1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
4 #
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
7
8 import base64
9 import binascii
10 import time
11 import subprocess
12 import logging
# Root logger used by the tests below for progress messages (logger.info(...)).
logger = logging.getLogger()
14 import os
15
16 import hwsim_utils
17 import hostapd
18 from utils import HwsimSkip, alloc_fail
19 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations
20
def check_hlr_auc_gw_support():
    """Skip the test unless the hlr_auc_gw control socket is present.

    The EAP-SIM/AKA tests need the external HLR/AuC gateway; its UNIX
    socket is expected at /tmp/hlr_auc_gw.sock.
    Raises HwsimSkip when the socket does not exist.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
24
def check_eap_capa(dev, method):
    """Skip the test when *method* is not among the build's EAP capabilities.

    dev: wpa_supplicant control object; its get_capability("eap") result is
    consulted.
    method: EAP method name to look for.
    Raises HwsimSkip when the method is not listed.
    """
    supported = dev.get_capability("eap")
    if method in supported:
        return
    raise HwsimSkip("EAP method %s not supported in the build" % method)
29
def check_subject_match_support(dev):
    """Skip unless the TLS library reported by *dev* is OpenSSL.

    subject_match is only exercised with OpenSSL-based builds.
    Raises HwsimSkip otherwise.
    """
    tls = dev.request("GET tls_library")
    if tls.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + tls)
34
def check_altsubject_match_support(dev):
    """Skip unless the TLS library reported by *dev* is OpenSSL.

    altsubject_match is only exercised with OpenSSL-based builds.
    Raises HwsimSkip otherwise.
    """
    tls = dev.request("GET tls_library")
    is_openssl = tls.startswith("OpenSSL")
    if not is_openssl:
        raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls)
39
def check_domain_match_full(dev):
    """Skip unless the TLS library reported by *dev* is OpenSSL.

    Used by tests that rely on domain_suffix_match doing a full match with
    the TLS library in use.
    Raises HwsimSkip otherwise.
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        msg = "domain_suffix_match requires full match with this TLS library: " + tls
        raise HwsimSkip(msg)
44
def check_cert_probe_support(dev):
    """Skip unless the TLS library reported by *dev* is OpenSSL.

    Server certificate probing is only exercised with OpenSSL-based builds.
    Raises HwsimSkip otherwise.
    """
    tls = dev.request("GET tls_library")
    if tls.startswith("OpenSSL"):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls)
49
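def read_pem(fname):
    """Return the decoded (DER) bytes of the first PEM block in *fname*.

    Lines up to and including the first line containing "-----BEGIN" are
    skipped, every following line up to (not including) the first line
    containing "-----END" is taken as base64 body, and that body is decoded.
    If no BEGIN marker is present the body is empty and b"" is returned.

    fname: path of the PEM file.
    Returns: decoded bytes.
    Raises: IOError/OSError when the file cannot be opened; binascii.Error
    may be raised for malformed base64 (e.g. incorrect padding).
    """
    body = []
    in_block = False
    with open(fname, "r") as f:
        for line in f:
            # END is checked first so a line with both markers still stops here.
            if "-----END" in line:
                break
            if in_block:
                body.append(line)
            if "-----BEGIN" in line:
                in_block = True
    # Collected once with join instead of repeated string concatenation.
    # The newlines are left in: b64decode() discards non-alphabet
    # characters unless validate=True is requested.
    return base64.b64decode("".join(body))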
63
def eap_connect(dev, ap, method, identity,
                sha256=False, expect_failure=False, local_error_report=False,
                **kwargs):
    """Add a WPA2-Enterprise network on *dev* and run the EAP exchange.

    dev: station under test.
    ap: hostapd device dict; ap['ifname'] is used to attach to the AP.
    method: EAP method name that must appear in CTRL-EVENT-EAP-METHOD.
    identity: EAP identity for the network block.
    sha256/expect_failure/local_error_report: forwarded to eap_check_auth().
    Any other keyword arguments (password, ca_cert, phase2, ...) go
    straight into dev.connect().

    Returns the network id.  With expect_failure set the function returns
    as soon as the failure has been verified and does not wait for
    hostapd's AP-STA-CONNECTED event.
    Raises Exception when hostapd does not report the station as connected.
    """
    hapd = hostapd.Hostapd(ap['ifname'])
    # Offer both the SHA-1 and SHA-256 based EAP AKMs; ieee80211w="1" makes
    # PMF optional on the station side.
    net_id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                         eap=method, identity=identity,
                         wait_connect=False, scan_freq="2412", ieee80211w="1",
                         **kwargs)
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report)
    if not expect_failure:
        connected = hapd.wait_event(["AP-STA-CONNECTED"], timeout=5)
        if connected is None:
            raise Exception("No connection event received from hostapd")
    return net_id
81
def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False):
    """Follow an EAP authentication on *dev* through the control events.

    method: EAP method name expected in CTRL-EVENT-EAP-METHOD and in the
    selectedMethod status field.
    initial: True for a first association (wait for CTRL-EVENT-CONNECTED),
    False for a reauthentication (wait for "WPA: Key negotiation completed").
    rsn/sha256: select the key_mgmt string the STATUS output must report.
    expect_failure: expect CTRL-EVENT-EAP-FAILURE followed by a disconnection
    instead of success.
    local_error_report: when set, do not require disconnection reason 23
    (IEEE 802.1X authentication failed) in the failure case.

    Returns the STATUS dict on success, None when a failure was expected.
    Raises Exception on any timeout or unexpected status value.
    """
    def wait_for(events, error, timeout=10):
        ev = dev.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(error)
        return ev

    wait_for(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")
    ev = wait_for(["CTRL-EVENT-EAP-METHOD"], "EAP method selection timed out")
    if method not in ev:
        raise Exception("Unexpected EAP method")

    if expect_failure:
        # No explicit timeout here: dev.wait_event()'s default applies.
        if dev.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception("EAP failure timed out")
        ev = dev.wait_disconnected(timeout=10)
        if not local_error_report and "reason=23" not in ev:
            raise Exception("Proper reason code for disconnection not reported")
        return None

    wait_for(["CTRL-EVENT-EAP-SUCCESS"], "EAP success timed out")
    if initial:
        completion = ["CTRL-EVENT-CONNECTED"]
    else:
        completion = ["WPA: Key negotiation completed"]
    wait_for(completion, "Association with the AP timed out")

    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")

    if sha256:
        expected_key_mgmt = "WPA2-EAP-SHA256"
    elif rsn:
        expected_key_mgmt = "WPA2/IEEE 802.1X/EAP"
    else:
        expected_key_mgmt = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != expected_key_mgmt:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
    return status
128
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger REAUTHENTICATE on *dev* and verify the resulting EAP exchange.

    Parameters are forwarded to eap_check_auth() with initial=False, i.e.
    completion is detected via "WPA: Key negotiation completed".
    Returns the STATUS dict (or None when expect_failure is set).
    """
    dev.request("REAUTHENTICATE")
    outcome = eap_check_auth(dev, method, False,
                             rsn=rsn, sha256=sha256,
                             expect_failure=expect_failure)
    return outcome
133
def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    imsi = "1232010000000000"
    # Milenage test key material (presumably Ki:OPc); the positive cases
    # need the hlr_auc_gw test database to hold the same values.
    valid_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    eap_connect(dev[0], apdev[0], "SIM", imsi, password=valid_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "SIM")

    eap_connect(dev[1], apdev[0], "SIM", "1232010000000001", password=valid_key)
    # Same key, different IMSI: expected to fail (presumably not provisioned)
    eap_connect(dev[2], apdev[0], "SIM", "1232010000000002", password=valid_key,
                expect_failure=True)

    def expect_auth_failure(label, **creds):
        # Every negative case starts from an empty network list on dev[0];
        # without 'password' in creds the network has no key configured.
        logger.info(label)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "SIM", imsi, expect_failure=True, **creds)

    expect_auth_failure("Negative test with incorrect key",
                        password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    expect_auth_failure("Invalid GSM-Milenage key",
                        password="ffdca4eda45b53cf0f12d7c9c3bc6a")
    expect_auth_failure("Invalid GSM-Milenage key(2)",
                        password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581")
    expect_auth_failure("Invalid GSM-Milenage key(3)",
                        password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q")
    expect_auth_failure("Invalid GSM-Milenage key(4)",
                        password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581")
    expect_auth_failure("Missing key configuration")
184
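def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)"""
    # Exercises fast re-authentication and pseudonym handling against
    # hostapd's SQLite EAP-SIM DB (hostapd.db under params['logdir']) by
    # editing the reauth/pseudonyms tables between reauthentications.
    # The DB connection is closed on every exit path (it used to leak).
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    imsi = "1232010000000000"
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    try:
        def run_sql(*statements):
            # One transaction per call: 'with con' commits, or rolls back
            # if a statement fails.  Statements are fixed test constants.
            with con:
                cur = con.cursor()
                for stmt in statements:
                    cur.execute(stmt)

        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        # NOTE(review): 1814 presumably selects the SQL-backed EAP server
        # instance of the test setup - not visible from this file.
        ap_params['auth_server_port'] = "1814"
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        eap_connect(dev[0], apdev[0], "SIM", imsi, password=key)

        logger.info("SIM fast re-authentication")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM full auth with pseudonym")
        run_sql("DELETE FROM reauth WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM full auth with permanent identity")
        run_sql("DELETE FROM reauth WHERE permanent='1232010000000000'",
                "DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM reauth with mismatching MK")
        run_sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "SIM", imsi, password=key)
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
        logger.info("SIM reauth with mismatching counter")
        eap_reauth(dev[0], "SIM")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "SIM", imsi, password=key)
        run_sql("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
        logger.info("SIM reauth with max reauth count reached")
        eap_reauth(dev[0], "SIM")
    finally:
        con.close()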
242
def test_ap_wpa2_eap_sim_config(dev, apdev):
    """EAP-SIM configuration options"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    init_failure = "EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"

    # Out-of-range sim_min_num_chal values (1 and 4) must be rejected when
    # the method is initialized; each attempt gets its own error message.
    rejected = [("sim_min_num_chal=1", "No EAP error message seen"),
                ("sim_min_num_chal=4", "No EAP error message seen (2)")]
    for phase1, errmsg in rejected:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                       identity="1232010000000000",
                       password=key,
                       phase1=phase1,
                       wait_connect=False, scan_freq="2412")
        if dev[0].wait_event([init_failure], timeout=10) is None:
            raise Exception(errmsg)
        dev[0].request("REMOVE_NETWORK all")

    # A value of 2 is accepted; the second station uses a pseudonym-style
    # anonymous identity instead.
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password=key,
                phase1="sim_min_num_chal=2")
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
                password=key,
                anonymous_identity="345678")
273
def test_ap_wpa2_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
    # external_sim is a global wpa_supplicant setting: restore it even when
    # the test body fails so later tests are not affected.
    restore = "SET external_sim 0"
    try:
        _test_ap_wpa2_eap_sim_ext(dev, apdev)
    finally:
        dev[0].request(restore)
280
def _test_ap_wpa2_eap_sim_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext(); the caller resets external_sim.

    With external_sim=1 wpa_supplicant asks for the GSM authentication
    result over the control interface (CTRL-REQ-SIM-<id>:GSM-AUTH:...).
    The test answers first with the wrong response type and then with a
    series of malformed GSM-AUTH values; each attempt has to end in
    CTRL-EVENT-EAP-FAILURE.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    net_id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                            identity="1232010000000000",
                            wait_connect=False, scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("Network connected timed out")

    def wait_gsm_auth_request():
        # Returns the request id from "CTRL-REQ-SIM-<id>:GSM-AUTH:..."
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':', 2)
        if p[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return p[0].split('-')[3]

    def expect_eap_failure():
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")

    rid = wait_gsm_auth_request()
    # IK:CK:RES
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # This will fail during processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
    expect_eap_failure()

    # Malformed GSM-AUTH answers (non-hex, wrong lengths, missing fields).
    # The control interface accepts each of them; validation fails later.
    bad_gsm_auth = ["q",
                    "34",
                    "0011223344556677",
                    "0011223344556677:q",
                    "0011223344556677:00112233",
                    "0011223344556677:00112233:q"]
    for answer in bad_gsm_auth:
        # Tear down the previous failed attempt before re-selecting the network
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        time.sleep(0.1)
        dev[0].select_network(net_id, freq="2412")
        rid = wait_gsm_auth_request()
        # This will fail during GSM auth validation
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + answer):
            raise Exception("CTRL-RSP-SIM failed")
        expect_eap_failure()
416
def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    imsi = "0232010000000000"
    # Milenage test key material; the positive case needs the hlr_auc_gw
    # test database to hold the same values.
    eap_connect(dev[0], apdev[0], "AKA", imsi,
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA")

    def expect_auth_failure(label, remove_networks=True, **creds):
        # Cases (2)-(4) keep the previously added (failed) network in the
        # list, matching the original sequence of this test.
        logger.info(label)
        if remove_networks:
            dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "AKA", imsi, expect_failure=True, **creds)

    expect_auth_failure("Negative test with incorrect key",
                        password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    expect_auth_failure("Invalid Milenage key",
                        password="ffdca4eda45b53cf0f12d7c9c3bc6a")
    expect_auth_failure("Invalid Milenage key(2)", remove_networks=False,
                        password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    expect_auth_failure("Invalid Milenage key(3)", remove_networks=False,
                        password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123")
    expect_auth_failure("Invalid Milenage key(4)", remove_networks=False,
                        password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q")
    expect_auth_failure("Invalid Milenage key(5)",
                        password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123")
    expect_auth_failure("Invalid Milenage key(6)",
                        password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123")
    expect_auth_failure("Missing key configuration")
470
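def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)"""
    # Exercises fast re-authentication and pseudonym handling against
    # hostapd's SQLite EAP-AKA DB (hostapd.db under params['logdir']) by
    # editing the reauth/pseudonyms tables between reauthentications.
    # The DB connection is closed on every exit path (it used to leak).
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    imsi = "0232010000000000"
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    try:
        def run_sql(*statements):
            # One transaction per call: 'with con' commits, or rolls back
            # if a statement fails.  Statements are fixed test constants.
            with con:
                cur = con.cursor()
                for stmt in statements:
                    cur.execute(stmt)

        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        # NOTE(review): 1814 presumably selects the SQL-backed EAP server
        # instance of the test setup - not visible from this file.
        ap_params['auth_server_port'] = "1814"
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        eap_connect(dev[0], apdev[0], "AKA", imsi, password=key)

        logger.info("AKA fast re-authentication")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with pseudonym")
        run_sql("DELETE FROM reauth WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with permanent identity")
        run_sql("DELETE FROM reauth WHERE permanent='0232010000000000'",
                "DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA reauth with mismatching MK")
        run_sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA", imsi, password=key)
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
        logger.info("AKA reauth with mismatching counter")
        eap_reauth(dev[0], "AKA")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA", imsi, password=key)
        run_sql("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
        logger.info("AKA reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA")
    finally:
        con.close()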
528
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    imsi = "0232010000000000"
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    # Only the anonymous_identity option is exercised here; the connection
    # itself must still succeed.
    eap_connect(dev[0], apdev[0], "AKA", imsi,
                password=key,
                anonymous_identity="2345678")
536
def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
    # external_sim is a global wpa_supplicant setting: restore it even when
    # the test body fails so later tests are not affected.
    restore = "SET external_sim 0"
    try:
        _test_ap_wpa2_eap_aka_ext(dev, apdev)
    finally:
        dev[0].request(restore)
543
def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_ext(); the caller resets external_sim.

    With external_sim=1 wpa_supplicant hands the UMTS authentication to the
    control interface (CTRL-REQ-SIM-<id>:UMTS-AUTH:...).  The test answers
    with the wrong response type, with UMTS-AUTS values and with a series
    of malformed UMTS-AUTH values; every attempt has to end in
    CTRL-EVENT-EAP-FAILURE.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    net_id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                            identity="0232010000000000",
                            password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                            wait_connect=False, scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("Network connected timed out")

    def wait_umts_auth_request():
        # Returns the request id from "CTRL-REQ-SIM-<id>:UMTS-AUTH:..."
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':', 2)
        if p[1] != "UMTS-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return p[0].split('-')[3]

    def expect_eap_failure():
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")

    def disconnect():
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        time.sleep(0.1)

    def answer(rid, text):
        # The control interface has to accept the answer; EAP fails later.
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + text):
            raise Exception("CTRL-RSP-SIM failed")

    rid = wait_umts_auth_request()
    # IK:CK:RES
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # This will fail during processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    expect_eap_failure()
    disconnect()

    dev[0].select_network(net_id, freq="2412")
    rid = wait_umts_auth_request()
    # This will fail during UMTS auth validation
    answer(rid, ":UMTS-AUTS:112233445566778899aabbccddee")
    # A second UMTS-AUTH request is expected here without re-selecting the
    # network (the AUTS answer leads to another authentication round).
    rid = wait_umts_auth_request()
    # This will fail during UMTS auth validation
    answer(rid, ":UMTS-AUTS:12")
    expect_eap_failure()
    disconnect()

    # Malformed UMTS-AUTH answers: wrong separators, wrong field lengths,
    # non-hex characters.
    tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
              ":UMTS-AUTH:34",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
    for t in tests:
        dev[0].select_network(net_id, freq="2412")
        rid = wait_umts_auth_request()
        # This will fail during UMTS auth validation
        answer(rid, t)
        expect_eap_failure()
        disconnect()
629
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    imsi = "6555444333222111"
    key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    eap_connect(dev[0], apdev[0], "AKA'", imsi, password=key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA'")

    # Offering both AKA' and AKA: the @both realm is expected to make the
    # server pick AKA', and the connection must still complete.
    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity=imsi + "@both",
                   password=key,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA'", imsi,
                password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                expect_failure=True)
652
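def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
    # Exercises fast re-authentication and pseudonym handling against
    # hostapd's SQLite EAP-AKA' DB (hostapd.db under params['logdir']) by
    # editing the reauth/pseudonyms tables between reauthentications.
    # The DB connection is closed on every exit path (it used to leak).
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    imsi = "6555444333222111"
    key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    try:
        def run_sql(*statements):
            # One transaction per call: 'with con' commits, or rolls back
            # if a statement fails.  Statements are fixed test constants.
            with con:
                cur = con.cursor()
                for stmt in statements:
                    cur.execute(stmt)

        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        # NOTE(review): 1814 presumably selects the SQL-backed EAP server
        # instance of the test setup - not visible from this file.
        ap_params['auth_server_port'] = "1814"
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        eap_connect(dev[0], apdev[0], "AKA'", imsi, password=key)

        logger.info("AKA' fast re-authentication")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with pseudonym")
        run_sql("DELETE FROM reauth WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with permanent identity")
        run_sql("DELETE FROM reauth WHERE permanent='6555444333222111'",
                "DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        # AKA' stores K_aut (not MK) for fast reauth; corrupt it to force a
        # failure on the next reauthentication.
        logger.info("AKA' reauth with mismatching k_aut")
        run_sql("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA'", imsi, password=key)
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
        logger.info("AKA' reauth with mismatching counter")
        eap_reauth(dev[0], "AKA'")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA'", imsi, password=key)
        run_sql("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
        logger.info("AKA' reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA'")
    finally:
        con.close()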
710
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Sanity check of GET_CONFIG: the first listed AKM has to be WPA-EAP.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the IEEE 802.1X AKM suite selector; both the requested
    # and the selected suite must report it.
    akm_8021x = "00-0f-ac-1"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", akm_8021x),
                       ("dot11RSNAAuthenticationSuiteSelected", akm_8021x)])
725
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Both server certificate constraints are applied at once: the subject
    # DN substring and the semicolon-separated subjectAltName list.
    server_subject = "/C=FI/O=w1.fi/CN=server.w1.fi"
    server_altnames = "EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/"
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                subject_match=server_subject,
                altsubject_match=server_altnames)
    eap_reauth(dev[0], "TTLS")
738
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # (station, identity, password): a wrong password for the PAP user and
    # a different identity that is expected to be rejected as well.
    attempts = [(dev[0], "pap user", "wrong"),
                (dev[1], "user", "password")]
    for sta, identity, password in attempts:
        eap_connect(sta, apdev[0], "TTLS", identity,
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                    expect_failure=True)
751
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # The CA is given in DER form here (ca.der) rather than PEM.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
761
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and altsubject_match"""
    # altsubject_match is not available with every TLS library; skip if so.
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Same entries as the PAP variant of this test, in a different order;
    # the server certificate must still match the constraint.
    alt_subject = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=alt_subject)
    eap_reauth(dev[0], "TTLS")
772
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Wrong password for the CHAP user, and a different identity with the
    # right password; both attempts must fail.
    negative_cases = [(dev[0], "chap user", "wrong"),
                      (dev[1], "user", "password")]
    for sta, identity, passwd in negative_cases:
        eap_connect(sta, apdev[0], "TTLS", identity,
                    anonymous_identity="ttls", password=passwd,
                    ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                    expect_failure=True)
785
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # First pass: server certificate constrained with domain_suffix_match.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # Second pass: force small EAP fragments to exercise reassembly.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                fragment_size="200")
801
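def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    # Docstring previously said CHAP; this test exercises auth=MSCHAP.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Three negative cases on three stations: wrong password, a different
    # identity with the right password, and an unknown identity.
    negative_cases = [(dev[0], "mschap user", "wrong"),
                      (dev[1], "user", "password"),
                      (dev[2], "no such user", "password")]
    for sta, identity, passwd in negative_cases:
        eap_connect(sta, apdev[0], "TTLS", identity,
                    anonymous_identity="ttls", password=passwd,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                    expect_failure=True)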
818
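def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # The backslash is escaped explicitly: "\m" is not a valid Python
    # escape and only happened to yield the same characters.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)

    # Snapshot the AP-side 802.1X counters, re-authenticate, and confirm
    # the counters moved in the expected direction.
    addr = dev[0].p2p_interface_addr()
    sta_before = hapd.get_sta(addr)
    eapol_before = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta_after = hapd.get_sta(addr)
    eapol_after = hapd.get_sta(addr, info="eapol")

    frames_before = int(sta_before['dot1xAuthEapolFramesRx'])
    frames_after = int(sta_after['dot1xAuthEapolFramesRx'])
    if frames_after <= frames_before:
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol_after['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    successes_before = int(eapol_before['backendAuthSuccesses'])
    successes_after = int(eapol_after['backendAuthSuccesses'])
    if successes_after <= successes_before:
        raise Exception("backendAuthSuccesses did not increase")

    # Same user, but the credential is supplied as a "hash:" value rather
    # than the cleartext password.
    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")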
847
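def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and domain_suffix_match"""
    # Suffix-only matching ("w1.fi" against server.w1.fi) needs a TLS
    # library that supports it; otherwise skip.
    check_domain_match_full(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Backslash escaped explicitly ("\m" is not a valid Python escape).
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")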
860
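def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # domain_match is given with a capital S; the connection is expected
    # to succeed, so the comparison is evidently not case sensitive here.
    # Backslash escaped explicitly ("\m" is not a valid Python escape).
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")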
872
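def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Backslash escaped explicitly ("\m" is not a valid Python escape).
    negative_cases = [(dev[0], "DOMAIN\\mschapv2 user", "password1"),
                      (dev[1], "user", "password")]
    for sta, identity, passwd in negative_cases:
        eap_connect(sta, apdev[0], "TTLS", identity,
                    anonymous_identity="ttls", password=passwd,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    expect_failure=True)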
885
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    hostapd.Hostapd(apdev[0]['ifname'])
    # dev[0] sends the non-ASCII password as cleartext; dev[1] supplies the
    # corresponding "hash:" value instead. Both must authenticate.
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                anonymous_identity="ttls", password="secret-åäö-€-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                anonymous_identity="ttls",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
898
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # "autheap=" selects an inner EAP method (GTC) inside the TTLS tunnel.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
908
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # A wrong GTC password must be rejected by the server.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)
917
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # "user-no-passwd" is an identity the test server has no password for;
    # the attempt must fail rather than authenticate.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)
926
def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
    ap_params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Allocation failure while the server initialises the GTC method:
    # the connection attempt must fail cleanly.
    with alloc_fail(hapd, 1, "eap_gtc_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                    expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

    # Allocation failure while the server builds the GTC request.
    with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having
        # reached the allocation failure (GET_ALLOC_FAIL reports '0...').
        for _ in range(20):
            time.sleep(0.1)
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                break
950
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Inner EAP-MD5 is only acceptable because it runs inside the TTLS
    # tunnel; the outer TLS layer provides the server authentication.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
960
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # A wrong inner EAP-MD5 password must be rejected.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
969
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Identity without a server-side password: authentication must fail.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
978
def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
    ap_params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Allocation failure while the server initialises EAP-MD5.
    with alloc_fail(hapd, 1, "eap_md5_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                    expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

    # Allocation failure while the server builds the MD5 challenge.
    with alloc_fail(hapd, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having
        # reached the allocation failure (GET_ALLOC_FAIL reports '0...').
        for _ in range(20):
            time.sleep(0.1)
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                break
1002
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Positive case: inner EAP-MSCHAPv2, data path check, re-authentication.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")

    # Negative case: same identity, wrong password.
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
1019
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Identity without a server-side password: authentication must fail.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
1028
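def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
    ap_params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    def run_until_alloc_fail(func, password):
        # Inject one allocation failure in *func* on the server, start a
        # connection attempt with *password*, and stop as soon as the
        # failure has been hit instead of waiting for the full timeout.
        with alloc_fail(hapd, 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="TTLS", identity="user",
                           anonymous_identity="ttls", password=password,
                           ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure (GET_ALLOC_FAIL reports '0...').
            for _ in range(20):
                time.sleep(0.1)
                if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                    break
            dev[0].request("REMOVE_NETWORK all")

    # Allocation failure while the server initialises EAP-MSCHAPv2.
    with alloc_fail(hapd, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

    # The three server-side message builders, each hit once. The failure
    # request path needs a wrong password to be reached at all.
    run_until_alloc_fail("eap_mschapv2_build_challenge", "password")
    run_until_alloc_fail("eap_mschapv2_build_success_req", "password")
    run_until_alloc_fail("eap_mschapv2_build_failure_req", "wrong")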
1081
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # EAP-AKA inside TTLS; the "password" carries the simulated USIM
    # credentials (Ki:OPc:SQN style colon-separated fields) — test data only.
    aka_credentials = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                       "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000",
                anonymous_identity="0232010000000000@ttls",
                password=aka_credentials,
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
1090
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Same simulated USIM credentials as the TTLS/AKA test, tunnelled in PEAP.
    aka_credentials = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                       "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000",
                anonymous_identity="0232010000000000@peap",
                password=aka_credentials,
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
1099
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    # EAP-FAST is an optional build feature; skip if it is not compiled in.
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    aka_credentials = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                       "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    # fast_provisioning=2 with a blob-backed PAC file; the PAC is stored in
    # a config blob rather than on disk.
    eap_connect(dev[0], apdev[0], "FAST", "0232010000000000",
                anonymous_identity="0232010000000000@fast",
                password=aka_credentials,
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
1111
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Baseline: connect, check data path, re-authenticate.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    # Same credentials with small EAP fragments to exercise reassembly.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                fragment_size="200")

    # Credential given as a "hash:" value instead of the cleartext password.
    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    # Negative case: wrong password must be rejected.
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
1140
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # crypto_binding=2 requires the binding TLV; this is the strictest
    # setting and gets the connectivity and re-authentication checks.
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peapver=0 crypto_binding=2",
                phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    # Optional (1) and disabled (0) crypto binding must also interoperate
    # with the same server.
    for sta, binding in ((dev[1], 1), (dev[2], 0)):
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % binding,
                    phase2="auth=MSCHAPV2")
1160
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    ap_params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # The server cannot derive the inner-method key, so crypto binding
    # cannot be completed; the client must end up with a local failure.
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
1171
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # peaplabel=1 with PEAPv0 is expected to fail against this server.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # Both peap_outer_success modes must still connect.
    for sta, outer_success in ((dev[1], 1), (dev[2], 2)):
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peap_outer_success=%d" % outer_success,
                    phase2="auth=MSCHAPV2")

    # PEAPv1 with peaplabel=1: EAP itself succeeds, but the station must
    # not reach the connected state within the short window checked here.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15) is None:
        raise Exception("No EAP success seen")
    if dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1) is not None:
        raise Exception("Unexpected connection")
1202
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # The inner EAP-TLS has its own trust anchor and client credential set
    # (the *2 parameters), separate from the outer PEAP TLS configuration.
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                ca_cert2="auth_serv/ca.pem",
                client_cert2="auth_serv/user.pem",
                private_key2="auth_serv/user.key")
    eap_reauth(dev[0], "PEAP")
1213
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Certificate-based client authentication; files are read from disk.
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    eap_reauth(dev[0], "TLS")
1222
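def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # Load each PEM file into a named wpa_supplicant config blob. The blob
    # is passed hex-encoded over the control interface.
    blobs = (("cacert", "auth_serv/ca.pem"),
             ("usercert", "auth_serv/user.pem"),
             ("userkey", "auth_serv/user.rsa-key"))
    for name, path in blobs:
        data = read_pem(path)
        if "OK" not in dev[0].request("SET blob %s %s" %
                                      (name, binascii.hexlify(data))):
            # Previously the userkey failure was misreported as "cacert".
            raise Exception("Could not set %s blob" % name)

    # All three credentials are now referenced by blob:// rather than path.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")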
1239
def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Client certificate and key come from one PKCS#12 container whose
    # passphrase is given in the network configuration.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    dev[0].request("REMOVE_NETWORK all")

    # Same container without private_key_passwd: the supplicant has to ask
    # for it (CTRL-REQ-PASSPHRASE) and the test answers over the control
    # interface with CTRL-RSP-PASSPHRASE-<id>.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    req = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    if req is None:
        raise Exception("Request for private key passphrase timed out")
    # The request looks like "CTRL-REQ-PASSPHRASE-<id>:..."; pull out <id>.
    req_id = req.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + req_id + ":whatever")
    dev[0].wait_connected(timeout=10)
1259
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # CA certificate as a hex-encoded blob (PEM text).
    ca_pem = read_pem("auth_serv/ca.pem")
    if "OK" not in dev[0].request("SET blob cacert " + binascii.hexlify(ca_pem)):
        raise Exception("Could not set cacert blob")
    # PKCS#12 container is binary, so read it in "rb" mode before hex-encoding.
    with open("auth_serv/user.pkcs12", "rb") as f:
        p12 = f.read()
    if "OK" not in dev[0].request("SET blob pkcs12 " + binascii.hexlify(p12)):
        raise Exception("Could not set pkcs12 blob")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
1273
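def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # The wrong CA is supplied two ways: as a config blob (dev[0]) and as
    # a file path (dev[1]). Both stations must refuse the server.
    wrong_ca = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + binascii.hexlify(wrong_ca)):
        raise Exception("Could not set cacert blob")
    # Backslash escaped explicitly ("\m" is not a valid Python escape).
    identity = "DOMAIN\\mschapv2 user"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity=identity, anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="blob://cacert",
                   wait_connect=False, scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity=identity, anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca-incorrect.pem",
                   wait_connect=False, scan_freq="2412")

    # Loop variable no longer shadows the dev parameter.
    for sta in (dev[0], dev[1]):
        ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")

        ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if ev is None:
            raise Exception("EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        # The first outcome reported must be the certificate error, not
        # a success or an unexplained disconnect.
        ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                             "CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = sta.wait_event(["CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        # After the failure the network block is temporarily disabled, so
        # the station does not keep retrying against an untrusted server.
        ev = sta.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
        if ev is None:
            raise Exception("Network block disabling not reported")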
1332
def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # First network block trusts the correct CA and connects normally.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   ca_cert="auth_serv/ca.pem",
                   wait_connect=True, scan_freq="2412")
    # Second block is identical except for an incorrect trust root; it is
    # only added here and selected below.
    bad_ca_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                               identity="pap user", anonymous_identity="ttls",
                               password="password", phase2="auth=PAP",
                               ca_cert="auth_serv/ca-incorrect.pem",
                               only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(bad_ca_id, freq="2412")

    # EAP type 21 is TTLS; a fresh negotiation must start for the new block.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # Any cached trust from the first block must not carry over: the
    # server is rejected and the link drops with reason code 23
    # (IEEE 802.1X authentication failed).
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
1360
def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # First block is configured without any ca_cert, i.e. with no trust
    # anchor at all, and connects.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   wait_connect=True, scan_freq="2412")
    # Second block pins an incorrect CA; added only, selected below.
    bad_ca_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                               identity="pap user", anonymous_identity="ttls",
                               password="password", phase2="auth=PAP",
                               ca_cert="auth_serv/ca-incorrect.pem",
                               only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(bad_ca_id, freq="2412")

    # EAP type 21 is TTLS; a fresh negotiation must start for the new block.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # The earlier unvalidated session must not let the server through now
    # that a (wrong) trust root is configured: expect reason code 23
    # (IEEE 802.1X authentication failed).
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
1387
def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Connect with the correct CA, then swap the trust root of the *same*
    # network block to an incorrect one and reconnect.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca.pem",
                            wait_connect=True, scan_freq="2412")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].set_network_quoted(net_id, "ca_cert", "auth_serv/ca-incorrect.pem")
    dev[0].select_network(net_id, freq="2412")

    # EAP type 21 is TTLS; a fresh negotiation must start.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # The changed ca_cert must take effect immediately (no stale session
    # state): expect reason code 23 (IEEE 802.1X authentication failed).
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
1410
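def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # The CA is correct; only domain_suffix_match disagrees with the server
    # certificate, so the rejection must come from the suffix check.
    # Backslash escaped explicitly ("\m" is not a valid Python escape).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    sta = dev[0]
    ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # First outcome must be the certificate error carrying the specific
    # suffix-mismatch reason.
    ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                         "CTRL-EVENT-EAP-SUCCESS",
                         "CTRL-EVENT-EAP-FAILURE",
                         "CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                         "CTRL-EVENT-EAP-FAILURE",
                         "CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = sta.wait_event(["CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # The network block is temporarily disabled after the failure so the
    # station does not keep retrying against the mismatching server.
    ev = sta.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")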
1463
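def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # domain_match requires a full domain name match; "w1.fi" alone does
    # not match the test server's certificate and must be rejected.
    # "\\m" keeps the literal backslash in the identity ("\m" is an
    # invalid escape sequence in newer Python versions).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The certificate error must come before any success/connected event.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # The network block must be temporarily disabled after the failure.
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")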
1516
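def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The subject_match value names a CN the test server does not use.
    # "\\m" keeps the literal backslash in the identity ("\m" is an
    # invalid escape sequence in newer Python versions).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    # subject_match is only implemented for OpenSSL builds. With another
    # TLS library the method must refuse to initialize (fail closed) rather
    # than silently ignore the constraint; that also counts as a pass.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The certificate error must come before any success/connected event.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")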
1576
def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # Every one of these must be rejected: a value without a type prefix,
    # a DNS name the server certificate does not carry, the bare parent
    # domain, and a truncated host name -- i.e. neither suffix nor
    # substring matching may be accepted for altsubject_match.
    patterns = ("incorrect.example.com",
                "DNS:incorrect.example.com",
                "DNS:w1.fi",
                "DNS:erver.w1.fi")
    for pattern in patterns:
        _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, pattern)
1588
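def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one altsubject_match negative case against the already started AP.

    match: the altsubject_match value expected to be rejected by dev[0].
    The network block is removed before returning so the next case starts
    from a clean station configuration.
    """
    # "\\m" keeps the literal backslash in the identity ("\m" is an
    # invalid escape sequence in newer Python versions).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    # altsubject_match is only implemented for OpenSSL builds; any other
    # TLS library must fail closed at method initialization.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        # Clean up here too; the early return used to skip the removal at
        # the end and leave the network block behind for the next case.
        dev[0].request("REMOVE_NETWORK all")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The certificate error must come before any success/connected event.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")

    dev[0].request("REMOVE_NETWORK all")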
1647
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # No client credentials are configured here; only the server is
    # validated, via the pinned CA.
    eap_connect(dev[0], apdev[0], "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], "UNAUTH-TLS")
1655
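def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
    check_cert_probe_support(dev[0])
    # Expected SHA-256 fingerprint of the test server's certificate; the
    # probe phase below must report it and the final phase pins to it.
    srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Phase 1: ca_cert="probe://" only reports the server certificate
    # chain; the authentication itself must still fail.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Phase 2: pinning to a hash that does not match the server must be
    # reported as a certificate mismatch, not a successful connection.
    # "\\m" keeps the literal backslash in the identity ("\m" is an
    # invalid escape sequence in newer Python versions).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Phase 3: pinning to the probed hash must succeed.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")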
1701
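def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Each ca_cert value is malformed in a different way and must be
    # rejected when the EAP method is initialized, rather than being
    # accepted and weakening or skipping the server certificate check:
    #   dev[0]: md5 is not an accepted digest for hash://server/
    #   dev[1]: the sha256 value is two hex digits short
    #   dev[2]: the sha256 value ends in a non-hex character
    bad_ca_certs = [
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    # "\\m" keeps the literal backslash in the identity ("\m" is an
    # invalid escape sequence in newer Python versions).
    for i, ca_cert in enumerate(bad_ca_certs):
        dev[i].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                       password="password", phase2="auth=MSCHAPV2",
                       ca_cert=ca_cert,
                       wait_connect=False, scan_freq="2412")
    for i in range(len(bad_ca_certs)):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")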
1728
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd"""
    check_eap_capa(dev[0], "PWD")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    # A very long identity combined with a small fragment_size exercises
    # the station-side fragmentation of the EAP-pwd exchange.
    long_identity = "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com"
    eap_connect(dev[1], apdev[0], "PWD", long_identity,
                password="secret password",
                fragment_size="90")

    logger.info("Negative test with incorrect password")
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

    # Same long identity again with an even smaller fragment size.
    eap_connect(dev[0], apdev[0], "PWD", long_identity,
                password="secret password",
                fragment_size="31")
1751
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups"""
    check_eap_capa(dev[0], "PWD")
    base = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
             "rsn_pairwise": "CCMP", "ieee8021x": "1",
             "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    # The AP is re-added with a different pwd_group each round; the
    # station's previous network block is dropped before each connect.
    for group in (19, 20, 21, 25, 26):
        ap_params = dict(base, pwd_group=str(group))
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1763
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group"""
    check_eap_capa(dev[0], "PWD")
    # Group 0 is not a valid EAP-pwd group; the station must end up with
    # an EAP failure rather than a connection.
    ap_params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
                  "rsn_pairwise": "CCMP", "ieee8021x": "1",
                  "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
                  "pwd_group": "0" }
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
1778
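def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
    check_eap_capa(dev[0], "PWD")
    # fragment_size is set on hostapd's integrated EAP server here, so it
    # is the server side of the exchange that gets fragmented.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")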
1789
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    netid = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                        password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    logger.info("Test forced algorithm selection")
    # Rewriting phase1 on the live network block; each supported cipher
    # suite is expected to produce a fresh EAP success and connection.
    for cipher in ("cipher=1", "cipher=2"):
        dev[0].set_network_quoted(netid, "phase1", cipher)
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    # An unknown cipher id must lead to an EAP failure, not a silent
    # fallback to some other suite.
    dev[0].set_network_quoted(netid, "phase1", "cipher=9")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
1817
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    good_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=good_key)
    eap_reauth(dev[0], "SAKE")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # Same length as the valid key, first byte changed.
    bad_key = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=bad_key,
                expect_failure=True)
1831
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    netid = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    logger.info("Test forced algorithm selection")
    # Each phase1 string pins a DH group / encryption / PRF / MAC
    # combination; every one of these must still authenticate.
    proposals = ("dhgroup=5 encr=1 prf=2 mac=2",
                 "dhgroup=4 encr=1 prf=2 mac=2",
                 "dhgroup=3 encr=1 prf=2 mac=2",
                 "dhgroup=3 encr=1 prf=1 mac=1")
    for proposal in proposals:
        dev[0].set_network_quoted(netid, "phase1", proposal)
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    # Unknown algorithm ids must be refused instead of downgraded.
    dev[0].set_network_quoted(netid, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)
1860
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")

    # Repeat with station-side fragmentation of the EAP-IKEv2 messages.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike-password", expect_failure=True)
1876
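def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
    # fragment_size is set on hostapd's integrated EAP server, so the
    # server side of the EAP-IKEv2 exchange is what gets fragmented.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")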
1888
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    user = "pax.user@example.com"
    eap_connect(dev[0], apdev[0], "PAX", user,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "PAX")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # Same length as the valid key, first byte changed.
    eap_connect(dev[0], apdev[0], "PAX", user,
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
1902
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # SHA-256 based AKM with management frame protection required.
    ap_params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    user = "psk.user@example.com"
    eap_connect(dev[0], apdev[0], "PSK", user,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    # 00-0f-ac-5 is the RSN AKM selector matching WPA-EAP-SHA256 above.
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ])

    bss = dev[0].get_bss(apdev[0]['bssid'])
    flags = bss.get('flags')
    if flags is None:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PSK", user,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
1926
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    ap_params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
                   scan_freq="2412")
    # WPA (not RSN) AP, hence rsn=False for the EAP checks below.
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    # 00-50-f2-1: WPA (vendor OUI) 802.1X AKM selector.
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])

    status = dev[0].get_status(extra="VERBOSE")
    port_control = status.get('portControl')
    if port_control is None:
        raise Exception("portControl missing from STATUS-VERBOSE")
    if port_control != 'Auto':
        raise Exception("Unexpected portControl value: " + port_control)
    session_id = status.get('eap_session_id')
    if session_id is None:
        raise Exception("eap_session_id missing from STATUS-VERBOSE")
    # Presumably the leading byte is the EAP method type (PEAP = 25 = 0x19).
    if not session_id.startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + session_id)
1949
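def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Columns: description, EAP method, anonymous_identity, identity
    # (None = supplied interactively), phase2, identity to answer
    # CTRL-REQ-IDENTITY with (None = not expected), password to answer
    # CTRL-REQ-PASSWORD/CTRL-REQ-OTP with.
    # "\\m" keeps the literal backslash ("\m" is an invalid escape
    # sequence in newer Python versions).
    tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
               "TTLS", "ttls", "DOMAIN\\mschapv2 user", "auth=MSCHAPV2",
               None, "password"),
              ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
               "TTLS", "ttls", None, "auth=MSCHAPV2",
               "DOMAIN\\mschapv2 user", "password"),
              ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
               "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
              ("Connection with dynamic TTLS/EAP-MD5 password entry",
               "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
              ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
               "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
              ("Connection with dynamic PEAP/EAP-GTC password entry",
               "PEAP", None, "user", "auth=GTC", None, "password") ]
    for desc, eap, anon, identity, phase2, req_id, req_pw in tests:
        logger.info(desc)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        if req_id:
            ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
            if ev is None:
                raise Exception("Request for identity timed out")
            # The request id sits between the last '-' and the first ':'
            # of the event and must be echoed back in the response.
            req_num = ev.split(':')[0].split('-')[-1]
            dev[0].request("CTRL-RSP-IDENTITY-" + req_num + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
        if ev is None:
            raise Exception("Request for password timed out")
        req_num = ev.split(':')[0].split('-')[-1]
        # GTC asks for an OTP; the other methods ask for a password.
        field = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + field + "-" + req_num + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")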
1990
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
    eap_reauth(dev[0], "VENDOR-TEST")
    # Second station: the "pending" password selects a different code
    # path in the vendor test method.
    eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
                password="pending")
1999
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # fast_provisioning=1: anonymous (unauthenticated) PAC provisioning;
    # the PAC ends up in a blob rather than a file.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # A reauthentication must resume via the provisioned PAC.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2013
def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
    check_eap_capa(dev[0], "FAST")
    # Both PAC files are written under the test log directory. They carry
    # the provisioned PAC-Key, so they are removed again in the finally
    # block whatever happens.
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    common = dict(anonymous_identity="FAST", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    try:
        # dev[0]: provision a text-format PAC, sanity check the file, then
        # reconnect using only the stored PAC (no provisioning allowed).
        eap_connect(dev[0], apdev[0], "FAST", "user",
                    phase1="fast_provisioning=1", pac_file=pac_file,
                    **common)
        with open(pac_file, "r") as f:
            contents = f.read()
        if "wpa_supplicant EAP-FAST PAC file - version 1" not in contents:
            raise Exception("PAC file header missing")
        if "PAC-Key=" not in contents:
            raise Exception("PAC-Key missing from PAC file")
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "FAST", "user",
                    pac_file=pac_file, **common)

        # dev[1]: same flow with the binary PAC format.
        eap_connect(dev[1], apdev[0], "FAST", "user",
                    phase1="fast_provisioning=1 fast_pac_format=binary",
                    pac_file=pac_file2, **common)
        dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[1], apdev[0], "FAST", "user",
                    phase1="fast_pac_format=binary",
                    pac_file=pac_file2, **common)
    finally:
        # Removed via sudo: the files are presumably created by the
        # (root) wpa_supplicant process, not by this test.
        subprocess.call(['sudo', 'rm', pac_file])
        subprocess.call(['sudo', 'rm', pac_file2])
2053
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Binary PAC blob, capped to a single PAC entry.
    phase1 = "fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary"
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=phase1,
                pac_file="blob://fast_pac_bin")
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2067
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    common = dict(key_mgmt="WPA-EAP", eap="FAST",
                  identity="user", anonymous_identity="FAST",
                  password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                  wait_connect=False, scan_freq="2412")

    # Case 1: a PAC blob that was never provisioned and no
    # fast_provisioning option -- there is no way to obtain a PAC.
    dev[0].connect("test-wpa2-eap", pac_file="blob://fast_pac_not_in_use",
                   **common)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")

    # Case 2: no pac_file configured at all.
    dev[0].connect("test-wpa2-eap", **common)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2093
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # fast_provisioning=2: authenticated provisioning (server certificate
    # validated against ca_cert) with GTC as the inner method.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(dev[0], hapd)
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2107
def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    netid = eap_connect(dev[0], apdev[0], "FAST", "user",
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                        phase1="fast_provisioning=2",
                        pac_file="blob://fast_pac_auth")
    # Switching the identity on the connected network block forces a new
    # authentication; with the PAC provisioned for "user", "user2" is
    # expected to be refused and the station to drop off again.
    dev[0].set_network_quoted(netid, "identity", "user2")
    dev[0].wait_disconnected()
    if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("EAP-FAST not started")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5) is None:
        raise Exception("EAP failure not reported")
    dev[0].wait_disconnected()
2127
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # ocsp=2: the station insists on a valid stapled OCSP response.
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever", ocsp=2)
2135
def int_eap_server_params():
    """Return hostapd parameters for a WPA2-Enterprise AP with the integrated EAP server.

    The certificate files are spelled out explicitly; callers in this file
    add OCSP stapling options on top of the returned dict.
    """
    ap_params = {}
    ap_params["ssid"] = "test-wpa2-eap"
    ap_params["wpa"] = "2"
    ap_params["wpa_key_mgmt"] = "WPA-EAP"
    ap_params["rsn_pairwise"] = "CCMP"
    ap_params["ieee8021x"] = "1"
    ap_params["eap_server"] = "1"
    ap_params["eap_user_file"] = "auth_serv/eap_user.conf"
    ap_params["ca_cert"] = "auth_serv/ca.pem"
    ap_params["server_cert"] = "auth_serv/server.pem"
    ap_params["private_key"] = "auth_serv/server.key"
    return ap_params
2144
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
    ap_params = int_eap_server_params()
    # Staple a deliberately broken OCSP response; the station is
    # configured to require a valid one (ocsp=2), so this must fail.
    ap_params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # Up to eleven unrelated EAP status events are tolerated before the
    # expected TLS alert has to show up.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2169
def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
    # The pre-generated "revoked" response lives in the log directory; skip
    # rather than fail when the test environment did not produce it.
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # Either wording is acceptable; which one appears depends on the TLS
    # library in use.
    rejections = ('bad certificate status response', 'certificate revoked')
    for _ in range(11):
        status = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if status is None:
            raise Exception("Timeout on EAP status")
        if any(text in status for text in rejections):
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2199
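def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown"""
    # Docstring fixed: this case staples an "unknown" status, not "revoked".
    # With ocsp=2 an unknown status must be treated as a rejection.
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # Use a separate name for the AP config so the 'params' fixture (which
    # carries logdir) is not shadowed.
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # Tolerate up to ten unrelated EAP status events before the expected one.
    for _ in range(11):
        status = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if status is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in status:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")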
2227
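def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown"""
    # Docstring fixed: this is the ocsp=1 (optional) variant with an "unknown"
    # status. Unlike the ocsp=2 test above, the connection is expected to
    # complete because OCSP is only requested, not required.
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")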
2240
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
    # The server certificate carries no dNSName SAN, so the name check falls
    # back to the CN; an exact CN value is accepted by every TLS backend.
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="server3.w1.fi",
                   scan_freq="2412")
2253
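def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain match (CN)"""
    # Docstring typo fixed ("domainmatch"). domain_match requires the full
    # name to match; the certificate has no dNSName SAN so the CN is used.
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="server3.w1.fi",
                   scan_freq="2412")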
2266
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
    # A partial suffix ("w1.fi" against CN server3.w1.fi) is only supported
    # with OpenSSL; other TLS libraries require a full match, so skip there.
    check_domain_match_full(dev[0])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[1]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                identity="tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever",
                domain_suffix_match="w1.fi",
                scan_freq="2412")
2280
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Both suffixes must be rejected against CN server3.w1.fi: the first is an
    # unrelated domain, the second is a byte-level suffix that does not start
    # on a DNS label boundary (matching must be label-wise, not substring).
    attempts = [(dev[0], "example.com", ""),
                (dev[1], "erver3.w1.fi", " (2)")]
    for sta, suffix, _tag in attempts:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user", ca_cert="auth_serv/ca.pem",
                    private_key="auth_serv/user.pkcs12",
                    private_key_passwd="whatever",
                    domain_suffix_match=suffix,
                    wait_connect=False,
                    scan_freq="2412")
    for sta, _suffix, tag in attempts:
        if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception("Timeout on EAP failure report" + tag)
2307
def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # domain_match is a full-name comparison: neither an unrelated domain nor
    # the parent domain "w1.fi" may be accepted for CN server3.w1.fi (contrast
    # with domain_suffix_match, where "w1.fi" is a valid suffix).
    attempts = [(dev[0], "example.com", ""),
                (dev[1], "w1.fi", " (2)")]
    for sta, domain, _tag in attempts:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user", ca_cert="auth_serv/ca.pem",
                    private_key="auth_serv/user.pkcs12",
                    private_key_passwd="whatever",
                    domain_match=domain,
                    wait_connect=False,
                    scan_freq="2412")
    for sta, _domain, tag in attempts:
        if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception("Timeout on EAP failure report" + tag)
2334
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate"""
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-expired.pem"
    ap_params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   wait_connect=False,
                   scan_freq="2412")
    # The validity-period failure must be surfaced to the control interface
    # with the specific reason code before the EAP exchange is abandoned.
    cert_err = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    if cert_err is None:
        raise Exception("Timeout on EAP certificate error report")
    expected_tokens = ("reason=4", "certificate has expired")
    if not all(token in cert_err for token in expected_tokens):
        raise Exception("Unexpected failure reason: " + cert_err)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2354
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
    # Same expired server certificate as the test above; here the station
    # opts out of validity-period checks, so the connection must complete.
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-expired.pem"
    ap_params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem",
                   phase2="auth=MSCHAP",
                   phase1="tls_disable_time_checks=1",
                   scan_freq="2412")
2366
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
    # A server certificate whose Extended Key Usage only permits client
    # authentication must not be accepted for server authentication.
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-eku-client.pem"
    ap_params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   wait_connect=False,
                   scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2381
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
    # A certificate listing both client and server EKUs is valid for server
    # authentication, so this connection is expected to succeed.
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    ap_params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user",
                   password="password",
                   ca_cert="auth_serv/ca.pem",
                   phase2="auth=MSCHAP",
                   scan_freq="2412")
2392
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
    # The PKCS#12 bundle supplies both certificate and key, so server_cert is
    # dropped from the configuration rather than pointed at a PEM file.
    ap_params = int_eap_server_params()
    ap_params.pop("server_cert")
    ap_params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user",
                   password="password",
                   ca_cert="auth_serv/ca.pem",
                   phase2="auth=MSCHAP",
                   scan_freq="2412")
2403
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params"""
    # Station-side DH parameters are loaded from a file; the CA is given in
    # DER form here rather than the PEM used by most other tests.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.der",
                phase2="auth=CHAP",
                dh_file="auth_serv/dh.conf")
2412
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Push the DH parameters into the supplicant as a named blob over the
    # control interface and reference it with the blob:// scheme instead of
    # a file path. (The hex encoding uses the Python 2 "hex" codec.)
    dh_hex = read_pem("auth_serv/dh.conf").encode("hex")
    reply = dev[0].request("SET blob dhparams " + dh_hex)
    if "OK" not in reply:
        raise Exception("Could not set dhparams blob")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.der",
                phase2="auth=CHAP",
                dh_file="blob://dhparams")
2424
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Short reauthentication period so the AP triggers a new EAP exchange
    # within the test's timeout.
    ap_params['eap_reauth_period'] = '2'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    logger.info("Wait for reauthentication")
    for expected in ("CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-EAP-SUCCESS"):
        if dev[0].wait_event([expected], timeout=10) is None:
            raise Exception("Timeout on reauthentication")
    # Poll (up to 20 x 0.1 s) for the supplicant state machine to return to
    # COMPLETED after the renewed EAP exchange.
    state = None
    for _ in range(20):
        state = dev[0].get_status_field("wpa_state")
        if state == "COMPLETED":
            break
        time.sleep(0.1)
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")
2446
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Displayable text followed (after the \0 separator, as written into the
    # hostapd config) by an option list; the station must still authenticate
    # normally with the extra Request-Identity payload present.
    ap_params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
2454
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
    check_hlr_auc_gw_support()
    ap_params = int_eap_server_params()
    ap_params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    # Server side enables protected result indications for all three methods.
    ap_params['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    sim_secret = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    aka_secret = sim_secret + ":000000000123"
    aka_prime_secret = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    cases = [("SIM", "1232010000000000", sim_secret),
             ("AKA", "0232010000000000", aka_secret),
             ("AKA'", "6555444333222111", aka_prime_secret)]

    # For each method: dev[0] requests the protected result indication
    # (result_ind=1) and then performs a fast re-authentication, while dev[1]
    # connects without requesting it. Networks are cleared between methods.
    for index, (method, identity, secret) in enumerate(cases):
        if index:
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], method, identity,
                    password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, identity,
                    password=secret)
2489
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # A tiny fragment_size forces the TLS exchange into many fragments; the
    # supplicant is expected to enforce its roundtrip limit and abort rather
    # than keep exchanging indefinitely.
    dev[0].connect("test-wpa2-eap",
                   key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="TTLS",
                   identity="mschap user",
                   wait_connect=False,
                   scan_freq="2412",
                   ieee80211w="1",
                   anonymous_identity="ttls",
                   password="password",
                   ca_cert="auth_serv/ca.pem",
                   phase2="auth=MSCHAP",
                   fragment_size="10")
    if dev[0].wait_event(["EAP: more than"], timeout=20) is None:
        raise Exception("EAP roundtrip limit not reached")
2503
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="PSK", identity="vendor-test",
                   password_hex="ff23456789abcdef0123456789abcdef",
                   wait_connect=False)

    # The station should answer the server's proposal with a NAK; allow a
    # few unrelated status events before the one reporting the refusal.
    status = None
    for _ in range(5):
        status = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
        if status is None:
            raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in status:
            break
    else:
        raise Exception("Unexpected EAP status: " + status)

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("EAP failure timed out")
2527
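def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB"""
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    # Start from a clean database. A missing file is the normal case; only
    # OS-level removal errors are tolerated here (was a bare 'except').
    try:
        os.remove(dbfile)
    except OSError:
        pass

    # Populate the user database hostapd will read via eap_user_file. These
    # are test fixture credentials; the schema mirrors what hostapd's SQLite
    # backend expects. 'with con' commits but does not close, so the
    # connection is closed explicitly before hostapd opens the file.
    con = sqlite3.connect(dbfile)
    try:
        with con:
            cur = con.cursor()
            cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
            cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
            cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
            cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
            cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
            cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
            cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
            cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
    finally:
        con.close()

    try:
        # Separate name so the 'params' fixture (carrying logdir) stays intact.
        ap_params = int_eap_server_params()
        ap_params["eap_user_file"] = "sqlite:" + dbfile
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        # Exercise each inner method against its own database user.
        eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
        dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
        eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    finally:
        # Do not leave the credential database behind in the log directory.
        os.remove(dbfile)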
2571
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity"""
    ap_params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Identities containing a non-ASCII octet (alone and after a letter) must
    # not prevent the EAP exchange from starting and reaching method
    # selection against the integrated EAP server.
    stations = [(dev[0], "\x80"), (dev[1], "a\x80")]
    for sta, identity in stations:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity=identity, password="password",
                    wait_connect=False)
    for sta, _identity in stations:
        if sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
            raise Exception("Association and EAP start timed out")
        if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10) is None:
            raise Exception("EAP method selection timed out")
2587
def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity"""
    # Same check as test_ap_wpa2_eap_non_ascii_identity, but against the
    # default (external RADIUS) AP configuration instead of the integrated
    # EAP server.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    stations = [(dev[0], "\x80"), (dev[1], "a\x80")]
    for sta, identity in stations:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity=identity, password="password",
                    wait_connect=False)
    for sta, _identity in stations:
        if sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
            raise Exception("Association and EAP start timed out")
        if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10) is None:
            raise Exception("EAP method selection timed out")
2603
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant"""
    # openssl_ciphers is an OpenSSL-specific knob; skip on other TLS builds.
    tls_lib = dev[0].request("GET tls_library")
    if not tls_lib.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls_lib)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Restricting the station to AES128 suites still negotiates with the AP.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", **common)
    # Allowing only EXPORT-grade suites must not yield a usable TLS session;
    # the connection is expected to fail.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="EXPORT", expect_failure=True, **common)
2620
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd"""
    # Both ends must be OpenSSL builds for the cipher-string semantics to
    # apply; skip otherwise.
    sta_tls = dev[0].request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + sta_tls)
    ap_params = int_eap_server_params()
    # The integrated EAP server only offers AES256 suites.
    ap_params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)
    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Default station cipher list overlaps with the server's AES256 choice.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **common)
    # A station limited to AES128 has no suite in common with the server.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **common)
    # HIGH minus anonymous DH still includes AES256 suites.
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **common)
2644
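def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
    # Snapshot wpa_supplicant's process memory at four points and check that
    # each secret disappears as soon as it is no longer needed: session keys
    # (KCK/KEK/TK/GTK) after disassociation, the PMK once the PMKSA cache and
    # EAP fast re-auth state are flushed, and everything including the
    # password once the network profile is removed. Key values are recovered
    # from the supplicant debug log (log0) to search the memory dumps.
    p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], p)
    password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    pid = find_wpas_process(dev[0])
    net_id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
                         anonymous_identity="ttls", password=password,
                         ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    time.sleep(1)
    buf = read_process_memory(pid, password)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    dev[0].relog()

    def hexdump_value(line):
        # The key bytes are the fourth ':'-separated field of a
        # "... - hexdump(len=N): aa bb .." log line, with the spaces removed.
        # (Field layout as written to log0; the leading fields are presumably
        # timestamp, subsystem and label.)
        return binascii.unhexlify(line.strip().split(':')[3].replace(' ', ''))

    # Debug-log marker -> key name. Markers are checked independently per
    # line and a later occurrence overwrites an earlier one, as before.
    markers = [("EAP-TTLS: Derived key - hexdump", "MSK"),
               ("EAP-TTLS: Derived EMSK - hexdump", "EMSK"),
               ("WPA: PMK - hexdump", "PMK"),
               ("WPA: PTK - hexdump", "PTK"),
               ("WPA: Group Key - hexdump", "GTK")]
    keys = {}
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for line in f:
            for marker, name in markers:
                if marker in line:
                    keys[name] = hexdump_value(line)
    msk = keys.get("MSK")
    emsk = keys.get("EMSK")
    pmk = keys.get("PMK")
    ptk = keys.get("PTK")
    gtk = keys.get("GTK")
    if not (msk and emsk and pmk and ptk and gtk):
        raise Exception("Could not find keys from debug log")
    if len(gtk) != 16:
        raise Exception("Unexpected GTK length")

    # PTK layout used here: KCK (16 bytes) | KEK (16 bytes) | TK (16 bytes).
    kck = ptk[0:16]
    kek = ptk[16:32]
    tk = ptk[32:48]

    fname = os.path.join(params['logdir'],
                         'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')

    def log_key_locations(mem):
        # Record where the long-lived secrets currently sit (diagnostic only).
        get_key_locations(mem, password, "Password")
        get_key_locations(mem, pmk, "PMK")
        get_key_locations(mem, msk, "MSK")
        get_key_locations(mem, emsk, "EMSK")

    logger.info("Checking keys in memory while associated")
    log_key_locations(buf)
    # Password and PMK are expected to be present while associated; if the
    # memory read cannot see them the environment is unsuitable (skip, not
    # fail). TK and GTK are handed to the driver and must already be gone.
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    if pmk not in buf:
        raise HwsimSkip("PMK not found while associated")
    if kck not in buf:
        raise Exception("KCK not found while associated")
    if kek not in buf:
        raise Exception("KEK not found while associated")
    if tk in buf:
        raise Exception("TK found from memory")
    if gtk in buf:
        raise Exception("GTK found from memory")

    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, password)

    # Note: Password is still present in network configuration
    # Note: PMK is in PMKSA cache and EAP fast re-auth data

    log_key_locations(buf)
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")

    # Changing the identity invalidates the EAP fast re-auth state; together
    # with PMKSA_FLUSH this should leave no copy of the PMK.
    dev[0].request("PMKSA_FLUSH")
    dev[0].set_network_quoted(net_id, "identity", "foo")
    logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
    buf = read_process_memory(pid, password)
    log_key_locations(buf)
    verify_not_present(buf, pmk, fname, "PMK")

    dev[0].request("REMOVE_NETWORK all")

    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, password)

    log_key_locations(buf)
    verify_not_present(buf, password, fname, "password")
    verify_not_present(buf, pmk, fname, "PMK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    verify_not_present(buf, msk, fname, "MSK")
    verify_not_present(buf, emsk, fname, "EMSK")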
2755
2756 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
2757 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
2758 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2759 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2760 bssid = apdev[0]['bssid']
2761 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
2762 anonymous_identity="ttls", password="password",
2763 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
2764
2765 # Send unexpected WEP EAPOL-Key; this gets dropped
2766 res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
2767 if "OK" not in res:
2768 raise Exception("EAPOL_RX to wpa_supplicant failed")