP-FAILURE - presumably an invalid
    UTF-8 byte, non-shortest-form encodings and an over-long value
    (confirm against the MSCHAPv2 password validation).  Skipped in FIPS
    mode.
    """
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    hostapd.Hostapd(apdev[0]['ifname'])
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                anonymous_identity="ttls", password="secret-åäö-€-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                anonymous_identity="ttls",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    bad_values = [ "80", "41c041e04141e041", 257*"41" ]
    for bad in bad_values:
        dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="TTLS", identity="utf8-user-hash",
                       anonymous_identity="ttls", password_hex=bad,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1)
        if ev is None:
            raise Exception("No failure reported")
        dev[2].request("REMOVE_NETWORK all")
        dev[2].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC

    Inner EAP method (phase2="autheap=GTC") tunnelled in TTLS; verifies
    connectivity after the handshake and a successful reauthentication.
    """
    ssid = "test-wpa2-eap"
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid=ssid))
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password

    Negative test: a wrong GTC password must be rejected
    (expect_failure=True).
    """
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    sta_cfg = dict(anonymous_identity="ttls", password="wrong",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                   expect_failure=True)
    eap_connect(dev[0], apdev[0], "TTLS", "user", **sta_cfg)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password

    Negative test: the identity "user-no-passwd" (presumably configured
    without a password on the server side) must not authenticate even
    though the station offers one (expect_failure=True).
    """
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                   expect_failure=True)
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd", **sta_cfg)
1062 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev
, apdev
):
1063 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
1064 params
= int_eap_server_params()
1065 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1066 with
alloc_fail(hapd
, 1, "eap_gtc_init"):
1067 eap_connect(dev
[0], apdev
[0], "TTLS", "user",
1068 anonymous_identity
="ttls", password
="password",
1069 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1070 expect_failure
=True)
1071 dev
[0].request("REMOVE_NETWORK all")
1073 with
alloc_fail(hapd
, 1, "eap_gtc_buildReq"):
1074 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1075 eap
="TTLS", identity
="user",
1076 anonymous_identity
="ttls", password
="password",
1077 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1078 wait_connect
=False, scan_freq
="2412")
1079 # This would eventually time out, but we can stop after having reached
1080 # the allocation failure.
1083 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5

    Inner EAP-MD5 (phase2="autheap=MD5") inside the TTLS tunnel; skipped
    when the build lacks the MD5 EAP method.  Checks connectivity and a
    reauthentication.
    """
    check_eap_capa(dev[0], "MD5")
    ssid = "test-wpa2-eap"
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid=ssid))
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password

    Negative test: a wrong password for the inner EAP-MD5 exchange must
    be rejected (expect_failure=True).
    """
    check_eap_capa(dev[0], "MD5")
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    sta_cfg = dict(anonymous_identity="ttls", password="wrong",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                   expect_failure=True)
    eap_connect(dev[0], apdev[0], "TTLS", "user", **sta_cfg)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password

    Negative test: "user-no-passwd" (presumably has no password on the
    server side) must fail EAP-MD5 even though the station supplies one
    (expect_failure=True).
    """
    check_eap_capa(dev[0], "MD5")
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                   expect_failure=True)
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd", **sta_cfg)
1117 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev
, apdev
):
1118 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1119 check_eap_capa(dev
[0], "MD5")
1120 params
= int_eap_server_params()
1121 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1122 with
alloc_fail(hapd
, 1, "eap_md5_init"):
1123 eap_connect(dev
[0], apdev
[0], "TTLS", "user",
1124 anonymous_identity
="ttls", password
="password",
1125 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
1126 expect_failure
=True)
1127 dev
[0].request("REMOVE_NETWORK all")
1129 with
alloc_fail(hapd
, 1, "eap_md5_buildReq"):
1130 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1131 eap
="TTLS", identity
="user",
1132 anonymous_identity
="ttls", password
="password",
1133 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
1134 wait_connect
=False, scan_freq
="2412")
1135 # This would eventually time out, but we can stop after having reached
1136 # the allocation failure.
1139 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2

    Inner EAP-MSCHAPv2 (phase2="autheap=MSCHAPV2") inside TTLS: positive
    connect, connectivity and reauth, then a negative attempt with a
    near-miss password that must fail (expect_failure=True).
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ssid = "test-wpa2-eap"
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid=ssid))
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password",
                **common)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password1",
                expect_failure=True, **common)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password

    Negative test: "user-no-passwd" (presumably has no password on the
    server side) must fail inner EAP-MSCHAPv2 (expect_failure=True).
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                   expect_failure=True)
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd", **sta_cfg)
1170 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev
, apdev
):
1171 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
1172 check_eap_capa(dev
[0], "MSCHAPV2")
1173 params
= int_eap_server_params()
1174 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1175 with
alloc_fail(hapd
, 1, "eap_mschapv2_init"):
1176 eap_connect(dev
[0], apdev
[0], "TTLS", "user",
1177 anonymous_identity
="ttls", password
="password",
1178 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1179 expect_failure
=True)
1180 dev
[0].request("REMOVE_NETWORK all")
1182 with
alloc_fail(hapd
, 1, "eap_mschapv2_build_challenge"):
1183 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1184 eap
="TTLS", identity
="user",
1185 anonymous_identity
="ttls", password
="password",
1186 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1187 wait_connect
=False, scan_freq
="2412")
1188 # This would eventually time out, but we can stop after having reached
1189 # the allocation failure.
1192 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1194 dev
[0].request("REMOVE_NETWORK all")
1196 with
alloc_fail(hapd
, 1, "eap_mschapv2_build_success_req"):
1197 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1198 eap
="TTLS", identity
="user",
1199 anonymous_identity
="ttls", password
="password",
1200 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1201 wait_connect
=False, scan_freq
="2412")
1202 # This would eventually time out, but we can stop after having reached
1203 # the allocation failure.
1206 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1208 dev
[0].request("REMOVE_NETWORK all")
1210 with
alloc_fail(hapd
, 1, "eap_mschapv2_build_failure_req"):
1211 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1212 eap
="TTLS", identity
="user",
1213 anonymous_identity
="ttls", password
="wrong",
1214 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1215 wait_connect
=False, scan_freq
="2412")
1216 # This would eventually time out, but we can stop after having reached
1217 # the allocation failure.
1220 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1222 dev
[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA

    EAP-AKA as the inner method (phase2="autheap=AKA") of TTLS with an
    IMSI-style identity and a colon-separated test credential string as
    the password (presumably Ki:OPc:SQN for the built-in simulator -
    confirm against the EAP-AKA peer implementation).
    """
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    aka_cfg = dict(anonymous_identity="0232010000000000@ttls",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
    eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000", **aka_cfg)
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA

    Same EAP-AKA test credential as the TTLS variant, tunnelled in PEAP
    (phase2="auth=AKA") with a PEAP-specific anonymous identity.
    """
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    aka_cfg = dict(anonymous_identity="0232010000000000@peap",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                   ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000", **aka_cfg)
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA

    EAP-AKA inside EAP-FAST with authenticated PAC provisioning
    (phase1="fast_provisioning=2") and the PAC kept in a config blob.
    Skipped when the build lacks EAP-FAST.
    """
    check_eap_capa(dev[0], "FAST")
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    aka_cfg = dict(anonymous_identity="0232010000000000@fast",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                   phase1="fast_provisioning=2",
                   pac_file="blob://fast_pac_auth_aka",
                   ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_connect(dev[0], apdev[0], "FAST", "0232010000000000", **aka_cfg)
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    Four passes with the same user: a plain connect (plus connectivity and
    reauth), a connect with a small EAP fragment_size, one with the
    password given as a pre-computed hash (password_hex="hash:..."), and a
    negative attempt with a near-miss password that must be rejected.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ssid = "test-wpa2-eap"
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid=ssid))
    common = dict(anonymous_identity="peap",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                **common)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                fragment_size="200", **common)

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **common)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password1",
                expect_failure=True, **common)
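def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain

    The domain-qualified identity is written with an escaped backslash,
    "DOMAIN\\\\user3".  The previous literal "DOMAIN" + backslash + "user3"
    only worked because Python 2 byte strings ignore the unrecognized
    escape; under Python 3 the \\u sequence is parsed as a truncated
    \\uXXXX escape and the module fails to compile.  The resulting string
    is unchanged.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")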
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password

    Negative test: a wrong inner MSCHAPv2 password must be rejected
    (expect_failure=True).
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    sta_cfg = dict(anonymous_identity="peap", password="wrong",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   expect_failure=True)
    eap_connect(dev[0], apdev[0], "PEAP", "user", **sta_cfg)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding

    Three stations connect with PEAPv0 and the three crypto_binding
    settings (2, 1 and 0 - presumably required / optional / disabled, see
    the wpa_supplicant phase1 documentation).  The required setting is the
    one additionally checked for connectivity and reauthentication.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ssid = "test-wpa2-eap"
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid=ssid))

    def connect(sta, binding):
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=" + binding,
                    phase2="auth=MSCHAPV2")

    connect(dev[0], "2")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    connect(dev[1], "1")
    connect(dev[2], "0")
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM

    Uses the integrated EAP server and injects one allocation failure in
    eap_mschapv2_getKey; with crypto binding required the authentication
    must then fail (expect_failure=True) rather than proceed without the
    binding material.  local_error_report=True tells eap_connect the
    failure is expected to be reported locally.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    sta_cfg = dict(password="password",
                   ca_cert="auth_serv/ca.pem",
                   phase1="peapver=0 crypto_binding=2",
                   phase2="auth=MSCHAPV2",
                   expect_failure=True, local_error_report=True)
    with alloc_fail(ap, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user", **sta_cfg)
1338 def test_ap_wpa2_eap_peap_params(dev
, apdev
):
1339 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
1340 check_eap_capa(dev
[0], "MSCHAPV2")
1341 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1342 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1343 eap_connect(dev
[0], apdev
[0], "PEAP", "user",
1344 anonymous_identity
="peap", password
="password",
1345 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1346 phase1
="peapver=0 peaplabel=1",
1347 expect_failure
=True)
1348 dev
[0].request("REMOVE_NETWORK all")
1349 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
1351 anonymous_identity
="peap", password
="password",
1352 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1353 phase1
="peap_outer_success=0",
1354 wait_connect
=False, scan_freq
="2412")
1355 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
1357 raise Exception("No EAP success seen")
1358 # This won't succeed to connect with peap_outer_success=0, so stop here.
1359 dev
[0].request("REMOVE_NETWORK all")
1360 dev
[0].wait_disconnected()
1361 eap_connect(dev
[1], apdev
[0], "PEAP", "user", password
="password",
1362 ca_cert
="auth_serv/ca.pem",
1363 phase1
="peap_outer_success=1",
1364 phase2
="auth=MSCHAPV2")
1365 eap_connect(dev
[2], apdev
[0], "PEAP", "user", password
="password",
1366 ca_cert
="auth_serv/ca.pem",
1367 phase1
="peap_outer_success=2",
1368 phase2
="auth=MSCHAPV2")
1369 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
1371 anonymous_identity
="peap", password
="password",
1372 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1373 phase1
="peapver=1 peaplabel=1",
1374 wait_connect
=False, scan_freq
="2412")
1375 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
1377 raise Exception("No EAP success seen")
1378 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=1)
1380 raise Exception("Unexpected connection")
1382 tests
= [ ("peap-ver0", ""),
1384 ("peap-ver0", "peapver=0"),
1385 ("peap-ver1", "peapver=1") ]
1386 for anon
,phase1
in tests
:
1387 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
1388 identity
="user", anonymous_identity
=anon
,
1389 password
="password", phase1
=phase1
,
1390 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1392 dev
[0].request("REMOVE_NETWORK all")
1393 dev
[0].wait_disconnected()
1395 tests
= [ ("peap-ver0", "peapver=1"),
1396 ("peap-ver1", "peapver=0") ]
1397 for anon
,phase1
in tests
:
1398 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
1399 identity
="user", anonymous_identity
=anon
,
1400 password
="password", phase1
=phase1
,
1401 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1402 wait_connect
=False, scan_freq
="2412")
1403 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
1405 raise Exception("No EAP-Failure seen")
1406 dev
[0].request("REMOVE_NETWORK all")
1407 dev
[0].wait_disconnected()
1409 eap_connect(dev
[0], apdev
[0], "PEAP", "user", password
="password",
1410 ca_cert
="auth_serv/ca.pem",
1411 phase1
="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
1412 phase2
="auth=MSCHAPV2")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS

    EAP-TLS as the inner method of PEAP: the outer tunnel validates the
    server with ca_cert, the inner exchange uses the *2 parameters
    (ca_cert2 / client_cert2 / private_key2) for the client certificate.
    """
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    inner_tls = dict(ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                     ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "PEAP", "cert user", **inner_tls)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS

    Certificate-based authentication: trust root, client certificate and
    unencrypted private key all loaded from files, followed by a reauth.
    """
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
    eap_reauth(dev[0], "TLS")
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key

    Same EAP-TLS credentials as test_ap_wpa2_eap_tls, but the private key
    is a password-protected PKCS #8 file (private_key_passwd unlocks it).
    """
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key.pkcs8",
                 private_key_passwd="whatever")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key

    Variant of the PKCS #8 test with the legacy PKCS #5 v1.5 key
    encryption; the key is unlocked with private_key_passwd.
    """
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                 private_key_passwd="whatever")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
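def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs

    The CA certificate, client certificate and private key are handed to
    wpa_supplicant as hex-encoded configuration blobs (SET blob ...) and
    referenced with blob:// URIs instead of file paths.

    Fix: the error raised when the userkey blob cannot be set said
    "Could not set cacert blob" (copy-paste), which would point a failing
    run at the wrong blob; it now names the userkey blob.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    cert = read_pem("auth_serv/ca.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")
    cert = read_pem("auth_serv/user.pem")
    if "OK" not in dev[0].request("SET blob usercert " + cert.encode("hex")):
        raise Exception("Could not set usercert blob")
    key = read_pem("auth_serv/user.rsa-key")
    if "OK" not in dev[0].request("SET blob userkey " + key.encode("hex")):
        raise Exception("Could not set userkey blob")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")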
def test_ap_wpa2_eap_tls_blob_missing(dev, apdev):
    """EAP-TLS and config blob missing

    All three credential references point at a blob that was never set;
    the EAP method must fail to initialize (reported as "EAP: Failed to
    initialize EAP method") rather than proceed without credentials.
    """
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    missing = "blob://testing-blob-does-not-exist"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert=missing, client_cert=missing, private_key=missing,
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
    """EAP-TLS and TLS Message Length in unfragmented packets

    Plain file-based EAP-TLS with phase1="include_tls_length=1", so the
    peer includes the TLS Message Length field even when no fragmentation
    is needed.
    """
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    creds = dict(ca_cert="auth_serv/ca.pem",
                 phase1="include_tls_length=1",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
1494 def test_ap_wpa2_eap_tls_pkcs12(dev
, apdev
):
1495 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
1496 check_pkcs12_support(dev
[0])
1497 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1498 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1499 eap_connect(dev
[0], apdev
[0], "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
1500 private_key
="auth_serv/user.pkcs12",
1501 private_key_passwd
="whatever")
1502 dev
[0].request("REMOVE_NETWORK all")
1503 dev
[0].wait_disconnected()
1505 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
1506 identity
="tls user",
1507 ca_cert
="auth_serv/ca.pem",
1508 private_key
="auth_serv/user.pkcs12",
1509 wait_connect
=False, scan_freq
="2412")
1510 ev
= dev
[0].wait_event(["CTRL-REQ-PASSPHRASE"])
1512 raise Exception("Request for private key passphrase timed out")
1513 id = ev
.split(':')[0].split('-')[-1]
1514 dev
[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
1515 dev
[0].wait_connected(timeout
=10)
1516 dev
[0].request("REMOVE_NETWORK all")
1517 dev
[0].wait_disconnected()
1519 # Run this twice to verify certificate chain handling with OpenSSL. Use two
1520 # different files to cover both cases of the extra certificate being the
1521 # one that signed the client certificate and it being unrelated to the
1522 # client certificate.
1523 for pkcs12
in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
1525 eap_connect(dev
[0], apdev
[0], "TLS", "tls user",
1526 ca_cert
="auth_serv/ca.pem",
1528 private_key_passwd
="whatever")
1529 dev
[0].request("REMOVE_NETWORK all")
1530 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    check_pkcs12_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def set_blob(name, data):
        # Blobs go to wpa_supplicant over the control interface as a hex
        # string (str.encode("hex") is the Python 2 codec); any reply other
        # than "OK" means the blob was rejected.
        reply = dev[0].request("SET blob %s %s" % (name, data.encode("hex")))
        if "OK" not in reply:
            raise Exception("Could not set %s blob" % name)

    # Trust root first, then the PKCS#12 bundle holding the client key/cert.
    set_blob("cacert", read_pem("auth_serv/ca.pem"))
    with open("auth_serv/user.pkcs12", "rb") as f:
        set_blob("pkcs12", f.read())

    # Both credentials are referenced via blob:// URIs rather than file paths.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
1547 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev
, apdev
):
1548 """WPA2-Enterprise negative test - incorrect trust root"""
1549 check_eap_capa(dev
[0], "MSCHAPV2")
1550 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1551 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1552 cert
= read_pem("auth_serv/ca-incorrect.pem")
1553 if "OK" not in dev
[0].request("SET blob cacert " + cert
.encode("hex")):
1554 raise Exception("Could not set cacert blob")
1555 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1556 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
1557 password
="password", phase2
="auth=MSCHAPV2",
1558 ca_cert
="blob://cacert",
1559 wait_connect
=False, scan_freq
="2412")
1560 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1561 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
1562 password
="password", phase2
="auth=MSCHAPV2",
1563 ca_cert
="auth_serv/ca-incorrect.pem",
1564 wait_connect
=False, scan_freq
="2412")
1566 for dev
in (dev
[0], dev
[1]):
1567 ev
= dev
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
1569 raise Exception("Association and EAP start timed out")
1571 ev
= dev
.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
1573 raise Exception("EAP method selection timed out")
1574 if "TTLS" not in ev
:
1575 raise Exception("Unexpected EAP method")
1577 ev
= dev
.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1578 "CTRL-EVENT-EAP-SUCCESS",
1579 "CTRL-EVENT-EAP-FAILURE",
1580 "CTRL-EVENT-CONNECTED",
1581 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1583 raise Exception("EAP result timed out")
1584 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
1585 raise Exception("TLS certificate error not reported")
1587 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS",
1588 "CTRL-EVENT-EAP-FAILURE",
1589 "CTRL-EVENT-CONNECTED",
1590 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1592 raise Exception("EAP result(2) timed out")
1593 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
1594 raise Exception("EAP failure not reported")
1596 ev
= dev
.wait_event(["CTRL-EVENT-CONNECTED",
1597 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1599 raise Exception("EAP result(3) timed out")
1600 if "CTRL-EVENT-DISCONNECTED" not in ev
:
1601 raise Exception("Disconnection not reported")
1603 ev
= dev
.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
1605 raise Exception("Network block disabling not reported")
1607 def test_ap_wpa2_eap_tls_diff_ca_trust(dev
, apdev
):
1608 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1609 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1610 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1611 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1612 identity
="pap user", anonymous_identity
="ttls",
1613 password
="password", phase2
="auth=PAP",
1614 ca_cert
="auth_serv/ca.pem",
1615 wait_connect
=True, scan_freq
="2412")
1616 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1617 identity
="pap user", anonymous_identity
="ttls",
1618 password
="password", phase2
="auth=PAP",
1619 ca_cert
="auth_serv/ca-incorrect.pem",
1620 only_add_network
=True, scan_freq
="2412")
1622 dev
[0].request("DISCONNECT")
1623 dev
[0].wait_disconnected()
1624 dev
[0].dump_monitor()
1625 dev
[0].select_network(id, freq
="2412")
1627 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout
=15)
1629 raise Exception("EAP-TTLS not re-started")
1631 ev
= dev
[0].wait_disconnected(timeout
=15)
1632 if "reason=23" not in ev
:
1633 raise Exception("Proper reason code for disconnection not reported")
1635 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev
, apdev
):
1636 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1637 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1638 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1639 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1640 identity
="pap user", anonymous_identity
="ttls",
1641 password
="password", phase2
="auth=PAP",
1642 wait_connect
=True, scan_freq
="2412")
1643 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1644 identity
="pap user", anonymous_identity
="ttls",
1645 password
="password", phase2
="auth=PAP",
1646 ca_cert
="auth_serv/ca-incorrect.pem",
1647 only_add_network
=True, scan_freq
="2412")
1649 dev
[0].request("DISCONNECT")
1650 dev
[0].wait_disconnected()
1651 dev
[0].dump_monitor()
1652 dev
[0].select_network(id, freq
="2412")
1654 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout
=15)
1656 raise Exception("EAP-TTLS not re-started")
1658 ev
= dev
[0].wait_disconnected(timeout
=15)
1659 if "reason=23" not in ev
:
1660 raise Exception("Proper reason code for disconnection not reported")
1662 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev
, apdev
):
1663 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1664 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1665 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1666 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1667 identity
="pap user", anonymous_identity
="ttls",
1668 password
="password", phase2
="auth=PAP",
1669 ca_cert
="auth_serv/ca.pem",
1670 wait_connect
=True, scan_freq
="2412")
1671 dev
[0].request("DISCONNECT")
1672 dev
[0].wait_disconnected()
1673 dev
[0].dump_monitor()
1674 dev
[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
1675 dev
[0].select_network(id, freq
="2412")
1677 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout
=15)
1679 raise Exception("EAP-TTLS not re-started")
1681 ev
= dev
[0].wait_disconnected(timeout
=15)
1682 if "reason=23" not in ev
:
1683 raise Exception("Proper reason code for disconnection not reported")
1685 def test_ap_wpa2_eap_tls_neg_suffix_match(dev
, apdev
):
1686 """WPA2-Enterprise negative test - domain suffix mismatch"""
1687 check_domain_suffix_match(dev
[0])
1688 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1689 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1690 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1691 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
1692 password
="password", phase2
="auth=MSCHAPV2",
1693 ca_cert
="auth_serv/ca.pem",
1694 domain_suffix_match
="incorrect.example.com",
1695 wait_connect
=False, scan_freq
="2412")
1697 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
1699 raise Exception("Association and EAP start timed out")
1701 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
1703 raise Exception("EAP method selection timed out")
1704 if "TTLS" not in ev
:
1705 raise Exception("Unexpected EAP method")
1707 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1708 "CTRL-EVENT-EAP-SUCCESS",
1709 "CTRL-EVENT-EAP-FAILURE",
1710 "CTRL-EVENT-CONNECTED",
1711 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1713 raise Exception("EAP result timed out")
1714 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
1715 raise Exception("TLS certificate error not reported")
1716 if "Domain suffix mismatch" not in ev
:
1717 raise Exception("Domain suffix mismatch not reported")
1719 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1720 "CTRL-EVENT-EAP-FAILURE",
1721 "CTRL-EVENT-CONNECTED",
1722 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1724 raise Exception("EAP result(2) timed out")
1725 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
1726 raise Exception("EAP failure not reported")
1728 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
1729 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1731 raise Exception("EAP result(3) timed out")
1732 if "CTRL-EVENT-DISCONNECTED" not in ev
:
1733 raise Exception("Disconnection not reported")
1735 ev
= dev
[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
1737 raise Exception("Network block disabling not reported")
1739 def test_ap_wpa2_eap_tls_neg_domain_match(dev
, apdev
):
1740 """WPA2-Enterprise negative test - domain mismatch"""
1741 check_domain_match(dev
[0])
1742 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1743 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1744 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1745 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
1746 password
="password", phase2
="auth=MSCHAPV2",
1747 ca_cert
="auth_serv/ca.pem",
1748 domain_match
="w1.fi",
1749 wait_connect
=False, scan_freq
="2412")
1751 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
1753 raise Exception("Association and EAP start timed out")
1755 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
1757 raise Exception("EAP method selection timed out")
1758 if "TTLS" not in ev
:
1759 raise Exception("Unexpected EAP method")
1761 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1762 "CTRL-EVENT-EAP-SUCCESS",
1763 "CTRL-EVENT-EAP-FAILURE",
1764 "CTRL-EVENT-CONNECTED",
1765 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1767 raise Exception("EAP result timed out")
1768 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
1769 raise Exception("TLS certificate error not reported")
1770 if "Domain mismatch" not in ev
:
1771 raise Exception("Domain mismatch not reported")
1773 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1774 "CTRL-EVENT-EAP-FAILURE",
1775 "CTRL-EVENT-CONNECTED",
1776 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1778 raise Exception("EAP result(2) timed out")
1779 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
1780 raise Exception("EAP failure not reported")
1782 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
1783 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1785 raise Exception("EAP result(3) timed out")
1786 if "CTRL-EVENT-DISCONNECTED" not in ev
:
1787 raise Exception("Disconnection not reported")
1789 ev
= dev
[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
1791 raise Exception("Network block disabling not reported")
1793 def test_ap_wpa2_eap_tls_neg_subject_match(dev
, apdev
):
1794 """WPA2-Enterprise negative test - subject mismatch"""
1795 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1796 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1797 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1798 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
1799 password
="password", phase2
="auth=MSCHAPV2",
1800 ca_cert
="auth_serv/ca.pem",
1801 subject_match
="/C=FI/O=w1.fi/CN=example.com",
1802 wait_connect
=False, scan_freq
="2412")
1804 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
1806 raise Exception("Association and EAP start timed out")
1808 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1809 "EAP: Failed to initialize EAP method"], timeout
=10)
1811 raise Exception("EAP method selection timed out")
1812 if "EAP: Failed to initialize EAP method" in ev
:
1813 tls
= dev
[0].request("GET tls_library")
1814 if tls
.startswith("OpenSSL"):
1815 raise Exception("Failed to select EAP method")
1816 logger
.info("subject_match not supported - connection failed, so test succeeded")
1818 if "TTLS" not in ev
:
1819 raise Exception("Unexpected EAP method")
1821 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1822 "CTRL-EVENT-EAP-SUCCESS",
1823 "CTRL-EVENT-EAP-FAILURE",
1824 "CTRL-EVENT-CONNECTED",
1825 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1827 raise Exception("EAP result timed out")
1828 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
1829 raise Exception("TLS certificate error not reported")
1830 if "Subject mismatch" not in ev
:
1831 raise Exception("Subject mismatch not reported")
1833 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1834 "CTRL-EVENT-EAP-FAILURE",
1835 "CTRL-EVENT-CONNECTED",
1836 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1838 raise Exception("EAP result(2) timed out")
1839 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
1840 raise Exception("EAP failure not reported")
1842 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
1843 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1845 raise Exception("EAP result(3) timed out")
1846 if "CTRL-EVENT-DISCONNECTED" not in ev
:
1847 raise Exception("Disconnection not reported")
1849 ev
= dev
[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
1851 raise Exception("Network block disabling not reported")
1853 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev
, apdev
):
1854 """WPA2-Enterprise negative test - altsubject mismatch"""
1855 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1856 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1858 tests
= [ "incorrect.example.com",
1859 "DNS:incorrect.example.com",
1863 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev
, apdev
, match
)
1865 def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev
, apdev
, match
):
1866 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1867 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
1868 password
="password", phase2
="auth=MSCHAPV2",
1869 ca_cert
="auth_serv/ca.pem",
1870 altsubject_match
=match
,
1871 wait_connect
=False, scan_freq
="2412")
1873 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
1875 raise Exception("Association and EAP start timed out")
1877 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1878 "EAP: Failed to initialize EAP method"], timeout
=10)
1880 raise Exception("EAP method selection timed out")
1881 if "EAP: Failed to initialize EAP method" in ev
:
1882 tls
= dev
[0].request("GET tls_library")
1883 if tls
.startswith("OpenSSL"):
1884 raise Exception("Failed to select EAP method")
1885 logger
.info("altsubject_match not supported - connection failed, so test succeeded")
1887 if "TTLS" not in ev
:
1888 raise Exception("Unexpected EAP method")
1890 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1891 "CTRL-EVENT-EAP-SUCCESS",
1892 "CTRL-EVENT-EAP-FAILURE",
1893 "CTRL-EVENT-CONNECTED",
1894 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1896 raise Exception("EAP result timed out")
1897 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
1898 raise Exception("TLS certificate error not reported")
1899 if "AltSubject mismatch" not in ev
:
1900 raise Exception("altsubject mismatch not reported")
1902 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1903 "CTRL-EVENT-EAP-FAILURE",
1904 "CTRL-EVENT-CONNECTED",
1905 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1907 raise Exception("EAP result(2) timed out")
1908 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
1909 raise Exception("EAP failure not reported")
1911 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
1912 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1914 raise Exception("EAP result(3) timed out")
1915 if "CTRL-EVENT-DISCONNECTED" not in ev
:
1916 raise Exception("Disconnection not reported")
1918 ev
= dev
[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
1920 raise Exception("Network block disabling not reported")
1922 dev
[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    # No client_cert/private_key is configured here (the method name says as
    # much: only the server side is authenticated), so ca_cert is the one
    # credential the station needs in order to validate the AP's certificate.
    sta, ap = dev[0], apdev[0]
    eap_connect(sta, ap, "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(sta, "UNAUTH-TLS")
1932 def test_ap_wpa2_eap_ttls_server_cert_hash(dev
, apdev
):
1933 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
1934 check_cert_probe_support(dev
[0])
1935 skip_with_fips(dev
[0])
1936 srv_cert_hash
= "e75bd454c7b02d312e5006d75067c28ffa5baea422effeb2bbd572179cd000ca"
1937 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1938 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1939 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1940 identity
="probe", ca_cert
="probe://",
1941 wait_connect
=False, scan_freq
="2412")
1942 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
1944 raise Exception("Association and EAP start timed out")
1945 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout
=10)
1947 raise Exception("No peer server certificate event seen")
1948 if "hash=" + srv_cert_hash
not in ev
:
1949 raise Exception("Expected server certificate hash not reported")
1950 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout
=10)
1952 raise Exception("EAP result timed out")
1953 if "Server certificate chain probe" not in ev
:
1954 raise Exception("Server certificate probe not reported")
1955 dev
[0].wait_disconnected(timeout
=10)
1956 dev
[0].request("REMOVE_NETWORK all")
1958 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1959 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
1960 password
="password", phase2
="auth=MSCHAPV2",
1961 ca_cert
="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1962 wait_connect
=False, scan_freq
="2412")
1963 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
1965 raise Exception("Association and EAP start timed out")
1966 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout
=10)
1968 raise Exception("EAP result timed out")
1969 if "Server certificate mismatch" not in ev
:
1970 raise Exception("Server certificate mismatch not reported")
1971 dev
[0].wait_disconnected(timeout
=10)
1972 dev
[0].request("REMOVE_NETWORK all")
1974 eap_connect(dev
[0], apdev
[0], "TTLS", "DOMAIN\mschapv2 user",
1975 anonymous_identity
="ttls", password
="password",
1976 ca_cert
="hash://server/sha256/" + srv_cert_hash
,
1977 phase2
="auth=MSCHAPV2")
1979 def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev
, apdev
):
1980 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
1981 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1982 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1983 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1984 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
1985 password
="password", phase2
="auth=MSCHAPV2",
1986 ca_cert
="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1987 wait_connect
=False, scan_freq
="2412")
1988 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1989 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
1990 password
="password", phase2
="auth=MSCHAPV2",
1991 ca_cert
="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
1992 wait_connect
=False, scan_freq
="2412")
1993 dev
[2].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1994 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
1995 password
="password", phase2
="auth=MSCHAPV2",
1996 ca_cert
="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
1997 wait_connect
=False, scan_freq
="2412")
1998 for i
in range(0, 3):
1999 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
2001 raise Exception("Association and EAP start timed out")
2002 ev
= dev
[i
].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout
=5)
2004 raise Exception("Did not report EAP method initialization failure")
2006 def test_ap_wpa2_eap_pwd(dev
, apdev
):
2007 """WPA2-Enterprise connection using EAP-pwd"""
2008 check_eap_capa(dev
[0], "PWD")
2009 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2010 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2011 eap_connect(dev
[0], apdev
[0], "PWD", "pwd user", password
="secret password")
2012 eap_reauth(dev
[0], "PWD")
2013 dev
[0].request("REMOVE_NETWORK all")
2015 eap_connect(dev
[1], apdev
[0], "PWD",
2016 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2017 password
="secret password",
2020 logger
.info("Negative test with incorrect password")
2021 eap_connect(dev
[2], apdev
[0], "PWD", "pwd user", password
="secret-password",
2022 expect_failure
=True, local_error_report
=True)
2024 eap_connect(dev
[0], apdev
[0], "PWD",
2025 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2026 password
="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash"""
    check_eap_capa(dev[0], "PWD")
    # NT hash is MD4-based, which is presumably why this case is skipped
    # under FIPS.
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    nthash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    ap = apdev[0]
    # Same account, once with the cleartext password and once with a
    # pre-computed hash (presumably the NT hash of that same password);
    # both are expected to succeed.
    eap_connect(dev[0], ap, "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], ap, "PWD", "pwd-hash", password_hex=nthash)
    # Offering that hash for a different identity is expected to fail.
    eap_connect(dev[2], ap, "PWD", "pwd user", password_hex=nthash,
                expect_failure=True, local_error_report=True)
2042 def test_ap_wpa2_eap_pwd_groups(dev
, apdev
):
2043 """WPA2-Enterprise connection using various EAP-pwd groups"""
2044 check_eap_capa(dev
[0], "PWD")
2045 tls
= dev
[0].request("GET tls_library")
2046 params
= { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2047 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2048 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
2049 groups
= [ 19, 20, 21, 25, 26 ]
2050 if tls
.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls
and "run=OpenSSL 1.0.2" in tls
:
2051 logger
.info("Add Brainpool EC groups since OpenSSL is new enough")
2052 groups
+= [ 27, 28, 29, 30 ]
2054 logger
.info("Group %d" % i
)
2055 params
['pwd_group'] = str(i
)
2056 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2058 eap_connect(dev
[0], apdev
[0], "PWD", "pwd user",
2059 password
="secret password")
2060 dev
[0].request("REMOVE_NETWORK all")
2061 dev
[0].wait_disconnected()
2062 dev
[0].dump_monitor()
2064 if "BoringSSL" in tls
and i
in [ 25 ]:
2065 logger
.info("Ignore connection failure with group %d with BoringSSL" % i
)
2066 dev
[0].request("DISCONNECT")
2068 dev
[0].request("REMOVE_NETWORK all")
2069 dev
[0].dump_monitor()
2073 def test_ap_wpa2_eap_pwd_invalid_group(dev
, apdev
):
2074 """WPA2-Enterprise connection using invalid EAP-pwd group"""
2075 check_eap_capa(dev
[0], "PWD")
2076 params
= { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2077 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2078 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
2079 params
['pwd_group'] = "0"
2080 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2081 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PWD",
2082 identity
="pwd user", password
="secret password",
2083 scan_freq
="2412", wait_connect
=False)
2084 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2086 raise Exception("Timeout on EAP failure report")
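def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
    check_eap_capa(dev[0], "PWD")
    # The AP is configured by hand instead of via hostapd.wpa2_eap_params()
    # (the original also called it and then immediately discarded the result)
    # so that the internal EAP server's fragment_size can be pinned to a very
    # small value; 40 forces the server to fragment its EAP-pwd messages and
    # exercises reassembly on the station side.
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "pwd_group": "19", "fragment_size": "40"}
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")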
2099 def test_ap_wpa2_eap_gpsk(dev
, apdev
):
2100 """WPA2-Enterprise connection using EAP-GPSK"""
2101 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2102 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2103 id = eap_connect(dev
[0], apdev
[0], "GPSK", "gpsk user",
2104 password
="abcdefghijklmnop0123456789abcdef")
2105 eap_reauth(dev
[0], "GPSK")
2107 logger
.info("Test forced algorithm selection")
2108 for phase1
in [ "cipher=1", "cipher=2" ]:
2109 dev
[0].set_network_quoted(id, "phase1", phase1
)
2110 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
2112 raise Exception("EAP success timed out")
2113 dev
[0].wait_connected(timeout
=10)
2115 logger
.info("Test failed algorithm negotiation")
2116 dev
[0].set_network_quoted(id, "phase1", "cipher=9")
2117 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
2119 raise Exception("EAP failure timed out")
2121 logger
.info("Negative test with incorrect password")
2122 dev
[0].request("REMOVE_NETWORK all")
2123 eap_connect(dev
[0], apdev
[0], "GPSK", "gpsk user",
2124 password
="ffcdefghijklmnop0123456789abcdef",
2125 expect_failure
=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The SAKE key is passed as password_hex; the good and bad values below
    # differ only in the first byte.
    good_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    sta, ap = dev[0], apdev[0]

    eap_connect(sta, ap, "SAKE", "sake user", password_hex=good_key)
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "SAKE", "sake user", password_hex=bad_key,
                expect_failure=True)
2141 def test_ap_wpa2_eap_eke(dev
, apdev
):
2142 """WPA2-Enterprise connection using EAP-EKE"""
2143 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2144 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2145 id = eap_connect(dev
[0], apdev
[0], "EKE", "eke user", password
="hello")
2146 eap_reauth(dev
[0], "EKE")
2148 logger
.info("Test forced algorithm selection")
2149 for phase1
in [ "dhgroup=5 encr=1 prf=2 mac=2",
2150 "dhgroup=4 encr=1 prf=2 mac=2",
2151 "dhgroup=3 encr=1 prf=2 mac=2",
2152 "dhgroup=3 encr=1 prf=1 mac=1" ]:
2153 dev
[0].set_network_quoted(id, "phase1", phase1
)
2154 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
2156 raise Exception("EAP success timed out")
2157 dev
[0].wait_connected(timeout
=10)
2159 logger
.info("Test failed algorithm negotiation")
2160 dev
[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
2161 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
2163 raise Exception("EAP failure timed out")
2165 logger
.info("Negative test with incorrect password")
2166 dev
[0].request("REMOVE_NETWORK all")
2167 eap_connect(dev
[0], apdev
[0], "EKE", "eke user", password
="hello1",
2168 expect_failure
=True)
2170 def test_ap_wpa2_eap_eke_many(dev
, apdev
, params
):
2171 """WPA2-Enterprise connection using EAP-EKE (many connections) [long]"""
2172 if not params
['long']:
2173 raise HwsimSkip("Skip test case with long duration due to --long not specified")
2174 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2175 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2178 for i
in range(100):
2180 dev
[j
].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="EKE",
2181 identity
="eke user", password
="hello",
2182 phase1
="dhgroup=3 encr=1 prf=1 mac=1",
2183 scan_freq
="2412", wait_connect
=False)
2185 ev
= dev
[j
].wait_event(["CTRL-EVENT-CONNECTED",
2186 "CTRL-EVENT-DISCONNECTED"], timeout
=15)
2188 raise Exception("No connected/disconnected event")
2189 if "CTRL-EVENT-DISCONNECTED" in ev
:
2191 # The RADIUS server limits on active sessions can be hit when
2192 # going through this test case, so try to give some more time
2193 # for the server to remove sessions.
2194 logger
.info("Failed to connect i=%d j=%d" % (i
, j
))
2195 dev
[j
].request("REMOVE_NETWORK all")
2199 dev
[j
].request("REMOVE_NETWORK all")
2200 dev
[j
].wait_disconnected()
2201 dev
[j
].dump_monitor()
2202 logger
.info("Total success=%d failure=%d" % (success
, fail
))
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
    # Override the internal EAP server's server_id with an NAI-form identity
    # (user@realm) in place of whatever int_eap_server_params() defaults to.
    ap_params = int_eap_server_params()
    ap_params.update(server_id='example.server@w1.fi')
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
2211 def test_ap_wpa2_eap_eke_server_oom(dev
, apdev
):
2212 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
2213 params
= int_eap_server_params()
2214 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
2215 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
2217 for count
,func
in [ (1, "eap_eke_build_commit"),
2218 (2, "eap_eke_build_commit"),
2219 (3, "eap_eke_build_commit"),
2220 (1, "eap_eke_build_confirm"),
2221 (2, "eap_eke_build_confirm"),
2222 (1, "eap_eke_process_commit"),
2223 (2, "eap_eke_process_commit"),
2224 (1, "eap_eke_process_confirm"),
2225 (1, "eap_eke_process_identity"),
2226 (2, "eap_eke_process_identity"),
2227 (3, "eap_eke_process_identity"),
2228 (4, "eap_eke_process_identity") ]:
2229 with
alloc_fail(hapd
, count
, func
):
2230 eap_connect(dev
[0], apdev
[0], "EKE", "eke user", password
="hello",
2231 expect_failure
=True)
2232 dev
[0].request("REMOVE_NETWORK all")
2234 for count
,func
,pw
in [ (1, "eap_eke_init", "hello"),
2235 (1, "eap_eke_get_session_id", "hello"),
2236 (1, "eap_eke_getKey", "hello"),
2237 (1, "eap_eke_build_msg", "hello"),
2238 (1, "eap_eke_build_failure", "wrong"),
2239 (1, "eap_eke_build_identity", "hello"),
2240 (2, "eap_eke_build_identity", "hello") ]:
2241 with
alloc_fail(hapd
, count
, func
):
2242 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
2243 eap
="EKE", identity
="eke user", password
=pw
,
2244 wait_connect
=False, scan_freq
="2412")
2245 # This would eventually time out, but we can stop after having
2246 # reached the allocation failure.
2249 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
2251 dev
[0].request("REMOVE_NETWORK all")
2253 for count
in range(1, 1000):
2255 with
alloc_fail(hapd
, count
, "eap_server_sm_step"):
2256 dev
[0].connect("test-wpa2-eap",
2257 key_mgmt
="WPA-EAP WPA-EAP-SHA256",
2258 eap
="EKE", identity
="eke user", password
=pw
,
2259 wait_connect
=False, scan_freq
="2412")
2260 # This would eventually time out, but we can stop after having
2261 # reached the allocation failure.
2264 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
2266 dev
[0].request("REMOVE_NETWORK all")
2267 except Exception, e
:
2268 if str(e
) == "Allocation failure did not trigger":
2270 raise Exception("Too few allocation failures")
2271 logger
.info("%d allocation failures tested" % (count
- 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    check_eap_capa(dev[0], "IKEV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta, ap = dev[0], apdev[0]

    # Plain connection followed by a reauthentication round.
    eap_connect(sta, ap, "IKEV2", "ikev2 user", password="ike password")
    eap_reauth(sta, "IKEV2")

    # Same credentials again, this time with fragment_size=50 on the
    # station's network block (presumably forcing station-side fragmentation).
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", "ikev2 user", password="ike password",
                fragment_size="50")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", "ikev2 user", password="ike-password",
                expect_failure=True)
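def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    Here fragment_size is a hostapd (EAP server) parameter, so it is the
    AP that has to fragment its EAP-IKEv2 messages and the station that
    has to reassemble them; both the initial connection and a
    re-authentication must complete.
    """
    check_eap_capa(dev[0], "IKEV2")
    # The AP configuration is spelled out once. (A preceding
    # hostapd.wpa2_eap_params() call used to be assigned to params and
    # then immediately overwritten by this literal - a dead store.)
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")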
2305 def test_ap_wpa2_eap_ikev2_oom(dev
, apdev
):
2306 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
2307 check_eap_capa(dev
[0], "IKEV2")
2308 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2309 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2311 tests
= [ (1, "dh_init"),
2313 (1, "dh_derive_shared") ]
2314 for count
, func
in tests
:
2315 with
alloc_fail(dev
[0], count
, func
):
2316 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="IKEV2",
2317 identity
="ikev2 user", password
="ike password",
2318 wait_connect
=False, scan_freq
="2412")
2319 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
2321 raise Exception("EAP method not selected")
2323 if "0:" in dev
[0].request("GET_ALLOC_FAIL"):
2326 dev
[0].request("REMOVE_NETWORK all")
2328 tests
= [ (1, "os_get_random;dh_init") ]
2329 for count
, func
in tests
:
2330 with
fail_test(dev
[0], count
, func
):
2331 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="IKEV2",
2332 identity
="ikev2 user", password
="ike password",
2333 wait_connect
=False, scan_freq
="2412")
2334 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
2336 raise Exception("EAP method not selected")
2338 if "0:" in dev
[0].request("GET_FAIL"):
2341 dev
[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    EAP-PAX is driven with a 16-byte hex key (password_hex). After a
    successful connection and re-authentication, the first byte of the
    key is changed and the EAP exchange must fail.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    user = "pax.user@example.com"
    good_key = "0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef"

    eap_connect(dev[0], apdev[0], "PAX", user, password_hex=good_key)
    eap_reauth(dev[0], "PAX")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PAX", user, password_hex=bad_key,
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    The AP is configured with ieee80211w=2 and only the WPA-EAP-SHA256
    AKM, so besides the EAP-PSK exchange itself the test checks that the
    station really negotiated that AKM: the RSN MIB has to report suite
    00-0f-ac-5 as both requested and selected, and the BSS table entry
    has to carry the WPA2-EAP-SHA256-CCMP flag. A final negative case
    with a corrupted key must fail.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    user = "psk.user@example.com"
    good_key = "0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef"

    eap_connect(dev[0], apdev[0], "PSK", user, password_hex=good_key,
                sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    # Requested and selected AKM must both be the SHA-256 suite.
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ])

    bss = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PSK", user, password_hex=bad_key,
                sha256=True, expect_failure=True)
2381 def test_ap_wpa2_eap_psk_oom(dev
, apdev
):
2382 """WPA2-Enterprise connection using EAP-PSK and OOM"""
2383 skip_with_fips(dev
[0])
2384 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2385 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2386 tests
= [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
2387 (1, "omac1_aes_128;aes_128_eax_encrypt"),
2388 (2, "omac1_aes_128;aes_128_eax_encrypt"),
2389 (3, "omac1_aes_128;aes_128_eax_encrypt"),
2390 (1, "=aes_128_eax_encrypt"),
2391 (1, "omac1_aes_vector"),
2392 (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
2393 (1, "omac1_aes_128;aes_128_eax_decrypt"),
2394 (2, "omac1_aes_128;aes_128_eax_decrypt"),
2395 (3, "omac1_aes_128;aes_128_eax_decrypt"),
2396 (1, "=aes_128_eax_decrypt") ]
2397 for count
, func
in tests
:
2398 with
alloc_fail(dev
[0], count
, func
):
2399 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PSK",
2400 identity
="psk.user@example.com",
2401 password_hex
="0123456789abcdef0123456789abcdef",
2402 wait_connect
=False, scan_freq
="2412")
2403 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
2405 raise Exception("EAP method not selected")
2407 if "0:" in dev
[0].request("GET_ALLOC_FAIL"):
2410 dev
[0].request("REMOVE_NETWORK all")
2412 with
alloc_fail(dev
[0], 1, "aes_128_encrypt_block"):
2413 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PSK",
2414 identity
="psk.user@example.com",
2415 password_hex
="0123456789abcdef0123456789abcdef",
2416 wait_connect
=False, scan_freq
="2412")
2417 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
2419 raise Exception("EAP method failure not reported")
2420 dev
[0].request("REMOVE_NETWORK all")
2422 def test_ap_wpa_eap_peap_eap_mschapv2(dev
, apdev
):
2423 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
2424 check_eap_capa(dev
[0], "MSCHAPV2")
2425 params
= hostapd
.wpa_eap_params(ssid
="test-wpa-eap")
2426 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
2427 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
2428 identity
="user", password
="password", phase2
="auth=MSCHAPV2",
2429 ca_cert
="auth_serv/ca.pem", wait_connect
=False,
2431 eap_check_auth(dev
[0], "PEAP", True, rsn
=False)
2432 hwsim_utils
.test_connectivity(dev
[0], hapd
)
2433 eap_reauth(dev
[0], "PEAP", rsn
=False)
2434 check_mib(dev
[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
2435 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
2436 status
= dev
[0].get_status(extra
="VERBOSE")
2437 if 'portControl' not in status
:
2438 raise Exception("portControl missing from STATUS-VERBOSE")
2439 if status
['portControl'] != 'Auto':
2440 raise Exception("Unexpected portControl value: " + status
['portControl'])
2441 if 'eap_session_id' not in status
:
2442 raise Exception("eap_session_id missing from STATUS-VERBOSE")
2443 if not status
['eap_session_id'].startswith("19"):
2444 raise Exception("Unexpected eap_session_id value: " + status
['eap_session_id'])
2446 def test_ap_wpa2_eap_interactive(dev
, apdev
):
2447 """WPA2-Enterprise connection using interactive identity/password entry"""
2448 check_eap_capa(dev
[0], "MSCHAPV2")
2449 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2450 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2451 hapd
= hostapd
.Hostapd(apdev
[0]['ifname'])
2453 tests
= [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
2454 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
2456 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
2457 "TTLS", "ttls", None, "auth=MSCHAPV2",
2458 "DOMAIN\mschapv2 user", "password"),
2459 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
2460 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
2461 ("Connection with dynamic TTLS/EAP-MD5 password entry",
2462 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
2463 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
2464 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
2465 ("Connection with dynamic PEAP/EAP-GTC password entry",
2466 "PEAP", None, "user", "auth=GTC", None, "password") ]
2467 for [desc
,eap
,anon
,identity
,phase2
,req_id
,req_pw
] in tests
:
2469 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
=eap
,
2470 anonymous_identity
=anon
, identity
=identity
,
2471 ca_cert
="auth_serv/ca.pem", phase2
=phase2
,
2472 wait_connect
=False, scan_freq
="2412")
2474 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
2476 raise Exception("Request for identity timed out")
2477 id = ev
.split(':')[0].split('-')[-1]
2478 dev
[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id
)
2479 ev
= dev
[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
2481 raise Exception("Request for password timed out")
2482 id = ev
.split(':')[0].split('-')[-1]
2483 type = "OTP" if "CTRL-REQ-OTP" in ev
else "PASSWORD"
2484 dev
[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw
)
2485 dev
[0].wait_connected(timeout
=10)
2486 dev
[0].request("REMOVE_NETWORK all")
2488 def test_ap_wpa2_eap_ext_enable_network_while_connected(dev
, apdev
):
2489 """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
2490 check_eap_capa(dev
[0], "MSCHAPV2")
2491 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2492 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2493 hapd
= hostapd
.Hostapd(apdev
[0]['ifname'])
2495 id_other
= dev
[0].connect("other", key_mgmt
="NONE", scan_freq
="2412",
2496 only_add_network
=True)
2498 req_id
= "DOMAIN\mschapv2 user"
2499 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2500 anonymous_identity
="ttls", identity
=None,
2501 password
="password",
2502 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2503 wait_connect
=False, scan_freq
="2412")
2504 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
2506 raise Exception("Request for identity timed out")
2507 id = ev
.split(':')[0].split('-')[-1]
2508 dev
[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id
)
2509 dev
[0].wait_connected(timeout
=10)
2511 if "OK" not in dev
[0].request("ENABLE_NETWORK " + str(id_other
)):
2512 raise Exception("Failed to enable network")
2513 ev
= dev
[0].wait_event(["SME: Trying to authenticate"], timeout
=1)
2515 raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
2516 dev
[0].request("REMOVE_NETWORK all")
2518 def test_ap_wpa2_eap_vendor_test(dev
, apdev
):
2519 """WPA2-Enterprise connection using EAP vendor test"""
2520 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2521 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2522 eap_connect(dev
[0], apdev
[0], "VENDOR-TEST", "vendor-test")
2523 eap_reauth(dev
[0], "VENDOR-TEST")
2524 eap_connect(dev
[1], apdev
[0], "VENDOR-TEST", "vendor-test",
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    The first connection runs with fast_provisioning=1 (the
    unauthenticated provisioning mode named in the title) and stores the
    resulting PAC in the "fast_pac" blob. The following re-authentication
    must resume the TLS session through that PAC: tls_session_reused in
    the status returned by eap_reauth() has to be '1'.
    """
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # NOTE(review): unauthenticated provisioning is exercised here on
    # purpose; the authenticated mode (fast_provisioning=2) is covered by
    # the GTC variant and is what a deployment would normally prefer.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(dev[0], hapd)

    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2541 def test_ap_wpa2_eap_fast_pac_file(dev
, apdev
, params
):
2542 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
2543 check_eap_capa(dev
[0], "FAST")
2544 pac_file
= os
.path
.join(params
['logdir'], "fast.pac")
2545 pac_file2
= os
.path
.join(params
['logdir'], "fast-bin.pac")
2546 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2547 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2550 eap_connect(dev
[0], apdev
[0], "FAST", "user",
2551 anonymous_identity
="FAST", password
="password",
2552 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2553 phase1
="fast_provisioning=1", pac_file
=pac_file
)
2554 with
open(pac_file
, "r") as f
:
2556 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data
:
2557 raise Exception("PAC file header missing")
2558 if "PAC-Key=" not in data
:
2559 raise Exception("PAC-Key missing from PAC file")
2560 dev
[0].request("REMOVE_NETWORK all")
2561 eap_connect(dev
[0], apdev
[0], "FAST", "user",
2562 anonymous_identity
="FAST", password
="password",
2563 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2566 eap_connect(dev
[1], apdev
[0], "FAST", "user",
2567 anonymous_identity
="FAST", password
="password",
2568 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2569 phase1
="fast_provisioning=1 fast_pac_format=binary",
2571 dev
[1].request("REMOVE_NETWORK all")
2572 eap_connect(dev
[1], apdev
[0], "FAST", "user",
2573 anonymous_identity
="FAST", password
="password",
2574 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2575 phase1
="fast_pac_format=binary",
2583 os
.remove(pac_file2
)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    Provisions a PAC with fast_pac_format=binary into the "fast_pac_bin"
    blob (with the PAC list limited through fast_max_pac_list_len=1) and
    then requires a re-authentication to resume the TLS session from it.
    """
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    phase1 = "fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary"
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=phase1, pac_file="blob://fast_pac_bin")
    # The PAC is only useful if the second authentication resumes the
    # TLS session instead of running a full handshake.
    if eap_reauth(dev[0], "FAST")['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2601 def test_ap_wpa2_eap_fast_missing_pac_config(dev
, apdev
):
2602 """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
2603 check_eap_capa(dev
[0], "FAST")
2604 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2605 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2607 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
2608 identity
="user", anonymous_identity
="FAST",
2609 password
="password",
2610 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2611 pac_file
="blob://fast_pac_not_in_use",
2612 wait_connect
=False, scan_freq
="2412")
2613 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2615 raise Exception("Timeout on EAP failure report")
2616 dev
[0].request("REMOVE_NETWORK all")
2618 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
2619 identity
="user", anonymous_identity
="FAST",
2620 password
="password",
2621 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2622 wait_connect
=False, scan_freq
="2412")
2623 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2625 raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning

    Same flow as the MSCHAPv2 variant, but with EAP-GTC as the inner
    method and fast_provisioning=2 (authenticated provisioning). The PAC
    is stored in the "fast_pac_auth" blob and a re-authentication must
    resume the TLS session through it.
    """
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(dev[0], hapd)
    reused = eap_reauth(dev[0], "FAST")['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2641 def test_ap_wpa2_eap_fast_gtc_identity_change(dev
, apdev
):
2642 """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
2643 check_eap_capa(dev
[0], "FAST")
2644 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2645 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
2646 id = eap_connect(dev
[0], apdev
[0], "FAST", "user",
2647 anonymous_identity
="FAST", password
="password",
2648 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
2649 phase1
="fast_provisioning=2",
2650 pac_file
="blob://fast_pac_auth")
2651 dev
[0].set_network_quoted(id, "identity", "user2")
2652 dev
[0].wait_disconnected()
2653 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
2655 raise Exception("EAP-FAST not started")
2656 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
2658 raise Exception("EAP failure not reported")
2659 dev
[0].wait_disconnected()
2661 def test_ap_wpa2_eap_fast_prf_oom(dev
, apdev
):
2662 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
2663 check_eap_capa(dev
[0], "FAST")
2664 tls
= dev
[0].request("GET tls_library")
2665 if tls
.startswith("OpenSSL"):
2666 func
= "openssl_tls_prf"
2668 elif tls
.startswith("internal"):
2669 func
= "tls_connection_prf"
2672 raise HwsimSkip("Unsupported TLS library")
2673 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2674 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
2675 with
alloc_fail(dev
[0], count
, func
):
2676 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
2677 identity
="user", anonymous_identity
="FAST",
2678 password
="password", ca_cert
="auth_serv/ca.pem",
2680 phase1
="fast_provisioning=2",
2681 pac_file
="blob://fast_pac_auth",
2682 wait_connect
=False, scan_freq
="2412")
2683 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
2685 raise Exception("EAP failure not reported")
2686 dev
[0].request("DISCONNECT")
2688 def test_ap_wpa2_eap_fast_server_oom(dev
, apdev
):
2689 """EAP-FAST/MSCHAPv2 and server OOM"""
2690 check_eap_capa(dev
[0], "FAST")
2692 params
= int_eap_server_params()
2693 params
['dh_file'] = 'auth_serv/dh.conf'
2694 params
['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
2695 params
['eap_fast_a_id'] = '1011'
2696 params
['eap_fast_a_id_info'] = 'another test server'
2697 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
2699 with
alloc_fail(hapd
, 1, "tls_session_ticket_ext_cb"):
2700 id = eap_connect(dev
[0], apdev
[0], "FAST", "user",
2701 anonymous_identity
="FAST", password
="password",
2702 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2703 phase1
="fast_provisioning=1",
2704 pac_file
="blob://fast_pac",
2705 expect_failure
=True)
2706 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
2708 raise Exception("No EAP failure reported")
2709 dev
[0].wait_disconnected()
2710 dev
[0].request("DISCONNECT")
2712 dev
[0].select_network(id, freq
="2412")
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP

    Positive case only: EAP-TLS with a PKCS#12 client credential and
    ocsp=2 on the station, and the connection is expected to succeed.
    The sibling *_ocsp_* tests cover the failure paths (revoked, unknown,
    bad signer, invalid data).
    """
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    client_cred = dict(ca_cert="auth_serv/ca.pem",
                       private_key="auth_serv/user.pkcs12",
                       private_key_passwd="whatever")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ocsp=2, **client_cred)
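def int_eap_server_params():
    """Return hostapd parameters for an AP using the integrated EAP server.

    The dict enables WPA2/CCMP with 802.1X key management and points the
    built-in EAP server at the test CA, server certificate and key under
    auth_serv/. Callers extend the returned dict (e.g. with
    ocsp_stapling_response or an alternative server_cert/private_key)
    before passing it to hostapd.add_ap(), so a fresh dict is built on
    every call.

    Returns:
        dict of hostapd configuration parameters.
    """
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "ca_cert": "auth_serv/ca.pem",
               "server_cert": "auth_serv/server.pem",
               "private_key": "auth_serv/server.key" }
    # Every caller does "params = int_eap_server_params()" and then
    # assigns into it; without this return they would get None.
    return params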
2733 def test_ap_wpa2_eap_tls_ocsp_key_id(dev
, apdev
, params
):
2734 """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
2735 check_ocsp_support(dev
[0])
2736 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-key-id.der")
2737 if not os
.path
.exists(ocsp
):
2738 raise HwsimSkip("No OCSP response available")
2739 params
= int_eap_server_params()
2740 params
["ocsp_stapling_response"] = ocsp
2741 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2742 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2743 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2744 private_key
="auth_serv/user.pkcs12",
2745 private_key_passwd
="whatever", ocsp
=2,
2748 def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev
, apdev
, params
):
2749 """EAP-TLS and CA signed OCSP response (good)"""
2750 check_ocsp_support(dev
[0])
2751 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed.der")
2752 if not os
.path
.exists(ocsp
):
2753 raise HwsimSkip("No OCSP response available")
2754 params
= int_eap_server_params()
2755 params
["ocsp_stapling_response"] = ocsp
2756 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2757 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2758 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2759 private_key
="auth_serv/user.pkcs12",
2760 private_key_passwd
="whatever", ocsp
=2,
2763 def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev
, apdev
, params
):
2764 """EAP-TLS and CA signed OCSP response (revoked)"""
2765 check_ocsp_support(dev
[0])
2766 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-revoked.der")
2767 if not os
.path
.exists(ocsp
):
2768 raise HwsimSkip("No OCSP response available")
2769 params
= int_eap_server_params()
2770 params
["ocsp_stapling_response"] = ocsp
2771 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2772 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2773 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2774 private_key
="auth_serv/user.pkcs12",
2775 private_key_passwd
="whatever", ocsp
=2,
2776 wait_connect
=False, scan_freq
="2412")
2779 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2781 raise Exception("Timeout on EAP status")
2782 if 'bad certificate status response' in ev
:
2784 if 'certificate revoked' in ev
:
2788 raise Exception("Unexpected number of EAP status messages")
2790 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2792 raise Exception("Timeout on EAP failure report")
2794 def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev
, apdev
, params
):
2795 """EAP-TLS and CA signed OCSP response (unknown)"""
2796 check_ocsp_support(dev
[0])
2797 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-unknown.der")
2798 if not os
.path
.exists(ocsp
):
2799 raise HwsimSkip("No OCSP response available")
2800 params
= int_eap_server_params()
2801 params
["ocsp_stapling_response"] = ocsp
2802 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2803 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2804 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2805 private_key
="auth_serv/user.pkcs12",
2806 private_key_passwd
="whatever", ocsp
=2,
2807 wait_connect
=False, scan_freq
="2412")
2810 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2812 raise Exception("Timeout on EAP status")
2813 if 'bad certificate status response' in ev
:
2817 raise Exception("Unexpected number of EAP status messages")
2819 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2821 raise Exception("Timeout on EAP failure report")
2823 def test_ap_wpa2_eap_tls_ocsp_server_signed(dev
, apdev
, params
):
2824 """EAP-TLS and server signed OCSP response"""
2825 check_ocsp_support(dev
[0])
2826 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-server-signed.der")
2827 if not os
.path
.exists(ocsp
):
2828 raise HwsimSkip("No OCSP response available")
2829 params
= int_eap_server_params()
2830 params
["ocsp_stapling_response"] = ocsp
2831 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2832 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2833 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2834 private_key
="auth_serv/user.pkcs12",
2835 private_key_passwd
="whatever", ocsp
=2,
2836 wait_connect
=False, scan_freq
="2412")
2839 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2841 raise Exception("Timeout on EAP status")
2842 if 'bad certificate status response' in ev
:
2846 raise Exception("Unexpected number of EAP status messages")
2848 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2850 raise Exception("Timeout on EAP failure report")
2852 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev
, apdev
):
2853 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
2854 check_ocsp_support(dev
[0])
2855 params
= int_eap_server_params()
2856 params
["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
2857 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2858 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2859 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2860 private_key
="auth_serv/user.pkcs12",
2861 private_key_passwd
="whatever", ocsp
=2,
2862 wait_connect
=False, scan_freq
="2412")
2865 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2867 raise Exception("Timeout on EAP status")
2868 if 'bad certificate status response' in ev
:
2872 raise Exception("Unexpected number of EAP status messages")
2874 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2876 raise Exception("Timeout on EAP failure report")
2878 def test_ap_wpa2_eap_tls_ocsp_invalid(dev
, apdev
):
2879 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
2880 check_ocsp_support(dev
[0])
2881 params
= int_eap_server_params()
2882 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
2883 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2884 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2885 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2886 private_key
="auth_serv/user.pkcs12",
2887 private_key_passwd
="whatever", ocsp
=2,
2888 wait_connect
=False, scan_freq
="2412")
2891 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2893 raise Exception("Timeout on EAP status")
2894 if 'bad certificate status response' in ev
:
2898 raise Exception("Unexpected number of EAP status messages")
2900 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2902 raise Exception("Timeout on EAP failure report")
2904 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev
, apdev
):
2905 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
2906 check_ocsp_support(dev
[0])
2907 params
= int_eap_server_params()
2908 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
2909 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2910 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2911 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2912 private_key
="auth_serv/user.pkcs12",
2913 private_key_passwd
="whatever", ocsp
=2,
2914 wait_connect
=False, scan_freq
="2412")
2917 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2919 raise Exception("Timeout on EAP status")
2920 if 'bad certificate status response' in ev
:
2924 raise Exception("Unexpected number of EAP status messages")
2926 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2928 raise Exception("Timeout on EAP failure report")
2930 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev
, apdev
, params
):
2931 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2932 check_ocsp_support(dev
[0])
2933 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-revoked.der")
2934 if not os
.path
.exists(ocsp
):
2935 raise HwsimSkip("No OCSP response available")
2936 params
= int_eap_server_params()
2937 params
["ocsp_stapling_response"] = ocsp
2938 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2939 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2940 identity
="pap user", ca_cert
="auth_serv/ca.pem",
2941 anonymous_identity
="ttls", password
="password",
2942 phase2
="auth=PAP", ocsp
=2,
2943 wait_connect
=False, scan_freq
="2412")
2946 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2948 raise Exception("Timeout on EAP status")
2949 if 'bad certificate status response' in ev
:
2951 if 'certificate revoked' in ev
:
2955 raise Exception("Unexpected number of EAP status messages")
2957 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2959 raise Exception("Timeout on EAP failure report")
2961 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev
, apdev
, params
):
2962 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2963 check_ocsp_support(dev
[0])
2964 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-unknown.der")
2965 if not os
.path
.exists(ocsp
):
2966 raise HwsimSkip("No OCSP response available")
2967 params
= int_eap_server_params()
2968 params
["ocsp_stapling_response"] = ocsp
2969 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2970 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2971 identity
="pap user", ca_cert
="auth_serv/ca.pem",
2972 anonymous_identity
="ttls", password
="password",
2973 phase2
="auth=PAP", ocsp
=2,
2974 wait_connect
=False, scan_freq
="2412")
2977 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2979 raise Exception("Timeout on EAP status")
2980 if 'bad certificate status response' in ev
:
2984 raise Exception("Unexpected number of EAP status messages")
2986 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2988 raise Exception("Timeout on EAP failure report")
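def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown

    The AP staples the "ocsp-server-cache-unknown.der" response. Unlike
    test_ap_wpa2_eap_ttls_ocsp_unknown (ocsp=2, which expects an EAP
    failure), the station uses ocsp=1, so the unknown status must not
    stop the connection: connect() waits for the association to succeed.
    """
    # Same guard as the other OCSP tests: on a build whose TLS library
    # cannot do OCSP at all, a "pass" here would say nothing about the
    # optional-OCSP path, so skip instead.
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # Keep the test-runner 'params' argument apart from the AP config.
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")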
3003 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev
, apdev
):
3004 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
3005 check_domain_match_full(dev
[0])
3006 params
= int_eap_server_params()
3007 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
3008 params
["private_key"] = "auth_serv/server-no-dnsname.key"
3009 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3010 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3011 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3012 private_key
="auth_serv/user.pkcs12",
3013 private_key_passwd
="whatever",
3014 domain_suffix_match
="server3.w1.fi",
3017 def test_ap_wpa2_eap_tls_domain_match_cn(dev
, apdev
):
3018 """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
3019 check_domain_match(dev
[0])
3020 params
= int_eap_server_params()
3021 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
3022 params
["private_key"] = "auth_serv/server-no-dnsname.key"
3023 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3024 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3025 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3026 private_key
="auth_serv/user.pkcs12",
3027 private_key_passwd
="whatever",
3028 domain_match
="server3.w1.fi",
3031 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev
, apdev
):
3032 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
3033 check_domain_match_full(dev
[0])
3034 params
= int_eap_server_params()
3035 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
3036 params
["private_key"] = "auth_serv/server-no-dnsname.key"
3037 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3038 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3039 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3040 private_key
="auth_serv/user.pkcs12",
3041 private_key_passwd
="whatever",
3042 domain_suffix_match
="w1.fi",
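def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)

    Two negative cases against a server certificate whose only name is
    the subject CN: a suffix from an unrelated domain ("example.com") and a
    suffix that is merely a substring of the CN ("erver3.w1.fi" for
    "server3.w1.fi"). Both must end in CTRL-EVENT-EAP-FAILURE; accepting
    either would let a certificate issued for another host authenticate
    the network.
    """
    # NOTE(review): lines marked "(restored)" are missing from this page
    # render and were reconstructed from the file's usual idiom; confirm
    # against upstream.
    check_domain_suffix_match(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="example.com",
                   scan_freq="2412", wait_connect=False)  # (restored)
    # Suffix matching must be label-aligned; a partial label must not match.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="erver3.w1.fi",
                   scan_freq="2412", wait_connect=False)  # (restored)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:  # (restored)
        raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:  # (restored)
        raise Exception("Timeout on EAP failure report (2)")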
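def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)

    Negative cases for the full-match variant (domain_match) against a
    server certificate whose only name is the subject CN: an unrelated
    domain, and the parent domain "w1.fi", which would pass a suffix match
    but must not pass a full match. Both clients must report
    CTRL-EVENT-EAP-FAILURE.
    """
    # NOTE(review): lines marked "(restored)" are missing from this page
    # render and were reconstructed from the file's usual idiom; confirm
    # against upstream.
    check_domain_match(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="example.com",
                   scan_freq="2412", wait_connect=False)  # (restored)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="w1.fi",
                   scan_freq="2412", wait_connect=False)  # (restored)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:  # (restored)
        raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:  # (restored)
        raise Exception("Timeout on EAP failure report (2)")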
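def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate

    The server presents an expired certificate. The client must report a
    CTRL-EVENT-EAP-TLS-CERT-ERROR carrying reason=4 and the text
    "certificate has expired", and then fail the EAP exchange rather than
    completing the tunnel.
    """
    # NOTE(review): lines marked "(restored)" are missing from this page
    # render and were reconstructed from the file's usual idiom; confirm
    # against upstream.
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412", wait_connect=False)  # (restored)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    if ev is None:  # (restored)
        raise Exception("Timeout on EAP certificate error report")
    # Both the numeric reason and the human-readable text are checked so a
    # different validation error is not mistaken for the expiry case.
    if "reason=4" not in ev or "certificate has expired" not in ev:
        raise Exception("Unexpected failure reason: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:  # (restored)
        raise Exception("Timeout on EAP failure report")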
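def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration

    Same expired server certificate as the previous test, but the client
    sets phase1="tls_disable_time_checks=1", which is what allows the
    connection to complete. Disabling validity-period checks removes the
    protection against expired (e.g. revoked-by-expiry) server
    certificates, so this knob is only appropriate for test setups or
    devices without a trustworthy clock.
    """
    # NOTE(review): the line marked "(restored)" is missing from this page
    # render and was reconstructed from the file's usual idiom; confirm
    # against upstream.
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   phase1="tls_disable_time_checks=1",
                   scan_freq="2412")  # (restored)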
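def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and long certificate duration

    Regression check that a server certificate with an unusually long
    validity period (see the certificate file name) is still accepted by
    the client's TLS validation; connect() waits for completion.
    """
    # NOTE(review): the line marked "(restored)" is missing from this page
    # render and was reconstructed from the file's usual idiom; confirm
    # against upstream.
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-long-duration.pem"
    params["private_key"] = "auth_serv/server-long-duration.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")  # (restored)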
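def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU

    The server presents a certificate whose Extended Key Usage (by the
    file name) is client-auth only. A client that honours EKU must refuse
    to treat it as a server certificate, so CTRL-EVENT-EAP-FAILURE is the
    expected outcome; accepting it would let any client certificate from
    the CA impersonate the authentication server.
    """
    # NOTE(review): lines marked "(restored)" are missing from this page
    # render and were reconstructed from the file's usual idiom; confirm
    # against upstream.
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-eku-client.pem"
    params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412", wait_connect=False)  # (restored)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:  # (restored)
        raise Exception("Timeout on EAP failure report")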
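def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU

    Counterpart of the client-EKU-only test: a certificate carrying both
    the client-auth and server-auth EKUs (by the file name) is a valid
    server certificate and the connection is expected to complete.
    """
    # NOTE(review): the line marked "(restored)" is missing from this page
    # render and was reconstructed from the file's usual idiom; confirm
    # against upstream.
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")  # (restored)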
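def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file

    The server is configured with only private_key pointing at a PKCS#12
    bundle (server_cert is removed from the parameter set), so the server
    certificate has to be taken from the bundle.
    """
    # NOTE(review): the line marked "(restored)" is missing from this page
    # render and was reconstructed from the file's usual idiom; confirm
    # against upstream.
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    # Drop the PEM certificate so the PKCS#12 file is the only source.
    del params["server_cert"]
    params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")  # (restored)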
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params

    Client-side dh_file pointing at a DH parameter file; the connection
    (via eap_connect, which fails the test on error) must still complete.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): docstring says CHAP but phase2 is PAP; one of them is stale.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="auth_serv/dh.conf")
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)

    Same as test_ap_wpa2_eap_ttls_dh_params but the client's dh_file holds
    DSA-style parameters; check_dh_dsa_support() skips the test when the
    TLS library cannot use them.
    """
    check_dh_dsa_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="auth_serv/dsaparam.pem")
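def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TTLS and DH params file not found

    Client-side dh_file that does not exist must make the EAP exchange
    fail (CTRL-EVENT-EAP-FAILURE) instead of silently proceeding without
    the configured parameters.
    """
    # NOTE(review): this function name is defined a second time later in
    # this file (the hostapd-side variant); the later definition shadows
    # this one, so this client-side test is never collected. One of them
    # should be renamed.
    # NOTE(review): the line marked "(restored)" is missing from this page
    # render and was reconstructed from the file's usual idiom; confirm
    # against upstream.
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/dh-no-such-file.conf",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:  # (restored)
        raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()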
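def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TTLS and invalid DH params file

    Client-side dh_file pointing at a file that is not DH parameters (the
    CA certificate) must make the EAP exchange fail rather than being
    ignored.
    """
    # NOTE(review): this function name is defined a second time later in
    # this file (the hostapd-side variant); the later definition shadows
    # this one, so this client-side test is never collected. One of them
    # should be renamed.
    # NOTE(review): the line marked "(restored)" is missing from this page
    # render and was reconstructed from the file's usual idiom; confirm
    # against upstream.
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/ca.pem",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:  # (restored)
        raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()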
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob

    The DH parameters are loaded into wpa_supplicant as a named blob over
    the control interface and referenced via dh_file="blob://dhparams".
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dh = read_pem("auth_serv/dh2.conf")
    # NOTE(review): str.encode("hex") is Python 2 only; binascii.hexlify()
    # would work on both Python versions.
    if "OK" not in dev[0].request("SET blob dhparams " + dh.encode("hex")):
        raise Exception("Could not set dhparams blob")
    # NOTE(review): docstring says CHAP but phase2 is PAP; one of them is stale.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="blob://dhparams")
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams

    hostapd-side dh_file override; the client connection must still
    complete (eap_connect fails the test otherwise).
    """
    params = int_eap_server_params()
    params["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP")
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)

    hostapd-side dh_file pointing at DSA-style parameters; the client
    connection must still complete.
    """
    params = int_eap_server_params()
    params["dh_file"] = "auth_serv/dsaparam.pem"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP")
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found

    hostapd is added with no_enable=True and a dh_file that does not exist;
    ENABLE must be rejected so the AP never comes up with a broken TLS
    configuration.
    """
    # NOTE(review): this redefines a name already used earlier in this
    # file for the client-side variant, shadowing that test; rename one of
    # them (e.g. with a _server suffix here).
    params = int_eap_server_params()
    params["dh_file"] = "auth_serv/dh-no-such-file.conf"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params, no_enable=True)
    if "FAIL" not in hapd.request("ENABLE"):
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file

    hostapd is added with no_enable=True and a dh_file that is not DH
    parameters (the CA certificate); ENABLE must be rejected.
    """
    # NOTE(review): this redefines a name already used earlier in this
    # file for the client-side variant, shadowing that test; rename one of
    # them (e.g. with a _server suffix here).
    params = int_eap_server_params()
    params["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params, no_enable=True)
    if "FAIL" not in hapd.request("ENABLE"):
        raise Exception("Invalid configuration accepted")
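def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication

    hostapd is configured with eap_reauth_period=2 so the authenticator
    triggers a new EAP exchange shortly after the initial connection. The
    test waits for EAP to start and succeed again and then polls until
    wpa_state returns to COMPLETED.
    """
    # NOTE(review): lines marked "(restored)" are missing from this page
    # render and were reconstructed from the file's usual idiom (the
    # poll sleep assumes the file imports time); confirm against upstream.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['eap_reauth_period'] = '2'
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    logger.info("Wait for reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:  # (restored)
        raise Exception("Timeout on reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:  # (restored)
        raise Exception("Timeout on reauthentication")
    # Poll wpa_state for up to ~2 s; the state machine may lag the event.
    state = None
    for _ in range(20):
        state = dev[0].get_status_field("wpa_state")
        if state == "COMPLETED":
            break  # (restored)
        time.sleep(0.1)  # (restored)
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")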
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity

    hostapd's eap_message carries a displayable string followed by a NUL
    separator and option list; the client must still complete the
    exchange (eap_connect fails the test otherwise).
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # The literal "\\0" is what hostapd's config parser expects as the
    # message/options separator, not an actual NUL byte.
    params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication

    For each of EAP-SIM, EAP-AKA and EAP-AKA', one station enables
    phase1="result_ind=1" (protected result indication) and is then
    reauthenticated, while a second station connects without it against
    the same hostapd that has eap_sim_aka_result_ind=1. Credentials are
    the fixed test vectors understood by hlr_auc_gw.
    """
    check_hlr_auc_gw_support()
    params = int_eap_server_params()
    params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    params['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], params)

    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                phase1="result_ind=1")
    eap_reauth(dev[0], "SIM")
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")

    dev[0].request("REMOVE_NETWORK all")
    dev[1].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                phase1="result_ind=1")
    eap_reauth(dev[0], "AKA")
    eap_connect(dev[1], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")

    dev[0].request("REMOVE_NETWORK all")
    dev[1].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                phase1="result_ind=1")
    eap_reauth(dev[0], "AKA'")
    eap_connect(dev[1], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
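def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips

    The client is forced into an excessive number of EAP round trips and
    the supplicant must abort with its "EAP: more than ..." limit rather
    than keep the exchange going indefinitely.
    """
    # NOTE(review): lines marked "(restored)" are missing from this page
    # render and were reconstructed from the file's usual idiom; the
    # fragment_size value in particular should be confirmed upstream.
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="TTLS", identity="mschap user",
                   wait_connect=False, scan_freq="2412", ieee80211w="1",
                   anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   fragment_size="10")  # (restored)
    ev = dev[0].wait_event(["EAP: more than"], timeout=20)
    if ev is None:  # (restored)
        raise Exception("EAP roundtrip limit not reached")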
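def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK

    The peer is configured for EAP-PSK only; the "vendor-test" identity
    is presumably mapped on the server to an expanded (vendor-specific)
    EAP type, so the peer has to answer with an expanded NAK. The test
    looks for the "refuse proposed method" status and then expects the
    exchange to end in EAP failure.
    """
    # NOTE(review): lines marked "(restored)" are missing from this page
    # render and were reconstructed from the file's usual idiom; confirm
    # against upstream.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="PSK", identity="vendor-test",
                   password_hex="ff23456789abcdef0123456789abcdef",
                   wait_connect=False)  # (restored)

    found = False  # (restored)
    for i in range(0, 5):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
        if ev is None:  # (restored)
            raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in ev:
            found = True  # (restored)
            break  # (restored)
    if not found:  # (restored)
        raise Exception("Unexpected EAP status: " + ev)

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:  # (restored)
        raise Exception("EAP failure timed out")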
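def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB

    Builds a small SQLite user database in the log directory (users with
    per-user allowed inner methods plus a wildcard row for outer methods)
    and points hostapd's eap_user_file at it; then authenticates four
    users with the matching EAP-TTLS inner methods.

    Note: the `params` argument is the test-framework fixture (used for
    'logdir'); it is later rebound to the hostapd parameter dict.
    """
    # NOTE(review): lines marked "(restored)" are missing from this page
    # render and were reconstructed from the file's usual idiom; two
    # further lines between the last cur.execute() and the hostapd setup
    # are not visible at all. Confirm against upstream.
    skip_with_fips(dev[0])
    try:  # (restored)
        import sqlite3  # (restored)
    except ImportError:  # (restored)
        raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    # Start from a clean database; a missing file is the normal case.
    try:  # (restored)
        os.remove(dbfile)  # (restored)
    except OSError:  # (restored)
        pass  # (restored)
    con = sqlite3.connect(dbfile)
    # The context manager commits on success so hostapd sees the rows.
    with con:  # (restored)
        cur = con.cursor()  # (restored)
        cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
        cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
        # Plaintext test passwords: the DB is a fixture, not a deployment
        # example.
        cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
        cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
        cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
        cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
        cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
        cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")

    params = int_eap_server_params()
    params["eap_user_file"] = "sqlite:" + dbfile
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
    eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")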
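def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Robustness check against the internal EAP server: identities made of
    or containing a non-ASCII byte must not crash or stall either side.
    Only EAP start and method selection are asserted, not a successful
    authentication.
    """
    # NOTE(review): lines marked "(restored)" are missing from this page
    # render and were reconstructed from the file's usual idiom; confirm
    # against upstream.
    params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:  # (restored)
            raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if ev is None:  # (restored)
            raise Exception("EAP method selection timed out")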
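def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Same check as test_ap_wpa2_eap_non_ascii_identity but against the
    default wpa2_eap_params() setup (external authentication server path)
    instead of the integrated EAP server.
    """
    # NOTE(review): lines marked "(restored)" are missing from this page
    # render and were reconstructed from the file's usual idiom; confirm
    # against upstream.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:  # (restored)
            raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if ev is None:  # (restored)
            raise Exception("EAP method selection timed out")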
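def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant

    Three client-side openssl_ciphers settings against an unmodified
    server: "AES128" must connect; "EXPORT" must fail (the failure may be
    raised locally before any server exchange, hence maybe_local_error);
    an unparsable string ("FOO") must surface as an EAP failure instead of
    silently falling back to the default cipher list.
    """
    # NOTE(review): lines marked "(restored)" are missing from this page
    # render and were reconstructed from the file's usual idiom; confirm
    # against upstream.
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="AES128",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="EXPORT",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                expect_failure=True, maybe_local_error=True)
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password",
                   openssl_ciphers="FOO",
                   ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                   wait_connect=False, scan_freq="2412")  # (restored)
    ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:  # (restored)
        raise Exception("EAP failure after invalid openssl_ciphers not reported")
    dev[2].request("DISCONNECT")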
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    hostapd is restricted to "AES256". A client with the default list
    connects; a client restricted to "AES128" has no suite in common and
    must fail; a client with "HIGH:!ADH" overlaps and connects. Finally an
    unparsable hostapd value ("FOO") must be rejected at ENABLE time.
    """
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls)
    params = int_eap_server_params()
    params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Both ends must be OpenSSL for the cipher-string semantics to apply.
    tls = hapd.request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="AES128",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                expect_failure=True)
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="HIGH:!ADH",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    params['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], params, no_enable=True)
    if "FAIL" not in hapd2.request("ENABLE"):
        raise Exception("Invalid openssl_ciphers value accepted")
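def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP

    Reads wpa_supplicant's process memory at four points - while
    associated, after disassociation, after PMKSA cache / EAP fast-reauth
    state is flushed, and after the network profile is removed - and
    checks that each piece of key material (password, PMK, MSK, EMSK,
    KCK, KEK, TK, GTK) is gone once nothing legitimately holds it. The
    key values themselves are recovered from the supplicant debug log.

    Note: the `params` argument is the test-framework fixture providing
    'logdir'; the hostapd parameters are kept in `p`.
    """
    # NOTE(review): lines marked "(restored)" are missing from this page
    # render and were reconstructed from the file's usual idiom and from
    # the matching PSK-side test (PTK split assumes CCMP: 16-byte KCK, KEK
    # and TK); confirm against upstream.
    p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], p)
    password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    pid = find_wpas_process(dev[0])
    net_id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
                         anonymous_identity="ttls", password=password,
                         ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
    # event has been delivered, so verify that wpa_supplicant has returned to
    # eloop before reading process memory.
    time.sleep(1)  # (restored)
    dev[0].ping()  # (restored)
    buf = read_process_memory(pid, password)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    dev[0].relog()  # (restored)
    msk = None  # (restored)
    emsk = None  # (restored)
    pmk = None  # (restored)
    ptk = None  # (restored)
    gtk = None  # (restored)
    # Each hexdump line is "<prefix>: <name> - hexdump(len=N): <hex bytes>";
    # field 3 after splitting on ':' is the hex payload.
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for l in f:
            if "EAP-TTLS: Derived key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                msk = binascii.unhexlify(val)
            if "EAP-TTLS: Derived EMSK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                emsk = binascii.unhexlify(val)
            if "WPA: PMK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                pmk = binascii.unhexlify(val)
            if "WPA: PTK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                ptk = binascii.unhexlify(val)
            if "WPA: Group Key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                gtk = binascii.unhexlify(val)
    if not msk or not emsk or not pmk or not ptk or not gtk:
        raise Exception("Could not find keys from debug log")
    if len(gtk) != 16:  # (restored)
        raise Exception("Unexpected GTK length")

    kck = ptk[0:16]  # (restored)
    kek = ptk[16:32]  # (restored)
    tk = ptk[32:48]  # (restored)

    fname = os.path.join(params['logdir'],
                         'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')

    logger.info("Checking keys in memory while associated")
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # Password/PMK absence is a skip (memory read may be incomplete); KCK
    # and KEK must be present while associated, TK and GTK must already
    # have been wiped after being handed to the driver.
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    if pmk not in buf:  # (restored)
        raise HwsimSkip("PMK not found while associated")
    if kck not in buf:  # (restored)
        raise Exception("KCK not found while associated")
    if kek not in buf:  # (restored)
        raise Exception("KEK not found while associated")
    if tk in buf:  # (restored)
        raise Exception("TK found from memory")
    if gtk in buf:  # (restored)
        get_key_locations(buf, gtk, "GTK")
        raise Exception("GTK found from memory")

    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, password)

    # Note: Password is still present in network configuration
    # Note: PMK is in PMKSA cache and EAP fast re-auth data

    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")

    dev[0].request("PMKSA_FLUSH")
    # Changing the identity invalidates the cached EAP fast re-auth state.
    dev[0].set_network_quoted(net_id, "identity", "foo")
    logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, pmk, fname, "PMK")

    dev[0].request("REMOVE_NETWORK all")

    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, password)

    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, password, fname, "password")
    verify_not_present(buf, pmk, fname, "PMK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    verify_not_present(buf, msk, fname, "MSK")
    verify_not_present(buf, emsk, fname, "EMSK")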
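def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
    """WPA2-Enterprise connection and unexpected WEP EAPOL-Key

    After a normal WPA2-Enterprise connection, an EAPOL-Key frame with
    descriptor type 1 (the legacy RC4/WEP key descriptor, see the 5th byte
    of the injected frame) is fed to the supplicant. Under WPA2 such a
    frame must be dropped rather than acted upon; the only check here is
    that the control-interface injection itself is accepted.
    """
    # NOTE(review): the line marked "(restored)" is missing from this page
    # render and was reconstructed from the file's usual idiom; confirm
    # against upstream.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    bssid = apdev[0]['bssid']
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    # Send unexpected WEP EAPOL-Key; this gets dropped
    res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
    if "OK" not in res:  # (restored)
        raise Exception("EAPOL_RX to wpa_supplicant failed")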
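def test_ap_wpa2_eap_in_bridge(dev, apdev):
    """WPA2-EAP and wpas interface in a bridge

    Wrapper that runs _test_ap_wpa2_eap_in_bridge() and always tears the
    bridge and 4addr mode down afterwards. Cleanup uses subprocess.call()
    deliberately: a step that already failed or was never set up must not
    mask the original test error.
    """
    # NOTE(review): lines marked "(restored)" are missing from this page
    # render and were reconstructed from the file's usual idiom; the
    # interface names must match those used in the helper. Confirm
    # against upstream.
    br_ifname = 'sta-br0'  # (restored)
    ifname = 'wlan5'  # (restored)
    try:  # (restored)
        _test_ap_wpa2_eap_in_bridge(dev, apdev)
    finally:  # (restored)
        subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
        subprocess.call(['brctl', 'delif', br_ifname, ifname])
        subprocess.call(['brctl', 'delbr', br_ifname])
        subprocess.call(['iw', ifname, 'set', '4addr', 'off'])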
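def _test_ap_wpa2_eap_in_bridge(dev, apdev):
    """Body of test_ap_wpa2_eap_in_bridge (no cleanup of its own).

    Puts a 4addr-enabled station interface into a Linux bridge, attaches a
    separate wpa_supplicant instance to it with br_ifname set, and checks
    that EAPOL still works across the bridge: initial connection, two
    reauthentications (the second as a regression test for the packet
    socket workaround) and a disconnect/reconnect cycle.
    """
    # NOTE(review): lines marked "(restored)" are missing from this page
    # render and were reconstructed from the file's usual idiom (the
    # single-line statements between the visible calls are presumably
    # wpas.dump_monitor()); confirm against upstream.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    br_ifname = 'sta-br0'  # (restored)
    ifname = 'wlan5'  # (restored)
    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    subprocess.call(['brctl', 'addbr', br_ifname])
    subprocess.call(['brctl', 'setfd', br_ifname, '0'])
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
    subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
    # addif is the one step that must succeed for the test to mean anything.
    subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
    wpas.interface_add(ifname, br_ifname=br_ifname)
    wpas.dump_monitor()  # (restored)

    net_id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
                         password_hex="0123456789abcdef0123456789abcdef")
    wpas.dump_monitor()  # (restored)
    eap_reauth(wpas, "PAX")
    wpas.dump_monitor()  # (restored)
    # Try again as a regression test for packet socket workaround
    eap_reauth(wpas, "PAX")
    wpas.dump_monitor()  # (restored)
    wpas.request("DISCONNECT")
    wpas.wait_disconnected()
    wpas.dump_monitor()  # (restored)
    wpas.request("RECONNECT")
    wpas.wait_connected()
    wpas.dump_monitor()  # (restored)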
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled

    phase1="tls_disable_session_ticket=0" explicitly allows TLS session
    tickets on the client; eap_reauth() then exercises the resumption
    path. The GET_CONFIG check guards that the AP really is in WPA-EAP
    mode before the EAP exchange is attempted.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    key_mgmt = hapd.get_config()['key_mgmt']
    if key_mgmt.split(' ')[0] != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
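def test_ap_wpa2_eap_no_workaround(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0

    With eap_workaround='0' the peer runs without its interoperability
    workarounds; initial connection and reauthentication must still work
    against hostapd's server.
    """
    # NOTE(review): the line marked "(restored)" is missing from this page
    # render and was reconstructed from the file's usual idiom; confirm
    # against upstream.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    key_mgmt = hapd.get_config()['key_mgmt']
    if key_mgmt.split(' ')[0] != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")  # (restored)
    eap_reauth(dev[0], "TTLS")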
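def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
    """EAP-TLS and server checking CRL

    hostapd's check_crl is enabled for the client certificate. Without a
    CRL loaded the server must fail closed and reject the client; once a
    CA bundle containing a CRL is configured the same client is accepted
    with both check_crl=1 and check_crl=2.
    """
    # NOTE(review): lines marked "(restored)" are missing from this page
    # render and were reconstructed from the file's usual idiom; confirm
    # against upstream.
    params = int_eap_server_params()
    params['check_crl'] = '1'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # check_crl=1 and no CRL available --> reject connection
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # The TLS context is rebuilt on enable, so reconfigure while disabled.
    hapd.disable()  # (restored)
    hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
    hapd.enable()  # (restored)

    # check_crl=1 and valid CRL --> accept
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")

    hapd.disable()  # (restored)
    hapd.set("check_crl", "2")
    hapd.enable()  # (restored)

    # check_crl=2 and valid CRL --> accept
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")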
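def test_ap_wpa2_eap_tls_oom(dev, apdev):
    """EAP-TLS and OOM

    Injects an allocation failure into the client's TLS parameter setup
    (tls_connection_set_subject_match, at increasing allocation counts).
    The failure must be fail-closed: no connection is attempted with a
    partially applied matching policy, and the supplicant instead asks
    for the passphrase (CTRL-REQ-PASSPHRASE) as it does for any TLS
    parameter configuration error.
    """
    # NOTE(review): the line marked "(restored)" is missing from this page
    # render and was reconstructed from the file's usual idiom; confirm
    # against upstream.
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    check_domain_match(dev[0])
    check_domain_match_full(dev[0])

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    tests = [(1, "tls_connection_set_subject_match"),
             (2, "tls_connection_set_subject_match"),
             (3, "tls_connection_set_subject_match"),
             (4, "tls_connection_set_subject_match")]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                           identity="tls user", ca_cert="auth_serv/ca.pem",
                           client_cert="auth_serv/user.pem",
                           private_key="auth_serv/user.key",
                           subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                           altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
                           domain_suffix_match="server.w1.fi",
                           domain_match="server.w1.fi",
                           wait_connect=False, scan_freq="2412")
            # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
            ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
            if ev is None:  # (restored)
                raise Exception("No passphrase request")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()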
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL

    macaddr_acl=2 makes hostapd consult the authentication server for the
    station's MAC address before EAP; the EAP-TLS connection from dev[1]
    must still complete.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params["macaddr_acl"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[1], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
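def test_ap_wpa2_eap_oom(dev, apdev):
    """EAP server and OOM

    Injects one allocation failure into hostapd's eapol_auth_alloc. The
    first authentication attempt fails on the AP side; the station's
    EAPOL-Start retry must then succeed, so connect() is allowed to wait
    for the connection.
    """
    # NOTE(review): lines marked "(restored)" are missing from this page
    # render and were reconstructed from the file's usual idiom; confirm
    # against upstream.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)

    with alloc_fail(hapd, 1, "eapol_auth_alloc"):
        # The first attempt fails, but STA will send EAPOL-Start to retry and
        # that succeeds.  (restored)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       scan_freq="2412")  # (restored)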
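def check_tls_ver(dev, ap, phase1, expected):
    """Connect with EAP-TLS using *phase1* and assert the negotiated TLS version.

    Args:
        dev: wpa_supplicant instance (WpaSupplicant-like) to connect with.
        ap: apdev entry for the AP to connect to.
        phase1: phase1 string (e.g. tls_disable_tlsv1_0=1 ...) passed to
            the network profile.
        expected: value that the eap_tls_version status field must equal.

    Raises:
        Exception: when the negotiated version differs from *expected*
            (eap_connect raises on its own if the connection fails).
    """
    # NOTE(review): lines marked "(restored)" are missing from this page
    # render and were reconstructed from the file's usual idiom; confirm
    # against upstream.
    eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
                phase1=phase1)  # (restored)
    ver = dev.get_status_field("eap_tls_version")
    if ver != expected:  # (restored)
        raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))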
def test_ap_wpa2_eap_tls_versions(dev, apdev):
    """EAP-TLS and TLS version configuration"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # Disabling TLS 1.0 and 1.1 must leave TLS 1.2 as the negotiated version.
    # With OpenSSL this is only checked when both build and runtime library
    # are 1.0.2; other OpenSSL versions are not checked here.
    disable_10_11 = "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1"
    tls = dev[0].request("GET tls_library")
    if tls.startswith("OpenSSL"):
        if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
            check_tls_ver(dev[0], apdev[0], disable_10_11, "TLSv1.2")
    elif tls.startswith("internal"):
        check_tls_ver(dev[0], apdev[0], disable_10_11, "TLSv1.2")
    # Pinning to a single older version must also be honoured.
    check_tls_ver(dev[1], apdev[0],
                  "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
    check_tls_ver(dev[2], apdev[0],
                  "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
def test_rsn_ie_proto_eap_sta(dev, apdev):
    """RSN element protocol testing for EAP cases on STA side"""
    # NOTE(review): the rendered listing this was rebuilt from dropped a few
    # short lines of this function (the last element of the test list, the
    # logger.info(txt) line and the hapd.disable()/hapd.enable() pair around
    # the own_ie_override update); they were restored - verify upstream.
    sta = dev[0]
    bssid = apdev[0]['bssid']
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # This is the RSN element used normally by hostapd
    ap_params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    netid = sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                        identity="gpsk user",
                        password="abcdefghijklmnop0123456789abcdef",
                        scan_freq="2412")

    # Progressively truncated RSN elements advertised by the AP; the station
    # is expected to parse each of them and still complete the connection.
    truncated = [ ('No RSN Capabilities field',
                   '30120100000fac040100000fac040100000fac01'),
                  ('No AKM Suite fields',
                   '300c0100000fac040100000fac04'),
                  ('No Pairwise Cipher Suite fields',
                   '30060100000fac04'),
                  ('No Group Data Cipher Suite field',
                   '30020100') ]
    for txt, ie in truncated:
        sta.request("DISCONNECT")
        sta.wait_disconnected()
        logger.info(txt)
        hapd.disable()
        hapd.set('own_ie_override', ie)
        hapd.enable()
        # Drop the cached scan result so the new RSN element is what gets
        # used for the next association.
        sta.request("BSS_FLUSH 0")
        sta.scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
        sta.select_network(netid, freq=2412)
        sta.wait_connected()
def check_tls_session_resumption_capa(dev, hapd):
    # The resumption tests need OpenSSL on both ends: the hostapd side is
    # checked first, then the station.
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)

    sta_tls = dev.request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("Session resumption not supported with this TLS library: " + sta_tls)
def test_eap_ttls_pap_session_resumption(dev, apdev):
    """EAP-TTLS/PAP session resumption"""
    sta = dev[0]
    srv_params = int_eap_server_params()
    # Keep server-side TLS sessions cached for a minute so that the second
    # EAP exchange can resume instead of doing a full handshake.
    srv_params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv_params)
    check_tls_session_resumption_capa(sta, hapd)
    eap_connect(sta, apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Second EAP exchange on the same association: must report a resumed
    # TLS session ("tls_session_reused" == '1').
    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_chap_session_resumption(dev, apdev):
    """EAP-TTLS/CHAP session resumption"""
    sta = dev[0]
    srv_params = int_eap_server_params()
    # Server keeps TLS sessions for 60 s so the re-authentication below can
    # be an abbreviated handshake.
    srv_params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv_params)
    check_tls_session_resumption_capa(sta, hapd)
    # The DER-encoded CA certificate is used here (the PAP variant uses PEM).
    eap_connect(sta, apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_mschap_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAP session resumption"""
    sta = dev[0]
    # domain_suffix_match is part of the network profile below, so skip on
    # TLS libraries that cannot enforce it.
    check_domain_suffix_match(sta)
    srv_params = int_eap_server_params()
    srv_params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv_params)
    check_tls_session_resumption_capa(sta, hapd)
    eap_connect(sta, apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAPv2 session resumption"""
    sta = dev[0]
    check_domain_suffix_match(sta)
    check_eap_capa(sta, "MSCHAPV2")
    srv_params = int_eap_server_params()
    srv_params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv_params)
    check_tls_session_resumption_capa(sta, hapd)
    # Identity carries a DOMAIN\ prefix (kept as a literal backslash in the
    # non-raw string, as in the original).
    eap_connect(sta, apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
    """EAP-TTLS/EAP-GTC session resumption"""
    sta = dev[0]
    srv_params = int_eap_server_params()
    srv_params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv_params)
    check_tls_session_resumption_capa(sta, hapd)
    # Inner method is an EAP method (autheap=GTC) rather than a legacy
    # PAP/CHAP/MSCHAP phase 2.
    eap_connect(sta, apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_no_session_resumption(dev, apdev):
    """EAP-TTLS session resumption disabled on server"""
    sta = dev[0]
    srv_params = int_eap_server_params()
    # Lifetime 0 disables the server-side session cache; no capability check
    # is needed because nothing is expected to be resumed.
    srv_params['tls_session_lifetime'] = '0'
    hostapd.add_ap(apdev[0]['ifname'], srv_params)
    eap_connect(sta, apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Even the second exchange must be a full handshake.
    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_peap_session_resumption(dev, apdev):
    """EAP-PEAP session resumption"""
    sta = dev[0]
    srv_params = int_eap_server_params()
    srv_params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv_params)
    check_tls_session_resumption_capa(sta, hapd)
    eap_connect(sta, apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
    """EAP-PEAP session resumption with crypto binding"""
    sta = dev[0]
    srv_params = int_eap_server_params()
    srv_params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv_params)
    check_tls_session_resumption_capa(sta, hapd)
    # PEAPv0 with crypto_binding=2 (binding required) - the resumed session
    # must still satisfy the binding on re-authentication.
    eap_connect(sta, apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                phase1="peapver=0 crypto_binding=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_peap_no_session_resumption(dev, apdev):
    """EAP-PEAP session resumption disabled on server"""
    sta = dev[0]
    # tls_session_lifetime is left at its default here; the checks below
    # expect that default to mean "no session cache".
    srv_params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], srv_params)
    eap_connect(sta, apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_tls_session_resumption(dev, apdev):
    """EAP-TLS session resumption"""
    sta = dev[0]
    srv_params = int_eap_server_params()
    srv_params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv_params)
    check_tls_session_resumption_capa(sta, hapd)
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    def reauthenticate():
        # Run a fresh EAP exchange on the existing association and wait for
        # both EAP success and the subsequent key handshake.
        sta.request("REAUTHENTICATE")
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")

    # The cached session has to be resumable more than once within its
    # lifetime, so check two consecutive re-authentications.
    reauthenticate()
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")

    reauthenticate()
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the third connection")
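def test_eap_tls_session_resumption_expiration(dev, apdev):
    """EAP-TLS session resumption expiration"""
    # NOTE(review): the comment block, loop header and sleep between the
    # first connection and the REAUTHENTICATE were not visible in the
    # rendered listing this was rebuilt from; restored as a bounded retry
    # loop - verify against upstream. The docstring previously duplicated
    # test_eap_tls_session_resumption's description and is now distinct.
    sta = dev[0]
    srv_params = int_eap_server_params()
    # Shortest cache lifetime so the entry expires while the test runs.
    srv_params['tls_session_lifetime'] = '1'
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv_params)
    check_tls_session_resumption_capa(sta, hapd)
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Allow multiple attempts since OpenSSL may not expire the cached entry
    # exactly at the lifetime boundary; stop as soon as a full handshake
    # (no resumption) is observed.
    for _ in range(10):
        time.sleep(1.2)
        sta.request("REAUTHENTICATE")
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")
        if sta.get_status_field("tls_session_reused") == '0':
            break
    # An expired session must never be resumed, even if the server still
    # holds the stale cache entry.
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Session resumption used after lifetime expiration")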
def test_eap_tls_no_session_resumption(dev, apdev):
    """EAP-TLS session resumption disabled on server"""
    sta = dev[0]
    # Default tls_session_lifetime (not set) - both exchanges below are
    # expected to be full handshakes.
    srv_params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], srv_params)
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_tls_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption (RADIUS)"""
    # NOTE(review): the "eap_server": "1" entry of the server parameters was
    # not visible in the rendered listing and was restored - verify upstream.
    sta = dev[0]
    # A second hostapd instance acts as a standalone RADIUS/EAP server on
    # port 18128; the AP forwards EAP to it over RADIUS, so the TLS session
    # cache under test lives in the authentication server, not in the AP.
    as_params = { "ssid": "as", "beacon_int": "2000",
                  "radius_server_clients": "auth_serv/radius_clients.conf",
                  "radius_server_auth_port": '18128',
                  "eap_server": "1",
                  "eap_user_file": "auth_serv/eap_user.conf",
                  "ca_cert": "auth_serv/ca.pem",
                  "server_cert": "auth_serv/server.pem",
                  "private_key": "auth_serv/server.key",
                  "tls_session_lifetime": "60" }
    authsrv = hostapd.add_ap(apdev[1]['ifname'], as_params)
    check_tls_session_resumption_capa(sta, authsrv)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_tls_no_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption disabled (RADIUS)"""
    # NOTE(review): the "eap_server": "1" entry of the server parameters was
    # not visible in the rendered listing and was restored - verify upstream.
    sta = dev[0]
    # Standalone RADIUS/EAP server with the TLS session cache disabled
    # (tls_session_lifetime 0).
    as_params = { "ssid": "as", "beacon_int": "2000",
                  "radius_server_clients": "auth_serv/radius_clients.conf",
                  "radius_server_auth_port": '18128',
                  "eap_server": "1",
                  "eap_user_file": "auth_serv/eap_user.conf",
                  "ca_cert": "auth_serv/ca.pem",
                  "server_cert": "auth_serv/server.pem",
                  "private_key": "auth_serv/server.key",
                  "tls_session_lifetime": "0" }
    hostapd.add_ap(apdev[1]['ifname'], as_params)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_mschapv2_errors(dev, apdev):
    """EAP-MSCHAPv2 error cases"""
    sta = dev[0]
    check_eap_capa(sta, "MSCHAPV2")
    check_eap_capa(sta, "FAST")

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Baseline: plain EAP-MSCHAPv2 succeeds before any fault is injected.
    sta.connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                identity="phase1-user", password="password",
                scan_freq="2412")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()

    def run_cases(cases, inject, trigger, **net):
        # For each (count, func) case: arm the injected failure, start a
        # connection, wait until the instrumented function was hit, then
        # remove the network so the next case starts clean.
        for count, func in cases:
            with inject(sta, count, func):
                sta.connect("test-wpa-eap", key_mgmt="WPA-EAP",
                            wait_connect=False, scan_freq="2412", **net)
                wait_fail_trigger(sta, trigger)
                sta.request("REMOVE_NETWORK all")
                sta.wait_disconnected()

    # Crypto primitive failures in the password-based response derivation.
    # "nt_password_hash;=mschapv2_derive_response" is listed twice in the
    # original; kept as-is so the number of iterations is unchanged.
    run_cases([ (1, "hash_nt_password_hash;mschapv2_derive_response"),
                (1, "nt_password_hash;mschapv2_derive_response"),
                (1, "nt_password_hash;=mschapv2_derive_response"),
                (1, "generate_nt_response;mschapv2_derive_response"),
                (1, "generate_authenticator_response;mschapv2_derive_response"),
                (1, "nt_password_hash;=mschapv2_derive_response"),
                (1, "get_master_key;mschapv2_derive_response"),
                (1, "os_get_random;eap_mschapv2_challenge_reply") ],
              fail_test, "GET_FAIL",
              eap="MSCHAPV2", identity="phase1-user", password="password")

    # Same derivation, but starting from a pre-computed NT password hash.
    run_cases([ (1, "hash_nt_password_hash;mschapv2_derive_response"),
                (1, "hash_nt_password_hash;=mschapv2_derive_response"),
                (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
                (1, "generate_authenticator_response_pwhash;mschapv2_derive_response") ],
              fail_test, "GET_FAIL",
              eap="MSCHAPV2", identity="phase1-user",
              password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c")

    # Memory allocation failures along the success path.
    run_cases([ (1, "eap_mschapv2_init"),
                (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
                (1, "eap_msg_alloc;eap_mschapv2_success"),
                (1, "eap_mschapv2_getKey") ],
              alloc_fail, "GET_ALLOC_FAIL",
              eap="MSCHAPV2", identity="phase1-user", password="password")

    # Allocation failure while building the failure response (wrong password).
    run_cases([ (1, "eap_msg_alloc;eap_mschapv2_failure") ],
              alloc_fail, "GET_ALLOC_FAIL",
              eap="MSCHAPV2", identity="phase1-user", password="wrong password")

    # eap_mschapv2_init as the inner method of EAP-FAST (2nd and 3rd call).
    run_cases([ (2, "eap_mschapv2_init"),
                (3, "eap_mschapv2_init") ],
              alloc_fail, "GET_ALLOC_FAIL",
              eap="FAST", anonymous_identity="FAST", identity="user",
              password="password",
              ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
              phase1="fast_provisioning=1",
              pac_file="blob://fast_pac")
def test_eap_gpsk_errors(dev, apdev):
    """EAP-GPSK error cases"""
    # NOTE(review): the per-case phase1 values ("cipher=1" on the AES-based
    # entries, "cipher=2" on the HMAC-SHA256 ones) were not visible in the
    # rendered listing and were restored from the paired function names;
    # verify against upstream.
    sta = dev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    psk = "abcdefghijklmnop0123456789abcdef"
    # Baseline: EAP-GPSK succeeds without injected faults.
    sta.connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                identity="gpsk user", password=psk, scan_freq="2412")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()

    # (count, instrumented function, phase1) - crypto/RNG failures.
    fail_cases = [ (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
                   (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
                    "cipher=1"),
                   (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
                    "cipher=2"),
                   (1, "eap_gpsk_derive_keys_helper", None),
                   (2, "eap_gpsk_derive_keys_helper", None),
                   (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
                    "cipher=1"),
                   (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
                    "cipher=2"),
                   (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
                   (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
                   (1, "eap_gpsk_derive_mid_helper", None) ]
    for count, func, phase1 in fail_cases:
        with fail_test(sta, count, func):
            sta.connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                        identity="gpsk user", password=psk,
                        phase1=phase1,
                        wait_connect=False, scan_freq="2412")
            wait_fail_trigger(sta, "GET_FAIL")
            sta.request("REMOVE_NETWORK all")
            sta.wait_disconnected()

    # (count, instrumented function) - memory allocation failures, with ERP
    # enabled so the EMSK/session-id derivations are exercised too.
    alloc_cases = [ (1, "eap_gpsk_init"),
                    (2, "eap_gpsk_init"),
                    (3, "eap_gpsk_init"),
                    (1, "eap_gpsk_process_id_server"),
                    (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
                    (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
                    (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
                    (1, "eap_gpsk_derive_keys"),
                    (1, "eap_gpsk_derive_keys_helper"),
                    (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
                    (1, "eap_gpsk_getKey"),
                    (1, "eap_gpsk_get_emsk"),
                    (1, "eap_gpsk_get_session_id") ]
    for count, func in alloc_cases:
        with alloc_fail(sta, count, func):
            # Clear cached ERP state before each erp=1 attempt, presumably so
            # every case starts with a full EAP exchange.
            sta.request("ERP_FLUSH")
            sta.connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                        identity="gpsk user", erp="1",
                        password=psk,
                        wait_connect=False, scan_freq="2412")
            wait_fail_trigger(sta, "GET_ALLOC_FAIL")
            sta.request("REMOVE_NETWORK all")
            sta.wait_disconnected()
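def test_ap_wpa2_eap_sim_db(dev, apdev, params):
    """EAP-SIM DB error cases"""
    # NOTE(review): the rendered listing this was rebuilt from dropped a few
    # short lines (the os.remove() guard, both handle() signatures, the
    # hlr_auc_gw argument line, server.timeout and cmd.stdout.close());
    # they were restored from the surrounding code - verify upstream.
    sta = dev[0]
    sockpath = '/tmp/hlr_auc_gw.sock-test'
    # Drop a socket file left behind by an earlier run. Only "not there" is
    # the expected failure, so catch OSError instead of a bare except that
    # would also swallow KeyboardInterrupt and real bugs.
    try:
        os.remove(sockpath)
    except OSError:
        pass
    hparams = int_eap_server_params()
    # Point the internal EAP server's SIM DB at a socket nobody serves yet.
    hparams['eap_sim_db'] = 'unix:' + sockpath
    hostapd.add_ap(apdev[0]['ifname'], hparams)

    # Initial test with hlr_auc_gw socket not available: the authentication
    # must fail cleanly (EAP-Failure) rather than hang.
    netid = sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                        eap="SIM", identity="1232010000000000",
                        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                        scan_freq="2412", wait_connect=False)
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP-Failure not reported")
    sta.wait_disconnected()
    sta.request("DISCONNECT")

    # Test with invalid responses and response timeout: a fake hlr_auc_gw
    # answers with strings the EAP-SIM DB response parser has to reject and
    # then stays silent so the pending request times out in hostapd.
    class test_handler(SocketServer.DatagramRequestHandler):
        def handle(self):
            data = self.request[0].strip()
            socket = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            # EAP-SIM DB: Failed to parse response string
            socket.sendto("FOO", self.client_address)
            # EAP-SIM DB: Failed to parse response string
            socket.sendto("FOO 1", self.client_address)
            # EAP-SIM DB: Unknown external response
            socket.sendto("FOO 1 2", self.client_address)
            logger.info("No proper response - wait for pending eap_sim_db request timeout")

    server = SocketServer.UnixDatagramServer(sockpath, test_handler)
    # Bound handle_request() so a missing request cannot block the test.
    server.timeout = 1

    sta.select_network(netid)
    server.handle_request()
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP-Failure not reported")
    sta.wait_disconnected()
    sta.request("DISCONNECT")

    # Test with a valid response: hand the request to the real hlr_auc_gw
    # binary operating on the Milenage DB from the log directory. The
    # request text is passed as one argv element (no shell), so nothing in
    # it is ever shell-interpreted.
    class test_handler2(SocketServer.DatagramRequestHandler):
        def handle(self):
            data = self.request[0].strip()
            socket = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            fname = os.path.join(params['logdir'],
                                 'hlr_auc_gw.milenage_db')
            cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
                                    '-m', fname, data],
                                   stdout=subprocess.PIPE)
            res = cmd.stdout.read().strip()
            cmd.stdout.close()
            # Reap the helper process so it does not linger as a zombie.
            cmd.wait()
            logger.debug("hlr_auc_gw response: " + res)
            socket.sendto(res, self.client_address)

    server.RequestHandlerClass = test_handler2

    sta.select_network(netid)
    server.handle_request()
    sta.wait_connected()
    sta.request("DISCONNECT")
    sta.wait_disconnected()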
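def test_eap_tls_sha512(dev, apdev, params):
    """EAP-TLS with SHA512 signature"""
    # The hostapd parameter dict is kept in its own name so the run-tests
    # `params` argument (log directory etc.) is no longer shadowed.
    srv_params = int_eap_server_params()
    srv_params["ca_cert"] = "auth_serv/sha512-ca.pem"
    srv_params["server_cert"] = "auth_serv/sha512-server.pem"
    srv_params["private_key"] = "auth_serv/sha512-server.key"
    hostapd.add_ap(apdev[0]['ifname'], srv_params)

    # Both stations validate the SHA-512-signed server chain; dev[0] presents
    # a SHA-512-signed client certificate, dev[1] a SHA-384-signed one.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha512-user.pem",
                   private_key="auth_serv/sha512-user.key",
                   scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha384-user.pem",
                   private_key="auth_serv/sha384-user.key",
                   scan_freq="2412")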
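def test_eap_tls_sha384(dev, apdev, params):
    """EAP-TLS with SHA384 signature"""
    # The hostapd parameter dict is kept in its own name so the run-tests
    # `params` argument (log directory etc.) is no longer shadowed.
    srv_params = int_eap_server_params()
    srv_params["ca_cert"] = "auth_serv/sha512-ca.pem"
    srv_params["server_cert"] = "auth_serv/sha384-server.pem"
    srv_params["private_key"] = "auth_serv/sha384-server.key"
    hostapd.add_ap(apdev[0]['ifname'], srv_params)

    # Server certificate is SHA-384-signed under the SHA-512 CA; dev[0] uses
    # a SHA-512-signed client certificate, dev[1] a SHA-384-signed one.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha512-user.pem",
                   private_key="auth_serv/sha512-user.key",
                   scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha384-user.pem",
                   private_key="auth_serv/sha384-user.key",
                   scan_freq="2412")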
def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
    """WPA2-Enterprise AP and association request RSN IE differences"""
    # NOTE(review): the logger.info("Testing: " + title) line opening each
    # loop body and the trailing scan_freq arguments were not visible in the
    # rendered listing and were restored - verify against upstream.
    sta = dev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # Second AP requires management frame protection (ieee80211w=2).
    pmf_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
    pmf_params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[1]['ifname'], pmf_params)

    gpsk = dict(eap="GPSK", identity="gpsk user",
                password="abcdefghijklmnop0123456789abcdef")

    def expect_accept(ssid, cases, **net):
        # Each overridden association-request RSN IE must still be accepted
        # by the AP and the connection must complete.
        for title, ie in cases:
            logger.info("Testing: " + title)
            set_test_assoc_ie(sta, ie)
            sta.connect(ssid, key_mgmt="WPA-EAP", scan_freq="2412",
                        **dict(gpsk, **net))
            sta.request("REMOVE_NETWORK all")
            sta.wait_disconnected()

    def expect_reject(ssid, cases, **net):
        # Each overridden RSN IE must be refused with the given IEEE 802.11
        # status code rather than accepted or silently dropped.
        for title, ie, status in cases:
            logger.info("Testing: " + title)
            set_test_assoc_ie(sta, ie)
            sta.connect(ssid, key_mgmt="WPA-EAP", scan_freq="2412",
                        wait_connect=False, **dict(gpsk, **net))
            ev = sta.wait_event(["CTRL-EVENT-ASSOC-REJECT"])
            if ev is None:
                raise Exception("Association rejection not reported")
            if "status_code=" + str(status) not in ev:
                raise Exception("Unexpected status code: " + ev)
            sta.request("REMOVE_NETWORK all")
            sta.dump_monitor()

    # Success cases with optional RSN IE fields removed one by one
    expect_accept("test-wpa2-eap",
                  [ ("Normal wpa_supplicant assoc req RSN IE",
                     "30140100000fac040100000fac040100000fac010000"),
                    ("Extra PMKIDCount field in RSN IE",
                     "30160100000fac040100000fac040100000fac0100000000"),
                    ("Extra Group Management Cipher Suite in RSN IE",
                     "301a0100000fac040100000fac040100000fac0100000000000fac06"),
                    ("Extra undefined extension field in RSN IE",
                     "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
                    ("RSN IE without RSN Capabilities",
                     "30120100000fac040100000fac040100000fac01"),
                    ("RSN IE without AKM", "300c0100000fac040100000fac04"),
                    ("RSN IE without pairwise", "30060100000fac04"),
                    ("RSN IE without group", "30020100") ])

    # PMF-required AP: station signals MFPC/MFPR (capabilities 0xcc00).
    expect_accept("test-wpa2-eap-11w",
                  [ ("Normal wpa_supplicant assoc req RSN IE",
                     "30140100000fac040100000fac040100000fac01cc00"),
                    ("Group management cipher included in assoc req RSN IE",
                     "301a0100000fac040100000fac040100000fac01cc000000000fac06") ],
                  ieee80211w="1")

    # 41 = invalid group cipher, 42 = invalid pairwise cipher.
    expect_reject("test-wpa2-eap",
                  [ ("Invalid group cipher", "30060100000fac02", 41),
                    ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42) ])

    # 31 = robust management frame policy violation: the AP requires PMF and
    # must refuse a station that does not commit to it or that offers an
    # unsupported management group cipher.
    expect_reject("test-wpa2-eap-11w",
                  [ ("Management frame protection not enabled",
                     "30140100000fac040100000fac040100000fac010000", 31),
                    ("Unsupported management group cipher",
                     "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 31) ],
                  ieee80211w="1")
def test_eap_tls_ext_cert_check(dev, apdev):
    """EAP-TLS and external server certification validation"""
    # With internal server certificate chain validation: ca_cert is set,
    # so the supplicant's own chain check runs alongside the external
    # tls_ext_cert_check hook exercised by run_ext_cert_check().
    # The profile is added only (only_add_network=True); selecting it and
    # driving the CTRL-REQ-EXT_CERT_CHECK exchange is left to the helper.
    profile = {
        "key_mgmt": "WPA-EAP",
        "eap": "TLS",
        "identity": "tls user",
        "ca_cert": "auth_serv/ca.pem",
        "client_cert": "auth_serv/user.pem",
        "private_key": "auth_serv/user.key",
        "phase1": "tls_ext_cert_check=1",
        "scan_freq": "2412",
        "only_add_network": True,
    }
    net_id = dev[0].connect("test-wpa2-eap", **profile)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_ttls_ext_cert_check(dev, apdev):
    """EAP-TTLS and external server certification validation"""
    # Without internal server certificate chain validation: no ca_cert is
    # configured for this profile, so the external tls_ext_cert_check hook
    # driven by run_ext_cert_check() is exercised without the supplicant's
    # own chain check. The profile is only added here; the helper selects it.
    ttls_args = dict(
        key_mgmt="WPA-EAP",
        eap="TTLS",
        identity="pap user",
        anonymous_identity="ttls",
        password="password",
        phase2="auth=PAP",
        phase1="tls_ext_cert_check=1",
        scan_freq="2412",
        only_add_network=True,
    )
    net_id = dev[0].connect("test-wpa2-eap", **ttls_args)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_peap_ext_cert_check(dev, apdev):
    """EAP-PEAP and external server certification validation"""
    # With internal server certificate chain validation (ca_cert is set).
    # Inner method is MSCHAPv2 over PEAP; the external tls_ext_cert_check
    # exchange itself is driven by run_ext_cert_check() after the profile,
    # added here with only_add_network=True, has been selected there.
    ssid = "test-wpa2-eap"
    tls_opts = {
        "ca_cert": "auth_serv/ca.pem",
        "phase1": "tls_ext_cert_check=1",
    }
    peap_opts = {
        "key_mgmt": "WPA-EAP",
        "eap": "PEAP",
        "identity": "user",
        "anonymous_identity": "peap",
        "password": "password",
        "phase2": "auth=MSCHAPV2",
        "scan_freq": "2412",
        "only_add_network": True,
    }
    net_id = dev[0].connect(ssid, **peap_opts, **tls_opts)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_fast_ext_cert_check(dev, apdev):
    """EAP-FAST and external server certification validation"""
    check_eap_capa(dev[0], "FAST")
    # With internal server certificate chain validation
    # Reset the PAC blob referenced by pac_file below before the run;
    # run_ext_cert_check() issues the same SET blob again before its
    # RECONNECT (presumably so no PAC from an earlier attempt is reused).
    dev[0].request("SET blob fast_pac_auth_ext ")
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                        identity="user", anonymous_identity="FAST",
                        ca_cert="auth_serv/ca.pem",
                        password="password", phase2="auth=GTC",
                        phase1="tls_ext_cert_check=1 fast_provisioning=2",
                        pac_file="blob://fast_pac_auth_ext",
                        # NOTE(review): original line 4609 is not rendered on
                        # this page; the sibling test_eap_*_ext_cert_check
                        # tests pass scan_freq="2412" at this point -- confirm
                        # against the upstream file.
                        only_add_network=True)
    # The profile is only added here; selection and the external
    # CTRL-REQ-EXT_CERT_CHECK exchange happen in the helper.
    run_ext_cert_check(dev, apdev, id)
def run_ext_cert_check(dev, apdev, net_id):
    """Exercise the supplicant's external server certificate check hook.

    The caller has already added a network profile with
    phase1="tls_ext_cert_check=1" (see the test_eap_*_ext_cert_check tests
    above); net_id is the id of that profile. This helper brings up the AP,
    selects the profile, collects the server certificate chain that dev[0]
    reports through CTRL-EVENT-EAP-PEER-CERT, checks the subject CNs with
    the OpenSSL python module, and then answers CTRL-REQ-EXT_CERT_CHECK
    once with ":good" (the connection must complete) and, after a fresh
    RECONNECT, once with ":bad" (EAP-Failure must follow).

    Raises HwsimSkip when the build or the python environment lacks the
    needed support, and a plain Exception on any deviation from the
    expected event sequence.

    NOTE(review): this page's rendering dropped several original source
    lines (the gaps in the gutter numbering: 4622-4623, 4627, 4630-4631,
    4633, 4644-4645, 4647, 4651, 4656, 4666, 4680, 4685). Each gap is
    marked inline below with what it presumably held; confirm against the
    upstream file before relying on this listing.
    """
    check_ext_cert_check_support(dev[0])
    # The CN checks below use OpenSSL.crypto; skip rather than fail when
    # the module could not be imported at module load.
    if not openssl_imported:
        raise HwsimSkip("OpenSSL python method not available")

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # hapd is not referenced again; the AP only has to be up.
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    dev[0].select_network(net_id)
    # [original lines 4622-4623 not rendered: presumably the initialisation
    #  of the `certs` dict used below and the header of the loop that
    #  encloses the event handling down to line 4643 -- confirm upstream]
        # Wait for a certificate report, the external-check request, or a
        # premature EAP-Success; a timeout is a test failure.
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
                                "CTRL-REQ-EXT_CERT_CHECK",
                                "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        # [original line 4627 not rendered: presumably the None/timeout
        #  check guarding the raise below]
            raise Exception("No peer server certificate event seen")
        if "CTRL-EVENT-EAP-PEER-CERT" in ev:
            # [original lines 4630-4631 not rendered: presumably reset
            #  `depth` and `cert` so that a report lacking either field is
            #  skipped by the check below]
            # The event body is space-separated key=value tokens; only
            # depth= and cert= are consumed here.
            vals = ev.split(' ')
            # [original line 4633 not rendered: presumably the loop over
            #  `vals` that binds `v`]
                if v.startswith("depth="):
                    depth = int(v.split('=')[1])
                elif v.startswith("cert="):
                    cert = v.split('=')[1]
            # Store the certificate in binary form (the FILETYPE_ASN1 load
            # below expects DER), keyed by its position in the chain.
            if depth is not None and cert:
                certs[depth] = binascii.unhexlify(cert)
        elif "CTRL-EVENT-EAP-SUCCESS" in ev:
            # Authentication must not complete before the external check
            # has even been requested.
            raise Exception("Unexpected EAP-Success")
        elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
            # The request id is the last '-'-separated field before the
            # first ':'; it is echoed back in the CTRL-RSP below.
            id = ev.split(':')[0].split('-')[-1]
    # [original lines 4644-4645 not rendered: presumably the loop exit and
    #  the check that the server certificate entry was collected]
        raise Exception("Server certificate not received")
    # [original line 4647 not rendered: presumably the check that the
    #  issuer certificate entry was collected]
        raise Exception("Server certificate issuer not received")

    # [original line 4651 not rendered: the DER certificate argument that
    #  completes this call, presumably the server entry of `certs`]
    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
    cn = cert.get_subject().commonName
    logger.info("Server certificate CN=" + cn)

    # [original line 4656 not rendered: the DER certificate argument that
    #  completes this call, presumably the issuer entry of `certs`]
    issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
    icn = issuer.get_subject().commonName
    logger.info("Issuer certificate CN=" + icn)

    # The chain handed to the external checker must be the test server's
    # certificate issued by the test Root CA.
    if cn != "server.w1.fi":
        raise Exception("Unexpected server certificate CN: " + cn)
    if icn != "Root CA":
        raise Exception("Unexpected server certificate issuer CN: " + icn)

    # No verdict has been given yet, so EAP must still be pending: a
    # success here would mean the external check does not gate
    # authentication at all.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
    # [original line 4666 not rendered: presumably the truthiness check on
    #  `ev` guarding the raise below]
        raise Exception("Unexpected EAP-Success before external check result indication")

    # Accept the certificate: the connection must now complete.
    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
    dev[0].wait_connected()

    # Second round. The PMKSA is flushed before RECONNECT, presumably so
    # the reconnect runs a full EAP exchange (and asks again) instead of
    # reusing the cached key.
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    if "FAIL" in dev[0].request("PMKSA_FLUSH"):
        raise Exception("PMKSA_FLUSH failed")
    # Reset the PAC blob used by the EAP-FAST caller
    # (pac_file="blob://fast_pac_auth_ext"); presumably a no-op for the
    # other callers.
    dev[0].request("SET blob fast_pac_auth_ext ")
    dev[0].request("RECONNECT")

    ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
    # [original line 4680 not rendered: presumably the None/timeout check
    #  guarding the raise below]
        raise Exception("No peer server certificate event seen (2)")
    id = ev.split(':')[0].split('-')[-1]
    # Reject the certificate: the supplicant must abort with EAP-Failure
    # rather than connect.
    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    # [original line 4685 not rendered: presumably the None/timeout check
    #  guarding the raise below]
        raise Exception("EAP-Failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()