1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
13 logger
= logging
.getLogger()
18 from utils
import HwsimSkip
, alloc_fail
19 from test_ap_psk
import check_mib
, find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
def check_hlr_auc_gw_support():
    """Skip the test when the hlr_auc_gw helper is not running.

    The EAP-SIM/AKA tests rely on hlr_auc_gw; its availability is judged
    solely by the presence of its control socket file under /tmp.

    Raises:
        HwsimSkip: if the socket file does not exist.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
25 def check_eap_capa(dev
, method
):
26 res
= dev
.get_capability("eap")
28 raise HwsimSkip("EAP method %s not supported in the build" % method
)
def check_subject_match_support(dev):
    """Skip the test unless *dev* reports an OpenSSL TLS library.

    The library name is queried over the control interface
    (``GET tls_library``); any reply not starting with "OpenSSL" is
    treated as lacking subject_match support.

    Raises:
        HwsimSkip: for a non-OpenSSL TLS library.
    """
    library = dev.request("GET tls_library")
    if library.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + library)
def check_altsubject_match_support(dev):
    """Skip the test unless *dev* reports an OpenSSL TLS library.

    Mirrors check_subject_match_support() for the altsubject_match option:
    the TLS library name is read with ``GET tls_library`` and anything that
    does not start with "OpenSSL" leads to a skip.

    Raises:
        HwsimSkip: for a non-OpenSSL TLS library.
    """
    library = dev.request("GET tls_library")
    if library.startswith("OpenSSL"):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + library)
def check_domain_match_full(dev):
    """Skip the test unless *dev* reports an OpenSSL TLS library.

    Used by tests that depend on domain_suffix_match accepting a suffix
    rather than requiring the full name; with other TLS libraries the
    test is skipped.

    Raises:
        HwsimSkip: for a non-OpenSSL TLS library.
    """
    library = dev.request("GET tls_library")
    if library.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + library)
def check_cert_probe_support(dev):
    """Skip the test unless *dev* reports an OpenSSL TLS library.

    Certificate probing is only exercised with OpenSSL; the library name
    comes from ``GET tls_library`` on the control interface.

    Raises:
        HwsimSkip: for a non-OpenSSL TLS library.
    """
    library = dev.request("GET tls_library")
    if library.startswith("OpenSSL"):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + library)
51 with
open(fname
, "r") as f
:
62 return base64
.b64decode(cert
)
64 def eap_connect(dev
, ap
, method
, identity
,
65 sha256
=False, expect_failure
=False, local_error_report
=False,
67 hapd
= hostapd
.Hostapd(ap
['ifname'])
68 id = dev
.connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
69 eap
=method
, identity
=identity
,
70 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
72 eap_check_auth(dev
, method
, True, sha256
=sha256
,
73 expect_failure
=expect_failure
,
74 local_error_report
=local_error_report
)
77 ev
= hapd
.wait_event([ "AP-STA-CONNECTED" ], timeout
=5)
79 raise Exception("No connection event received from hostapd")
82 def eap_check_auth(dev
, method
, initial
, rsn
=True, sha256
=False,
83 expect_failure
=False, local_error_report
=False):
84 ev
= dev
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
86 raise Exception("Association and EAP start timed out")
87 ev
= dev
.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
89 raise Exception("EAP method selection timed out")
91 raise Exception("Unexpected EAP method")
93 ev
= dev
.wait_event(["CTRL-EVENT-EAP-FAILURE"])
95 raise Exception("EAP failure timed out")
96 ev
= dev
.wait_disconnected(timeout
=10)
97 if not local_error_report
:
98 if "reason=23" not in ev
:
99 raise Exception("Proper reason code for disconnection not reported")
101 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
103 raise Exception("EAP success timed out")
106 ev
= dev
.wait_event(["CTRL-EVENT-CONNECTED"], timeout
=10)
108 ev
= dev
.wait_event(["WPA: Key negotiation completed"], timeout
=10)
110 raise Exception("Association with the AP timed out")
111 status
= dev
.get_status()
112 if status
["wpa_state"] != "COMPLETED":
113 raise Exception("Connection not completed")
115 if status
["suppPortStatus"] != "Authorized":
116 raise Exception("Port not authorized")
117 if method
not in status
["selectedMethod"]:
118 raise Exception("Incorrect EAP method status")
120 e
= "WPA2-EAP-SHA256"
122 e
= "WPA2/IEEE 802.1X/EAP"
124 e
= "WPA/IEEE 802.1X/EAP"
125 if status
["key_mgmt"] != e
:
126 raise Exception("Unexpected key_mgmt status: " + status
["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger an EAP reauthentication on *dev* and verify its outcome.

    Sends ``REAUTHENTICATE`` over the control interface and then delegates
    to eap_check_auth() with initial=False, forwarding the remaining
    options unchanged.

    Returns:
        Whatever eap_check_auth() returns.
    """
    dev.request("REAUTHENTICATE")
    check_opts = dict(rsn=rsn, sha256=sha256, expect_failure=expect_failure)
    return eap_check_auth(dev, method, False, **check_opts)
134 def test_ap_wpa2_eap_sim(dev
, apdev
):
135 """WPA2-Enterprise connection using EAP-SIM"""
136 check_hlr_auc_gw_support()
137 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
138 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
139 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
140 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
141 hwsim_utils
.test_connectivity(dev
[0], hapd
)
142 eap_reauth(dev
[0], "SIM")
144 eap_connect(dev
[1], apdev
[0], "SIM", "1232010000000001",
145 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
146 eap_connect(dev
[2], apdev
[0], "SIM", "1232010000000002",
147 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
150 logger
.info("Negative test with incorrect key")
151 dev
[0].request("REMOVE_NETWORK all")
152 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
153 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
156 logger
.info("Invalid GSM-Milenage key")
157 dev
[0].request("REMOVE_NETWORK all")
158 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
159 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
162 logger
.info("Invalid GSM-Milenage key(2)")
163 dev
[0].request("REMOVE_NETWORK all")
164 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
165 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
168 logger
.info("Invalid GSM-Milenage key(3)")
169 dev
[0].request("REMOVE_NETWORK all")
170 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
171 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
174 logger
.info("Invalid GSM-Milenage key(4)")
175 dev
[0].request("REMOVE_NETWORK all")
176 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
177 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
180 logger
.info("Missing key configuration")
181 dev
[0].request("REMOVE_NETWORK all")
182 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
185 def test_ap_wpa2_eap_sim_sql(dev
, apdev
, params
):
186 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
187 check_hlr_auc_gw_support()
191 raise HwsimSkip("No sqlite3 module available")
192 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
193 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
194 params
['auth_server_port'] = "1814"
195 hostapd
.add_ap(apdev
[0]['ifname'], params
)
196 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
197 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
199 logger
.info("SIM fast re-authentication")
200 eap_reauth(dev
[0], "SIM")
202 logger
.info("SIM full auth with pseudonym")
205 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
206 eap_reauth(dev
[0], "SIM")
208 logger
.info("SIM full auth with permanent identity")
211 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
212 cur
.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
213 eap_reauth(dev
[0], "SIM")
215 logger
.info("SIM reauth with mismatching MK")
218 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
219 eap_reauth(dev
[0], "SIM", expect_failure
=True)
220 dev
[0].request("REMOVE_NETWORK all")
222 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
223 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
226 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
227 eap_reauth(dev
[0], "SIM")
230 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
231 logger
.info("SIM reauth with mismatching counter")
232 eap_reauth(dev
[0], "SIM")
233 dev
[0].request("REMOVE_NETWORK all")
235 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
236 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
239 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
240 logger
.info("SIM reauth with max reauth count reached")
241 eap_reauth(dev
[0], "SIM")
243 def test_ap_wpa2_eap_sim_config(dev
, apdev
):
244 """EAP-SIM configuration options"""
245 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
246 hostapd
.add_ap(apdev
[0]['ifname'], params
)
247 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
248 identity
="1232010000000000",
249 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
250 phase1
="sim_min_num_chal=1",
251 wait_connect
=False, scan_freq
="2412")
252 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
254 raise Exception("No EAP error message seen")
255 dev
[0].request("REMOVE_NETWORK all")
257 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
258 identity
="1232010000000000",
259 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
260 phase1
="sim_min_num_chal=4",
261 wait_connect
=False, scan_freq
="2412")
262 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
264 raise Exception("No EAP error message seen (2)")
265 dev
[0].request("REMOVE_NETWORK all")
267 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
268 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
269 phase1
="sim_min_num_chal=2")
270 eap_connect(dev
[1], apdev
[0], "SIM", "1232010000000000",
271 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
272 anonymous_identity
="345678")
274 def test_ap_wpa2_eap_sim_ext(dev
, apdev
):
275 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
277 _test_ap_wpa2_eap_sim_ext(dev
, apdev
)
279 dev
[0].request("SET external_sim 0")
281 def _test_ap_wpa2_eap_sim_ext(dev
, apdev
):
282 check_hlr_auc_gw_support()
283 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
284 hostapd
.add_ap(apdev
[0]['ifname'], params
)
285 dev
[0].request("SET external_sim 1")
286 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
287 identity
="1232010000000000",
288 wait_connect
=False, scan_freq
="2412")
289 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
291 raise Exception("Network connected timed out")
293 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
295 raise Exception("Wait for external SIM processing request timed out")
297 if p
[1] != "GSM-AUTH":
298 raise Exception("Unexpected CTRL-REQ-SIM type")
299 rid
= p
[0].split('-')[3]
302 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
303 # This will fail during processing, but the ctrl_iface command succeeds
304 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTH:" + resp
)
305 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
307 raise Exception("EAP failure not reported")
308 dev
[0].request("DISCONNECT")
309 dev
[0].wait_disconnected()
312 dev
[0].select_network(id, freq
="2412")
313 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
315 raise Exception("Wait for external SIM processing request timed out")
317 if p
[1] != "GSM-AUTH":
318 raise Exception("Unexpected CTRL-REQ-SIM type")
319 rid
= p
[0].split('-')[3]
320 # This will fail during GSM auth validation
321 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:q"):
322 raise Exception("CTRL-RSP-SIM failed")
323 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
325 raise Exception("EAP failure not reported")
326 dev
[0].request("DISCONNECT")
327 dev
[0].wait_disconnected()
330 dev
[0].select_network(id, freq
="2412")
331 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
333 raise Exception("Wait for external SIM processing request timed out")
335 if p
[1] != "GSM-AUTH":
336 raise Exception("Unexpected CTRL-REQ-SIM type")
337 rid
= p
[0].split('-')[3]
338 # This will fail during GSM auth validation
339 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:34"):
340 raise Exception("CTRL-RSP-SIM failed")
341 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
343 raise Exception("EAP failure not reported")
344 dev
[0].request("DISCONNECT")
345 dev
[0].wait_disconnected()
348 dev
[0].select_network(id, freq
="2412")
349 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
351 raise Exception("Wait for external SIM processing request timed out")
353 if p
[1] != "GSM-AUTH":
354 raise Exception("Unexpected CTRL-REQ-SIM type")
355 rid
= p
[0].split('-')[3]
356 # This will fail during GSM auth validation
357 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677"):
358 raise Exception("CTRL-RSP-SIM failed")
359 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
361 raise Exception("EAP failure not reported")
362 dev
[0].request("DISCONNECT")
363 dev
[0].wait_disconnected()
366 dev
[0].select_network(id, freq
="2412")
367 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
369 raise Exception("Wait for external SIM processing request timed out")
371 if p
[1] != "GSM-AUTH":
372 raise Exception("Unexpected CTRL-REQ-SIM type")
373 rid
= p
[0].split('-')[3]
374 # This will fail during GSM auth validation
375 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:q"):
376 raise Exception("CTRL-RSP-SIM failed")
377 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
379 raise Exception("EAP failure not reported")
380 dev
[0].request("DISCONNECT")
381 dev
[0].wait_disconnected()
384 dev
[0].select_network(id, freq
="2412")
385 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
387 raise Exception("Wait for external SIM processing request timed out")
389 if p
[1] != "GSM-AUTH":
390 raise Exception("Unexpected CTRL-REQ-SIM type")
391 rid
= p
[0].split('-')[3]
392 # This will fail during GSM auth validation
393 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233"):
394 raise Exception("CTRL-RSP-SIM failed")
395 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
397 raise Exception("EAP failure not reported")
398 dev
[0].request("DISCONNECT")
399 dev
[0].wait_disconnected()
402 dev
[0].select_network(id, freq
="2412")
403 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
405 raise Exception("Wait for external SIM processing request timed out")
407 if p
[1] != "GSM-AUTH":
408 raise Exception("Unexpected CTRL-REQ-SIM type")
409 rid
= p
[0].split('-')[3]
410 # This will fail during GSM auth validation
411 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233:q"):
412 raise Exception("CTRL-RSP-SIM failed")
413 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
415 raise Exception("EAP failure not reported")
417 def test_ap_wpa2_eap_aka(dev
, apdev
):
418 """WPA2-Enterprise connection using EAP-AKA"""
419 check_hlr_auc_gw_support()
420 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
421 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
422 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
423 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
424 hwsim_utils
.test_connectivity(dev
[0], hapd
)
425 eap_reauth(dev
[0], "AKA")
427 logger
.info("Negative test with incorrect key")
428 dev
[0].request("REMOVE_NETWORK all")
429 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
430 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
433 logger
.info("Invalid Milenage key")
434 dev
[0].request("REMOVE_NETWORK all")
435 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
436 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
439 logger
.info("Invalid Milenage key(2)")
440 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
441 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
444 logger
.info("Invalid Milenage key(3)")
445 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
446 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
449 logger
.info("Invalid Milenage key(4)")
450 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
451 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
454 logger
.info("Invalid Milenage key(5)")
455 dev
[0].request("REMOVE_NETWORK all")
456 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
457 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
460 logger
.info("Invalid Milenage key(6)")
461 dev
[0].request("REMOVE_NETWORK all")
462 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
463 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
466 logger
.info("Missing key configuration")
467 dev
[0].request("REMOVE_NETWORK all")
468 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
471 def test_ap_wpa2_eap_aka_sql(dev
, apdev
, params
):
472 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
473 check_hlr_auc_gw_support()
477 raise HwsimSkip("No sqlite3 module available")
478 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
479 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
480 params
['auth_server_port'] = "1814"
481 hostapd
.add_ap(apdev
[0]['ifname'], params
)
482 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
483 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
485 logger
.info("AKA fast re-authentication")
486 eap_reauth(dev
[0], "AKA")
488 logger
.info("AKA full auth with pseudonym")
491 cur
.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
492 eap_reauth(dev
[0], "AKA")
494 logger
.info("AKA full auth with permanent identity")
497 cur
.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
498 cur
.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
499 eap_reauth(dev
[0], "AKA")
501 logger
.info("AKA reauth with mismatching MK")
504 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
505 eap_reauth(dev
[0], "AKA", expect_failure
=True)
506 dev
[0].request("REMOVE_NETWORK all")
508 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
509 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
512 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
513 eap_reauth(dev
[0], "AKA")
516 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
517 logger
.info("AKA reauth with mismatching counter")
518 eap_reauth(dev
[0], "AKA")
519 dev
[0].request("REMOVE_NETWORK all")
521 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
522 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
525 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
526 logger
.info("AKA reauth with max reauth count reached")
527 eap_reauth(dev
[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # The Hostapd handle is not needed afterwards, so it is not kept.
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Same Milenage key material as the other EAP-AKA tests on this AP,
    # here combined with an anonymous_identity in addition to the
    # permanent identity.
    milenage = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password=milenage,
                anonymous_identity="2345678")
537 def test_ap_wpa2_eap_aka_ext(dev
, apdev
):
538 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
540 _test_ap_wpa2_eap_aka_ext(dev
, apdev
)
542 dev
[0].request("SET external_sim 0")
544 def _test_ap_wpa2_eap_aka_ext(dev
, apdev
):
545 check_hlr_auc_gw_support()
546 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
547 hostapd
.add_ap(apdev
[0]['ifname'], params
)
548 dev
[0].request("SET external_sim 1")
549 id = dev
[0].connect("test-wpa2-eap", eap
="AKA", key_mgmt
="WPA-EAP",
550 identity
="0232010000000000",
551 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
552 wait_connect
=False, scan_freq
="2412")
553 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
555 raise Exception("Network connected timed out")
557 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
559 raise Exception("Wait for external SIM processing request timed out")
561 if p
[1] != "UMTS-AUTH":
562 raise Exception("Unexpected CTRL-REQ-SIM type")
563 rid
= p
[0].split('-')[3]
566 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
567 # This will fail during processing, but the ctrl_iface command succeeds
568 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
569 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
571 raise Exception("EAP failure not reported")
572 dev
[0].request("DISCONNECT")
573 dev
[0].wait_disconnected()
576 dev
[0].select_network(id, freq
="2412")
577 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
579 raise Exception("Wait for external SIM processing request timed out")
581 if p
[1] != "UMTS-AUTH":
582 raise Exception("Unexpected CTRL-REQ-SIM type")
583 rid
= p
[0].split('-')[3]
584 # This will fail during UMTS auth validation
585 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:112233445566778899aabbccddee"):
586 raise Exception("CTRL-RSP-SIM failed")
587 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
589 raise Exception("Wait for external SIM processing request timed out")
591 if p
[1] != "UMTS-AUTH":
592 raise Exception("Unexpected CTRL-REQ-SIM type")
593 rid
= p
[0].split('-')[3]
594 # This will fail during UMTS auth validation
595 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:12"):
596 raise Exception("CTRL-RSP-SIM failed")
597 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
599 raise Exception("EAP failure not reported")
600 dev
[0].request("DISCONNECT")
601 dev
[0].wait_disconnected()
604 tests
= [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
606 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
607 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
608 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
609 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
610 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
612 dev
[0].select_network(id, freq
="2412")
613 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
615 raise Exception("Wait for external SIM processing request timed out")
617 if p
[1] != "UMTS-AUTH":
618 raise Exception("Unexpected CTRL-REQ-SIM type")
619 rid
= p
[0].split('-')[3]
620 # This will fail during UMTS auth validation
621 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ t
):
622 raise Exception("CTRL-RSP-SIM failed")
623 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
625 raise Exception("EAP failure not reported")
626 dev
[0].request("DISCONNECT")
627 dev
[0].wait_disconnected()
630 def test_ap_wpa2_eap_aka_prime(dev
, apdev
):
631 """WPA2-Enterprise connection using EAP-AKA'"""
632 check_hlr_auc_gw_support()
633 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
634 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
635 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
636 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
637 hwsim_utils
.test_connectivity(dev
[0], hapd
)
638 eap_reauth(dev
[0], "AKA'")
640 logger
.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
641 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="AKA' AKA",
642 identity
="6555444333222111@both",
643 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
644 wait_connect
=False, scan_freq
="2412")
645 dev
[1].wait_connected(timeout
=15)
647 logger
.info("Negative test with incorrect key")
648 dev
[0].request("REMOVE_NETWORK all")
649 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
650 password
="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
653 def test_ap_wpa2_eap_aka_prime_sql(dev
, apdev
, params
):
654 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
655 check_hlr_auc_gw_support()
659 raise HwsimSkip("No sqlite3 module available")
660 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
661 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
662 params
['auth_server_port'] = "1814"
663 hostapd
.add_ap(apdev
[0]['ifname'], params
)
664 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
665 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
667 logger
.info("AKA' fast re-authentication")
668 eap_reauth(dev
[0], "AKA'")
670 logger
.info("AKA' full auth with pseudonym")
673 cur
.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
674 eap_reauth(dev
[0], "AKA'")
676 logger
.info("AKA' full auth with permanent identity")
679 cur
.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
680 cur
.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
681 eap_reauth(dev
[0], "AKA'")
683 logger
.info("AKA' reauth with mismatching k_aut")
686 cur
.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
687 eap_reauth(dev
[0], "AKA'", expect_failure
=True)
688 dev
[0].request("REMOVE_NETWORK all")
690 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
691 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
694 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
695 eap_reauth(dev
[0], "AKA'")
698 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
699 logger
.info("AKA' reauth with mismatching counter")
700 eap_reauth(dev
[0], "AKA'")
701 dev
[0].request("REMOVE_NETWORK all")
703 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
704 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
707 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
708 logger
.info("AKA' reauth with max reauth count reached")
709 eap_reauth(dev
[0], "AKA'")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Sanity-check the AP side: the first AKM in GET_CONFIG must be WPA-EAP.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm, _, _ = key_mgmt.partition(' ')
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the IEEE 802.1X AKM suite selector; it must show up as
    # both the requested and the selected suite in the station's MIB.
    akm_8021x = "00-0f-ac-1"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", akm_8021x),
                       ("dot11RSNAAuthenticationSuiteSelected", akm_8021x)])
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    # Both matchers depend on the TLS library; skip where unsupported.
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # On top of the CA check, constrain the accepted server certificate by
    # its subject and by its subjectAltName entries (email, DNS and URI).
    server_cert_constraints = dict(
        subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
        altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
    )
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                **server_cert_constraints)
    eap_reauth(dev[0], "TTLS")
739 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev
, apdev
):
740 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
741 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
742 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
743 eap_connect(dev
[0], apdev
[0], "TTLS", "pap user",
744 anonymous_identity
="ttls", password
="wrong",
745 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
747 eap_connect(dev
[1], apdev
[0], "TTLS", "user",
748 anonymous_identity
="ttls", password
="password",
749 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # This variant points ca_cert at the DER-encoded copy of the test CA
    # (the PAP test uses the PEM file).
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and altsubject_match"""
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Same subjectAltName entries as the PAP variant, listed in a different
    # order, to show the match does not depend on entry ordering.
    san_constraint = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=san_constraint)
    eap_reauth(dev[0], "TTLS")
773 def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev
, apdev
):
774 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
775 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
776 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
777 eap_connect(dev
[0], apdev
[0], "TTLS", "chap user",
778 anonymous_identity
="ttls", password
="wrong",
779 ca_cert
="auth_serv/ca.pem", phase2
="auth=CHAP",
781 eap_connect(dev
[1], apdev
[0], "TTLS", "user",
782 anonymous_identity
="ttls", password
="password",
783 ca_cert
="auth_serv/ca.pem", phase2
="auth=CHAP",
786 def test_ap_wpa2_eap_ttls_mschap(dev
, apdev
):
787 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
788 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
789 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
790 eap_connect(dev
[0], apdev
[0], "TTLS", "mschap user",
791 anonymous_identity
="ttls", password
="password",
792 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
793 domain_suffix_match
="server.w1.fi")
794 hwsim_utils
.test_connectivity(dev
[0], hapd
)
795 eap_reauth(dev
[0], "TTLS")
796 dev
[0].request("REMOVE_NETWORK all")
797 eap_connect(dev
[0], apdev
[0], "TTLS", "mschap user",
798 anonymous_identity
="ttls", password
="password",
799 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
802 def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev
, apdev
):
803 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
804 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
805 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
806 eap_connect(dev
[0], apdev
[0], "TTLS", "mschap user",
807 anonymous_identity
="ttls", password
="wrong",
808 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
810 eap_connect(dev
[1], apdev
[0], "TTLS", "user",
811 anonymous_identity
="ttls", password
="password",
812 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
814 eap_connect(dev
[2], apdev
[0], "TTLS", "no such user",
815 anonymous_identity
="ttls", password
="password",
816 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
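def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # add_ap() already hands back the Hostapd instance (as the other TTLS
    # tests use it), so a second Hostapd() wrapper is not needed.
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # The backslash is escaped: "\m" is not a valid Python escape sequence
    # and newer interpreters warn about it. The runtime value is unchanged,
    # i.e. the literal string DOMAIN\mschapv2 user.
    identity = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)

    # Snapshot the authenticator's per-STA counters, reauthenticate, then
    # confirm the EAPOL and backend counters moved as expected.
    sta_addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(sta_addr)
    eapol1 = hapd.get_sta(sta_addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(sta_addr)
    eapol2 = hapd.get_sta(sta_addr, info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # Same user, but the credential is supplied in password_hex "hash:" form
    # (a password hash instead of the plaintext password).
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")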
def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    sta = dev[0]
    # Skipped unless the TLS library supports full domain_suffix_match
    # semantics; the suffix used here ("w1.fi") is a parent domain of the
    # server name, not the full name.
    check_domain_match_full(sta)
    ap_ifname = apdev[0]['ifname']
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap_ifname, params)
    hapd = hostapd.Hostapd(ap_ifname)
    eap_connect(sta, apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    sta = dev[0]
    ap_ifname = apdev[0]['ifname']
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap_ifname, params)
    hapd = hostapd.Hostapd(ap_ifname)
    # Full-name match rather than a suffix match; the mixed-case value
    # presumably exercises case-insensitive comparison -- confirm.
    eap_connect(sta, apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    # NOTE(review): source lines 880 and 884 are not shown in this rendering,
    # so both eap_connect() calls below are missing their final argument line.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Near-miss password ("password1") for the provisioned MSCHAPv2 user.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    # Correct password, different identity.
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    ap_ifname = apdev[0]['ifname']
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap_ifname, params)
    hapd = hostapd.Hostapd(ap_ifname)
    # Two stations with non-ASCII credentials: dev[0] sends the plaintext
    # UTF-8 password, dev[1] sends the same credential as a "hash:" value.
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **common)
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                **common)
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    sta = dev[0]
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # "autheap=" selects an EAP method tunnelled inside TTLS (here GTC), as
    # opposed to "auth=" which selects a non-EAP inner method.
    eap_connect(sta, apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    # NOTE(review): source line 916 is not shown in this rendering, so the
    # eap_connect() call below is missing its final argument line.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    # NOTE(review): source line 925 is not shown in this rendering, so the
    # eap_connect() call below is missing its final argument line.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # The identity name suggests a server-side user with no password
    # configured; the client still offers one -- confirm the expected outcome
    # against the eap_user file.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
    # Integrated EAP server so that allocation failures can be injected into
    # the hostapd-side EAP-GTC method.
    # NOTE(review): source lines 935, 946-947 and 949-950 are not shown in
    # this rendering: the first eap_connect() lacks its final argument line,
    # and the wait that precedes the GET_ALLOC_FAIL check as well as the body
    # of that check are missing below.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "eap_gtc_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    sta = dev[0]
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # EAP-MD5 tunnelled inside TTLS; the outer TLS tunnel is what protects
    # the challenge/response exchange here.
    eap_connect(sta, apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    # NOTE(review): source line 968 is not shown in this rendering, so the
    # eap_connect() call below is missing its final argument line.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    # NOTE(review): source line 977 is not shown in this rendering, so the
    # eap_connect() call below is missing its final argument line.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
    # Integrated EAP server so that allocation failures can be injected into
    # the hostapd-side EAP-MD5 method.
    # NOTE(review): source lines 987, 998-999 and 1001-1002 are not shown in
    # this rendering: the first eap_connect() lacks its final argument line,
    # and the wait that precedes the GET_ALLOC_FAIL check as well as the body
    # of that check are missing below.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "eap_md5_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    sta = dev[0]
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    inner = dict(anonymous_identity="ttls",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")

    # Positive case: EAP-MSCHAPv2 tunnelled inside TTLS, then data path and
    # reauthentication.
    eap_connect(sta, apdev[0], "TTLS", "user", password="password", **inner)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")

    # Negative case: near-miss password must be rejected.
    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "TTLS", "user", password="password1",
                expect_failure=True, **inner)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # A user the server has no password for cannot complete MSCHAPv2, so the
    # attempt is expected to fail.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
    # Integrated EAP server so that allocation failures can be injected into
    # the hostapd-side EAP-MSCHAPv2 method, one failure point per round.
    # NOTE(review): source lines 1048-1049, 1051, 1062-1063, 1065, 1076-1077
    # and 1079 are not shown in this rendering; the wait that follows each
    # "would eventually time out" comment and the body of each
    # GET_ALLOC_FAIL check are therefore missing below.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
    dev[0].request("REMOVE_NETWORK all")

    # Wrong password on purpose so the server takes the failure-request path.
    with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="wrong",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-AKA tunnelled inside TTLS.  The "password" is the simulated USIM
    # credential in colon-separated form (presumably Ki:OPc:SQN -- confirm
    # against the wpa_supplicant configuration documentation).
    aka_identity = "0232010000000000"
    eap_connect(dev[0], apdev[0], "TTLS", aka_identity,
                anonymous_identity=aka_identity + "@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same simulated USIM credential as the TTLS variant, tunnelled inside
    # PEAP instead.
    aka_identity = "0232010000000000"
    eap_connect(dev[0], apdev[0], "PEAP", aka_identity,
                anonymous_identity=aka_identity + "@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    sta = dev[0]
    # Skip on builds without EAP-FAST support.
    check_eap_capa(sta, "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-AKA inside EAP-FAST with authenticated PAC provisioning
    # (fast_provisioning=2); the PAC is kept in a config blob.
    aka_identity = "0232010000000000"
    eap_connect(sta, apdev[0], "FAST", aka_identity,
                anonymous_identity=aka_identity + "@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    sta = dev[0]
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    inner = dict(anonymous_identity="peap",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    # Baseline: connect, verify the data path, reauthenticate.
    eap_connect(sta, apdev[0], "PEAP", "user", password="password", **inner)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "PEAP")

    # Same exchange with a small EAP fragment size to force fragmentation.
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                fragment_size="200", **inner)

    # Credential supplied as a "hash:" value instead of the plaintext
    # password (presumably the NT hash form -- confirm).
    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **inner)

    # Near-miss password must be rejected.
    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PEAP", "user", password="password1",
                expect_failure=True, **inner)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    def connect(sta, binding):
        # PEAPv0 with the given crypto_binding policy value (2, 1, 0).
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % binding,
                    phase2="auth=MSCHAPV2")

    # Strictest policy first, with data path check and reauthentication.
    connect(dev[0], 2)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    # Remaining policy values on separate stations.
    connect(dev[1], 1)
    connect(dev[2], 0)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    # Integrated EAP server so an allocation failure can be injected into
    # the server-side inner-method key derivation; the client must then fail
    # (local_error_report presumably tolerates a locally reported error --
    # confirm in eap_connect()).
    hapd = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
    # NOTE(review): source lines 1191, 1197 and 1200 are not shown in this
    # rendering: the final dev[0].connect() call lacks one argument line and
    # both raise statements below appear without their guarding condition.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # peaplabel=1 with PEAPv0 is expected to fail against this server.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    # Both peap_outer_success variants are expected to connect.
    eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=1",
                phase2="auth=MSCHAPV2")
    eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=2",
                phase2="auth=MSCHAPV2")
    # PEAPv1 with peaplabel=1: EAP itself succeeds but no connection is
    # expected within the short timeout.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    raise Exception("No EAP success seen")
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
    raise Exception("Unexpected connection")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    sta = dev[0]
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Inner EAP-TLS uses the phase-2 certificate parameters (the *2 names);
    # the outer tunnel only validates the server against ca_cert.
    eap_connect(sta, apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                ca_cert2="auth_serv/ca.pem",
                client_cert2="auth_serv/user.pem",
                private_key2="auth_serv/user.key")
    eap_reauth(sta, "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    sta = dev[0]
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Mutual certificate authentication: client cert and key from files.
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    eap_reauth(sta, "TLS")
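def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Load the CA certificate, client certificate and private key into
    # wpa_supplicant as named config blobs and reference them with blob://
    # URIs instead of file paths.
    _set_blob(dev[0], "cacert", read_pem("auth_serv/ca.pem"))
    _set_blob(dev[0], "usercert", read_pem("auth_serv/user.pem"))
    _set_blob(dev[0], "userkey", read_pem("auth_serv/user.rsa-key"))
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")


def _set_blob(wpas, name, data):
    """Store *data* as the wpa_supplicant config blob *name*.

    The contents are hex-encoded for the control interface.  Raises
    Exception naming the blob when the SET command is not acknowledged.
    """
    # str.encode("hex") is the Python 2 codec spelling; presumably this file
    # targets Python 2 -- confirm before porting.
    if "OK" not in wpas.request("SET blob " + name + " " + data.encode("hex")):
        raise Exception("Could not set %s blob" % name)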
def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    # NOTE(review): source line 1254 is not shown in this rendering, so the
    # "timed out" raise below appears without its guarding condition.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # First pass: PKCS#12 passphrase given in the network configuration.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    dev[0].request("REMOVE_NETWORK all")
    # Second pass: no passphrase configured, so wpa_supplicant must ask for
    # it over the control interface and accept the CTRL-RSP answer.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    raise Exception("Request for private key passphrase timed out")
    # Extract the request id from the "CTRL-REQ-PASSPHRASE-<id>:..." event
    # (note: "id" shadows the builtin of the same name).
    id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
    dev[0].wait_connected(timeout=10)
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    sta = dev[0]
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The CA certificate goes in as a PEM-derived blob and the PKCS#12 file
    # as raw bytes; both are hex-encoded on the control interface and the
    # PKCS#12 is unlocked with private_key_passwd.
    cacert_hex = read_pem("auth_serv/ca.pem").encode("hex")
    if "OK" not in sta.request("SET blob cacert " + cacert_hex):
        raise Exception("Could not set cacert blob")
    with open("auth_serv/user.pkcs12", "rb") as f:
        pkcs12_hex = f.read().encode("hex")
        if "OK" not in sta.request("SET blob pkcs12 " + pkcs12_hex):
            raise Exception("Could not set pkcs12 blob")
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    # NOTE(review): source lines 1294, 1298, 1308, 1317, 1324 and 1330 are
    # not shown in this rendering, so each "timed out" / "not reported"
    # raise below appears without its guarding condition.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # dev[0] trusts the wrong CA via a config blob, dev[1] via a file path;
    # both must reject the server certificate and never reach CONNECTED.
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="blob://cacert",
                   wait_connect=False, scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca-incorrect.pem",
                   wait_connect=False, scan_freq="2412")

    # The loop variable shadows the dev parameter: the tuple is built from
    # the list before dev is rebound, and dev is dev[1] after the loop.
    for dev in (dev[0], dev[1]):
        ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        raise Exception("Association and EAP start timed out")

        ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        raise Exception("EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        # Expected sequence: certificate error, EAP failure, disconnection,
        # then the network block being temporarily disabled.  Any success
        # or CONNECTED event at these points is a failure of the check.
        ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                             "CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        raise Exception("EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        raise Exception("EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        raise Exception("EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
        raise Exception("Network block disabling not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    # NOTE(review): source line 1354 is not shown in this rendering, so the
    # "not re-started" raise below appears without its guarding condition.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # First network block trusts the correct CA and connects.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   ca_cert="auth_serv/ca.pem",
                   wait_connect=True, scan_freq="2412")
    # Second block is identical except for an incorrect trust root; it is
    # only added, not connected yet.
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                        identity="pap user", anonymous_identity="ttls",
                        password="password", phase2="auth=PAP",
                        ca_cert="auth_serv/ca-incorrect.pem",
                        only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    # Switching to the second block must trigger a fresh EAP-TTLS run
    # (method 21) rather than reusing the earlier TLS session, and that run
    # must fail with reason code 23 (IEEE 802.1X authentication failed).
    dev[0].select_network(id, freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    # NOTE(review): source line 1381 is not shown in this rendering, so the
    # "not re-started" raise below appears without its guarding condition.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # First network block has no ca_cert at all, so the server certificate
    # is presumably not validated on this connection -- confirm; this is
    # the variant where trust goes from "none configured" to "wrong CA".
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   wait_connect=True, scan_freq="2412")
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                        identity="pap user", anonymous_identity="ttls",
                        password="password", phase2="auth=PAP",
                        ca_cert="auth_serv/ca-incorrect.pem",
                        only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    # Selecting the block with the wrong trust root must start a fresh
    # EAP-TTLS run (method 21) and end in reason code 23 (IEEE 802.1X
    # authentication failed).
    dev[0].select_network(id, freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    # NOTE(review): source line 1404 is not shown in this rendering, so the
    # "not re-started" raise below appears without its guarding condition.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                        identity="pap user", anonymous_identity="ttls",
                        password="password", phase2="auth=PAP",
                        ca_cert="auth_serv/ca.pem",
                        wait_connect=True, scan_freq="2412")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    # Same network block, but its ca_cert is swapped for the wrong trust
    # root in place; reconnecting must run EAP-TTLS (method 21) again rather
    # than resuming, and fail with reason code 23 (IEEE 802.1X
    # authentication failed).
    dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
    dev[0].select_network(id, freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    # NOTE(review): source lines 1423, 1427, 1437, 1448, 1455 and 1461 are
    # not shown in this rendering, so each "timed out" / "not reported"
    # raise below appears without its guarding condition.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Correct CA, but a domain_suffix_match that the server certificate
    # cannot satisfy; the connection must fail at certificate validation.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # Expected sequence: certificate error carrying the suffix-mismatch
    # reason, EAP failure, disconnection, then the network block being
    # temporarily disabled.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    raise Exception("Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch"""
    # NOTE(review): source lines 1476, 1480, 1490, 1501, 1508 and 1514 are
    # not shown in this rendering, so each "timed out" / "not reported"
    # raise below appears without its guarding condition.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # domain_match requires the full name; "w1.fi" alone is only a suffix of
    # the server name, so validation must fail with a domain mismatch.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # Expected sequence: certificate error carrying the domain-mismatch
    # reason, EAP failure, disconnection, then the network block being
    # temporarily disabled.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    raise Exception("Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch"""
    # NOTE(review): source lines 1529, 1534, 1541, 1550, 1561, 1568 and 1574
    # are not shown in this rendering, so each "timed out" / "not reported"
    # raise below appears without its guarding condition, and whatever
    # follows the "test succeeded" log line is missing.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Correct CA, but a subject_match string (CN=example.com) that the
    # server certificate cannot satisfy.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    raise Exception("Association and EAP start timed out")

    # TLS libraries without subject_match support refuse to initialize the
    # method at all; that is accepted as a pass unless the library is
    # OpenSSL, where subject_match is expected to work.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # Expected sequence: certificate error carrying the subject-mismatch
    # reason, EAP failure, disconnection, then the network block being
    # temporarily disabled.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    raise Exception("Network block disabling not reported")
1577 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev
, apdev
):
1578 """WPA2-Enterprise negative test - altsubject mismatch"""
1579 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1580 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1582 tests
= [ "incorrect.example.com",
1583 "DNS:incorrect.example.com",
1587 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev
, apdev
, match
)
def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one altsubject_match negative case against the already-started AP.

    'match' is the altsubject_match value to configure (e.g. a DNS: entry
    that is not in the server certificate's subjectAltName). Expected
    sequence: EAP-TTLS starts, the TLS layer reports a certificate error
    naming "AltSubject mismatch", EAP fails, the station disconnects and the
    network block is temporarily disabled. The network block is removed at
    the end so the caller can run the next case on the same station.

    With a TLS library other than OpenSSL altsubject_match is unsupported;
    the method then fails to initialize, which counts as a pass (no
    connection is established) and returns early without the cleanup.
    """
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    def expect(events, timeout_msg):
        # Wait (10 s) for any of 'events'; a timeout fails the test.
        ev = dev[0].wait_event(events, timeout=10)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")

    ev = expect(["CTRL-EVENT-EAP-METHOD",
                 "EAP: Failed to initialize EAP method"],
                "EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        if dev[0].request("GET tls_library").startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The mismatch must surface as a certificate error before any
    # success/connected event.
    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED", "CTRL-EVENT-DISCONNECTED"],
                "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"],
           "Network block disabling not reported")

    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS

    The server is validated against auth_serv/ca.pem while the station
    configures no private_key/client_cert of its own; both the initial
    connection and a reauthentication are expected to succeed.
    """
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], "UNAUTH-TLS")
def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash

    Exercises the hash://server/sha256/<hex> form of ca_cert, which pins the
    server certificate itself instead of validating a CA chain:

    1. ca_cert="probe://" only probes: the supplicant reports the server
       certificate and its hash in a CTRL-EVENT-EAP-PEER-CERT depth=0 event
       and then aborts with a "Server certificate chain probe" error, so a
       probe can never turn into a connection.
    2. A pin that does not match the presented certificate must fail with
       "Server certificate mismatch" and disconnect.
    3. The hash learned in step 1 must allow a normal connection.
    """
    check_cert_probe_support(dev[0])
    # Expected SHA-256 hash of the certificate the hwsim AP presents.
    srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd"
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]

    def wait_for(events, timeout_msg):
        # Wait (10 s) for any of 'events'; a timeout fails the test.
        ev = sta.wait_event(events, timeout=10)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    # Step 1: probe the server certificate.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="probe", ca_cert="probe://",
                wait_connect=False, scan_freq="2412")
    wait_for(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")
    ev = wait_for(["CTRL-EVENT-EAP-PEER-CERT depth=0"],
                  "No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = wait_for(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], "EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    sta.wait_disconnected(timeout=10)
    sta.request("REMOVE_NETWORK all")

    # Step 2: a pin for a different certificate must be rejected.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                wait_connect=False, scan_freq="2412")
    wait_for(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")
    ev = wait_for(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], "EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    sta.wait_disconnected(timeout=10)
    sta.request("REMOVE_NETWORK all")

    # Step 3: the correct pin authenticates.
    eap_connect(sta, apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)

    Malformed hash://server/... pins must be rejected when the EAP method is
    initialized, i.e. before any TLS exchange, rather than being ignored
    (which would silently drop server authentication). Three variants are
    tried, one per station: an unsupported digest (md5), a SHA-256 value
    that is too short, and one containing a non-hex character.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    bad_pins = [
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    for sta, pin in zip(dev[:3], bad_pins):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                    password="password", phase2="auth=MSCHAPV2",
                    ca_cert=pin,
                    wait_connect=False, scan_freq="2412")
    for sta in dev[:3]:
        if sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
            raise Exception("Association and EAP start timed out")
        # The failure must come from method initialization (config
        # parsing), not from a later certificate comparison.
        ev = sta.wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")
1729 def test_ap_wpa2_eap_pwd(dev
, apdev
):
1730 """WPA2-Enterprise connection using EAP-pwd"""
1731 check_eap_capa(dev
[0], "PWD")
1732 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1733 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1734 eap_connect(dev
[0], apdev
[0], "PWD", "pwd user", password
="secret password")
1735 eap_reauth(dev
[0], "PWD")
1736 dev
[0].request("REMOVE_NETWORK all")
1738 eap_connect(dev
[1], apdev
[0], "PWD",
1739 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1740 password
="secret password",
1743 logger
.info("Negative test with incorrect password")
1744 eap_connect(dev
[2], apdev
[0], "PWD", "pwd user", password
="secret-password",
1745 expect_failure
=True, local_error_report
=True)
1747 eap_connect(dev
[0], apdev
[0], "PWD",
1748 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1749 password
="secret password",
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups

    The AP is re-created once per pwd_group value and the station must be
    able to authenticate against each of them. NOTE(review): the numbers are
    IANA IKE group IDs (19-21 the NIST P-256/384/521 curves, 25/26 the
    smaller P-192/224 ones) - taken from the registry, not from this file.
    """
    check_eap_capa(dev[0], "PWD")
    base = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
             "rsn_pairwise": "CCMP", "ieee8021x": "1",
             "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    for group in (19, 20, 21, 25, 26):
        params = dict(base)
        params['pwd_group'] = str(group)
        hostapd.add_ap(apdev[0]['ifname'], params)
        # Drop the previous iteration's network block before reconnecting.
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "PWD", "pwd user",
                    password="secret password")
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group

    The AP advertises pwd_group 0, which is not a usable group; the station
    must not complete the exchange and has to report CTRL-EVENT-EAP-FAILURE
    (within wait_event's default timeout).
    """
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "0" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
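def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    The AP is configured with fragment_size=40 so that its EAP-pwd messages
    are split into many small fragments on the way to the station, which
    must reassemble them and still authenticate.
    """
    check_eap_capa(dev[0], "PWD")
    # The AP parameters are spelled out here (rather than taken from
    # hostapd.wpa2_eap_params()) because pwd_group and fragment_size are
    # the point of the test.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")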
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK

    Connects with the shared key, reauthenticates, then forces each of the
    two GPSK cipher suites via phase1 (every change is expected to trigger a
    fresh, successful EAP run), checks that an unknown cipher suite makes
    negotiation fail, and finally verifies that a wrong key is rejected.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net_id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                         password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    logger.info("Test forced algorithm selection")
    for cipher in ("cipher=1", "cipher=2"):
        dev[0].set_network_quoted(net_id, "phase1", cipher)
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    # cipher=9 is not a suite the server offers; negotiation must fail.
    dev[0].set_network_quoted(net_id, "phase1", "cipher=9")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # Only the first byte of the key differs from the valid one.
    eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    Authenticates with the 32-byte SAKE key (given as hex), reauthenticates,
    and then checks that a key differing only in its first byte is rejected.
    """
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    good_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

    eap_connect(dev[0], ap, "SAKE", "sake user", password_hex=good_key)
    eap_reauth(dev[0], "SAKE")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "SAKE", "sake user", password_hex=bad_key,
                expect_failure=True)
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE

    Connects with the password, reauthenticates, then forces a series of
    DH-group/encryption/PRF/MAC proposals via phase1 (each change is expected
    to trigger a fresh, successful EAP run), checks that an all-unknown
    proposal makes negotiation fail, and finally verifies that a wrong
    password is rejected.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net_id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    logger.info("Test forced algorithm selection")
    for proposal in ("dhgroup=5 encr=1 prf=2 mac=2",
                     "dhgroup=4 encr=1 prf=2 mac=2",
                     "dhgroup=3 encr=1 prf=2 mac=2",
                     "dhgroup=3 encr=1 prf=1 mac=1"):
        dev[0].set_network_quoted(net_id, "phase1", proposal)
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    # Identifier 9 is not defined for any of the four parameters.
    dev[0].set_network_quoted(net_id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Connects and reauthenticates with the correct password, repeats the
    connection with a small station-side fragment_size so the IKEv2
    messages are fragmented towards the server, and finally checks that a
    wrong password is rejected.
    """
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    eap_connect(sta, ap, "IKEV2", "ikev2 user", password="ike password")
    eap_reauth(sta, "IKEV2")

    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", "ikev2 user",
                password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", "ikev2 user",
                password="ike-password", expect_failure=True)
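def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    The AP is configured with fragment_size=50 so that its EAP-IKEv2
    messages are fragmented on the way to the station; connection and
    reauthentication must still succeed.
    """
    # The AP parameters are spelled out here (rather than taken from
    # hostapd.wpa2_eap_params()) because fragment_size is the point of
    # the test.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")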
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    Authenticates with the 16-byte PAX key (given as hex), reauthenticates,
    and then checks that a key differing only in its first byte is rejected.
    """
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    user = "pax.user@example.com"

    eap_connect(dev[0], ap, "PAX", user,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "PAX")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "PAX", user,
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    The AP only offers the SHA-256 AKM (WPA-EAP-SHA256) with ieee80211w=2
    (PMF required), so besides the EAP-PSK exchange this verifies that the
    station requested and the AP selected AKM suite 00-0f-ac-5 and that the
    BSS table shows the [WPA2-EAP-SHA256-CCMP] flag. A key differing in its
    first byte must be rejected.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], params)
    user = "psk.user@example.com"

    eap_connect(dev[0], apdev[0], "PSK", user,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ])

    bss = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PSK", user,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
1927 def test_ap_wpa_eap_peap_eap_mschapv2(dev
, apdev
):
1928 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
1929 params
= hostapd
.wpa_eap_params(ssid
="test-wpa-eap")
1930 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1931 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
1932 identity
="user", password
="password", phase2
="auth=MSCHAPV2",
1933 ca_cert
="auth_serv/ca.pem", wait_connect
=False,
1935 eap_check_auth(dev
[0], "PEAP", True, rsn
=False)
1936 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1937 eap_reauth(dev
[0], "PEAP", rsn
=False)
1938 check_mib(dev
[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
1939 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
1940 status
= dev
[0].get_status(extra
="VERBOSE")
1941 if 'portControl' not in status
:
1942 raise Exception("portControl missing from STATUS-VERBOSE")
1943 if status
['portControl'] != 'Auto':
1944 raise Exception("Unexpected portControl value: " + status
['portControl'])
1945 if 'eap_session_id' not in status
:
1946 raise Exception("eap_session_id missing from STATUS-VERBOSE")
1947 if not status
['eap_session_id'].startswith("19"):
1948 raise Exception("Unexpected eap_session_id value: " + status
['eap_session_id'])
1950 def test_ap_wpa2_eap_interactive(dev
, apdev
):
1951 """WPA2-Enterprise connection using interactive identity/password entry"""
1952 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1953 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1954 hapd
= hostapd
.Hostapd(apdev
[0]['ifname'])
1956 tests
= [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
1957 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
1959 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
1960 "TTLS", "ttls", None, "auth=MSCHAPV2",
1961 "DOMAIN\mschapv2 user", "password"),
1962 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
1963 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
1964 ("Connection with dynamic TTLS/EAP-MD5 password entry",
1965 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
1966 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
1967 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
1968 ("Connection with dynamic PEAP/EAP-GTC password entry",
1969 "PEAP", None, "user", "auth=GTC", None, "password") ]
1970 for [desc
,eap
,anon
,identity
,phase2
,req_id
,req_pw
] in tests
:
1972 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
=eap
,
1973 anonymous_identity
=anon
, identity
=identity
,
1974 ca_cert
="auth_serv/ca.pem", phase2
=phase2
,
1975 wait_connect
=False, scan_freq
="2412")
1977 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
1979 raise Exception("Request for identity timed out")
1980 id = ev
.split(':')[0].split('-')[-1]
1981 dev
[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id
)
1982 ev
= dev
[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
1984 raise Exception("Request for password timed out")
1985 id = ev
.split(':')[0].split('-')[-1]
1986 type = "OTP" if "CTRL-REQ-OTP" in ev
else "PASSWORD"
1987 dev
[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw
)
1988 dev
[0].wait_connected(timeout
=10)
1989 dev
[0].request("REMOVE_NETWORK all")
1991 def test_ap_wpa2_eap_vendor_test(dev
, apdev
):
1992 """WPA2-Enterprise connection using EAP vendor test"""
1993 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1994 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1995 eap_connect(dev
[0], apdev
[0], "VENDOR-TEST", "vendor-test")
1996 eap_reauth(dev
[0], "VENDOR-TEST")
1997 eap_connect(dev
[1], apdev
[0], "VENDOR-TEST", "vendor-test",
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    phase1="fast_provisioning=1" selects the unauthenticated provisioning
    mode; the provisioned PAC is stored in the "fast_pac" blob. After
    connectivity is confirmed, the reauthentication must resume the TLS
    session (tls_session_reused == '1'), which is the evidence that the PAC
    was actually provisioned and used.
    """
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(dev[0], hapd)
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2014 def test_ap_wpa2_eap_fast_pac_file(dev
, apdev
, params
):
2015 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
2016 check_eap_capa(dev
[0], "FAST")
2017 pac_file
= os
.path
.join(params
['logdir'], "fast.pac")
2018 pac_file2
= os
.path
.join(params
['logdir'], "fast-bin.pac")
2019 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2020 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2023 eap_connect(dev
[0], apdev
[0], "FAST", "user",
2024 anonymous_identity
="FAST", password
="password",
2025 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2026 phase1
="fast_provisioning=1", pac_file
=pac_file
)
2027 with
open(pac_file
, "r") as f
:
2029 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data
:
2030 raise Exception("PAC file header missing")
2031 if "PAC-Key=" not in data
:
2032 raise Exception("PAC-Key missing from PAC file")
2033 dev
[0].request("REMOVE_NETWORK all")
2034 eap_connect(dev
[0], apdev
[0], "FAST", "user",
2035 anonymous_identity
="FAST", password
="password",
2036 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2039 eap_connect(dev
[1], apdev
[0], "FAST", "user",
2040 anonymous_identity
="FAST", password
="password",
2041 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2042 phase1
="fast_provisioning=1 fast_pac_format=binary",
2044 dev
[1].request("REMOVE_NETWORK all")
2045 eap_connect(dev
[1], apdev
[0], "FAST", "user",
2046 anonymous_identity
="FAST", password
="password",
2047 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2048 phase1
="fast_pac_format=binary",
2051 subprocess
.call(['sudo', 'rm', pac_file
])
2052 subprocess
.call(['sudo', 'rm', pac_file2
])
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    Same flow as the unauthenticated-provisioning test, but the PAC list is
    written in the binary format (fast_pac_format=binary) and capped at one
    entry (fast_max_pac_list_len=1) in the "fast_pac_bin" blob. The reauth
    must resume the TLS session, proving the binary PAC could be read back.
    """
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
                pac_file="blob://fast_pac_bin")
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config

    Neither network block enables provisioning (no fast_provisioning in
    phase1), so the station has no PAC and no way to obtain one. EAP-FAST
    must therefore fail both with pac_file pointing at an unused blob and
    with no pac_file at all; a successful connection in either case would
    mean the PAC requirement is not enforced.
    """
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]

    # Case 1: pac_file configured but never provisioned.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                identity="user", anonymous_identity="FAST",
                password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://fast_pac_not_in_use",
                wait_connect=False, scan_freq="2412")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
    sta.request("REMOVE_NETWORK all")

    # Case 2: no pac_file at all.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                identity="user", anonymous_identity="FAST",
                password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                wait_connect=False, scan_freq="2412")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning

    phase1="fast_provisioning=2" selects authenticated provisioning (the
    server is validated against auth_serv/ca.pem); the PAC is stored in the
    "fast_pac_auth" blob. After connectivity is confirmed, the reauth must
    resume the TLS session (tls_session_reused == '1') to prove the PAC was
    provisioned and used.
    """
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(dev[0], hapd)
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing

    After a successful authenticated provisioning, the identity in the
    network block is changed to "user2". The station is expected to drop the
    connection, run EAP-FAST again and fail - presumably because the PAC in
    blob fast_pac_auth was issued for the original identity (the test only
    asserts the failure) - and then disconnect again.
    """
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    net_id = eap_connect(sta, apdev[0], "FAST", "user",
                         anonymous_identity="FAST", password="password",
                         ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                         phase1="fast_provisioning=2",
                         pac_file="blob://fast_pac_auth")

    sta.set_network_quoted(net_id, "identity", "user2")
    sta.wait_disconnected()
    if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("EAP-FAST not started")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5) is None:
        raise Exception("EAP failure not reported")
    sta.wait_disconnected()
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP

    ocsp=2 makes a valid stapled OCSP response a requirement (the ocsp_*
    negative tests below show that a bad or missing status fails with this
    setting), so a successful EAP-TLS connection here means the AP stapled
    an acceptable response for its certificate.
    """
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever", ocsp=2)
def int_eap_server_params():
    """Return hostapd parameters for a WPA2-EAP AP with the integrated EAP server.

    WPA2/CCMP with WPA-EAP key management, users from
    auth_serv/eap_user.conf, and the hwsim test CA, server certificate and
    key. A new dict is built on every call, so callers may override entries
    such as "server_cert"/"private_key" or add "ocsp_stapling_response"
    before handing it to hostapd.add_ap().
    """
    params = dict(ssid="test-wpa2-eap",
                  wpa="2",
                  wpa_key_mgmt="WPA-EAP",
                  rsn_pairwise="CCMP",
                  ieee8021x="1",
                  eap_server="1",
                  eap_user_file="auth_serv/eap_user.conf",
                  ca_cert="auth_serv/ca.pem",
                  server_cert="auth_serv/server.pem",
                  private_key="auth_serv/server.key")
    return params
2145 def test_ap_wpa2_eap_tls_ocsp_invalid(dev
, apdev
):
2146 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
2147 params
= int_eap_server_params()
2148 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
2149 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2150 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2151 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2152 private_key
="auth_serv/user.pkcs12",
2153 private_key_passwd
="whatever", ocsp
=2,
2154 wait_connect
=False, scan_freq
="2412")
2157 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2159 raise Exception("Timeout on EAP status")
2160 if 'bad certificate status response' in ev
:
2164 raise Exception("Unexpected number of EAP status messages")
2166 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2168 raise Exception("Timeout on EAP failure report")
2170 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev
, apdev
, params
):
2171 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2172 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-revoked.der")
2173 if not os
.path
.exists(ocsp
):
2174 raise HwsimSkip("No OCSP response available")
2175 params
= int_eap_server_params()
2176 params
["ocsp_stapling_response"] = ocsp
2177 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2178 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2179 identity
="pap user", ca_cert
="auth_serv/ca.pem",
2180 anonymous_identity
="ttls", password
="password",
2181 phase2
="auth=PAP", ocsp
=2,
2182 wait_connect
=False, scan_freq
="2412")
2185 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2187 raise Exception("Timeout on EAP status")
2188 if 'bad certificate status response' in ev
:
2190 if 'certificate revoked' in ev
:
2194 raise Exception("Unexpected number of EAP status messages")
2196 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2198 raise Exception("Timeout on EAP failure report")
2200 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev
, apdev
, params
):
2201 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2202 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-unknown.der")
2203 if not os
.path
.exists(ocsp
):
2204 raise HwsimSkip("No OCSP response available")
2205 params
= int_eap_server_params()
2206 params
["ocsp_stapling_response"] = ocsp
2207 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2208 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2209 identity
="pap user", ca_cert
="auth_serv/ca.pem",
2210 anonymous_identity
="ttls", password
="password",
2211 phase2
="auth=PAP", ocsp
=2,
2212 wait_connect
=False, scan_freq
="2412")
2215 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2217 raise Exception("Timeout on EAP status")
2218 if 'bad certificate status response' in ev
:
2222 raise Exception("Unexpected number of EAP status messages")
2224 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2226 raise Exception("Timeout on EAP failure report")
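def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown

    Counterpart of test_ap_wpa2_eap_ttls_ocsp_unknown: the AP staples the
    same OCSP response with status "unknown", but the station only requests
    OCSP opportunistically (ocsp=1 rather than ocsp=2). In that mode the
    unknown status is not treated as fatal and the connection is expected to
    complete (connect() is called with the default wait_connect, so it fails
    the test if the association does not finish). If this test and the
    ocsp=2 variant ever agree on the outcome, one of the two OCSP policies
    is broken.

    The pre-generated response is read from the log directory; the test is
    skipped when it is not there.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # Keep the hwsim 'params' fixture distinct from the AP configuration.
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")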
2241 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev
, apdev
):
2242 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
2243 params
= int_eap_server_params()
2244 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
2245 params
["private_key"] = "auth_serv/server-no-dnsname.key"
2246 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2247 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2248 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2249 private_key
="auth_serv/user.pkcs12",
2250 private_key_passwd
="whatever",
2251 domain_suffix_match
="server3.w1.fi",
def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain match (CN)"""
    # domain_match requires the full server name to match exactly (no suffix
    # semantics); with a certificate lacking a dNSName SAN the CN is used.
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta_conf = {
        "key_mgmt": "WPA-EAP",
        "eap": "TLS",
        "identity": "tls user",
        "ca_cert": "auth_serv/ca.pem",
        "private_key": "auth_serv/user.pkcs12",
        "private_key_passwd": "whatever",
        "domain_match": "server3.w1.fi",
        # NOTE(review): the closing argument of this call is not visible in
        # the page rendering; scan_freq follows the convention of this file.
        "scan_freq": "2412",
    }
    dev[0].connect("test-wpa2-eap", **sta_conf)
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
    # A real suffix ("w1.fi" against CN server3.w1.fi) is only supported with
    # OpenSSL; other TLS libraries need the full name, so skip there. The
    # capability check is done on dev[0] although dev[1] connects below; all
    # devices run the same wpa_supplicant build in this harness.
    check_domain_match_full(dev[0])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta_conf = {
        "key_mgmt": "WPA-EAP",
        "eap": "TLS",
        "identity": "tls user",
        "ca_cert": "auth_serv/ca.pem",
        "private_key": "auth_serv/user.pkcs12",
        "private_key_passwd": "whatever",
        "domain_suffix_match": "w1.fi",
        # NOTE(review): the closing argument of this call is not visible in
        # the page rendering; scan_freq follows the convention of this file.
        "scan_freq": "2412",
    }
    dev[1].connect("test-wpa2-eap", **sta_conf)
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Two negative cases against CN server3.w1.fi:
    #  - "example.com": an unrelated domain.
    #  - "erver3.w1.fi": a plain substring of the CN. It must be rejected,
    #    i.e. the suffix match has to be label-aligned; otherwise a suffix
    #    like "w1.fi" would also accept "evil-w1.fi"-style names.
    cases = [(0, "example.com", ""), (1, "erver3.w1.fi", " (2)")]
    for idx, suffix, _tag in cases:
        # NOTE(review): the trailing arguments of this call are not visible
        # in the page rendering; wait_connect=False is implied by the
        # EAP-FAILURE wait below (connect() would otherwise raise).
        dev[idx].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                         identity="tls user", ca_cert="auth_serv/ca.pem",
                         private_key="auth_serv/user.pkcs12",
                         private_key_passwd="whatever",
                         domain_suffix_match=suffix,
                         scan_freq="2412", wait_connect=False)
    for idx, _suffix, tag in cases:
        if dev[idx].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception("Timeout on EAP failure report" + tag)
def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # domain_match is a full-name comparison: neither an unrelated domain nor
    # the parent domain "w1.fi" of CN server3.w1.fi may be accepted (a suffix
    # is only acceptable for domain_suffix_match, not for domain_match).
    cases = [(0, "example.com", ""), (1, "w1.fi", " (2)")]
    for idx, name, _tag in cases:
        # NOTE(review): the trailing arguments of this call are not visible
        # in the page rendering; wait_connect=False is implied by the
        # EAP-FAILURE wait below (connect() would otherwise raise).
        dev[idx].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                         identity="tls user", ca_cert="auth_serv/ca.pem",
                         private_key="auth_serv/user.pkcs12",
                         private_key_passwd="whatever",
                         domain_match=name,
                         scan_freq="2412", wait_connect=False)
    for idx, _name, tag in cases:
        if dev[idx].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception("Timeout on EAP failure report" + tag)
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate"""
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-expired.pem"
    ap_params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # NOTE(review): the trailing arguments of connect() and the "is None"
    # guards are not visible in the page rendering; wait_connect=False is
    # implied by the failure events awaited below.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412", wait_connect=False)
    # The supplicant must report the specific reason (reason=4 is paired with
    # the "certificate has expired" text) before the EAP failure, so a user
    # or NetworkManager-style frontend can tell expiry from an untrusted CA.
    cert_err = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    if cert_err is None:
        raise Exception("Timeout on EAP certificate error report")
    expected = ("reason=4", "certificate has expired")
    if not all(part in cert_err for part in expected):
        raise Exception("Unexpected failure reason: " + cert_err)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-expired.pem"
    ap_params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # tls_disable_time_checks=1 turns off the validity-period check, so the
    # expired server certificate is accepted and connect() completes. This is
    # a test/debug knob: in a real profile it keeps trusting certificates
    # whose validity (and any CRL coverage for them) has lapsed.
    sta_conf = {
        "key_mgmt": "WPA-EAP",
        "eap": "TTLS",
        "identity": "mschap user",
        "password": "password",
        "ca_cert": "auth_serv/ca.pem",
        "phase2": "auth=MSCHAP",
        "phase1": "tls_disable_time_checks=1",
        # NOTE(review): the closing argument of this call is not visible in
        # the page rendering; scan_freq follows the convention of this file.
        "scan_freq": "2412",
    }
    dev[0].connect("test-wpa2-eap", **sta_conf)
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-eku-client.pem"
    ap_params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # A certificate whose Extended Key Usage only allows client authentication
    # must not be accepted as the TLS server certificate; otherwise any holder
    # of a client certificate from the same CA could pose as the
    # authentication server. The expected outcome is an EAP failure.
    # NOTE(review): the trailing arguments of connect() and the "is None"
    # guard are not visible in the page rendering; wait_connect=False is
    # implied by the failure event awaited below.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412", wait_connect=False)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    ap_params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Positive counterpart of the client-EKU-only test: a certificate that
    # lists both clientAuth and serverAuth is a valid server certificate, so
    # connect() (which waits for completion by default) must succeed.
    sta_conf = {
        "key_mgmt": "WPA-EAP",
        "eap": "TTLS",
        "identity": "mschap user",
        "password": "password",
        "ca_cert": "auth_serv/ca.pem",
        "phase2": "auth=MSCHAP",
        # NOTE(review): the closing argument of this call is not visible in
        # the page rendering; scan_freq follows the convention of this file.
        "scan_freq": "2412",
    }
    dev[0].connect("test-wpa2-eap", **sta_conf)
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
    # The server certificate and key come from a single PKCS#12 container, so
    # server_cert is removed and private_key points at the .pkcs12 file.
    ap_params = int_eap_server_params()
    del ap_params["server_cert"]
    ap_params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta_conf = {
        "key_mgmt": "WPA-EAP",
        "eap": "TTLS",
        "identity": "mschap user",
        "password": "password",
        "ca_cert": "auth_serv/ca.pem",
        "phase2": "auth=MSCHAP",
        # NOTE(review): the closing argument of this call is not visible in
        # the page rendering; scan_freq follows the convention of this file.
        "scan_freq": "2412",
    }
    dev[0].connect("test-wpa2-eap", **sta_conf)
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # dh_file supplies the client-side DH parameter file (presumably used for
    # ephemeral-DH cipher suites); the DER CA file is used here instead of the
    # PEM one used by most other tests in this file.
    sta_conf = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                    dh_file="auth_serv/dh.conf")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **sta_conf)
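def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # read_pem() returns the base64-decoded (DER) parameters as raw bytes; the
    # control interface wants them hex encoded. binascii.hexlify() works on
    # both Python 2 and 3, whereas bytes.encode("hex") exists only in Python 2.
    dh = read_pem("auth_serv/dh.conf")
    dh_hex = binascii.hexlify(dh).decode()
    if "OK" not in dev[0].request("SET blob dhparams " + dh_hex):
        raise Exception("Could not set dhparams blob")
    # The profile references the in-memory blob instead of a file path.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                dh_file="blob://dhparams")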
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Authenticator-initiated reauthentication every 2 seconds.
    ap_params['eap_reauth_period'] = '2'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    # NOTE(review): the "is None" guards and the loop's break/sleep lines are
    # not visible in the page rendering and are restored here.
    logger.info("Wait for reauthentication")
    for event, msg in (("CTRL-EVENT-EAP-STARTED", "Timeout on reauthentication"),
                       ("CTRL-EVENT-EAP-SUCCESS", "Timeout on reauthentication")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(msg)
    # EAP success alone is not enough: the 4-way handshake triggered by the
    # reauthentication has to finish too, so poll wpa_state for up to ~2 s.
    state = None
    for _ in range(20):
        state = dev[0].get_status_field("wpa_state")
        if state == "COMPLETED":
            break
        time.sleep(0.1)
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Displayable text, then a NUL separator and the optional key=value
    # attributes that may follow it in an EAP-Request/Identity. The
    # supplicant must tolerate the extra data and still authenticate.
    ap_params['eap_message'] = \
        'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
    check_hlr_auc_gw_support()
    ap_params = int_eap_server_params()
    ap_params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    # Server side: offer the protected (MAC-covered) result indication.
    ap_params['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # (method, IMSI-style identity, hlr_auc_gw test secret). The secrets are
    # the harness's fixed Ki:OPc[:SQN] test vectors, not real subscriber keys.
    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for i, (method, identity, secret) in enumerate(cases):
        if i:
            # Drop the previous method's profiles before switching methods.
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        # dev[0] requests the protected result indication (and re-auths with
        # it), dev[1] does not; both must succeed against the same server.
        eap_connect(dev[0], apdev[0], method, identity, password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, identity, password=secret)
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The supplicant caps the number of EAP roundtrips so a peer cannot keep
    # an authentication running indefinitely. A tiny TLS fragment size makes
    # the handshake exceed that cap; the expected log event is "EAP: more
    # than ...".
    # NOTE(review): the last connect() argument (the fragment size) and the
    # "is None" guard are not visible in the page rendering; the value here
    # is restored from the upstream test and should be confirmed.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="TTLS", identity="mschap user",
                   wait_connect=False, scan_freq="2412", ieee80211w="1",
                   anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   fragment_size="4")
    if dev[0].wait_event(["EAP: more than"], timeout=20) is None:
        raise Exception("EAP roundtrip limit not reached")
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The "vendor-test" user is expected to be served a vendor-specific
    # (expanded) method the station does not support, so the station has to
    # answer with an expanded NAK and the exchange ends in an EAP failure.
    # NOTE(review): the closing connect() argument, the "found" flag and the
    # "is None" guards are not visible in the page rendering; wait_connect=
    # False is implied by the failure event awaited below.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="PSK", identity="vendor-test",
                   password_hex="ff23456789abcdef0123456789abcdef",
                   wait_connect=False)

    status = None
    refused = False
    for _ in range(5):
        status = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
        if status is None:
            raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in status:
            refused = True
            break
    if not refused:
        raise Exception("Unexpected EAP status: " + status)

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("EAP failure timed out")
def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB"""
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    # NOTE(review): the lines removing a stale DB and opening the cursor are
    # not visible in the page rendering and are restored here.
    try:
        os.remove(dbfile)
    except OSError:
        pass
    # Fixed test fixture: identities, allowed methods and passwords. The
    # passwords are stored in clear because the TTLS inner methods under test
    # (PAP/CHAP/MSCHAP/MSCHAPv2) need the plaintext on the server side; a
    # production user database must be protected accordingly.
    user_rows = [("user-pap", "TTLS-PAP"),
                 ("user-chap", "TTLS-CHAP"),
                 ("user-mschap", "TTLS-MSCHAP"),
                 ("user-mschapv2", "TTLS-MSCHAPV2")]
    con = sqlite3.connect(dbfile)
    with con:
        cur = con.cursor()
        cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
        cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
        for identity, methods in user_rows:
            cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('%s','%s','password',1)" % (identity, methods))
        # Wildcard entry: any outer identity may start TTLS or TLS.
        cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
        cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")

    ap_params = int_eap_server_params()
    ap_params["eap_user_file"] = "sqlite:" + dbfile
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Alternate the two stations over the four inner methods; the profiles of
    # the first two runs are removed before the station is reused.
    runs = [(0, "user-mschapv2", "auth=MSCHAPV2", True),
            (1, "user-mschap", "auth=MSCHAP", True),
            (0, "user-chap", "auth=CHAP", False),
            (1, "user-pap", "auth=PAP", False)]
    for idx, identity, inner, cleanup in runs:
        eap_connect(dev[idx], apdev[0], "TTLS", identity,
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2=inner)
        if cleanup:
            dev[idx].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity"""
    hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    # EAP-Response/Identity is an octet string: a lone 0x80 byte (invalid
    # UTF-8) and one preceded by an ASCII character must not crash or stall
    # either side. Only the start of EAP and the method selection are
    # checked; no successful connection is expected.
    # NOTE(review): the "is None" guards are not visible in the page
    # rendering and are restored here.
    for idx, identity in ((0, "\x80"), (1, "a\x80")):
        dev[idx].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                         identity=identity, password="password",
                         wait_connect=False)
    for idx in range(2):
        if dev[idx].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
            raise Exception("Association and EAP start timed out")
        if dev[idx].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10) is None:
            raise Exception("EAP method selection timed out")
def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity"""
    # Same check as test_ap_wpa2_eap_non_ascii_identity but against the
    # external (RADIUS) authentication server configuration instead of the
    # integrated EAP server, so the non-UTF-8 identity also crosses RADIUS.
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # NOTE(review): the "is None" guards are not visible in the page
    # rendering and are restored here.
    for idx, identity in ((0, "\x80"), (1, "a\x80")):
        dev[idx].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                         identity=identity, password="password",
                         wait_connect=False)
    for idx in range(2):
        if dev[idx].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
            raise Exception("Association and EAP start timed out")
        if dev[idx].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10) is None:
            raise Exception("EAP method selection timed out")
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant"""
    tls_lib = dev[0].request("GET tls_library")
    if not tls_lib.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls_lib)
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Restricting the station to AES-128 suites still leaves a suite the
    # server accepts.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", **common)
    # "EXPORT" (40/56-bit legacy suites) must not be negotiable with the
    # server, so this attempt is expected to fail rather than silently
    # downgrade the TLS protection of the inner PAP password.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="EXPORT", expect_failure=True, **common)
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd"""
    tls_lib = dev[0].request("GET tls_library")
    if not tls_lib.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls_lib)
    ap_params = int_eap_server_params()
    # Server side only offers AES-256 suites.
    ap_params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    tls_lib = hapd.request("GET tls_library")
    if not tls_lib.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls_lib)
    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Default station cipher list: overlaps with AES256 -> succeeds.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **common)
    # Station limited to AES-128: no common suite -> handshake must fail.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **common)
    # "HIGH:!ADH" (strong suites, anonymous DH excluded) still overlaps.
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **common)
def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
    # NOTE(review): several short lines of this function are not visible in
    # the page rendering (the "is None"/"not in buf" guards, the None
    # initialisation of the parsed keys, the PTK split and the log re-open).
    # They are restored here following the visible checks; confirm against
    # the upstream file.
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Long, high-entropy secret so a search of process memory for it does
    # not produce accidental hits.
    password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    pid = find_wpas_process(dev[0])
    net_id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
                         anonymous_identity="ttls", password=password,
                         ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    # Snapshot of wpa_supplicant's memory while associated.
    buf = read_process_memory(pid, password)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Recover the derived keys from the supplicant's debug log so they can be
    # searched for in the memory snapshots. Log lines look like
    # "<ts>: <module>: <label> - hexdump(len=N): aa bb ...", so the hex is
    # the fourth ':'-separated field.
    dev[0].relog()
    markers = {
        "EAP-TTLS: Derived key - hexdump": "msk",
        "EAP-TTLS: Derived EMSK - hexdump": "emsk",
        "WPA: PMK - hexdump": "pmk",
        "WPA: PTK - hexdump": "ptk",
        "WPA: Group Key - hexdump": "gtk",
    }
    keys = dict((name, None) for name in markers.values())
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for line in f.readlines():
            for marker, name in markers.items():
                if marker in line:
                    hexval = line.strip().split(':')[3].replace(' ', '')
                    keys[name] = binascii.unhexlify(hexval)
    msk, emsk, pmk, ptk, gtk = [keys[n] for n in ("msk", "emsk", "pmk",
                                                   "ptk", "gtk")]
    if not (msk and emsk and pmk and ptk and gtk):
        raise Exception("Could not find keys from debug log")
    if len(gtk) != 16:
        raise Exception("Unexpected GTK length")

    # CCMP PTK layout: KCK (16) | KEK (16) | TK (16).
    kck = ptk[0:16]
    kek = ptk[16:32]
    tk = ptk[32:48]

    fname = os.path.join(params['logdir'],
                         'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')

    def report_locations(mem):
        # Diagnostic only: log where the long-lived secrets currently sit.
        for secret, label in ((password, "Password"), (pmk, "PMK"),
                              (msk, "MSK"), (emsk, "EMSK")):
            get_key_locations(mem, secret, label)

    logger.info("Checking keys in memory while associated")
    report_locations(buf)
    # Memory reading is best effort: if even the configured password cannot
    # be located the snapshot is unusable, so skip instead of failing.
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    if pmk not in buf:
        raise HwsimSkip("PMK not found while associated")
    # KCK/KEK are needed while associated (EAPOL-Key MIC and key wrapping),
    # but the TK and GTK belong to the driver and must already be gone from
    # the supplicant's memory at this point.
    if kck not in buf:
        raise Exception("KCK not found while associated")
    if kek not in buf:
        raise Exception("KEK not found while associated")
    if tk in buf:
        raise Exception("TK found from memory")
    if gtk in buf:
        raise Exception("GTK found from memory")

    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, password)

    # Note: Password is still present in network configuration
    # Note: PMK is in PMKSA cache and EAP fast re-auth data

    report_locations(buf)
    for secret, label in ((kck, "KCK"), (kek, "KEK"), (tk, "TK"),
                          (gtk, "GTK")):
        verify_not_present(buf, secret, fname, label)

    # Flush the PMKSA cache; changing the identity is what invalidates the
    # EAP fast re-auth data, so the PMK has no remaining legitimate holder.
    dev[0].request("PMKSA_FLUSH")
    dev[0].set_network_quoted(net_id, "identity", "foo")
    logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
    buf = read_process_memory(pid, password)
    report_locations(buf)
    verify_not_present(buf, pmk, fname, "PMK")

    dev[0].request("REMOVE_NETWORK all")

    # With the profile gone nothing may keep the password or any derived key.
    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, password)

    report_locations(buf)
    for secret, label in ((password, "password"), (pmk, "PMK"),
                          (kck, "KCK"), (kek, "KEK"), (tk, "TK"),
                          (gtk, "GTK"), (msk, "MSK"), (emsk, "EMSK")):
        verify_not_present(buf, secret, fname, label)
2756 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev
, apdev
):
2757 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
2758 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2759 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
2760 bssid
= apdev
[0]['bssid']
2761 eap_connect(dev
[0], apdev
[0], "TTLS", "pap user",
2762 anonymous_identity
="ttls", password
="password",
2763 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
2765 # Send unexpected WEP EAPOL-Key; this gets dropped
2766 res
= dev
[0].request("EAPOL_RX " + bssid
+ " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
2768 raise Exception("EAPOL_RX to wpa_supplicant failed")