1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
4 #
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
7
8 import base64
9 import binascii
10 import time
11 import subprocess
12 import logging
13 logger = logging.getLogger()
14 import os
15 import socket
16 import SocketServer
17
18 import hwsim_utils
19 import hostapd
20 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips, wait_fail_trigger
21 from wpasupplicant import WpaSupplicant
22 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations, set_test_assoc_ie
23
try:
    import OpenSSL
except ImportError:
    # pyOpenSSL is optional; the flag records whether the import succeeded.
    openssl_imported = False
else:
    openssl_imported = True
29
def check_hlr_auc_gw_support():
    """Skip the test (HwsimSkip) unless the hlr_auc_gw control socket exists."""
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
33
def check_eap_capa(dev, method):
    """Skip the test (HwsimSkip) unless *method* appears in dev's "eap" capability list."""
    supported = dev.get_capability("eap")
    if method in supported:
        return
    raise HwsimSkip("EAP method %s not supported in the build" % method)
38
def check_subject_match_support(dev):
    """Skip the test (HwsimSkip) unless dev's TLS library is OpenSSL."""
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + tls_lib)
43
def check_altsubject_match_support(dev):
    """Skip the test (HwsimSkip) unless dev's TLS library is OpenSSL."""
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls_lib)
48
def check_domain_match(dev):
    """Skip the test (HwsimSkip) when dev's TLS library is the internal one."""
    tls_lib = dev.request("GET tls_library")
    if not tls_lib.startswith("internal"):
        return
    raise HwsimSkip("domain_match not supported with this TLS library: " + tls_lib)
53
def check_domain_suffix_match(dev):
    """Skip the test (HwsimSkip) when dev's TLS library is the internal one."""
    tls_lib = dev.request("GET tls_library")
    if not tls_lib.startswith("internal"):
        return
    raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + tls_lib)
58
def check_domain_match_full(dev):
    """Skip the test (HwsimSkip) unless dev's TLS library is OpenSSL."""
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls_lib)
63
def check_cert_probe_support(dev):
    """Skip the test (HwsimSkip) unless dev's TLS library is OpenSSL or the internal one."""
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith(("OpenSSL", "internal")):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls_lib)
68
def check_ext_cert_check_support(dev):
    """Skip the test (HwsimSkip) unless dev's TLS library is OpenSSL."""
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("ext_cert_check not supported with this TLS library: " + tls_lib)
73
def check_ocsp_support(dev):
    """OCSP capability check; currently only queries the TLS library and never skips.

    The skip conditions for the internal TLS library and BoringSSL are kept
    below, commented out.
    """
    tls_lib = dev.request("GET tls_library")
    #if tls_lib.startswith("internal"):
    #    raise HwsimSkip("OCSP not supported with this TLS library: " + tls_lib)
    #if "BoringSSL" in tls_lib:
    #    raise HwsimSkip("OCSP not supported with this TLS library: " + tls_lib)
80
def check_pkcs12_support(dev):
    """PKCS#12 capability check; currently only queries the TLS library and never skips.

    The skip condition for the internal TLS library is kept below, commented out.
    """
    tls_lib = dev.request("GET tls_library")
    #if tls_lib.startswith("internal"):
    #    raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls_lib)
85
def check_dh_dsa_support(dev):
    """Skip the test (HwsimSkip) when dev's TLS library is the internal one."""
    tls_lib = dev.request("GET tls_library")
    if not tls_lib.startswith("internal"):
        return
    raise HwsimSkip("DH DSA not supported with this TLS library: " + tls_lib)
90
def read_pem(fname):
    """Return the base64-decoded body of the first PEM block in *fname*.

    Lines after the first line containing "-----BEGIN" and before the first
    line containing "-----END" are collected and decoded; the marker lines
    themselves are not part of the result. An empty result is returned when
    no BEGIN marker is found.
    """
    body = []
    inside = False
    with open(fname, "r") as f:
        for line in f:
            if "-----END" in line:
                break
            if inside:
                body.append(line)
            elif "-----BEGIN" in line:
                inside = True
    return base64.b64decode("".join(body))
104
def eap_connect(dev, ap, method, identity,
                sha256=False, expect_failure=False, local_error_report=False,
                maybe_local_error=False, **kwargs):
    """Add a "test-wpa2-eap" network on *dev* using EAP *method* and run the
    authentication through eap_check_auth().

    Any extra keyword arguments (password, ca_cert, phase2, ...) are passed
    straight to dev.connect(). Returns the value dev.connect() returned (the
    network id). Unless expect_failure is set, hostapd on ap['ifname'] must
    report AP-STA-CONNECTED within 5 seconds.

    Raises Exception when the hostapd connection event does not arrive (and
    whatever eap_check_auth() raises).
    """
    hapd = hostapd.Hostapd(ap['ifname'])
    netid = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                        eap=method, identity=identity,
                        wait_connect=False, scan_freq="2412", ieee80211w="1",
                        **kwargs)
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report,
                   maybe_local_error=maybe_local_error)
    if not expect_failure:
        if hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5) is None:
            raise Exception("No connection event received from hostapd")
    return netid
123
def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False,
                   maybe_local_error=False):
    """Follow one EAP authentication on wpa_supplicant *dev* and verify its outcome.

    Waits for EAP start and method selection, then either for EAP failure
    plus disconnection (expect_failure) or for EAP success plus the
    CTRL-EVENT-CONNECTED (initial) / key negotiation (reauth) event. In the
    success case the STATUS fields wpa_state, suppPortStatus,
    selectedMethod and key_mgmt are checked and the status dict returned;
    in the expected-failure case None is returned.

    rsn / sha256 select the key_mgmt string expected in STATUS.
    local_error_report: do not require "reason=23" in the disconnection event.
    maybe_local_error: return None early on an EAP failure during method
    selection or on a locally generated disconnection.

    Raises Exception on any timeout or mismatch.
    """
    if dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
        raise Exception("Association and EAP start timed out")

    selected = dev.wait_event(["CTRL-EVENT-EAP-METHOD",
                               "CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if selected is None:
        raise Exception("EAP method selection timed out")
    if "CTRL-EVENT-EAP-FAILURE" in selected:
        if maybe_local_error:
            return
        raise Exception("Could not select EAP method")
    if method not in selected:
        raise Exception("Unexpected EAP method")

    if expect_failure:
        # No explicit timeout here: dev.wait_event's default applies.
        if dev.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception("EAP failure timed out")
        disc = dev.wait_disconnected(timeout=10)
        if maybe_local_error and "locally_generated=1" in disc:
            return
        if not local_error_report and "reason=23" not in disc:
            raise Exception("Proper reason code for disconnection not reported")
        return

    if dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")

    # Initial connection completes with CTRL-EVENT-CONNECTED; a
    # reauthentication only redoes the 4-way handshake.
    if initial:
        final_event = "CTRL-EVENT-CONNECTED"
    else:
        final_event = "WPA: Key negotiation completed"
    if dev.wait_event([final_event], timeout=10) is None:
        raise Exception("Association with the AP timed out")

    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")

    if sha256:
        expected_km = "WPA2-EAP-SHA256"
    elif rsn:
        expected_km = "WPA2/IEEE 802.1X/EAP"
    else:
        expected_km = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != expected_km:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
    return status
178
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Issue REAUTHENTICATE on *dev* and verify the resulting EAP exchange.

    Delegates to eap_check_auth() with initial=False, so the exchange is
    expected to end with key negotiation rather than a new connection
    event. Returns whatever eap_check_auth() returns.
    """
    dev.request("REAUTHENTICATE")
    result = eap_check_auth(dev, method, False,
                            rsn=rsn, sha256=sha256,
                            expect_failure=expect_failure)
    return result
183
def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM"""
    check_hlr_auc_gw_support()
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Valid GSM-Milenage key configuration (compare the "Invalid
    # GSM-Milenage key" cases below).
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000", password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "SIM")

    eap_connect(dev[1], apdev[0], "SIM", "1232010000000001", password=good_key)
    eap_connect(dev[2], apdev[0], "SIM", "1232010000000002", password=good_key,
                expect_failure=True)

    # Negative cases for dev[0]: (log label, extra dev.connect() arguments).
    # An empty dict means no password is configured at all.
    negative_cases = [
        ("Negative test with incorrect key",
         {"password": "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"}),
        ("Invalid GSM-Milenage key",
         {"password": "ffdca4eda45b53cf0f12d7c9c3bc6a"}),
        ("Invalid GSM-Milenage key(2)",
         {"password": "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581"}),
        ("Invalid GSM-Milenage key(3)",
         {"password": "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q"}),
        ("Invalid GSM-Milenage key(4)",
         {"password": "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581"}),
        ("Missing key configuration", {}),
    ]
    for label, extra in negative_cases:
        logger.info(label)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                    expect_failure=True, **extra)
234
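def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)

    Exercises fast re-authentication and the reauth/pseudonym state that the
    authentication server keeps in hostapd.db under params['logdir'], by
    editing that database between reauthentications.

    params: test-run parameters; only params['logdir'] is used here.
    """
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")

    permanent = "1232010000000000"
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def run_sql(*statements):
        # Each call is one transaction; the connection context manager
        # commits on exit. '%s' in a statement is the permanent identity.
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt % permanent)

    try:
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        ap_params['auth_server_port'] = "1814"
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        eap_connect(dev[0], apdev[0], "SIM", permanent, password=key)

        logger.info("SIM fast re-authentication")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM full auth with pseudonym")
        run_sql("DELETE FROM reauth WHERE permanent='%s'")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM full auth with permanent identity")
        run_sql("DELETE FROM reauth WHERE permanent='%s'",
                "DELETE FROM pseudonyms WHERE permanent='%s'")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM reauth with mismatching MK")
        run_sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='%s'")
        eap_reauth(dev[0], "SIM", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "SIM", permanent, password=key)
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='%s'")
        eap_reauth(dev[0], "SIM")
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='%s'")
        logger.info("SIM reauth with mismatching counter")
        eap_reauth(dev[0], "SIM")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "SIM", permanent, password=key)
        run_sql("UPDATE reauth SET counter='1001' WHERE permanent='%s'")
        logger.info("SIM reauth with max reauth count reached")
        eap_reauth(dev[0], "SIM")
    finally:
        # Release the database handle instead of leaking it for the rest of
        # the test run.
        con.close()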
292
def test_ap_wpa2_eap_sim_config(dev, apdev):
    """EAP-SIM configuration options"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    init_failed = "EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"

    # sim_min_num_chal=1 and =4 are expected to be rejected when the method
    # is initialized; the second failure message carries a " (2)" suffix.
    for phase1, suffix in (("sim_min_num_chal=1", ""),
                           ("sim_min_num_chal=4", " (2)")):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                       identity="1232010000000000", password=key,
                       phase1=phase1, wait_connect=False, scan_freq="2412")
        if dev[0].wait_event([init_failed], timeout=10) is None:
            raise Exception("No EAP error message seen" + suffix)
        dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000", password=key,
                phase1="sim_min_num_chal=2")
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000000", password=key,
                anonymous_identity="345678")
323
def test_ap_wpa2_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
    try:
        return _test_ap_wpa2_eap_sim_ext(dev, apdev)
    finally:
        # Always restore the default so later tests do not inherit
        # external SIM mode on dev[0].
        dev[0].request("SET external_sim 0")
330
def _test_ap_wpa2_eap_sim_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext (the caller resets external_sim).

    Puts dev[0] into external SIM mode and answers each CTRL-REQ-SIM
    GSM-AUTH request with a wrong-type or malformed response; every
    attempt must end in CTRL-EVENT-EAP-FAILURE.
    """
    check_hlr_auc_gw_support()
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].request("SET external_sim 1")
    netid = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                           identity="1232010000000000",
                           wait_connect=False, scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("Network connected timed out")

    def wait_gsm_auth_req():
        # Returns the request id from "CTRL-REQ-SIM-<id>:GSM-AUTH:..."
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        fields = ev.split(':', 2)
        if fields[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return fields[0].split('-')[3]

    def expect_eap_failure():
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")

    rid = wait_gsm_auth_req()
    # IK:CK:RES
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # A UMTS-AUTH reply to a GSM-AUTH request: the ctrl_iface command is
    # accepted, but processing fails.
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
    expect_eap_failure()

    # GSM-AUTH responses that must each fail GSM auth validation.
    bad_gsm_auth = [
        "q",
        "34",
        "0011223344556677",
        "0011223344556677:q",
        "0011223344556677:00112233",
        "0011223344556677:00112233:q",
    ]
    for bad in bad_gsm_auth:
        # Tear down the previous attempt before selecting the network again.
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        time.sleep(0.1)

        dev[0].select_network(netid, freq="2412")
        rid = wait_gsm_auth_req()
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + bad):
            raise Exception("CTRL-RSP-SIM failed")
        expect_eap_failure()
466
def test_ap_wpa2_eap_sim_oom(dev, apdev):
    """EAP-SIM and OOM"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Make the 1st, 2nd, ... 12th allocation in milenage_f2345 fail in turn;
    # each attempt must still select the method and then disconnect.
    for count in range(1, 13):
        with alloc_fail(dev[0], count, "milenage_f2345"):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                           identity="1232010000000000",
                           password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                           wait_connect=False, scan_freq="2412")
            if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5) is None:
                raise Exception("EAP method not selected")
            dev[0].wait_disconnected()
            dev[0].request("REMOVE_NETWORK all")
494
def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA"""
    check_hlr_auc_gw_support()
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    identity = "0232010000000000"
    eap_connect(dev[0], apdev[0], "AKA", identity,
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA")

    # Negative cases: (log label, remove existing networks first,
    # extra dev.connect() arguments). An empty dict means no password.
    # Not every case starts with REMOVE_NETWORK, matching the original
    # sequence.
    negative_cases = [
        ("Negative test with incorrect key", True,
         {"password": "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"}),
        ("Invalid Milenage key", True,
         {"password": "ffdca4eda45b53cf0f12d7c9c3bc6a"}),
        ("Invalid Milenage key(2)", False,
         {"password": "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123"}),
        ("Invalid Milenage key(3)", False,
         {"password": "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123"}),
        ("Invalid Milenage key(4)", False,
         {"password": "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q"}),
        ("Invalid Milenage key(5)", True,
         {"password": "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123"}),
        ("Invalid Milenage key(6)", True,
         {"password": "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123"}),
        ("Missing key configuration", True, {}),
    ]
    for label, remove_first, extra in negative_cases:
        logger.info(label)
        if remove_first:
            dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "AKA", identity,
                    expect_failure=True, **extra)
548
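def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)

    Exercises fast re-authentication and the reauth/pseudonym state that the
    authentication server keeps in hostapd.db under params['logdir'], by
    editing that database between reauthentications.

    params: test-run parameters; only params['logdir'] is used here.
    """
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")

    permanent = "0232010000000000"
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def run_sql(*statements):
        # Each call is one transaction; the connection context manager
        # commits on exit. '%s' in a statement is the permanent identity.
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt % permanent)

    try:
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        ap_params['auth_server_port'] = "1814"
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        eap_connect(dev[0], apdev[0], "AKA", permanent, password=key)

        logger.info("AKA fast re-authentication")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with pseudonym")
        run_sql("DELETE FROM reauth WHERE permanent='%s'")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with permanent identity")
        run_sql("DELETE FROM reauth WHERE permanent='%s'",
                "DELETE FROM pseudonyms WHERE permanent='%s'")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA reauth with mismatching MK")
        run_sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='%s'")
        eap_reauth(dev[0], "AKA", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA", permanent, password=key)
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='%s'")
        eap_reauth(dev[0], "AKA")
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='%s'")
        logger.info("AKA reauth with mismatching counter")
        eap_reauth(dev[0], "AKA")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA", permanent, password=key)
        run_sql("UPDATE reauth SET counter='1001' WHERE permanent='%s'")
        logger.info("AKA reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA")
    finally:
        # Release the database handle instead of leaking it for the rest of
        # the test run.
        con.close()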
606
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Connect with an anonymous_identity configured alongside the real one.
    extra = {
        "password": "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
        "anonymous_identity": "2345678",
    }
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000", **extra)
614
def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
    try:
        return _test_ap_wpa2_eap_aka_ext(dev, apdev)
    finally:
        # Always restore the default so later tests do not inherit
        # external SIM mode on dev[0].
        dev[0].request("SET external_sim 0")
621
def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_ext (the caller resets external_sim).

    Puts dev[0] into external SIM mode and answers each CTRL-REQ-SIM
    UMTS-AUTH request with a wrong-type, UMTS-AUTS or otherwise invalid
    response; every attempt must end in CTRL-EVENT-EAP-FAILURE.
    """
    check_hlr_auc_gw_support()
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].request("SET external_sim 1")
    netid = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                           identity="0232010000000000",
                           password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                           wait_connect=False, scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("Network connected timed out")

    def wait_umts_auth_req():
        # Returns the request id from "CTRL-REQ-SIM-<id>:UMTS-AUTH:..."
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        fields = ev.split(':', 2)
        if fields[1] != "UMTS-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return fields[0].split('-')[3]

    def send_rsp(rid, suffix):
        # suffix is everything after the request id, e.g. ":UMTS-AUTS:12";
        # the ctrl_iface command itself must be accepted.
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + suffix):
            raise Exception("CTRL-RSP-SIM failed")

    def expect_eap_failure():
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")

    def disconnect_and_settle():
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        time.sleep(0.1)
        dev[0].dump_monitor()

    rid = wait_umts_auth_req()
    # IK:CK:RES
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # A GSM-AUTH reply to a UMTS-AUTH request: the ctrl_iface command is
    # accepted, but processing fails.
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    expect_eap_failure()
    disconnect_and_settle()

    # Two UMTS-AUTS replies in a row: the first is followed by another
    # UMTS-AUTH request, the second one fails UMTS auth validation.
    dev[0].select_network(netid, freq="2412")
    send_rsp(wait_umts_auth_req(), ":UMTS-AUTS:112233445566778899aabbccddee")
    send_rsp(wait_umts_auth_req(), ":UMTS-AUTS:12")
    expect_eap_failure()
    disconnect_and_settle()

    # UMTS-AUTH responses that must each fail UMTS auth validation.
    bad_umts_auth = [
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
        ":UMTS-AUTH:34",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q",
    ]
    for bad in bad_umts_auth:
        dev[0].select_network(netid, freq="2412")
        send_rsp(wait_umts_auth_req(), bad)
        expect_eap_failure()
        disconnect_and_settle()
710
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'"""
    check_hlr_auc_gw_support()
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    identity = "6555444333222111"
    key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    eap_connect(dev[0], apdev[0], "AKA'", identity, password=key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA'")

    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    # dev[1] offers both AKA' and AKA and must still end up connected.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity=identity + "@both", password=key,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA'", identity,
                password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                expect_failure=True)
733
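def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)

    Exercises fast re-authentication and the reauth/pseudonym state that the
    authentication server keeps in hostapd.db under params['logdir'], by
    editing that database between reauthentications.

    params: test-run parameters; only params['logdir'] is used here.
    """
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")

    permanent = "6555444333222111"
    key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def run_sql(*statements):
        # Each call is one transaction; the connection context manager
        # commits on exit. '%s' in a statement is the permanent identity.
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt % permanent)

    try:
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        ap_params['auth_server_port'] = "1814"
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        eap_connect(dev[0], apdev[0], "AKA'", permanent, password=key)

        logger.info("AKA' fast re-authentication")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with pseudonym")
        run_sql("DELETE FROM reauth WHERE permanent='%s'")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with permanent identity")
        run_sql("DELETE FROM reauth WHERE permanent='%s'",
                "DELETE FROM pseudonyms WHERE permanent='%s'")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' reauth with mismatching k_aut")
        run_sql("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='%s'")
        eap_reauth(dev[0], "AKA'", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA'", permanent, password=key)
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='%s'")
        eap_reauth(dev[0], "AKA'")
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='%s'")
        logger.info("AKA' reauth with mismatching counter")
        eap_reauth(dev[0], "AKA'")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA'", permanent, password=key)
        run_sql("UPDATE reauth SET counter='1001' WHERE permanent='%s'")
        logger.info("AKA' reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA'")
    finally:
        # Release the database handle instead of leaking it for the rest of
        # the test run.
        con.close()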
791
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # GET_CONFIG must report WPA-EAP as the first key_mgmt entry
    key_mgmt = ap.get_config()['key_mgmt']
    if key_mgmt.partition(' ')[0] != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
    # Both the requested and the selected AKM suite must be 00-0f-ac-1
    akm = "00-0f-ac-1"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", akm),
                       ("dot11RSNAAuthenticationSuiteSelected", akm)])
806
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The server certificate has to satisfy both the subject DN match and
    # the altSubjectName list for the connection to succeed
    cert_checks = dict(subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                       altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                **cert_checks)
    eap_reauth(dev[0], "TTLS")
819
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    rejected = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                    phase2="auth=PAP", expect_failure=True)
    # Wrong password for "pap user", then "user" with its regular password;
    # both attempts are expected to fail.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", password="wrong",
                **rejected)
    eap_connect(dev[1], apdev[0], "TTLS", "user", password="password",
                **rejected)
832
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    skip_with_fips(dev[0])
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # This variant uses the DER-encoded CA certificate (ca.der)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
843
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and altsubject_match"""
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same altSubjectName entries as the PAP variant, listed in a
    # different order
    san_list = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=san_list)
    eap_reauth(dev[0], "TTLS")
855
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    rejected = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                    phase2="auth=CHAP", expect_failure=True)
    # Wrong password for "chap user", then "user" with its regular password;
    # both attempts are expected to fail.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", password="wrong",
                **rejected)
    eap_connect(dev[1], apdev[0], "TTLS", "user", password="password",
                **rejected)
869
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    skip_with_fips(dev[0])
    check_domain_suffix_match(dev[0])
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                 phase2="auth=MSCHAP")
    # 1) plain-text password with server name suffix check, plus reauth
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user", password="password",
                domain_suffix_match="server.w1.fi", **inner)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
    dev[0].request("REMOVE_NETWORK all")
    # 2) same credentials with a small EAP fragment size
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user", password="password",
                fragment_size="200", **inner)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    # 3) password supplied as a hash (password_hex) instead of plain text
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **inner)
893
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    rejected = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                    phase2="auth=MSCHAP", expect_failure=True)
    # Three stations, three credential combinations that must all fail:
    # wrong password, a different user, and an unknown user.
    attempts = [(dev[0], "mschap user", "wrong"),
                (dev[1], "user", "password"),
                (dev[2], "no such user", "password")]
    for sta, identity, password in attempts:
        eap_connect(sta, apdev[0], "TTLS", identity, password=password,
                    **rejected)
911
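def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # add_ap() returns the Hostapd control object for the interface (see
    # the other tests in this file); no second Hostapd() instance needed.
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # The identity contains one literal backslash (DOMAIN\mschapv2 user);
    # escape it explicitly instead of relying on the undefined "\m" escape.
    identity = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(addr)
    eapol1 = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(addr)
    eapol2 = hapd.get_sta(addr, info="eapol")
    # The reauthentication must show up in the AP-side 802.1X counters
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")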
942
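def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
    """EAP-TTLS with invalid phase2 parameter values"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # phase2 values the EAP-TTLS initialization must reject: wrong method
    # name spelling, mixed auth=/autheap=, repeated keys and an unknown
    # inner method (FOO).
    tests = ["auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
             "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
             "autheap=MD5 autheap=FOO autheap=MSCHAPV2"]
    for t in tests:
        # Identity contains one literal backslash; escaped explicitly so
        # the literal does not depend on the undefined "\m" escape.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\\mschapv2 user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2=t,
                       wait_connect=False, scan_freq="2412")
        # EAP type 21 (EAP-TTLS) must have been proposed before it fails
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
        if ev is None or "method=21" not in ev:
            raise Exception("EAP-TTLS not started")
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method",
                                "CTRL-EVENT-CONNECTED"], timeout=5)
        if ev is None or "CTRL-EVENT-CONNECTED" in ev:
            raise Exception("No EAP-TTLS failure reported for phase2=" + t)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()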
966
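def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_suffix_match)"""
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # add_ap() already returns the Hostapd control object for the interface
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Suffix match against the parent domain only (w1.fi), not the full
    # server name used by the other MSCHAPv2 tests.  The identity's
    # backslash is escaped explicitly ("\m" is not a defined escape).
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")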
980
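def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # add_ap() already returns the Hostapd control object for the interface
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # domain_match uses a mixed-case server name; the identity's backslash
    # is escaped explicitly ("\m" is not a defined escape).
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")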
994
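def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Wrong password for the domain user (backslash escaped explicitly,
    # "\m" is not a defined escape), then "user" with its regular
    # password; both attempts are expected to fail.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)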
1008
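def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # The Hostapd object previously constructed here was never used
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Non-ASCII password given as text, then the same user type with the
    # password given as a hash
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                anonymous_identity="ttls", password="secret-åäö-€-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                anonymous_identity="ttls",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # password_hex values that must be rejected (presumably invalid UTF-8
    # sequences and an over-long password); each attempt has to end in
    # an EAP failure within a second.
    for p in ["80", "41c041e04141e041", 257 * "41"]:
        dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="TTLS", identity="utf8-user-hash",
                       anonymous_identity="ttls", password_hex=p,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1)
        if ev is None:
            raise Exception("No failure reported")
        dev[2].request("REMOVE_NETWORK all")
        dev[2].wait_disconnected()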
1033
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-GTC as the tunneled EAP method (autheap=), not a legacy auth=
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
1043
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A wrong password for the tunneled GTC exchange must be rejected
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="wrong",
                anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="autheap=GTC", expect_failure=True)
1052
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" has no password configured on the server side, so
    # the attempt is expected to fail even though the client sends one
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                password="password", anonymous_identity="ttls",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)
1061
def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
    ap = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    # First allocation in eap_gtc_init fails: the inner method cannot start
    with alloc_fail(ap, 1, "eap_gtc_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user", expect_failure=True,
                    **inner)
        dev[0].request("REMOVE_NETWORK all")

    # First allocation in eap_gtc_buildReq fails.  The exchange would only
    # time out after that, so poll (up to 2 s) until GET_ALLOC_FAIL shows
    # the injected failure has been hit, then let the test end.
    with alloc_fail(ap, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       wait_connect=False, scan_freq="2412", **inner)
        for _ in range(20):
            time.sleep(0.1)
            if ap.request("GET_ALLOC_FAIL").startswith('0'):
                break
1085
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-MD5 tunneled inside TTLS (autheap=), followed by a reauth
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
1096
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A wrong password for the tunneled MD5 challenge must be rejected
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="wrong",
                anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="autheap=MD5", expect_failure=True)
1106
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" has no password configured on the server side, so
    # the attempt is expected to fail even though the client sends one
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                password="password", anonymous_identity="ttls",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
1116
def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    # First allocation in eap_md5_init fails: the inner method cannot start
    with alloc_fail(ap, 1, "eap_md5_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user", expect_failure=True,
                    **inner)
        dev[0].request("REMOVE_NETWORK all")

    # First allocation in eap_md5_buildReq fails.  The exchange would only
    # time out after that, so poll (up to 2 s) until GET_ALLOC_FAIL shows
    # the injected failure has been hit, then let the test end.
    with alloc_fail(ap, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       wait_connect=False, scan_freq="2412", **inner)
        for _ in range(20):
            time.sleep(0.1)
            if ap.request("GET_ALLOC_FAIL").startswith('0'):
                break
1141
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                 phase2="autheap=MSCHAPV2")
    # Successful tunneled EAP-MSCHAPv2 exchange plus reauthentication
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password",
                **inner)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password1",
                expect_failure=True, **inner)
1159
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" has no password configured on the server side, so
    # the attempt is expected to fail even though the client sends one
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                password="password", anonymous_identity="ttls",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
1169
def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    inner = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                 phase2="autheap=MSCHAPV2")
    # First allocation in eap_mschapv2_init fails: the inner method cannot
    # start
    with alloc_fail(ap, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user", password="password",
                    expect_failure=True, **inner)
        dev[0].request("REMOVE_NETWORK all")

    # Fail the first allocation in each server-side message builder in
    # turn (the failure-request builder is only reached with a wrong
    # password).  Each exchange would only time out after that, so poll
    # (up to 2 s) until GET_ALLOC_FAIL shows the injected failure has been
    # hit, then drop the network and move on.
    builders = [("eap_mschapv2_build_challenge", "password"),
                ("eap_mschapv2_build_success_req", "password"),
                ("eap_mschapv2_build_failure_req", "wrong")]
    for func, password in builders:
        with alloc_fail(ap, 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="TTLS", identity="user", password=password,
                           wait_connect=False, scan_freq="2412", **inner)
            for _ in range(20):
                time.sleep(0.1)
                if ap.request("GET_ALLOC_FAIL").startswith('0'):
                    break
            dev[0].request("REMOVE_NETWORK all")
1223
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-AKA tunneled inside TTLS; the password carries the AKA test
    # credentials in the same colon-separated form as the plain AKA tests
    imsi = "0232010000000000"
    eap_connect(dev[0], apdev[0], "TTLS", imsi,
                anonymous_identity=imsi + "@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
1232
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-AKA tunneled inside PEAP; same AKA test credentials as the TTLS
    # variant, with a PEAP-specific anonymous identity
    imsi = "0232010000000000"
    eap_connect(dev[0], apdev[0], "PEAP", imsi,
                anonymous_identity=imsi + "@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
1241
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-AKA tunneled inside EAP-FAST with authenticated provisioning
    # (fast_provisioning=2) and the PAC kept in a config blob
    imsi = "0232010000000000"
    fast_cfg = dict(phase1="fast_provisioning=2",
                    pac_file="blob://fast_pac_auth_aka")
    eap_connect(dev[0], apdev[0], "FAST", imsi,
                anonymous_identity=imsi + "@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA", **fast_cfg)
1253
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                 phase2="auth=MSCHAPV2")
    # 1) regular connection with reauthentication
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                **inner)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")
    dev[0].request("REMOVE_NETWORK all")
    # 2) same credentials with a small EAP fragment size
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                fragment_size="200", **inner)

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **inner)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password1",
                expect_failure=True, **inner)
1283
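def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Identity is DOMAIN\user3 with one literal backslash.  It is escaped
    # explicitly: "\u" is only a no-op in a Python 2 byte string and is a
    # hard syntax error once the file is run under Python 3.
    eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")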
1294
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A wrong password for the inner MSCHAPv2 exchange must be rejected
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="wrong",
                anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2", expect_failure=True)
1304
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # dev[0] requires crypto binding (crypto_binding=2) and also exercises
    # reauthentication with it
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peapver=0 crypto_binding=2",
                phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    # The other two stations use the remaining crypto_binding settings
    # (1 and 0) against the same AP
    for sta, binding in ((dev[1], 1), (dev[2], 0)):
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % binding,
                    phase2="auth=MSCHAPV2")
1325
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    # With crypto binding required, a failed key derivation on the server
    # (first allocation in eap_mschapv2_getKey) has to abort the connection
    with alloc_fail(ap, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
1337
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="peap", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    # peapver=0 combined with peaplabel=1 is expected to fail
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                phase1="peapver=0 peaplabel=1", expect_failure=True, **inner)
    dev[0].request("REMOVE_NETWORK all")

    # peap_outer_success=0: EAP success must be reported, but the
    # connection will not complete, so the network is dropped right after
    # the EAP success event
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", phase1="peap_outer_success=0",
                   wait_connect=False, scan_freq="2412", **inner)
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15) is None:
        raise Exception("No EAP success seen")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    # The other peap_outer_success values connect normally
    for sta, outer in ((dev[1], "peap_outer_success=1"),
                       (dev[2], "peap_outer_success=2")):
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem", phase1=outer,
                    phase2="auth=MSCHAPV2")

    # peapver=1 with peaplabel=1: EAP success, but no connection may follow
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412", **inner)
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15) is None:
        raise Exception("No EAP success seen")
    if dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1) is not None:
        raise Exception("Unexpected connection")

    # Anonymous identities that (presumably) select the PEAP version on
    # the server side, paired with a matching or unset client peapver
    for anon, phase1 in [("peap-ver0", ""), ("peap-ver1", ""),
                         ("peap-ver0", "peapver=0"),
                         ("peap-ver1", "peapver=1")]:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       scan_freq="2412")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Mismatching client peapver must end in EAP-Failure
    for anon, phase1 in [("peap-ver0", "peapver=1"),
                         ("peap-ver1", "peapver=0")]:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("No EAP-Failure seen")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Assorted TLS phase1 tunables are accepted and still connect
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
                phase2="auth=MSCHAPV2")
1413
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The inner EAP-TLS uses its own (phase2) certificate settings, given
    # with the *2 parameter names
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(dev[0], "PEAP")
1424
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Certificate-based client authentication with PEM files on disk
    client_creds = dict(ca_cert="auth_serv/ca.pem",
                        client_cert="auth_serv/user.pem",
                        private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **client_creds)
    eap_reauth(dev[0], "TLS")
1433
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Encrypted PKCS #8 private key; the passphrase is needed to load it
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key.pkcs8",
                private_key_passwd="whatever")
1442
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same client certificate as the v2 test, but the key file uses the
    # older PKCS #5 v1.5 encryption scheme
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                private_key_passwd="whatever")
1451
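def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Push the CA certificate, client certificate and private key into
    # wpa_supplicant config blobs (hex-encoded over the control interface)
    # and reference them through blob:// URIs instead of file paths.
    blobs = [("cacert", "auth_serv/ca.pem"),
             ("usercert", "auth_serv/user.pem"),
             ("userkey", "auth_serv/user.rsa-key")]
    for name, path in blobs:
        data = read_pem(path)
        res = dev[0].request("SET blob %s %s" % (name, binascii.hexlify(data)))
        if "OK" not in res:
            # Name the blob that actually failed (the key failure used to
            # be reported as "cacert").
            raise Exception("Could not set %s blob" % name)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")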
1468
def test_ap_wpa2_eap_tls_blob_missing(dev, apdev):
    """EAP-TLS and config blob missing

    All three credential references point at a blob that was never set;
    EAP method initialization must fail and the failure must be reported
    on the control interface.
    """
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    missing = "blob://testing-blob-does-not-exist"
    dev[0].connect(ssid, key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert=missing,
                   client_cert=missing,
                   private_key=missing,
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
1484
def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
    """EAP-TLS and TLS Message Length in unfragmented packets

    phase1 include_tls_length=1 asks the peer to include the TLS Message
    Length field even when a message is not fragmented.
    """
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    creds = {"ca_cert": "auth_serv/ca.pem",
             "phase1": "include_tls_length=1",
             "client_cert": "auth_serv/user.pem",
             "private_key": "auth_serv/user.key"}
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
1493
def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12

    Three passes: (1) the PKCS#12 passphrase is part of the network
    configuration; (2) no passphrase is configured, so wpa_supplicant has
    to request it with CTRL-REQ-PASSPHRASE and the test answers it;
    (3) two further PKCS#12 files are each used twice to exercise
    certificate chain handling.
    """
    check_pkcs12_support(dev[0])
    sta = dev[0]
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))

    def drop_networks():
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()

    # Pass 1: passphrase configured up front.
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    drop_networks()

    # Pass 2: passphrase supplied interactively through the control
    # interface.
    sta.connect(ssid, key_mgmt="WPA-EAP", eap="TLS",
                identity="tls user",
                ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                wait_connect=False, scan_freq="2412")
    ev = sta.wait_event(["CTRL-REQ-PASSPHRASE"])
    if ev is None:
        raise Exception("Request for private key passphrase timed out")
    # The request id is the last '-' separated token before the ':'.
    req_id = ev.split(':')[0].split('-')[-1]
    sta.request("CTRL-RSP-PASSPHRASE-" + req_id + ":whatever")
    sta.wait_connected(timeout=10)
    drop_networks()

    # Pass 3: run this twice per file to verify certificate chain handling
    # with OpenSSL. The two files cover both cases of the extra
    # certificate being the one that signed the client certificate and it
    # being unrelated to the client certificate.
    for pkcs12 in ("auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12"):
        for _ in range(2):
            eap_connect(sta, apdev[0], "TLS", "tls user",
                        ca_cert="auth_serv/ca.pem",
                        private_key=pkcs12,
                        private_key_passwd="whatever")
            drop_networks()
1531
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob

    The CA certificate (PEM) and the PKCS#12 bundle (binary) are both
    stored as configuration blobs and referenced via blob:// URIs.

    Raises:
        Exception: if wpa_supplicant rejects one of the SET blob commands.
    """
    check_pkcs12_support(dev[0])
    sta = dev[0]
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))

    ca_hex = read_pem("auth_serv/ca.pem").encode("hex")
    if "OK" not in sta.request("SET blob cacert " + ca_hex):
        raise Exception("Could not set cacert blob")
    # The PKCS#12 file is binary, so it is read raw rather than via read_pem.
    with open("auth_serv/user.pkcs12", "rb") as f:
        p12_hex = f.read().encode("hex")
    if "OK" not in sta.request("SET blob pkcs12 " + p12_hex):
        raise Exception("Could not set pkcs12 blob")

    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
1546
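def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root

    Both stations trust a CA that did not issue the server certificate --
    dev[0] via a configuration blob, dev[1] via a file. Each must report,
    in order: EAP start, EAP-TTLS method selection, a TLS certificate
    error, an EAP failure, a disconnection and the temporary disabling of
    the network block.

    Raises:
        Exception: if the cacert blob cannot be set or any expected event
            is missing or out of order.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")

    # Identity value is DOMAIN\mschapv2 user; the backslash is escaped so
    # the literal does not rely on the invalid "\m" escape sequence.
    common = {"key_mgmt": "WPA-EAP", "eap": "TTLS",
              "identity": "DOMAIN\\mschapv2 user", "anonymous_identity": "ttls",
              "password": "password", "phase2": "auth=MSCHAPV2",
              "wait_connect": False, "scan_freq": "2412"}
    dev[0].connect("test-wpa2-eap", ca_cert="blob://cacert", **common)
    dev[1].connect("test-wpa2-eap", ca_cert="auth_serv/ca-incorrect.pem",
                   **common)

    # Loop variable renamed so the dev fixture is not shadowed.
    for sta in (dev[0], dev[1]):
        def expect(events, error):
            ev = sta.wait_event(events, timeout=10)
            if ev is None:
                raise Exception(error)
            return ev

        expect(["CTRL-EVENT-EAP-STARTED"],
               "Association and EAP start timed out")

        ev = expect(["CTRL-EVENT-EAP-METHOD"], "EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        # Any later-stage event arriving first means the cert error was
        # skipped, which is the failure being tested for.
        ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                     "CTRL-EVENT-EAP-SUCCESS",
                     "CTRL-EVENT-EAP-FAILURE",
                     "CTRL-EVENT-CONNECTED",
                     "CTRL-EVENT-DISCONNECTED"], "EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                     "CTRL-EVENT-EAP-FAILURE",
                     "CTRL-EVENT-CONNECTED",
                     "CTRL-EVENT-DISCONNECTED"], "EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = expect(["CTRL-EVENT-CONNECTED",
                     "CTRL-EVENT-DISCONNECTED"], "EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        expect(["CTRL-EVENT-SSID-TEMP-DISABLED"],
               "Network block disabling not reported")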
1606
def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    Connects once with the correct CA, then switches to a second network
    block that trusts the wrong CA. EAP-TTLS must be restarted and the
    station must be disconnected with reason code 23 (IEEE 802.1X
    authentication failed).
    """
    sta = dev[0]
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    ttls_pap = {"key_mgmt": "WPA-EAP", "eap": "TTLS",
                "identity": "pap user", "anonymous_identity": "ttls",
                "password": "password", "phase2": "auth=PAP",
                "scan_freq": "2412"}
    sta.connect(ssid, ca_cert="auth_serv/ca.pem", wait_connect=True,
                **ttls_pap)
    # Second block is only added, not selected, until the first is dropped.
    net_id = sta.connect(ssid, ca_cert="auth_serv/ca-incorrect.pem",
                         only_add_network=True, **ttls_pap)

    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()
    sta.select_network(net_id, freq="2412")

    # method=21 is EAP-TTLS.
    ev = sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = sta.wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
1634
def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    Like test_ap_wpa2_eap_tls_diff_ca_trust, except that the first network
    block configures no CA at all; the second one trusts the wrong CA and
    must end in a disconnection with reason code 23.
    """
    sta = dev[0]
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    ttls_pap = {"key_mgmt": "WPA-EAP", "eap": "TTLS",
                "identity": "pap user", "anonymous_identity": "ttls",
                "password": "password", "phase2": "auth=PAP",
                "scan_freq": "2412"}
    sta.connect(ssid, wait_connect=True, **ttls_pap)
    net_id = sta.connect(ssid, ca_cert="auth_serv/ca-incorrect.pem",
                         only_add_network=True, **ttls_pap)

    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()
    sta.select_network(net_id, freq="2412")

    # method=21 is EAP-TTLS.
    ev = sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = sta.wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
1661
def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    Single network block: connect with the correct CA, then rewrite its
    ca_cert to the wrong CA and reselect it. EAP-TTLS must restart and the
    station must be disconnected with reason code 23.
    """
    sta = dev[0]
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    net_id = sta.connect(ssid, key_mgmt="WPA-EAP", eap="TTLS",
                         identity="pap user", anonymous_identity="ttls",
                         password="password", phase2="auth=PAP",
                         ca_cert="auth_serv/ca.pem",
                         wait_connect=True, scan_freq="2412")
    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()
    # Swap the trust root in place rather than adding a second block.
    sta.set_network_quoted(net_id, "ca_cert", "auth_serv/ca-incorrect.pem")
    sta.select_network(net_id, freq="2412")

    # method=21 is EAP-TTLS.
    ev = sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = sta.wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
1684
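def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch

    The server certificate is valid under the configured CA, but
    domain_suffix_match names a suffix it does not carry. The station must
    report a TLS certificate error mentioning the suffix mismatch, then an
    EAP failure, a disconnection and the temporary disabling of the
    network block.

    Raises:
        Exception: if any expected event is missing or out of order.
    """
    check_domain_suffix_match(dev[0])
    sta = dev[0]
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Identity value is DOMAIN\mschapv2 user; backslash escaped so the
    # literal does not rely on the invalid "\m" escape sequence.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                domain_suffix_match="incorrect.example.com",
                wait_connect=False, scan_freq="2412")

    def expect(events, error):
        ev = sta.wait_event(events, timeout=10)
        if ev is None:
            raise Exception(error)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")

    ev = expect(["CTRL-EVENT-EAP-METHOD"], "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"],
           "Network block disabling not reported")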
1738
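def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch

    domain_match requires a full (not suffix) match of the server
    certificate's domain. With "w1.fi" configured the match fails and the
    station must report a TLS certificate error mentioning the domain
    mismatch, then an EAP failure, a disconnection and the temporary
    disabling of the network block.

    Raises:
        Exception: if any expected event is missing or out of order.
    """
    check_domain_match(dev[0])
    sta = dev[0]
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Identity value is DOMAIN\mschapv2 user; backslash escaped so the
    # literal does not rely on the invalid "\m" escape sequence.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                domain_match="w1.fi",
                wait_connect=False, scan_freq="2412")

    def expect(events, error):
        ev = sta.wait_event(events, timeout=10)
        if ev is None:
            raise Exception(error)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")

    ev = expect(["CTRL-EVENT-EAP-METHOD"], "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"],
           "Network block disabling not reported")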
1792
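def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch

    subject_match is set to a DN the server certificate does not carry.
    With OpenSSL the station must report a TLS certificate error
    mentioning the subject mismatch and then fail EAP, disconnect and
    temporarily disable the network block. With a TLS library that does
    not support subject_match, EAP method initialization fails instead,
    which also counts as the expected (non-connecting) outcome.

    Raises:
        Exception: if any expected event is missing or out of order, or if
            OpenSSL reports a method initialization failure.
    """
    sta = dev[0]
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Identity value is DOMAIN\mschapv2 user; backslash escaped so the
    # literal does not rely on the invalid "\m" escape sequence.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                subject_match="/C=FI/O=w1.fi/CN=example.com",
                wait_connect=False, scan_freq="2412")

    def expect(events, error):
        ev = sta.wait_event(events, timeout=10)
        if ev is None:
            raise Exception(error)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")

    ev = expect(["CTRL-EVENT-EAP-METHOD",
                 "EAP: Failed to initialize EAP method"],
                "EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = sta.request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"],
           "Network block disabling not reported")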
1852
def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch

    Runs the altsubject_match negative case once per pattern: a bare
    hostname without a type prefix, a DNS entry for the wrong host, a DNS
    entry for the bare domain, and a DNS entry that is a truncated form
    of the real name.
    """
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))

    for pattern in ("incorrect.example.com",
                    "DNS:incorrect.example.com",
                    "DNS:w1.fi",
                    "DNS:erver.w1.fi"):
        _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, pattern)
1864
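def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one altsubject_match negative case on dev[0].

    Connects with altsubject_match=match (which must not match the server
    certificate) and checks the TLS certificate error, EAP failure,
    disconnection and network-block disabling are all reported. If the TLS
    library does not support altsubject_match, the method initialization
    failure is accepted as the expected non-connecting outcome. The
    network block is removed on every exit path so repeated calls start
    from a clean configuration.

    Args:
        dev: station fixtures; only dev[0] is used.
        apdev: AP fixtures (unused here; the AP is set up by the caller).
        match: altsubject_match value to configure.

    Raises:
        Exception: if any expected event is missing or out of order, or if
            OpenSSL reports a method initialization failure.
    """
    sta = dev[0]
    # Identity value is DOMAIN\mschapv2 user; backslash escaped so the
    # literal does not rely on the invalid "\m" escape sequence.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                altsubject_match=match,
                wait_connect=False, scan_freq="2412")

    def expect(events, error):
        ev = sta.wait_event(events, timeout=10)
        if ev is None:
            raise Exception(error)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")

    ev = expect(["CTRL-EVENT-EAP-METHOD",
                 "EAP: Failed to initialize EAP method"],
                "EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = sta.request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        # Clean up here too; previously this path left the network block
        # behind for the caller's next iteration.
        sta.request("REMOVE_NETWORK all")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"],
           "Network block disabling not reported")

    sta.request("REMOVE_NETWORK all")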
1923
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS

    Server-only TLS authentication: the station validates the server
    against the CA but presents no client certificate, then reauthenticates.
    """
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    eap_connect(dev[0], apdev[0], "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], "UNAUTH-TLS")
1931
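def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash

    Three phases: (1) ca_cert="probe://" makes the station report the
    server certificate (including its SHA-256 hash) and abort with a
    "Server certificate chain probe" error; (2) pinning a different
    SHA-256 hash must fail with "Server certificate mismatch"; (3) pinning
    the hash learned in phase 1 must connect.

    Raises:
        Exception: if any expected event is missing or the reported hash
            differs from the pinned test value.
    """
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    sta = dev[0]
    # Expected SHA-256 of the auth_serv server certificate.
    srv_cert_hash = "e75bd454c7b02d312e5006d75067c28ffa5baea422effeb2bbd572179cd000ca"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    def expect(events, error):
        ev = sta.wait_event(events, timeout=10)
        if ev is None:
            raise Exception(error)
        return ev

    # Phase 1: probe the server certificate.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="probe", ca_cert="probe://",
                wait_connect=False, scan_freq="2412")
    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")
    ev = expect(["CTRL-EVENT-EAP-PEER-CERT depth=0"],
                "No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], "EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    sta.wait_disconnected(timeout=10)
    sta.request("REMOVE_NETWORK all")

    # Phase 2: pin a hash that does not match the server certificate.
    # Identity value is DOMAIN\mschapv2 user; backslash escaped so the
    # literal does not rely on the invalid "\m" escape sequence.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                wait_connect=False, scan_freq="2412")
    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")
    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], "EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    sta.wait_disconnected(timeout=10)
    sta.request("REMOVE_NETWORK all")

    # Phase 3: pin the correct hash and connect.
    eap_connect(sta, apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")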
1978
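def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)

    Three stations each get a malformed hash:// ca_cert value -- an
    unsupported digest (md5), a SHA-256 value that is too short, and one
    containing a non-hex character. In every case EAP-TTLS must fail to
    initialize rather than proceed with a weak or unparsable pin.

    Raises:
        Exception: if a station does not start EAP or does not report the
            method initialization failure.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    bad_pins = [
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    # Identity value is DOMAIN\mschapv2 user; backslash escaped so the
    # literal does not rely on the invalid "\m" escape sequence.
    for i, pin in enumerate(bad_pins):
        dev[i].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                       password="password", phase2="auth=MSCHAPV2",
                       ca_cert=pin,
                       wait_connect=False, scan_freq="2412")
    for i in range(len(bad_pins)):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")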
2005
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd

    Covers: a plain connect plus reauthentication on dev[0]; a very long
    identity with client-side fragmentation (fragment_size 90 on dev[1],
    then 31 on dev[0]); and a wrong-password negative case on dev[2].
    """
    check_eap_capa(dev[0], "PWD")
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    long_identity = ("pwd.user@test12345678901234567890123456789012345678901234"
                     "5678901234567890123456789012345678901234567890.example.com")

    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[1], apdev[0], "PWD", long_identity,
                password="secret password",
                fragment_size="90")

    logger.info("Negative test with incorrect password")
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

    eap_connect(dev[0], apdev[0], "PWD", long_identity,
                password="secret password",
                fragment_size="31")
2028
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash

    The "pwd-hash" user is provisioned with an NT hash on the server side.
    dev[0] authenticates with the plaintext password, dev[1] with the
    pre-hashed form via password_hex, and dev[2] shows the hash does not
    work for a user whose server-side credential is not hash-based.
    """
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    nthash = "hash:e3718ece8ab74792cbbfffd316d2d19a"

    eap_connect(dev[0], apdev[0], "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], apdev[0], "PWD", "pwd-hash", password_hex=nthash)
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password_hex=nthash,
                expect_failure=True, local_error_report=True)
2041
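def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups

    Restarts the AP once per group and connects with EAP-pwd each time.
    Groups 27-30 (Brainpool) are only added when both the build-time and
    run-time OpenSSL are 1.0.2. A failure with group 25 under BoringSSL
    is logged and skipped; any other failure propagates.

    Raises:
        Exception: whatever eap_connect raises for a non-tolerated group.
    """
    check_eap_capa(dev[0], "PWD")
    tls = dev[0].request("GET tls_library")
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf"}
    groups = [19, 20, 21, 25, 26]
    if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
        logger.info("Add Brainpool EC groups since OpenSSL is new enough")
        groups += [27, 28, 29, 30]
    for group in groups:
        logger.info("Group %d" % group)
        params['pwd_group'] = str(group)
        hostapd.add_ap(apdev[0]['ifname'], params)
        try:
            eap_connect(dev[0], apdev[0], "PWD", "pwd user",
                        password="secret password")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
            dev[0].dump_monitor()
        except Exception:
            # Narrowed from a bare "except:" so KeyboardInterrupt and
            # SystemExit are no longer intercepted; the tolerated case
            # is unchanged.
            if "BoringSSL" in tls and group == 25:
                logger.info("Ignore connection failure with group %d with BoringSSL" % group)
                dev[0].request("DISCONNECT")
                time.sleep(0.1)
                dev[0].request("REMOVE_NETWORK all")
                dev[0].dump_monitor()
                continue
            raise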
2072
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group

    The AP is configured with pwd_group 0, which is not a usable group;
    the station must end up with an EAP failure rather than a connection.
    """
    check_eap_capa(dev[0], "PWD")
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "pwd_group": "0"}
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    # Default wait_event timeout is used here, as in the original test.
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2087
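def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    The AP-side EAP server is configured with fragment_size 40 so its
    EAP-pwd messages are split into many small fragments that the station
    must reassemble.
    """
    check_eap_capa(dev[0], "PWD")
    # The hostapd.wpa2_eap_params() result used to be built here and then
    # immediately overwritten; only the explicit dict below is used.
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "pwd_group": "19", "fragment_size": "40"}
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")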
2098
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK

    After a default connect and reauthentication, phase1 is rewritten on
    the live network block to force each supported cipher suite, then an
    unsupported one (cipher=9) which must end in EAP failure. Finally the
    wrong password must be rejected.
    """
    sta = dev[0]
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    net_id = eap_connect(sta, apdev[0], "GPSK", "gpsk user",
                         password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(sta, "GPSK")

    logger.info("Test forced algorithm selection")
    for cipher in ("cipher=1", "cipher=2"):
        # Changing phase1 triggers a fresh EAP exchange on the same block.
        sta.set_network_quoted(net_id, "phase1", cipher)
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        sta.wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    sta.set_network_quoted(net_id, "phase1", "cipher=9")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
2126
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    Connects with the 32-byte hex root secret, reauthenticates, then
    confirms a secret with a different first byte is rejected.
    """
    sta = dev[0]
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    good = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    bad = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

    eap_connect(sta, apdev[0], "SAKE", "sake user", password_hex=good)
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "SAKE", "sake user", password_hex=bad,
                expect_failure=True)
2140
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE

    After a default connect and reauthentication, phase1 is rewritten on
    the live network block to force specific DH group / cipher / PRF /
    MAC combinations, then a combination the server cannot accept which
    must end in EAP failure. Finally the wrong password must be rejected.
    """
    sta = dev[0]
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    net_id = eap_connect(sta, apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(sta, "EKE")

    logger.info("Test forced algorithm selection")
    forced = ("dhgroup=5 encr=1 prf=2 mac=2",
              "dhgroup=4 encr=1 prf=2 mac=2",
              "dhgroup=3 encr=1 prf=2 mac=2",
              "dhgroup=3 encr=1 prf=1 mac=1")
    for phase1 in forced:
        # Changing phase1 triggers a fresh EAP exchange on the same block.
        sta.set_network_quoted(net_id, "phase1", phase1)
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        sta.wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    sta.set_network_quoted(net_id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)
2169
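def test_ap_wpa2_eap_eke_many(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-EKE (many connections) [long]

    Runs 100 rounds in which three stations connect concurrently with
    EAP-EKE and are then torn down. Rounds that end in a disconnection are
    counted and logged rather than failing the test, because the RADIUS
    server's active-session limit can be hit during this loop; the
    success/failure totals are logged at the end.

    Args:
        dev: station fixtures; dev[0..2] are used.
        apdev: AP fixtures.
        params: test-runner parameters; params['long'] gates the test.

    Raises:
        HwsimSkip: when the runner was not started with --long.
        Exception: when a station reports neither a connected nor a
            disconnected event within 15 s.
    """
    if not params['long']:
        raise HwsimSkip("Skip test case with long duration due to --long not specified")
    # Kept separate from the 'params' argument, which used to be rebound
    # to the AP configuration here.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    success = 0
    fail = 0
    for i in range(100):
        for j in range(3):
            dev[j].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="EKE",
                           identity="eke user", password="hello",
                           phase1="dhgroup=3 encr=1 prf=1 mac=1",
                           scan_freq="2412", wait_connect=False)
        for j in range(3):
            ev = dev[j].wait_event(["CTRL-EVENT-CONNECTED",
                                    "CTRL-EVENT-DISCONNECTED"], timeout=15)
            if ev is None:
                raise Exception("No connected/disconnected event")
            if "CTRL-EVENT-DISCONNECTED" in ev:
                fail += 1
                # The RADIUS server limits on active sessions can be hit when
                # going through this test case, so try to give some more time
                # for the server to remove sessions.
                logger.info("Failed to connect i=%d j=%d" % (i, j))
                dev[j].request("REMOVE_NETWORK all")
                time.sleep(1)
            else:
                success += 1
                dev[j].request("REMOVE_NETWORK all")
                dev[j].wait_disconnected()
            dev[j].dump_monitor()
    logger.info("Total success=%d failure=%d" % (success, fail))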
2203
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
    # Integrated EAP server configured with an NAI-form server identity;
    # the station must still complete EAP-EKE against it.
    ap_params = dict(int_eap_server_params(), server_id='example.server@w1.fi')
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
2210
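def _wait_eke_server_alloc_fail(hapd, attempts):
    """Poll hostapd until the armed allocation failure has been consumed.

    The EAP-EKE exchange would otherwise only time out, so polling stops
    early: the loop treats a GET_ALLOC_FAIL reply starting with '0' as the
    failure having been hit. At most *attempts* rounds of 0.1 s are spent.
    """
    for _ in range(attempts):
        time.sleep(0.1)
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            break


def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with server OOM"""
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)

    # Server-side allocation failures that are expected to end the exchange
    # with an EAP failure visible to the station.
    for count, func in [ (1, "eap_eke_build_commit"),
                         (2, "eap_eke_build_commit"),
                         (3, "eap_eke_build_commit"),
                         (1, "eap_eke_build_confirm"),
                         (2, "eap_eke_build_confirm"),
                         (1, "eap_eke_process_commit"),
                         (2, "eap_eke_process_commit"),
                         (1, "eap_eke_process_confirm"),
                         (1, "eap_eke_process_identity"),
                         (2, "eap_eke_process_identity"),
                         (3, "eap_eke_process_identity"),
                         (4, "eap_eke_process_identity") ]:
        with alloc_fail(hapd, count, func):
            eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
                        expect_failure=True)
            dev[0].request("REMOVE_NETWORK all")

    # Allocation failures where no explicit failure is expected; poll until
    # the failure has been hit and then tear the network down. The "wrong"
    # password is paired with eap_eke_build_failure so that the server
    # actually takes the failure-message path.
    for count, func, pw in [ (1, "eap_eke_init", "hello"),
                             (1, "eap_eke_get_session_id", "hello"),
                             (1, "eap_eke_getKey", "hello"),
                             (1, "eap_eke_build_msg", "hello"),
                             (1, "eap_eke_build_failure", "wrong"),
                             (1, "eap_eke_build_identity", "hello"),
                             (2, "eap_eke_build_identity", "hello") ]:
        with alloc_fail(hapd, count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            _wait_eke_server_alloc_fail(hapd, 20)
            dev[0].request("REMOVE_NETWORK all")

    # Sweep the allocations in eap_server_sm_step one index at a time until
    # alloc_fail reports that the requested allocation was never reached.
    # The password is given explicitly here instead of reusing the loop
    # variable `pw` left over from the previous loop.
    for count in range(1, 1000):
        try:
            with alloc_fail(hapd, count, "eap_server_sm_step"):
                dev[0].connect("test-wpa2-eap",
                               key_mgmt="WPA-EAP WPA-EAP-SHA256",
                               eap="EKE", identity="eke user", password="hello",
                               wait_connect=False, scan_freq="2412")
                _wait_eke_server_alloc_fail(hapd, 10)
                dev[0].request("REMOVE_NETWORK all")
        except Exception as e:
            # Bare re-raise keeps the original traceback for anything other
            # than the expected end-of-sweep signal from alloc_fail.
            if str(e) != "Allocation failure did not trigger":
                raise
            if count < 30:
                raise Exception("Too few allocation failures")
            logger.info("%d allocation failures tested" % (count - 1))
            break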
2274
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    check_eap_capa(dev[0], "IKEV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    user = "ikev2 user"

    # Plain connection followed by a reauthentication.
    eap_connect(dev[0], apdev[0], "IKEV2", user, password="ike password")
    eap_reauth(dev[0], "IKEV2")

    # Same exchange with a small station-side fragment size.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", user,
                password="ike password", fragment_size="50")

    # A wrong password must be rejected.
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", user,
                password="ike-password", expect_failure=True)
2291
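def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
    check_eap_capa(dev[0], "IKEV2")
    # The AP configuration is written out directly so that fragment_size can
    # be set on the integrated EAP server (no wpa2_eap_params() call whose
    # result would only be overwritten).
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")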
2304
def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
    check_eap_capa(dev[0], "IKEV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def start_ikev2():
        # Begin the exchange without waiting; the injected failure is
        # expected to abort the method after it has been selected.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                       identity="ikev2 user", password="ike password",
                       wait_connect=False, scan_freq="2412")
        if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5) is None:
            raise Exception("EAP method not selected")

    def poll_counter(cmd):
        # Short bounded poll; a "0:" in the reply means the armed failure
        # has already been consumed.
        for _ in range(10):
            if "0:" in dev[0].request(cmd):
                break
            time.sleep(0.02)

    # Memory allocation failures in the DH helpers.
    for count, func in [ (1, "dh_init"),
                         (2, "dh_init"),
                         (1, "dh_derive_shared") ]:
        with alloc_fail(dev[0], count, func):
            start_ikev2()
            poll_counter("GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")

    # Forced failure of the random number source used from dh_init.
    with fail_test(dev[0], 1, "os_get_random;dh_init"):
        start_ikev2()
        poll_counter("GET_FAIL")
        dev[0].request("REMOVE_NETWORK all")
2342
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    user = "pax.user@example.com"

    # Connection with the configured key, then a reauthentication.
    eap_connect(dev[0], apdev[0], "PAX", user,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "PAX")

    # A key differing in its first byte must be rejected by the server.
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PAX", user,
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
2356
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    # AKM restricted to WPA-EAP-SHA256 with PMF required (ieee80211w=2).
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params.update({ "wpa_key_mgmt": "WPA-EAP-SHA256", "ieee80211w": "2" })
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    user = "psk.user@example.com"

    eap_connect(dev[0], apdev[0], "PSK", user,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    # 00-0f-ac-5 is the 802.1X-with-SHA-256 AKM suite selector; both the
    # requested and the selected suite must be that one.
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ])

    # The scan result flags must advertise the SHA-256 AKM as well.
    bss = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    # A key differing in its first byte must be rejected by the server.
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PSK", user,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
2380
def test_ap_wpa2_eap_psk_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK and OOM"""
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def start_psk():
        # Begin the EAP-PSK exchange without waiting for the outcome.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                       identity="psk.user@example.com",
                       password_hex="0123456789abcdef0123456789abcdef",
                       wait_connect=False, scan_freq="2412")

    # Allocation failures inside the AES-EAX encrypt/decrypt paths and the
    # OMAC1 helper: the method must be selected, then the failure consumed.
    for count, func in [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
                         (1, "omac1_aes_128;aes_128_eax_encrypt"),
                         (2, "omac1_aes_128;aes_128_eax_encrypt"),
                         (3, "omac1_aes_128;aes_128_eax_encrypt"),
                         (1, "=aes_128_eax_encrypt"),
                         (1, "omac1_aes_vector"),
                         (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
                         (1, "omac1_aes_128;aes_128_eax_decrypt"),
                         (2, "omac1_aes_128;aes_128_eax_decrypt"),
                         (3, "omac1_aes_128;aes_128_eax_decrypt"),
                         (1, "=aes_128_eax_decrypt") ]:
        with alloc_fail(dev[0], count, func):
            start_psk()
            if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5) is None:
                raise Exception("EAP method not selected")
            # Short bounded poll; "0:" in the reply means the armed failure
            # has already been consumed.
            for _ in range(10):
                if "0:" in dev[0].request("GET_ALLOC_FAIL"):
                    break
                time.sleep(0.02)
            dev[0].request("REMOVE_NETWORK all")

    # A failed block encryption must surface as an explicit EAP failure.
    with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
        start_psk()
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
            raise Exception("EAP method failure not reported")
        dev[0].request("REMOVE_NETWORK all")
2421
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    # WPA (not WPA2) AP, hence rsn=False below and the WPA OUI 00-50-f2
    # AKM suite selector in the MIB checks.
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa_eap_params(ssid="test-wpa-eap"))
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
                   scan_freq="2412")
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])

    # Verbose STATUS must expose the port state and the EAP Session-Id.
    status = dev[0].get_status(extra="VERBOSE")
    if 'portControl' not in status:
        raise Exception("portControl missing from STATUS-VERBOSE")
    port_control = status['portControl']
    if port_control != 'Auto':
        raise Exception("Unexpected portControl value: " + port_control)
    if 'eap_session_id' not in status:
        raise Exception("eap_session_id missing from STATUS-VERBOSE")
    session_id = status['eap_session_id']
    # The Session-Id is expected to begin with the PEAP method type (0x19).
    if not session_id.startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + session_id)
2445
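def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # Each entry: description, EAP method, anonymous identity, identity,
    # phase2 setting, identity to supply on CTRL-REQ-IDENTITY (None when the
    # identity is preconfigured) and the password/OTP to supply on request.
    # The backslash in the domain-qualified user name is escaped explicitly
    # so the literal does not depend on the undefined "\m" escape; the value
    # is unchanged.
    tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
               "TTLS", "ttls", "DOMAIN\\mschapv2 user", "auth=MSCHAPV2",
               None, "password"),
              ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
               "TTLS", "ttls", None, "auth=MSCHAPV2",
               "DOMAIN\\mschapv2 user", "password"),
              ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
               "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
              ("Connection with dynamic TTLS/EAP-MD5 password entry",
               "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
              ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
               "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
              ("Connection with dynamic PEAP/EAP-GTC password entry",
               "PEAP", None, "user", "auth=GTC", None, "password") ]
    for desc, eap, anon, identity, phase2, req_id, req_pw in tests:
        logger.info(desc)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        if req_id:
            ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
            if ev is None:
                raise Exception("Request for identity timed out")
            # The request number sits between the last '-' and the ':' of
            # "CTRL-REQ-IDENTITY-<num>:..." and must be echoed in the reply.
            req_num = ev.split(':')[0].split('-')[-1]
            dev[0].request("CTRL-RSP-IDENTITY-" + req_num + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD", "CTRL-REQ-OTP"])
        if ev is None:
            raise Exception("Request for password timed out")
        req_num = ev.split(':')[0].split('-')[-1]
        req_kind = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + req_kind + "-" + req_num + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")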
2487
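def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
    """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # A second, not yet enabled, open network to enable once connected.
    id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
                              only_add_network=True)

    # Backslash escaped explicitly so the literal does not depend on the
    # undefined "\m" escape; the value is the same domain-qualified name.
    req_id = "DOMAIN\\mschapv2 user"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   anonymous_identity="ttls", identity=None,
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    if ev is None:
        raise Exception("Request for identity timed out")
    # The request number sits between the last '-' and the ':' of
    # "CTRL-REQ-IDENTITY-<num>:..." and must be echoed in the reply.
    req_num = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + req_num + ":" + req_id)
    dev[0].wait_connected(timeout=10)

    # Enabling another network must not make the station drop its current
    # association to try the new one.
    if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
        raise Exception("Failed to enable network")
    ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
    if ev is not None:
        raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
    dev[0].request("REMOVE_NETWORK all")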
2517
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # First station: plain exchange plus a reauthentication.
    eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
    eap_reauth(dev[0], "VENDOR-TEST")
    # Second station: the "pending" password variant of the test method.
    eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
                password="pending")
2526
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=1 permits unauthenticated PAC provisioning; the PAC
    # is kept in a configuration blob rather than on disk.
    fast_cfg = dict(anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    eap_connect(dev[0], apdev[0], "FAST", "user", **fast_cfg)
    hwsim_utils.test_connectivity(dev[0], hapd)
    # The reauthentication must resume via the provisioned PAC.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2540
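def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
    check_eap_capa(dev[0], "FAST")
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    fast_cfg = dict(anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    try:
        # Text PAC file: provision it, check its contents, then reconnect
        # using only the stored PAC (no provisioning allowed).
        eap_connect(dev[0], apdev[0], "FAST", "user",
                    phase1="fast_provisioning=1", pac_file=pac_file,
                    **fast_cfg)
        with open(pac_file, "r") as f:
            data = f.read()
        if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
            raise Exception("PAC file header missing")
        if "PAC-Key=" not in data:
            raise Exception("PAC-Key missing from PAC file")
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "FAST", "user", pac_file=pac_file,
                    **fast_cfg)

        # Binary PAC file on a second station, same provision-then-reuse
        # sequence.
        eap_connect(dev[1], apdev[0], "FAST", "user",
                    phase1="fast_provisioning=1 fast_pac_format=binary",
                    pac_file=pac_file2, **fast_cfg)
        dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[1], apdev[0], "FAST", "user",
                    phase1="fast_pac_format=binary",
                    pac_file=pac_file2, **fast_cfg)
    finally:
        # The PAC files hold the provisioned PAC-Key, so remove them even on
        # failure. Only a failed removal (e.g. file never written) is
        # tolerated; other errors still propagate.
        for path in (pac_file, pac_file2):
            try:
                os.remove(path)
            except OSError:
                pass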
2586
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Unauthenticated provisioning into a binary-format PAC blob, with the
    # PAC list capped at a single entry.
    phase1 = "fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary"
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=phase1,
                pac_file="blob://fast_pac_bin")
    # The reauthentication must resume via the provisioned PAC.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2600
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def expect_eap_failure(**extra):
        # Start EAP-FAST without any provisioning setting and require that
        # the attempt ends in an EAP failure.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412", **extra)
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception("Timeout on EAP failure report")

    # A PAC blob name that holds no provisioned PAC.
    expect_eap_failure(pac_file="blob://fast_pac_not_in_use")
    dev[0].request("REMOVE_NETWORK all")

    # No pac_file configured at all.
    expect_eap_failure()
2626
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=2 permits authenticated PAC provisioning only; the
    # PAC is kept in a configuration blob.
    fast_cfg = dict(anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                    phase1="fast_provisioning=2",
                    pac_file="blob://fast_pac_auth")
    eap_connect(dev[0], apdev[0], "FAST", "user", **fast_cfg)
    hwsim_utils.test_connectivity(dev[0], hapd)
    # The reauthentication must resume via the provisioned PAC.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2640
def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net_id = eap_connect(dev[0], apdev[0], "FAST", "user",
                         anonymous_identity="FAST", password="password",
                         ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                         phase1="fast_provisioning=2",
                         pac_file="blob://fast_pac_auth")

    # Changing the identity of the live network triggers a reconnect; the
    # new attempt is expected to start EAP-FAST and then fail.
    dev[0].set_network_quoted(net_id, "identity", "user2")
    dev[0].wait_disconnected()
    expected = [ (["CTRL-EVENT-EAP-METHOD"], 15, "EAP-FAST not started"),
                 (["CTRL-EVENT-EAP-FAILURE"], 5, "EAP failure not reported") ]
    for events, timeout, msg in expected:
        if dev[0].wait_event(events, timeout=timeout) is None:
            raise Exception(msg)
    dev[0].wait_disconnected()
2660
def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
    check_eap_capa(dev[0], "FAST")
    # The PRF wrapper (and which allocation inside it to fail) depends on
    # the TLS library the build uses.
    prf_targets = [ ("OpenSSL", "openssl_tls_prf", 2),
                    ("internal", "tls_connection_prf", 1) ]
    tls = dev[0].request("GET tls_library")
    for prefix, func, count in prf_targets:
        if tls.startswith(prefix):
            break
    else:
        raise HwsimSkip("Unsupported TLS library")

    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    with alloc_fail(dev[0], count, func):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password", ca_cert="auth_serv/ca.pem",
                       phase2="auth=GTC",
                       phase1="fast_provisioning=2",
                       pac_file="blob://fast_pac_auth",
                       wait_connect=False, scan_freq="2412")
        # A PRF allocation failure must end in a reported EAP failure.
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")
        dev[0].request("DISCONNECT")
2687
def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
    """EAP-FAST/MSCHAPv2 and server OOM"""
    check_eap_capa(dev[0], "FAST")

    # Integrated EAP server with EAP-FAST enabled: a PAC-Opaque encryption
    # key plus an A-ID and its descriptive text.
    ap_params = int_eap_server_params()
    ap_params.update({
        'dh_file': 'auth_serv/dh.conf',
        'pac_opaque_encr_key': '000102030405060708090a0b0c0d0e0f',
        'eap_fast_a_id': '1011',
        'eap_fast_a_id_info': 'another test server',
    })
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # Failing the session-ticket extension callback on the server must
    # make the provisioning attempt fail cleanly.
    with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
        net_id = eap_connect(dev[0], apdev[0], "FAST", "user",
                             anonymous_identity="FAST", password="password",
                             ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                             phase1="fast_provisioning=1",
                             pac_file="blob://fast_pac",
                             expect_failure=True)
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
            raise Exception("No EAP failure reported")
        dev[0].wait_disconnected()
        dev[0].request("DISCONNECT")

    # Retry the same network once the failure injection is gone.
    dev[0].select_network(net_id, freq="2412")
2713
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # ocsp=2: the station requires a valid stapled OCSP response for the
    # server certificate; client credentials come from a PKCS#12 bundle.
    client_cred = dict(ca_cert="auth_serv/ca.pem",
                       private_key="auth_serv/user.pkcs12",
                       private_key_passwd="whatever")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ocsp=2, **client_cred)
2723
def int_eap_server_params():
    """Return hostapd parameters for a WPA2-EAP AP with an integrated EAP server.

    The server uses the test CA, server certificate, private key and user
    database from auth_serv/. A fresh dict is returned on every call so
    callers may add or override keys freely.
    """
    ap_params = { "ssid": "test-wpa2-eap", "wpa": "2",
                  "wpa_key_mgmt": "WPA-EAP", "rsn_pairwise": "CCMP",
                  "ieee8021x": "1" }
    ap_params.update({ "eap_server": "1",
                       "eap_user_file": "auth_serv/eap_user.conf",
                       "ca_cert": "auth_serv/ca.pem",
                       "server_cert": "auth_serv/server.pem",
                       "private_key": "auth_serv/server.key" })
    return ap_params
2732
def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
    """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
    check_ocsp_support(dev[0])
    # The stapled response is expected under the log directory; skip rather
    # than fail when it was not produced.
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-key-id.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = dict(int_eap_server_params(), ocsp_stapling_response=ocsp)
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # ocsp=2: the connection only completes if the stapled response is
    # accepted, here one signed by a responder identified via key ID.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   scan_freq="2412")
2747
def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (good)"""
    check_ocsp_support(dev[0])
    # The stapled response is expected under the log directory; skip rather
    # than fail when it was not produced.
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = dict(int_eap_server_params(), ocsp_stapling_response=ocsp)
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # ocsp=2 with a CA-signed "good" response: the connection must complete.
    client_cred = dict(ca_cert="auth_serv/ca.pem",
                       private_key="auth_serv/user.pkcs12",
                       private_key_passwd="whatever")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ocsp=2, scan_freq="2412",
                   **client_cred)
2762
def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (revoked)"""
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = dict(int_eap_server_params(), ocsp_stapling_response=ocsp)
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # ocsp=2 makes the station require a valid stapled response; a "revoked"
    # status must abort the handshake rather than let it complete.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # Inspect at most 11 EAP status events for the rejection reason.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if ('bad certificate status response' in ev or
            'certificate revoked' in ev):
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2793
def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (unknown)"""
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = dict(int_eap_server_params(), ocsp_stapling_response=ocsp)
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # ocsp=2 makes the station require a valid stapled response; an
    # "unknown" status must be treated as a bad response.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # Inspect at most 11 EAP status events for the rejection reason.
    seen = 0
    while 'bad certificate status response' not in (
            dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"]) or
            _raise_eap_status_timeout()):
        seen += 1
        if seen > 10:
            raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")


def _raise_eap_status_timeout():
    """Raise the timeout error used when no EAP status event arrives."""
    raise Exception("Timeout on EAP status")
2822
def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
    """EAP-TLS and server signed OCSP response"""
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = dict(int_eap_server_params(), ocsp_stapling_response=ocsp)
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # ocsp=2 makes the station require a valid stapled response; a response
    # signed by the server certificate itself must be rejected.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # Inspect at most 11 EAP status events for the rejection reason.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2851
def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
    check_ocsp_support(dev[0])
    # The AP staples an OCSP *request* where a response is expected.
    ap_params = dict(int_eap_server_params(),
                     ocsp_stapling_response="auth_serv/ocsp-req.der")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # ocsp=2: unparseable stapled data must abort the handshake.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # Inspect at most 11 EAP status events for the rejection reason.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2877
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
    check_ocsp_support(dev[0])
    ap_params = dict(int_eap_server_params(),
                     ocsp_stapling_response="auth_serv/ocsp-server-cache.der-invalid")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # ocsp=2: an invalid stapled response must abort the handshake.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # Inspect at most 11 EAP status events for the rejection reason.
    remaining = 11
    while remaining:
        remaining -= 1
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2903
def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
    check_ocsp_support(dev[0])
    ap_params = dict(int_eap_server_params(),
                     ocsp_stapling_response="auth_serv/ocsp-server-cache.der-unknown-sign")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # ocsp=2: a stapled response from a signer the station does not trust
    # must abort the handshake.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # Inspect at most 11 EAP status events for the rejection reason.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2929
def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked

    The AP staples a pre-generated OCSP response with status "revoked"
    (ocsp-server-cache-revoked.der from params['logdir']; the test is
    skipped when that file is absent). With ocsp=2 the station must refuse
    the server certificate, reported as an EAP status event mentioning
    either a bad certificate status response or a revoked certificate,
    and then signal EAP failure.

    dev: station instances (only dev[0] is used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    params: test-run parameters; params['logdir'] holds the OCSP response.
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    sta_cfg = dict(key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sta_cfg)

    rejections = ('bad certificate status response', 'certificate revoked')
    # Consume at most 11 status events while waiting for the rejection.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if any(marker in ev for marker in rejections):
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2960
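def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown

    The AP staples a pre-generated OCSP response with status "unknown"
    (ocsp-server-cache-unknown.der from params['logdir']; the test is
    skipped when that file is absent). With ocsp=2 the station must refuse
    the server certificate: an EAP status event with 'bad certificate
    status response' is expected within the first 11 status events,
    followed by EAP failure. (The "revoked" variant is
    test_ap_wpa2_eap_ttls_ocsp_revoked.)

    dev: station instances (only dev[0] is used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    params: test-run parameters; params['logdir'] holds the OCSP response.
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    sta_cfg = dict(key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sta_cfg)

    # Consume at most 11 status events while waiting for the rejection.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")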
2989
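def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS, optional OCSP and status unknown

    Same stapled "unknown" OCSP response as test_ap_wpa2_eap_ttls_ocsp_unknown,
    but the station asks for OCSP with ocsp=1 (optional) rather than ocsp=2.
    connect() is called without wait_connect=False, i.e. the connection is
    expected to complete despite the unknown status.

    dev: station instances (only dev[0] is used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    params: test-run parameters; params['logdir'] holds the OCSP response.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")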
3002
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    The AP uses server-no-dnsname.pem (judging by the name, a certificate
    without a dNSName SAN), so domain_suffix_match has to be satisfied by
    the CN. The full name "server3.w1.fi" is expected to match and the
    connection to complete.

    dev: station instances (only dev[0] is used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    """
    check_domain_match_full(dev[0])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    sta_cfg = dict(key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="server3.w1.fi",
                   scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sta_cfg)
3016
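def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain match (CN)

    The AP uses server-no-dnsname.pem (judging by the name, a certificate
    without a dNSName SAN), so domain_match has to be satisfied by the CN.
    The exact name "server3.w1.fi" is expected to match and the connection
    to complete.

    dev: station instances (only dev[0] is used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    """
    check_domain_match(dev[0])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    sta_cfg = dict(key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="server3.w1.fi",
                   scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sta_cfg)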
3030
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    Like the _cn_full variant but with the parent domain "w1.fi" as the
    suffix, which is expected to match the CN and let the connection
    complete. Note the capability check runs on dev[0] while the
    connection is made from dev[1].

    dev: station instances (dev[0] for the check, dev[1] for the connection).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    """
    check_domain_match_full(dev[0])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    sta_cfg = dict(key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="w1.fi",
                   scan_freq="2412")
    dev[1].connect("test-wpa2-eap", **sta_cfg)
3044
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)

    Two stations connect to a server whose certificate
    (server-no-dnsname.pem) has to be matched on the CN: dev[0] requires
    the unrelated suffix "example.com", dev[1] the partial label
    "erver3.w1.fi". Neither is a valid suffix match, so both are expected
    to end with an EAP failure event rather than a connection.

    dev: station instances (dev[0] and dev[1] are used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    """
    check_domain_suffix_match(dev[0])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    common = dict(key_mgmt="WPA-EAP", eap="TLS",
                  identity="tls user", ca_cert="auth_serv/ca.pem",
                  private_key="auth_serv/user.pkcs12",
                  private_key_passwd="whatever",
                  wait_connect=False,
                  scan_freq="2412")
    dev[0].connect("test-wpa2-eap", domain_suffix_match="example.com",
                   **common)
    dev[1].connect("test-wpa2-eap", domain_suffix_match="erver3.w1.fi",
                   **common)

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
    if dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report (2)")
3072
def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)

    Two stations connect to a server whose certificate
    (server-no-dnsname.pem) has to be matched on the CN with domain_match:
    dev[0] requires "example.com" and dev[1] the parent domain "w1.fi".
    Neither equals the CN, so both are expected to end with an EAP failure
    event rather than a connection.

    dev: station instances (dev[0] and dev[1] are used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    """
    check_domain_match(dev[0])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    common = dict(key_mgmt="WPA-EAP", eap="TLS",
                  identity="tls user", ca_cert="auth_serv/ca.pem",
                  private_key="auth_serv/user.pkcs12",
                  private_key_passwd="whatever",
                  wait_connect=False,
                  scan_freq="2412")
    dev[0].connect("test-wpa2-eap", domain_match="example.com", **common)
    dev[1].connect("test-wpa2-eap", domain_match="w1.fi", **common)

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
    if dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report (2)")
3100
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate

    The AP presents server-expired.pem. The station must reject it: first
    a CTRL-EVENT-EAP-TLS-CERT-ERROR carrying both "reason=4" and
    "certificate has expired" is expected, then an EAP failure event.

    dev: station instances (only dev[0] is used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    """
    skip_with_fips(dev[0])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-expired.pem"
    ap_params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    sta_cfg = dict(key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   wait_connect=False,
                   scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sta_cfg)

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    if ev is None:
        raise Exception("Timeout on EAP certificate error report")
    if not ("reason=4" in ev and "certificate has expired" in ev):
        raise Exception("Unexpected failure reason: " + ev)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
3121
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration

    Same expired server certificate as test_ap_wpa2_eap_ttls_expired_cert,
    but the station sets phase1="tls_disable_time_checks=1", which turns
    off validity-period checking; the connection is therefore expected to
    complete.

    dev: station instances (only dev[0] is used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    """
    skip_with_fips(dev[0])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-expired.pem"
    ap_params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    sta_cfg = dict(key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   phase1="tls_disable_time_checks=1",
                   scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sta_cfg)
3134
def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and long certificate duration

    The AP presents server-long-duration.pem; the station is expected to
    accept it and the EAP-TTLS/MSCHAP connection to complete.

    dev: station instances (only dev[0] is used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    """
    skip_with_fips(dev[0])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-long-duration.pem"
    ap_params["private_key"] = "auth_serv/server-long-duration.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    sta_cfg = dict(key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sta_cfg)
3146
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU

    The AP uses server-eku-client.pem, a certificate whose extended key
    usage (judging by the file name) only allows client authentication.
    The station is expected to refuse it as a server certificate, so the
    test waits for an EAP failure event instead of a connection.

    dev: station instances (only dev[0] is used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    """
    skip_with_fips(dev[0])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-eku-client.pem"
    ap_params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    sta_cfg = dict(key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   wait_connect=False,
                   scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sta_cfg)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
3162
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU

    The AP uses server-eku-client-server.pem, whose extended key usage
    (judging by the file name) covers both client and server
    authentication; the station is expected to accept it and the
    connection to complete.

    dev: station instances (only dev[0] is used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    """
    skip_with_fips(dev[0])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    ap_params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    sta_cfg = dict(key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sta_cfg)
3174
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file

    The separate server_cert entry is dropped and private_key is pointed
    at server.pkcs12, so the integrated EAP server has to take both the
    certificate and the key from the PKCS#12 container. The EAP-TTLS/MSCHAP
    connection is expected to complete.

    dev: station instances (only dev[0] is used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    """
    skip_with_fips(dev[0])
    ap_params = int_eap_server_params()
    del ap_params["server_cert"]
    ap_params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    sta_cfg = dict(key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sta_cfg)
3186
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params

    The station supplies its own DH parameters file (auth_serv/dh.conf via
    dh_file) for the EAP-TTLS/PAP connection, which is expected to
    complete.

    dev: station instances (only dev[0] is used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                   dh_file="auth_serv/dh.conf")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **sta_cfg)
3195
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)

    Like test_ap_wpa2_eap_ttls_dh_params but the station's dh_file is a
    DSA parameter file (auth_serv/dsaparam.pem); skipped when the build
    has no DSA parameter support. The connection is expected to complete.

    dev: station instances (only dev[0] is used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    """
    check_dh_dsa_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                   dh_file="auth_serv/dsaparam.pem")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **sta_cfg)
3205
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TTLS and DH params file not found

    The station is configured with a dh_file that does not exist; EAP is
    expected to fail (CTRL-EVENT-EAP-FAILURE) and the network is then
    removed so the station disconnects cleanly.

    dev: station instances (only dev[0] is used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    """
    # NOTE(review): a later def in this file reuses this exact function
    # name for the server-side dhparams variant. Python keeps only the last
    # binding, so this station-side test is shadowed at import time and is
    # not collected until one of the two is renamed (e.g. the later one to
    # test_ap_wpa2_eap_ttls_dh_params_server_not_found).
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    sta_cfg = dict(key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/dh-no-such-file.conf",
                   scan_freq="2412", wait_connect=False)
    dev[0].connect("test-wpa2-eap", **sta_cfg)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
3221
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TTLS and invalid DH params file

    The station's dh_file points at a certificate (auth_serv/ca.pem)
    rather than DH parameters; EAP is expected to fail
    (CTRL-EVENT-EAP-FAILURE) and the network is then removed so the
    station disconnects cleanly.

    dev: station instances (only dev[0] is used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    """
    # NOTE(review): a later def in this file reuses this exact function
    # name for the server-side dhparams variant. Python keeps only the last
    # binding, so this station-side test is shadowed at import time and is
    # not collected until one of the two is renamed (e.g. the later one to
    # test_ap_wpa2_eap_ttls_dh_params_server_invalid).
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    sta_cfg = dict(key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/ca.pem",
                   scan_freq="2412", wait_connect=False)
    dev[0].connect("test-wpa2-eap", **sta_cfg)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
3237
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob

    The DH parameters from auth_serv/dh2.conf are handed to wpa_supplicant
    as a named blob ("SET blob dhparams <hex>") and referenced through
    dh_file="blob://dhparams" instead of a file path. The connection is
    expected to complete.

    dev: station instances (only dev[0] is used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dh = read_pem("auth_serv/dh2.conf")
    # str.encode("hex") is Python 2 only; binascii.hexlify() is the
    # portable equivalent should this file move to Python 3.
    res = dev[0].request("SET blob dhparams " + dh.encode("hex"))
    if "OK" not in res:
        raise Exception("Could not set dhparams blob")
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                   dh_file="blob://dhparams")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **sta_cfg)
3249
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams

    The integrated EAP server is given auth_serv/dh2.conf as its dh_file;
    the EAP-TTLS/PAP connection is expected to complete.

    dev: station instances (only dev[0] is used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    """
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **sta_cfg)
3258
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)

    The integrated EAP server is given the DSA parameter file
    auth_serv/dsaparam.pem as its dh_file; the EAP-TTLS/PAP connection is
    expected to complete.

    dev: station instances (only dev[0] is used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    """
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dsaparam.pem"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **sta_cfg)
3267
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found

    The integrated EAP server is configured with a dh_file that does not
    exist. The AP is added without enabling it and ENABLE is expected to
    be refused ("FAIL" in the reply); accepting the configuration is a
    test failure.

    dev: station instances (unused).
    apdev: AP descriptors; the AP is added on apdev[0]['ifname'].
    """
    # NOTE(review): this def reuses the name of the station-side test
    # defined earlier in this file and therefore replaces it in the module
    # namespace, so only this server-side variant is ever collected.
    # Renaming this one (e.g. to
    # test_ap_wpa2_eap_ttls_dh_params_server_not_found) would restore the
    # shadowed test without touching its code.
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dh-no-such-file.conf"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params, no_enable=True)
    reply = hapd.request("ENABLE")
    if "FAIL" not in reply:
        raise Exception("Invalid configuration accepted")
3275
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file

    The integrated EAP server's dh_file points at a certificate
    (auth_serv/ca.pem) rather than DH parameters. The AP is added without
    enabling it and ENABLE is expected to be refused ("FAIL" in the
    reply); accepting the configuration is a test failure.

    dev: station instances (unused).
    apdev: AP descriptors; the AP is added on apdev[0]['ifname'].
    """
    # NOTE(review): this def reuses the name of the station-side test
    # defined earlier in this file and therefore replaces it in the module
    # namespace, so only this server-side variant is ever collected.
    # Renaming this one (e.g. to
    # test_ap_wpa2_eap_ttls_dh_params_server_invalid) would restore the
    # shadowed test without touching its code.
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params, no_enable=True)
    reply = hapd.request("ENABLE")
    if "FAIL" not in reply:
        raise Exception("Invalid configuration accepted")
3283
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication

    hostapd is configured with eap_reauth_period=2 so that it re-runs EAP
    shortly after the initial EAP-PAX connection. The test waits (10 s
    each) for the new EAP session to start and succeed, then polls
    wpa_state up to 20 times at 100 ms intervals until it reads COMPLETED.

    dev: station instances (only dev[0] is used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['eap_reauth_period'] = '2'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")

    logger.info("Wait for reauthentication")
    for event in ("CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-EAP-SUCCESS"):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception("Timeout on reauthentication")

    state = None
    for _ in range(20):
        state = dev[0].get_status_field("wpa_state")
        if state == "COMPLETED":
            break
        time.sleep(0.1)
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")
3305
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity

    hostapd's eap_message is set to a displayable text followed by
    backslash-0 separated attributes (networkid, nasid, portid, NAIRealms;
    the Python literal carries a literal backslash and '0', which hostapd
    presumably interprets as the separator). The EAP-PAX connection must
    still complete with the message present.

    dev: station instances (only dev[0] is used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
3313
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication

    The integrated EAP server uses the hlr_auc_gw socket as its SIM
    database with eap_sim_aka_result_ind=1. For each of EAP-SIM, EAP-AKA
    and EAP-AKA' the test connects dev[0] with phase1="result_ind=1",
    re-authenticates it, and connects dev[1] without requesting the result
    indication; networks are cleared on both stations between methods.
    Skipped when hlr_auc_gw is not available.

    dev: station instances (dev[0] and dev[1] are used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    """
    check_hlr_auc_gw_support()
    ap_params = int_eap_server_params()
    ap_params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    ap_params['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # (method, identity, test credentials in hlr_auc_gw format)
    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, identity, password) in enumerate(cases):
        if idx:
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], method, identity, password=password,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, identity, password=password)
3348
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips

    The station sets fragment_size="10", forcing the EAP-TTLS exchange into
    very small fragments so that the roundtrip limit is exceeded. The test
    waits (20 s) for the "EAP: more than" log event that reports the limit
    being hit; anything else is a failure.

    dev: station instances (only dev[0] is used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    """
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    sta_cfg = dict(key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="TTLS", identity="mschap user",
                   wait_connect=False, scan_freq="2412", ieee80211w="1",
                   anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   fragment_size="10")
    dev[0].connect("test-wpa2-eap", **sta_cfg)
    if dev[0].wait_event(["EAP: more than"], timeout=20) is None:
        raise Exception("EAP roundtrip limit not reached")
3363
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK

    The station offers EAP-PSK with the identity "vendor-test"; the server
    is expected to propose a method the station refuses, which surfaces as
    an EAP status event containing "refuse proposed method" within the
    first five status events, followed by EAP failure.

    dev: station instances (only dev[0] is used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="PSK", identity="vendor-test",
                   password_hex="ff23456789abcdef0123456789abcdef",
                   wait_connect=False)

    ev = None
    for _ in range(5):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in ev:
            break
    else:
        # Five status events seen, none of them the expected refusal.
        raise Exception("Unexpected EAP status: " + ev)

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("EAP failure timed out")
3387
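def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB

    Creates a throwaway SQLite user database in params['logdir'], points
    the integrated EAP server at it via eap_user_file="sqlite:<path>" and
    authenticates one user per EAP-TTLS inner method (MSCHAPV2, MSCHAP,
    CHAP, PAP). The database file is deleted when the test finishes, even
    on failure.

    dev: station instances; dev[0] and dev[1] are used alternately.
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    params: test-run parameters; params['logdir'] receives eap-user.db.

    Raises HwsimSkip when the sqlite3 module is unavailable
    (skip_with_fips() may skip as well).
    """
    skip_with_fips(dev[0])
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    # Start from a clean file; it is fine for it not to exist yet.
    try:
        os.remove(dbfile)
    except OSError:
        pass

    # Fixed schema and test users. Every statement is a literal with no
    # external input, so plain execute() is appropriate here.
    schema = [
        "CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)",
        "CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)",
        "INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)",
        "INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)",
        "INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)",
        "INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)",
        "INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')",
        "CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)",
    ]
    con = sqlite3.connect(dbfile)
    try:
        with con:  # commits on success, rolls back on error
            cur = con.cursor()
            for statement in schema:
                cur.execute(statement)
    finally:
        # 'with con' only commits; close explicitly so this process holds
        # no handle on the file while hostapd reads it.
        con.close()

    try:
        ap_params = int_eap_server_params()
        ap_params["eap_user_file"] = "sqlite:" + dbfile
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
        dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
        eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    finally:
        os.remove(dbfile)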
3432
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Two stations send EAP-TTLS identities containing the non-ASCII byte
    0x80 ("\\x80" and "a\\x80") to the integrated EAP server. The test only
    checks that EAP starts and a method gets selected for both (10 s each);
    it does not wait for the connection to complete.

    dev: station instances (dev[0] and dev[1] are used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    """
    ap_params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    identities = ("\x80", "a\x80")
    for i, ident in enumerate(identities):
        dev[i].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity=ident, password="password",
                       wait_connect=False)

    expected = (("CTRL-EVENT-EAP-STARTED", "Association and EAP start timed out"),
                ("CTRL-EVENT-EAP-METHOD", "EAP method selection timed out"))
    for i in range(2):
        for event, error in expected:
            if dev[i].wait_event([event], timeout=10) is None:
                raise Exception(error)
3448
def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Same as test_ap_wpa2_eap_non_ascii_identity but against the default
    hostapd.wpa2_eap_params() configuration (RADIUS-backed) instead of the
    integrated EAP server: both stations must reach EAP start and method
    selection (10 s each); the connection itself is not awaited.

    dev: station instances (dev[0] and dev[1] are used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    identities = ("\x80", "a\x80")
    for i, ident in enumerate(identities):
        dev[i].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity=ident, password="password",
                       wait_connect=False)

    expected = (("CTRL-EVENT-EAP-STARTED", "Association and EAP start timed out"),
                ("CTRL-EVENT-EAP-METHOD", "EAP method selection timed out"))
    for i in range(2):
        for event, error in expected:
            if dev[i].wait_event([event], timeout=10) is None:
                raise Exception(error)
3464
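def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant

    Exercises the station-side openssl_ciphers network parameter against a
    default hostapd EAP configuration:
      - dev[0]: "AES128" must still allow the EAP-TTLS/PAP connection;
      - dev[1]: "EXPORT" must fail (expect_failure=True; maybe_local_error
        presumably tolerates the failure being raised locally, as an
        OpenSSL build may offer no EXPORT ciphers at all);
      - dev[2]: the invalid string "FOO" must yield CTRL-EVENT-EAP-FAILURE
        within 10 s, after which dev[2] is disconnected.
    Skipped when the station's TLS library is not OpenSSL.

    dev: station instances (dev[0], dev[1] and dev[2] are used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    """
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # The handle returned by add_ap() is not needed afterwards.
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="AES128",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="EXPORT",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                expect_failure=True, maybe_local_error=True)
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password",
                   openssl_ciphers="FOO",
                   ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                   wait_connect=False)
    ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure after invalid openssl_ciphers not reported")
    dev[2].request("DISCONNECT")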
3491
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    The integrated EAP server is restricted to "AES256" via
    openssl_ciphers. dev[0] (default ciphers) and dev[2] ("HIGH:!ADH")
    must connect, while dev[1], limited to "AES128", must fail because no
    suite is common. A second AP with the invalid value "FOO" is then
    added without enabling it, and ENABLE must be refused. Skipped when
    either wpa_supplicant's or hostapd's TLS library is not OpenSSL.

    dev: station instances (dev[0], dev[1] and dev[2] are used).
    apdev: AP descriptors; apdev[0] and apdev[1] are used.
    """
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls)
    ap_params = int_eap_server_params()
    ap_params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    tls = hapd.request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)

    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **common)
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **common)
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **common)

    ap_params['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], ap_params, no_enable=True)
    if "FAIL" not in hapd2.request("ENABLE"):
        raise Exception("Invalid openssl_ciphers value accepted")
3520
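def _keys_from_debug_log(logfile):
    """Collect the keys wpa_supplicant logged as hexdumps in *logfile*.

    Returns a dict with the entries msk, emsk, pmk, ptk and gtk, each the
    unhexlified key or None when its hexdump line was not found. The hex
    payload is the text after the third ':' of the line with spaces
    removed; when a marker occurs several times the last occurrence wins.
    """
    markers = (("msk", "EAP-TTLS: Derived key - hexdump"),
               ("emsk", "EAP-TTLS: Derived EMSK - hexdump"),
               ("pmk", "WPA: PMK - hexdump"),
               ("ptk", "WPA: PTK - hexdump"),
               ("gtk", "WPA: Group Key - hexdump"))
    keys = dict((name, None) for name, _ in markers)
    with open(logfile, 'r') as f:
        for line in f:
            for name, marker in markers:
                if marker in line:
                    val = line.strip().split(':')[3].replace(' ', '')
                    keys[name] = binascii.unhexlify(val)
    return keys


def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP

    Connects with EAP-TTLS/PAP, recovers the derived keys (MSK, EMSK, PMK,
    PTK, GTK) from the wpa_supplicant debug log and inspects the process
    memory of wpa_supplicant at four points: while associated, after
    disconnection, after flushing the PMKSA cache and EAP fast-reauth
    state, and after removing the network profile. Material that should
    have been wiped but is still present is reported via
    verify_not_present(), which is given a file prefix under
    params['logdir'] (presumably for a memory context dump).

    dev: station instances (only dev[0] is used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    params: test-run parameters; params['logdir'] holds log0 and receives
        the memctx files.

    Raises HwsimSkip when the password or PMK cannot be located while
    associated (the memory-reading approach did not work on this system)
    and Exception for any key found where it should have been cleared.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    pid = find_wpas_process(dev[0])
    net_id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
                         anonymous_identity="ttls", password=password,
                         ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
    # event has been delivered, so verify that wpa_supplicant has returned to
    # eloop before reading process memory.
    time.sleep(1)
    dev[0].ping()
    buf = read_process_memory(pid, password)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    dev[0].relog()
    keys = _keys_from_debug_log(os.path.join(params['logdir'], 'log0'))
    msk = keys["msk"]
    emsk = keys["emsk"]
    pmk = keys["pmk"]
    ptk = keys["ptk"]
    gtk = keys["gtk"]
    if not msk or not emsk or not pmk or not ptk or not gtk:
        raise Exception("Could not find keys from debug log")
    if len(gtk) != 16:
        raise Exception("Unexpected GTK length")

    # PTK layout used here: KCK (16) | KEK (16) | TK (16).
    kck = ptk[0:16]
    kek = ptk[16:32]
    tk = ptk[32:48]

    fname = os.path.join(params['logdir'],
                         'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')

    logger.info("Checking keys in memory while associated")
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # Password and PMK are expected in memory at this point; not finding
    # them means the memory read itself is unreliable, hence a skip.
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    if pmk not in buf:
        raise HwsimSkip("PMK not found while associated")
    if kck not in buf:
        raise Exception("KCK not found while associated")
    if kek not in buf:
        raise Exception("KEK not found while associated")
    # TK and GTK live in the driver; user space must not keep copies.
    if tk in buf:
        raise Exception("TK found from memory")
    if gtk in buf:
        get_key_locations(buf, gtk, "GTK")
        raise Exception("GTK found from memory")

    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, password)

    # Note: Password is still present in network configuration
    # Note: PMK is in PMKSA cache and EAP fast re-auth data

    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")

    dev[0].request("PMKSA_FLUSH")
    # Changing the identity invalidates the EAP fast re-auth state.
    dev[0].set_network_quoted(net_id, "identity", "foo")
    logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, pmk, fname, "PMK")

    dev[0].request("REMOVE_NETWORK all")

    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, password)

    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, password, fname, "password")
    verify_not_present(buf, pmk, fname, "PMK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    verify_not_present(buf, msk, fname, "MSK")
    verify_not_present(buf, emsk, fname, "EMSK")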
3636
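def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
    """WPA2-Enterprise connection and unexpected WEP EAPOL-Key

    After a normal EAP-TTLS/PAP connection, an EAPOL-Key frame using the
    legacy RC4 key descriptor (the WEP-era descriptor type 1, EAPOL
    version 2, type 3, length 0x2c) is injected through the EAPOL_RX
    control interface command as if it came from the AP. wpa_supplicant is
    expected to accept the injection request ("OK") and simply drop the
    frame; the test only verifies that the command itself does not fail.

    dev: station instances (only dev[0] is used).
    apdev: AP descriptors; the AP is started on apdev[0]['ifname'].
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # The handle returned by add_ap() is not needed afterwards.
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    bssid = apdev[0]['bssid']
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    # Send unexpected WEP EAPOL-Key; this gets dropped
    res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
    if "OK" not in res:
        raise Exception("EAPOL_RX to wpa_supplicant failed")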
3650
def test_ap_wpa2_eap_in_bridge(dev, apdev):
    """WPA2-EAP and wpas interface in a bridge"""
    bridge = 'sta-br0'
    sta_ifname = 'wlan5'
    # Tear-down steps, run in this order whether or not the test body
    # succeeded. Each is an argument list (no shell) and the exit status is
    # ignored so that a partially created bridge is still cleaned up.
    teardown = [
        ['ip', 'link', 'set', 'dev', bridge, 'down'],
        ['brctl', 'delif', bridge, sta_ifname],
        ['brctl', 'delbr', bridge],
        ['iw', sta_ifname, 'set', '4addr', 'off'],
    ]
    try:
        _test_ap_wpa2_eap_in_bridge(dev, apdev)
    finally:
        for cmd in teardown:
            subprocess.call(cmd)
3662
def _test_ap_wpa2_eap_in_bridge(dev, apdev):
    # Body of test_ap_wpa2_eap_in_bridge(); bridge tear-down is done by the
    # caller's finally block.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    bridge = 'sta-br0'
    sta_ifname = 'wlan5'
    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    # Bridge preparation: forwarding delay 0 and 4addr mode on the station
    # interface (needed before a managed-mode interface can be enslaved).
    # Exit codes of the preparatory steps are ignored; only the final
    # addif has to succeed.
    for cmd in (['brctl', 'addbr', bridge],
                ['brctl', 'setfd', bridge, '0'],
                ['ip', 'link', 'set', 'dev', bridge, 'up'],
                ['iw', sta_ifname, 'set', '4addr', 'on']):
        subprocess.call(cmd)
    subprocess.check_call(['brctl', 'addif', bridge, sta_ifname])
    wpas.interface_add(sta_ifname, br_ifname=bridge)
    wpas.dump_monitor()

    eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    wpas.dump_monitor()
    # Two re-authentications: the second one is a regression check for the
    # packet socket workaround used with bridged interfaces.
    for _ in range(2):
        eap_reauth(wpas, "PAX")
        wpas.dump_monitor()
    # Explicit disconnect/reconnect cycle through the bridged interface
    wpas.request("DISCONNECT")
    wpas.wait_disconnected()
    wpas.dump_monitor()
    wpas.request("RECONNECT")
    wpas.wait_connected()
    wpas.dump_monitor()
3692
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # GET_CONFIG must list WPA-EAP as the first key management suite
    key_mgmt = ap.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # tls_disable_session_ticket=0 keeps TLS session tickets explicitly
    # enabled on the station side for this profile.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
3705
def test_ap_wpa2_eap_no_workaround(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # GET_CONFIG must list WPA-EAP as the first key management suite
    key_mgmt = ap.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # eap_workaround='0' disables the EAP interoperability workarounds in
    # the station profile, so the exchange has to succeed strictly.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
3718
def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
    """EAP-TLS and server checking CRL"""
    server_params = int_eap_server_params()
    server_params['check_crl'] = '1'
    ap = hostapd.add_ap(apdev[0]['ifname'], server_params)

    def tls_connect(**extra):
        # One EAP-TLS attempt with the standard test client credentials;
        # the profile is removed afterwards so every attempt starts fresh.
        eap_connect(dev[0], apdev[0], "TLS", "tls user",
                    ca_cert="auth_serv/ca.pem",
                    client_cert="auth_serv/user.pem",
                    private_key="auth_serv/user.key", **extra)
        dev[0].request("REMOVE_NETWORK all")

    def reconfigure(key, value):
        # hostapd parameters are changed while the AP is disabled
        ap.disable()
        ap.set(key, value)
        ap.enable()

    # check_crl=1 with no CRL loaded on the server: the client certificate
    # cannot be checked against a revocation list, so the connection is
    # rejected rather than accepted without the check.
    tls_connect(expect_failure=True)

    # check_crl=1 with a CA bundle that carries a valid CRL: accepted
    reconfigure("ca_cert", "auth_serv/ca-and-crl.pem")
    tls_connect()

    # check_crl=2 with the same CRL: still accepted
    reconfigure("check_crl", "2")
    tls_connect()
3750
def test_ap_wpa2_eap_tls_oom(dev, apdev):
    """EAP-TLS and OOM"""
    # All four TLS matching parameters are configured below, so the
    # station's TLS library has to support each of them.
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    check_domain_match(dev[0])
    check_domain_match_full(dev[0])

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    profile = dict(key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   client_cert="auth_serv/user.pem",
                   private_key="auth_serv/user.key",
                   subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                   altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
                   domain_suffix_match="server.w1.fi",
                   domain_match="server.w1.fi",
                   wait_connect=False, scan_freq="2412")
    # Fail the 1st .. 4th allocation inside tls_connection_set_subject_match()
    failing_func = "tls_connection_set_subject_match"
    for count in range(1, 5):
        with alloc_fail(dev[0], count, failing_func):
            dev[0].connect("test-wpa2-eap", **profile)
            # A TLS parameter configuration error surfaces as a passphrase
            # request from wpa_supplicant instead of a connection.
            if dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5) is None:
                raise Exception("No passphrase request")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
3782
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # macaddr_acl=2 selects hostapd's RADIUS-backed MAC address ACL; the
    # station (dev[1] here) is expected to pass it and complete EAP-TLS.
    ap_params["macaddr_acl"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[1], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
3791
def test_ap_wpa2_eap_oom(dev, apdev):
    """EAP server and OOM"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)

    # Fail the first eapol_auth_alloc() on the AP side. The initial
    # authentication attempt fails, the STA then sends EAPOL-Start and the
    # retry succeeds, so connect() is still expected to complete normally.
    with alloc_fail(ap, 1, "eapol_auth_alloc"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       scan_freq="2412")
3806
def check_tls_ver(dev, ap, phase1, expected):
    """Connect with EAP-TLS using *phase1* and verify the negotiated TLS version.

    Raises Exception when the ``eap_tls_version`` status field reported by
    *dev* after the connection differs from *expected*.
    """
    eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
                phase1=phase1)
    negotiated = dev.get_status_field("eap_tls_version")
    if negotiated == expected:
        return
    raise Exception("Unexpected TLS version (expected %s): %s" % (expected, negotiated))
3815
def test_ap_wpa2_eap_tls_versions(dev, apdev):
    """EAP-TLS and TLS version configuration"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # Cases are (station, phase1 version restrictions, TLS version expected
    # to be negotiated). Which ones run depends on the station's TLS
    # library; with any other library, or an OpenSSL build/runtime other
    # than 1.0.2, no case is exercised and the test passes without checking
    # anything.
    tls = dev[0].request("GET tls_library")
    cases = []
    if tls.startswith("OpenSSL"):
        if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
            cases.append((dev[0],
                          "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
                          "TLSv1.2"))
    elif tls.startswith("internal"):
        cases = [(dev[0], "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
                  "TLSv1.2"),
                 (dev[1], "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1",
                  "TLSv1.1"),
                 (dev[2], "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1",
                  "TLSv1")]
    for sta, phase1, expected in cases:
        check_tls_ver(sta, apdev[0], phase1, expected)
3834
def test_rsn_ie_proto_eap_sta(dev, apdev):
    """RSN element protocol testing for EAP cases on STA side"""
    bssid = apdev[0]['bssid']
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Start from the RSN element hostapd would normally advertise
    ap_params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                            identity="gpsk user",
                            password="abcdefghijklmnop0123456789abcdef",
                            scan_freq="2412")

    # Progressively truncated RSN elements; the STA is expected to parse
    # each of them and still complete the connection.
    truncated = [
        ('No RSN Capabilities field',
         '30120100000fac040100000fac040100000fac01'),
        ('No AKM Suite fields',
         '300c0100000fac040100000fac04'),
        ('No Pairwise Cipher Suite fields',
         '30060100000fac04'),
        ('No Group Data Cipher Suite field',
         '30020100'),
    ]
    for label, rsne in truncated:
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        logger.info(label)
        # The override takes effect on AP restart; the STA's BSS table is
        # flushed so the forced rescan sees the new element, not a cached one.
        ap.disable()
        ap.set('own_ie_override', rsne)
        ap.enable()
        dev[0].request("BSS_FLUSH 0")
        dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
        dev[0].select_network(net_id, freq=2412)
        dev[0].wait_connected()
3866
def check_tls_session_resumption_capa(dev, hapd):
    """Skip the test unless both hostapd and the station use OpenSSL.

    The session resumption tests rely on OpenSSL-specific behaviour on both
    ends; any other TLS library reported by ``GET tls_library`` raises
    HwsimSkip.
    """
    endpoints = (
        (hapd, "hostapd TLS library is not OpenSSL: "),
        (dev, "Session resumption not supported with this TLS library: "),
    )
    for endpoint, reason in endpoints:
        tls = endpoint.request("GET tls_library")
        if not tls.startswith("OpenSSL"):
            raise HwsimSkip(reason + tls)
3875
def test_eap_ttls_pap_session_resumption(dev, apdev):
    """EAP-TTLS/PAP session resumption"""
    server_params = int_eap_server_params()
    # Non-zero server-side TLS session cache lifetime (seconds) enables
    # resumption for the second EAP round.
    server_params['tls_session_lifetime'] = '60'
    ap = hostapd.add_ap(apdev[0]['ifname'], server_params)
    check_tls_session_resumption_capa(dev[0], ap)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")
    # The first connection has to be a full handshake
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Second EAP round over the same association; both the EAP result and
    # the following key handshake are awaited before the status is checked.
    dev[0].request("REAUTHENTICATE")
    awaited = [("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
               ("WPA: Key negotiation completed",
                "Key handshake with the AP timed out")]
    for event, timeout_msg in awaited:
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(timeout_msg)
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
3898
def test_eap_ttls_chap_session_resumption(dev, apdev):
    """EAP-TTLS/CHAP session resumption"""
    server_params = int_eap_server_params()
    # Non-zero server-side TLS session cache lifetime (seconds) enables
    # resumption for the second EAP round.
    server_params['tls_session_lifetime'] = '60'
    ap = hostapd.add_ap(apdev[0]['ifname'], server_params)
    check_tls_session_resumption_capa(dev[0], ap)
    # DER-encoded CA certificate variant on the station side
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    # The first connection has to be a full handshake
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Second EAP round over the same association; both the EAP result and
    # the following key handshake are awaited before the status is checked.
    dev[0].request("REAUTHENTICATE")
    awaited = [("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
               ("WPA: Key negotiation completed",
                "Key handshake with the AP timed out")]
    for event, timeout_msg in awaited:
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(timeout_msg)
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
3920
def test_eap_ttls_mschap_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAP session resumption"""
    check_domain_suffix_match(dev[0])
    server_params = int_eap_server_params()
    # Non-zero server-side TLS session cache lifetime (seconds) enables
    # resumption for the second EAP round.
    server_params['tls_session_lifetime'] = '60'
    ap = hostapd.add_ap(apdev[0]['ifname'], server_params)
    check_tls_session_resumption_capa(dev[0], ap)
    # domain_suffix_match pins the server certificate to server.w1.fi on
    # top of the CA check.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    # The first connection has to be a full handshake
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Second EAP round over the same association; both the EAP result and
    # the following key handshake are awaited before the status is checked.
    dev[0].request("REAUTHENTICATE")
    awaited = [("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
               ("WPA: Key negotiation completed",
                "Key handshake with the AP timed out")]
    for event, timeout_msg in awaited:
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(timeout_msg)
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
3944
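def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAPv2 session resumption"""
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    server_params = int_eap_server_params()
    # Non-zero server-side TLS session cache lifetime (seconds) enables
    # resumption for the second EAP round.
    server_params['tls_session_lifetime'] = '60'
    ap = hostapd.add_ap(apdev[0]['ifname'], server_params)
    check_tls_session_resumption_capa(dev[0], ap)
    # The identity contains a literal backslash (NT-domain style
    # DOMAIN\mschapv2 user). It is written with an escaped backslash so the
    # literal does not depend on "\m" being left alone as an unknown escape
    # sequence; the resulting string is unchanged.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    # The first connection has to be a full handshake
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Second EAP round over the same association; both the EAP result and
    # the following key handshake are awaited before the status is checked.
    dev[0].request("REAUTHENTICATE")
    awaited = [("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
               ("WPA: Key negotiation completed",
                "Key handshake with the AP timed out")]
    for event, timeout_msg in awaited:
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(timeout_msg)
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")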
3969
def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
    """EAP-TTLS/EAP-GTC session resumption"""
    server_params = int_eap_server_params()
    # Non-zero server-side TLS session cache lifetime (seconds) enables
    # resumption for the second EAP round.
    server_params['tls_session_lifetime'] = '60'
    ap = hostapd.add_ap(apdev[0]['ifname'], server_params)
    check_tls_session_resumption_capa(dev[0], ap)
    # autheap=GTC: inner EAP method (rather than a plain PAP/CHAP/MSCHAP
    # phase 2) tunnelled inside TTLS.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    # The first connection has to be a full handshake
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Second EAP round over the same association; both the EAP result and
    # the following key handshake are awaited before the status is checked.
    dev[0].request("REAUTHENTICATE")
    awaited = [("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
               ("WPA: Key negotiation completed",
                "Key handshake with the AP timed out")]
    for event, timeout_msg in awaited:
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(timeout_msg)
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
3991
def test_eap_ttls_no_session_resumption(dev, apdev):
    """EAP-TTLS session resumption disabled on server"""
    server_params = int_eap_server_params()
    # Zero lifetime: the server must not cache TLS sessions at all
    server_params['tls_session_lifetime'] = '0'
    hostapd.add_ap(apdev[0]['ifname'], server_params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Second EAP round; with caching disabled it has to be a full handshake
    # again, so tls_session_reused must stay '0'.
    dev[0].request("REAUTHENTICATE")
    awaited = [("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
               ("WPA: Key negotiation completed",
                "Key handshake with the AP timed out")]
    for event, timeout_msg in awaited:
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(timeout_msg)
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
4013
def test_eap_peap_session_resumption(dev, apdev):
    """EAP-PEAP session resumption"""
    server_params = int_eap_server_params()
    # Non-zero server-side TLS session cache lifetime (seconds) enables
    # resumption for the second EAP round.
    server_params['tls_session_lifetime'] = '60'
    ap = hostapd.add_ap(apdev[0]['ifname'], server_params)
    check_tls_session_resumption_capa(dev[0], ap)
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # The first connection has to be a full handshake
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Second EAP round over the same association; both the EAP result and
    # the following key handshake are awaited before the status is checked.
    dev[0].request("REAUTHENTICATE")
    awaited = [("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
               ("WPA: Key negotiation completed",
                "Key handshake with the AP timed out")]
    for event, timeout_msg in awaited:
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(timeout_msg)
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
4035
def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
    """EAP-PEAP session resumption with crypto binding"""
    server_params = int_eap_server_params()
    # Non-zero server-side TLS session cache lifetime (seconds) enables
    # resumption for the second EAP round.
    server_params['tls_session_lifetime'] = '60'
    ap = hostapd.add_ap(apdev[0]['ifname'], server_params)
    check_tls_session_resumption_capa(dev[0], ap)
    # PEAPv0 with crypto_binding=2 (binding required) on the station; the
    # resumed session has to satisfy the binding as well.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                phase1="peapver=0 crypto_binding=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # The first connection has to be a full handshake
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Second EAP round over the same association; both the EAP result and
    # the following key handshake are awaited before the status is checked.
    dev[0].request("REAUTHENTICATE")
    awaited = [("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
               ("WPA: Key negotiation completed",
                "Key handshake with the AP timed out")]
    for event, timeout_msg in awaited:
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(timeout_msg)
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
4058
def test_eap_peap_no_session_resumption(dev, apdev):
    """EAP-PEAP session resumption disabled on server"""
    # No tls_session_lifetime is configured, so the server default applies;
    # the test expects that default to leave resumption disabled.
    server_params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], server_params)
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Second EAP round; it has to be a full handshake again
    dev[0].request("REAUTHENTICATE")
    awaited = [("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
               ("WPA: Key negotiation completed",
                "Key handshake with the AP timed out")]
    for event, timeout_msg in awaited:
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(timeout_msg)
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
4078
def test_eap_tls_session_resumption(dev, apdev):
    """EAP-TLS session resumption"""
    server_params = int_eap_server_params()
    # Non-zero server-side TLS session cache lifetime (seconds) enables
    # resumption for the later EAP rounds.
    server_params['tls_session_lifetime'] = '60'
    ap = hostapd.add_ap(apdev[0]['ifname'], server_params)
    check_tls_session_resumption_capa(dev[0], ap)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    # The first connection has to be a full handshake
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Two further EAP rounds over the same association; each one must
    # resume the cached session (a resumed session stays resumable).
    awaited = [("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
               ("WPA: Key negotiation completed",
                "Key handshake with the AP timed out")]
    for ordinal in ("second", "third"):
        dev[0].request("REAUTHENTICATE")
        for event, timeout_msg in awaited:
            if dev[0].wait_event([event], timeout=10) is None:
                raise Exception(timeout_msg)
        if dev[0].get_status_field("tls_session_reused") != '1':
            raise Exception("Session resumption not used on the %s connection" % ordinal)
4110
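def test_eap_tls_session_resumption_expiration(dev, apdev):
    """EAP-TLS session resumption and cache entry lifetime expiration"""
    server_params = int_eap_server_params()
    # One-second lifetime so the cached session expires during the test
    server_params['tls_session_lifetime'] = '1'
    ap = hostapd.add_ap(apdev[0]['ifname'], server_params)
    check_tls_session_resumption_capa(dev[0], ap)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    # The first connection has to be a full handshake
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # OpenSSL may not evict the cached entry the moment its lifetime passes,
    # so allow several re-authentication rounds (each after sleeping past
    # the lifetime) before concluding that the expired session is still
    # being resumed. The loop ends as soon as one round used a full
    # handshake; the else branch runs only if no round did.
    for _ in range(10):
        time.sleep(1.2)

        dev[0].request("REAUTHENTICATE")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
        if ev is None:
            raise Exception("Key handshake with the AP timed out")
        if dev[0].get_status_field("tls_session_reused") == '0':
            break
    else:
        raise Exception("Session resumption used after lifetime expiration")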
4139
def test_eap_tls_no_session_resumption(dev, apdev):
    """EAP-TLS session resumption disabled on server"""
    # No tls_session_lifetime is configured, so the server default applies;
    # the test expects that default to leave resumption disabled.
    server_params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], server_params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Second EAP round; it has to be a full handshake again
    dev[0].request("REAUTHENTICATE")
    awaited = [("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
               ("WPA: Key negotiation completed",
                "Key handshake with the AP timed out")]
    for event, timeout_msg in awaited:
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(timeout_msg)
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
4159
def test_eap_tls_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption (RADIUS)"""
    # A second hostapd instance on apdev[1] acts as the RADIUS/EAP server
    # (client list from auth_serv/radius_clients.conf, port 18128); its TLS
    # session cache (60 s lifetime) is what the second round resumes.
    authsrv_params = {
        "ssid": "as",
        "beacon_int": "2000",
        "radius_server_clients": "auth_serv/radius_clients.conf",
        "radius_server_auth_port": '18128',
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
        "ca_cert": "auth_serv/ca.pem",
        "server_cert": "auth_serv/server.pem",
        "private_key": "auth_serv/server.key",
        "tls_session_lifetime": "60",
    }
    authsrv = hostapd.add_ap(apdev[1]['ifname'], authsrv_params)
    check_tls_session_resumption_capa(dev[0], authsrv)

    # The AP on apdev[0] forwards EAP to that server over RADIUS
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    # The first connection has to be a full handshake
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Second EAP round over the same association; both the EAP result and
    # the following key handshake are awaited before the status is checked.
    dev[0].request("REAUTHENTICATE")
    awaited = [("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
               ("WPA: Key negotiation completed",
                "Key handshake with the AP timed out")]
    for event, timeout_msg in awaited:
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(timeout_msg)
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
4192
def test_eap_tls_no_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption disabled (RADIUS)"""
    # A second hostapd instance on apdev[1] acts as the RADIUS/EAP server
    # (client list from auth_serv/radius_clients.conf, port 18128) with TLS
    # session caching disabled (tls_session_lifetime=0).
    authsrv_params = {
        "ssid": "as",
        "beacon_int": "2000",
        "radius_server_clients": "auth_serv/radius_clients.conf",
        "radius_server_auth_port": '18128',
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
        "ca_cert": "auth_serv/ca.pem",
        "server_cert": "auth_serv/server.pem",
        "private_key": "auth_serv/server.key",
        "tls_session_lifetime": "0",
    }
    hostapd.add_ap(apdev[1]['ifname'], authsrv_params)

    # The AP on apdev[0] forwards EAP to that server over RADIUS
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Second EAP round; with caching disabled on the server it has to be a
    # full handshake again.
    dev[0].request("REAUTHENTICATE")
    awaited = [("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
               ("WPA: Key negotiation completed",
                "Key handshake with the AP timed out")]
    for event, timeout_msg in awaited:
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(timeout_msg)
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
4224
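def _eap_mschapv2_fail_cases(dev, cases, trigger, fail_ctx, **connect_args):
    """Run each (count, func) failure-injection case as one connection attempt.

    For every case the *fail_ctx* context manager (``fail_test`` or
    ``alloc_fail``) is armed for *count*/*func* on *dev*, a non-blocking
    connection to "test-wpa-eap" is started with *connect_args*, the
    injection counter named by *trigger* ("GET_FAIL" or "GET_ALLOC_FAIL") is
    awaited, and the profile is removed so the next case starts from a
    disconnected state.
    """
    for count, func in cases:
        with fail_ctx(dev, count, func):
            dev.connect("test-wpa-eap", key_mgmt="WPA-EAP",
                        wait_connect=False, scan_freq="2412", **connect_args)
            wait_fail_trigger(dev, trigger)
            dev.request("REMOVE_NETWORK all")
            dev.wait_disconnected()

def test_eap_mschapv2_errors(dev, apdev):
    """EAP-MSCHAPv2 error cases"""
    check_eap_capa(dev[0], "MSCHAPV2")
    check_eap_capa(dev[0], "FAST")

    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Sanity connection before any failure injection
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                   identity="phase1-user", password="password",
                   scan_freq="2412")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    mschapv2 = dict(eap="MSCHAPV2", identity="phase1-user")

    # Forced failures in the response derivation with a cleartext password;
    # each injection point is listed once.
    _eap_mschapv2_fail_cases(
        dev[0],
        [(1, "hash_nt_password_hash;mschapv2_derive_response"),
         (1, "nt_password_hash;mschapv2_derive_response"),
         (1, "nt_password_hash;=mschapv2_derive_response"),
         (1, "generate_nt_response;mschapv2_derive_response"),
         (1, "generate_authenticator_response;mschapv2_derive_response"),
         (1, "get_master_key;mschapv2_derive_response"),
         (1, "os_get_random;eap_mschapv2_challenge_reply")],
        "GET_FAIL", fail_test, password="password", **mschapv2)

    # Same derivation, but starting from an NT password hash instead of the
    # cleartext password (the *_pwhash code paths).
    _eap_mschapv2_fail_cases(
        dev[0],
        [(1, "hash_nt_password_hash;mschapv2_derive_response"),
         (1, "hash_nt_password_hash;=mschapv2_derive_response"),
         (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
         (1, "generate_authenticator_response_pwhash;mschapv2_derive_response")],
        "GET_FAIL", fail_test,
        password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **mschapv2)

    # Allocation failures along the successful exchange
    _eap_mschapv2_fail_cases(
        dev[0],
        [(1, "eap_mschapv2_init"),
         (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
         (1, "eap_msg_alloc;eap_mschapv2_success"),
         (1, "eap_mschapv2_getKey")],
        "GET_ALLOC_FAIL", alloc_fail, password="password", **mschapv2)

    # Allocation failure while building the failure response, which needs
    # a wrong password to be reached.
    _eap_mschapv2_fail_cases(
        dev[0],
        [(1, "eap_msg_alloc;eap_mschapv2_failure")],
        "GET_ALLOC_FAIL", alloc_fail, password="wrong password", **mschapv2)

    # Later eap_mschapv2_init() allocations, reached via EAP-FAST with
    # MSCHAPv2 as the inner method and in-band PAC provisioning.
    _eap_mschapv2_fail_cases(
        dev[0],
        [(2, "eap_mschapv2_init"),
         (3, "eap_mschapv2_init")],
        "GET_ALLOC_FAIL", alloc_fail,
        eap="FAST", anonymous_identity="FAST", identity="user",
        password="password",
        ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
        phase1="fast_provisioning=1",
        pac_file="blob://fast_pac")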
4306
def test_eap_gpsk_errors(dev, apdev):
    """EAP-GPSK error cases"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    gpsk_psk = "abcdefghijklmnop0123456789abcdef"

    def attempt(**extra):
        # One non-blocking GPSK connection attempt; the caller's injection
        # context decides where the exchange is broken.
        dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                       identity="gpsk user", password=gpsk_psk,
                       wait_connect=False, scan_freq="2412", **extra)

    def teardown():
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Sanity connection before any failure injection
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                   identity="gpsk user", password=gpsk_psk,
                   scan_freq="2412")
    teardown()

    # Forced failures in the GPSK key/MIC derivation; the phase1 string
    # selects the cipher suite where the failing function depends on it.
    fail_cases = [
        (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
        (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2", "cipher=1"),
        (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2", "cipher=2"),
        (1, "eap_gpsk_derive_keys_helper", None),
        (2, "eap_gpsk_derive_keys_helper", None),
        (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
         "cipher=1"),
        (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
         "cipher=2"),
        (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
        (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
        (1, "eap_gpsk_derive_mid_helper", None),
    ]
    for count, func, phase1 in fail_cases:
        with fail_test(dev[0], count, func):
            attempt(phase1=phase1)
            wait_fail_trigger(dev[0], "GET_FAIL")
            teardown()

    # Allocation failures along the exchange, including the ERP key
    # derivation paths (erp="1" on the profile).
    alloc_cases = [
        (1, "eap_gpsk_init"),
        (2, "eap_gpsk_init"),
        (3, "eap_gpsk_init"),
        (1, "eap_gpsk_process_id_server"),
        (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
        (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
        (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
        (1, "eap_gpsk_derive_keys"),
        (1, "eap_gpsk_derive_keys_helper"),
        (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
        (1, "eap_gpsk_getKey"),
        (1, "eap_gpsk_get_emsk"),
        (1, "eap_gpsk_get_session_id"),
    ]
    for count, func in alloc_cases:
        with alloc_fail(dev[0], count, func):
            # Clear ERP state first so no cached re-authentication keys from
            # a previous round are used.
            dev[0].request("ERP_FLUSH")
            attempt(erp="1")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            teardown()
4366
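def test_ap_wpa2_eap_sim_db(dev, apdev, params):
    """EAP-SIM DB error cases"""
    # The AP's eap_sim_db is pointed at a UNIX datagram socket that this
    # test serves itself, standing in for hlr_auc_gw. Three phases:
    #   1) no listener on the socket -> EAP-Failure
    #   2) malformed / unknown responses are ignored and the pending
    #      eap_sim_db request times out -> EAP-Failure
    #   3) a valid response (from the real hlr_auc_gw binary) -> connected
    # params['logdir'] must contain hlr_auc_gw.milenage_db for phase 3.
    sockpath = '/tmp/hlr_auc_gw.sock-test'
    # Best-effort removal of a stale socket file from an earlier run. Only
    # OSError (typically ENOENT) is expected; a bare except would also
    # swallow KeyboardInterrupt/SystemExit.
    try:
        os.remove(sockpath)
    except OSError:
        pass
    hparams = int_eap_server_params()
    hparams['eap_sim_db'] = 'unix:' + sockpath
    hapd = hostapd.add_ap(apdev[0]['ifname'], hparams)

    # Initial test with hlr_auc_gw socket not available
    netid = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="SIM", identity="1232010000000000",
                           password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                           scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    class test_handler(SocketServer.DatagramRequestHandler):
        # Replies with responses the eap_sim_db parser must reject; the
        # comments name the expected hostapd log line for each one.
        def handle(self):
            data = self.request[0].strip()
            sock = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            # EAP-SIM DB: Failed to parse response string
            sock.sendto("FOO", self.client_address)
            # EAP-SIM DB: Failed to parse response string
            sock.sendto("FOO 1", self.client_address)
            # EAP-SIM DB: Unknown external response
            sock.sendto("FOO 1 2", self.client_address)
            logger.info("No proper response - wait for pending eap_sim_db request timeout")

    class test_handler2(SocketServer.DatagramRequestHandler):
        # Answers the request by running the real hlr_auc_gw binary with the
        # request string as a command-line argument and relaying its stdout.
        def handle(self):
            data = self.request[0].strip()
            sock = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            fname = os.path.join(params['logdir'],
                                 'hlr_auc_gw.milenage_db')
            # argv list, no shell: the request text received on the socket
            # is passed as a single argument and is never shell-interpreted.
            cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
                                    '-m', fname, data],
                                   stdout=subprocess.PIPE)
            res = cmd.stdout.read().strip()
            cmd.stdout.close()
            # Reap the child so it does not linger as a zombie.
            cmd.wait()
            logger.debug("hlr_auc_gw response: " + res)
            sock.sendto(res, self.client_address)

    # Test with invalid responses and response timeout
    server = SocketServer.UnixDatagramServer(sockpath, test_handler)
    server.timeout = 1
    try:
        dev[0].select_network(netid)
        server.handle_request()
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        if ev is None:
            raise Exception("EAP-Failure not reported")
        dev[0].wait_disconnected()
        dev[0].request("DISCONNECT")

        # Test with a valid response
        server.RequestHandlerClass = test_handler2

        dev[0].select_network(netid)
        server.handle_request()
        dev[0].wait_connected()
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
    finally:
        # Close the listening socket and drop the socket file so a failed
        # run does not leave a stale endpoint behind for the next test.
        server.server_close()
        try:
            os.remove(sockpath)
        except OSError:
            pass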
4439
def test_eap_tls_sha512(dev, apdev, params):
    """EAP-TLS with SHA512 signature"""
    # Server side: SHA-512 signed CA and server certificate
    ap_params = int_eap_server_params()
    ap_params["ca_cert"] = "auth_serv/sha512-ca.pem"
    ap_params["server_cert"] = "auth_serv/sha512-server.pem"
    ap_params["private_key"] = "auth_serv/sha512-server.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # dev[0] authenticates with the SHA-512 signed user certificate,
    # dev[1] with the SHA-384 signed one; both validate the server
    # against the same SHA-512 CA.
    stations = [
        (dev[0], "auth_serv/sha512-user.pem", "auth_serv/sha512-user.key"),
        (dev[1], "auth_serv/sha384-user.pem", "auth_serv/sha384-user.key"),
    ]
    for sta, user_cert, user_key in stations:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user sha512",
                    ca_cert="auth_serv/sha512-ca.pem",
                    client_cert=user_cert,
                    private_key=user_key,
                    scan_freq="2412")
4460
def test_eap_tls_sha384(dev, apdev, params):
    """EAP-TLS with SHA384 signature"""
    # Server side: SHA-384 signed server certificate issued under the
    # SHA-512 signed CA
    ap_params = int_eap_server_params()
    ap_params["ca_cert"] = "auth_serv/sha512-ca.pem"
    ap_params["server_cert"] = "auth_serv/sha384-server.pem"
    ap_params["private_key"] = "auth_serv/sha384-server.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # dev[0] authenticates with the SHA-512 signed user certificate,
    # dev[1] with the SHA-384 signed one; both validate the server
    # against the same SHA-512 CA.
    stations = [
        (dev[0], "auth_serv/sha512-user.pem", "auth_serv/sha512-user.key"),
        (dev[1], "auth_serv/sha384-user.pem", "auth_serv/sha384-user.key"),
    ]
    for sta, user_cert, user_key in stations:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user sha512",
                    ca_cert="auth_serv/sha512-ca.pem",
                    client_cert=user_cert,
                    private_key=user_key,
                    scan_freq="2412")
4481
def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
    """WPA2-Enterprise AP and association request RSN IE differences"""
    # AP 0: plain WPA2-Enterprise. AP 1: the same with PMF required
    # (ieee80211w=2) so the management group cipher checks are exercised.
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    pmf_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
    pmf_params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[1]['ifname'], pmf_params)

    # Credentials shared by every association attempt below
    gpsk_cfg = dict(key_mgmt="WPA-EAP", eap="GPSK", identity="gpsk user",
                    password="abcdefghijklmnop0123456789abcdef",
                    scan_freq="2412")

    def run_accepted(ssid, ie, **extra):
        # Override the RSN IE in the (Re)Association Request and expect
        # the AP to accept it and the connection to complete.
        set_test_assoc_ie(dev[0], ie)
        cfg = dict(gpsk_cfg, **extra)
        dev[0].connect(ssid, **cfg)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    def run_rejected(ssid, ie, status, **extra):
        # Override the RSN IE and expect an association rejection
        # carrying the given IEEE 802.11 status code.
        set_test_assoc_ie(dev[0], ie)
        cfg = dict(gpsk_cfg, wait_connect=False, **extra)
        dev[0].connect(ssid, **cfg)
        ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
        if ev is None:
            raise Exception("Association rejection not reported")
        if "status_code=" + str(status) not in ev:
            raise Exception("Unexpected status code: " + ev)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].dump_monitor()

    # Success cases with optional RSN IE fields removed one by one
    accepted = [
        ("Normal wpa_supplicant assoc req RSN IE",
         "30140100000fac040100000fac040100000fac010000"),
        ("Extra PMKIDCount field in RSN IE",
         "30160100000fac040100000fac040100000fac0100000000"),
        ("Extra Group Management Cipher Suite in RSN IE",
         "301a0100000fac040100000fac040100000fac0100000000000fac06"),
        ("Extra undefined extension field in RSN IE",
         "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
        ("RSN IE without RSN Capabilities",
         "30120100000fac040100000fac040100000fac01"),
        ("RSN IE without AKM", "300c0100000fac040100000fac04"),
        ("RSN IE without pairwise", "30060100000fac04"),
        ("RSN IE without group", "30020100"),
    ]
    for title, ie in accepted:
        logger.info(title)
        run_accepted("test-wpa2-eap", ie)

    # Success cases against the PMF-required AP (MFPC set in RSN caps)
    accepted_pmf = [
        ("Normal wpa_supplicant assoc req RSN IE",
         "30140100000fac040100000fac040100000fac01cc00"),
        ("Group management cipher included in assoc req RSN IE",
         "301a0100000fac040100000fac040100000fac01cc000000000fac06"),
    ]
    for title, ie in accepted_pmf:
        logger.info(title)
        run_accepted("test-wpa2-eap-11w", ie, ieee80211w="1")

    # Cipher suites the AP does not allow -> rejected with status 41/42
    rejected = [
        ("Invalid group cipher", "30060100000fac02", 41),
        ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42),
    ]
    for title, ie, status in rejected:
        logger.info(title)
        run_rejected("test-wpa2-eap", ie, status)

    # PMF policy violations against the PMF-required AP -> status 31
    rejected_pmf = [
        ("Management frame protection not enabled",
         "30140100000fac040100000fac040100000fac010000", 31),
        ("Unsupported management group cipher",
         "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 31),
    ]
    for title, ie, status in rejected_pmf:
        logger.info(title)
        run_rejected("test-wpa2-eap-11w", ie, status, ieee80211w="1")
4564
def test_eap_tls_ext_cert_check(dev, apdev):
    """EAP-TLS and external server certification validation"""
    # With internal server certificate chain validation: ca_cert is set,
    # so the external check (tls_ext_cert_check=1) runs in addition to
    # the supplicant's own chain validation.
    tls_cfg = dict(key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   client_cert="auth_serv/user.pem",
                   private_key="auth_serv/user.key",
                   phase1="tls_ext_cert_check=1", scan_freq="2412",
                   only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **tls_cfg)
    run_ext_cert_check(dev, apdev, net_id)
4576
def test_eap_ttls_ext_cert_check(dev, apdev):
    """EAP-TTLS and external server certification validation"""
    # Without internal server certificate chain validation: no ca_cert,
    # so the external check requested via tls_ext_cert_check=1 is the
    # only validation of the server certificate in this profile.
    ttls_cfg = dict(key_mgmt="WPA-EAP", eap="TTLS",
                    identity="pap user", anonymous_identity="ttls",
                    password="password", phase2="auth=PAP",
                    phase1="tls_ext_cert_check=1", scan_freq="2412",
                    only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **ttls_cfg)
    run_ext_cert_check(dev, apdev, net_id)
4586
def test_eap_peap_ext_cert_check(dev, apdev):
    """EAP-PEAP and external server certification validation"""
    # With internal server certificate chain validation (ca_cert set)
    # plus the external check requested via tls_ext_cert_check=1.
    peap_cfg = dict(key_mgmt="WPA-EAP", eap="PEAP",
                    identity="user", anonymous_identity="peap",
                    ca_cert="auth_serv/ca.pem",
                    password="password", phase2="auth=MSCHAPV2",
                    phase1="tls_ext_cert_check=1", scan_freq="2412",
                    only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **peap_cfg)
    run_ext_cert_check(dev, apdev, net_id)
4597
def test_eap_fast_ext_cert_check(dev, apdev):
    """EAP-FAST and external server certification validation"""
    check_eap_capa(dev[0], "FAST")
    # With internal server certificate chain validation (ca_cert set)
    # plus the external check requested via tls_ext_cert_check=1.
    # Start from an empty PAC blob so that authenticated provisioning
    # (fast_provisioning=2) is performed during this run.
    dev[0].request("SET blob fast_pac_auth_ext ")
    fast_cfg = dict(key_mgmt="WPA-EAP", eap="FAST",
                    identity="user", anonymous_identity="FAST",
                    ca_cert="auth_serv/ca.pem",
                    password="password", phase2="auth=GTC",
                    phase1="tls_ext_cert_check=1 fast_provisioning=2",
                    pac_file="blob://fast_pac_auth_ext",
                    scan_freq="2412",
                    only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **fast_cfg)
    run_ext_cert_check(dev, apdev, net_id)
4612
def run_ext_cert_check(dev, apdev, net_id):
    """Drive one external-certificate-check round trip for network net_id.

    The network must already be configured on dev[0] with
    phase1="tls_ext_cert_check=1". The supplicant then hands the server
    certificate chain out over the control interface
    (CTRL-EVENT-EAP-PEER-CERT) and blocks in CTRL-REQ-EXT_CERT_CHECK until
    this function answers with "good" (first round, must connect) or "bad"
    (second round, must end in EAP-Failure).

    Raises Exception on any deviation from that sequence; HwsimSkip when
    the build or the Python OpenSSL binding does not support the check.
    """
    check_ext_cert_check_support(dev[0])
    if not openssl_imported:
        raise HwsimSkip("OpenSSL python method not available")

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    dev[0].select_network(net_id)
    # depth -> DER certificate; depth 0 is the server certificate, depth 1
    # its issuer
    certs = {}
    while True:
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
                                "CTRL-REQ-EXT_CERT_CHECK",
                                "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("No peer server certificate event seen")
        if "CTRL-EVENT-EAP-PEER-CERT" in ev:
            # Event is a space-separated list of key=value fields; only
            # depth= and the hex-encoded cert= are used here
            depth = None
            cert = None
            vals = ev.split(' ')
            for v in vals:
                if v.startswith("depth="):
                    depth = int(v.split('=')[1])
                elif v.startswith("cert="):
                    cert = v.split('=')[1]
            if depth is not None and cert:
                certs[depth] = binascii.unhexlify(cert)
        elif "CTRL-EVENT-EAP-SUCCESS" in ev:
            # EAP must not complete while the external check is pending
            raise Exception("Unexpected EAP-Success")
        elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
            # Request id is the trailing number in "CTRL-REQ-EXT_CERT_CHECK-<id>:..."
            id = ev.split(':')[0].split('-')[-1]
            break
    if 0 not in certs:
        raise Exception("Server certificate not received")
    if 1 not in certs:
        raise Exception("Server certificate issuer not received")

    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
                                           certs[0])
    cn = cert.get_subject().commonName
    logger.info("Server certificate CN=" + cn)

    issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
                                             certs[1])
    icn = issuer.get_subject().commonName
    logger.info("Issuer certificate CN=" + icn)

    # The "external check" in this test is a fixed CN comparison against the
    # auth_serv test fixtures; it stands in for whatever policy a real
    # external validator would apply.
    if cn != "server.w1.fi":
        raise Exception("Unexpected server certificate CN: " + cn)
    if icn != "Root CA":
        raise Exception("Unexpected server certificate issuer CN: " + icn)

    # Short wait to confirm the supplicant is still blocked on the external
    # result and has not reported success on its own.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
    if ev:
        raise Exception("Unexpected EAP-Success before external check result indication")

    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
    dev[0].wait_connected()

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Clear cached PMKSA and the EAP-FAST PAC blob before reconnecting;
    # presumably so the second attempt performs a full EAP exchange and
    # raises a new CTRL-REQ-EXT_CERT_CHECK instead of resuming - confirm.
    if "FAIL" in dev[0].request("PMKSA_FLUSH"):
        raise Exception("PMKSA_FLUSH failed")
    dev[0].request("SET blob fast_pac_auth_ext ")
    dev[0].request("RECONNECT")

    # Second round: a negative external verdict must fail authentication
    ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen (2)")
    id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()