1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2019, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Module-wide logger shared by all tests in this file (root logger; no
# explicit name is passed).
logger = logging.getLogger()
20 import socketserver
as SocketServer
25 from hwsim
import HWSimRadio
27 from utils
import HwsimSkip
, alloc_fail
, fail_test
, skip_with_fips
, wait_fail_trigger
, require_under_vm
28 from wpasupplicant
import WpaSupplicant
29 from test_ap_psk
import check_mib
, find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
, set_test_assoc_ie
33 openssl_imported
= True
35 openssl_imported
= False
def check_hlr_auc_gw_support():
    """Skip the test when no hlr_auc_gw control socket is available.

    The SIM/AKA tests need the HLR/AuC gateway; its presence is detected
    purely by the existence of its UNIX socket path.

    Raises:
        HwsimSkip: if /tmp/hlr_auc_gw.sock does not exist.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    gateway_present = os.path.exists(sock_path)
    if not gateway_present:
        raise HwsimSkip("No hlr_auc_gw available")
41 def check_eap_capa(dev
, method
):
42 res
= dev
.get_capability("eap")
44 raise HwsimSkip("EAP method %s not supported in the build" % method
)
def check_subject_match_support(dev):
    """Skip the test unless the TLS library of *dev* supports subject_match.

    Args:
        dev: control object answering ``request("GET tls_library")`` with
            the TLS library description string.

    Raises:
        HwsimSkip: for any library other than OpenSSL or wolfSSL.
    """
    tls = dev.request("GET tls_library")
    supported = tls.startswith(("OpenSSL", "wolfSSL"))
    if not supported:
        raise HwsimSkip("subject_match not supported with this TLS library: " + tls)
def check_check_cert_subject_support(dev):
    """Skip the test unless the TLS library of *dev* supports check_cert_subject.

    Args:
        dev: control object answering ``request("GET tls_library")``.

    Raises:
        HwsimSkip: for any library whose description does not start with
            "OpenSSL".
    """
    tls = dev.request("GET tls_library")
    is_openssl = tls.startswith("OpenSSL")
    if is_openssl:
        return
    raise HwsimSkip("check_cert_subject not supported with this TLS library: " + tls)
def check_altsubject_match_support(dev):
    """Skip the test unless the TLS library of *dev* supports altsubject_match.

    Args:
        dev: control object answering ``request("GET tls_library")``.

    Raises:
        HwsimSkip: for any library other than OpenSSL or wolfSSL.
    """
    tls = dev.request("GET tls_library")
    capable_libs = ("OpenSSL", "wolfSSL")
    if not tls.startswith(capable_libs):
        raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls)
def check_domain_match(dev):
    """Skip the test when the TLS library of *dev* cannot do domain_match.

    Args:
        dev: control object answering ``request("GET tls_library")``.

    Raises:
        HwsimSkip: when the description starts with "internal".
    """
    tls = dev.request("GET tls_library")
    uses_internal_tls = tls.startswith("internal")
    if uses_internal_tls:
        raise HwsimSkip("domain_match not supported with this TLS library: " + tls)
def check_domain_suffix_match(dev):
    """Skip the test when the TLS library of *dev* cannot do domain_suffix_match.

    Args:
        dev: control object answering ``request("GET tls_library")``.

    Raises:
        HwsimSkip: when the description starts with "internal".
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("internal"):
        return
    raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + tls)
def check_domain_match_full(dev):
    """Skip the test unless domain_suffix_match can do a full (exact) match.

    Args:
        dev: control object answering ``request("GET tls_library")``.

    Raises:
        HwsimSkip: for any library other than OpenSSL or wolfSSL.
    """
    tls = dev.request("GET tls_library")
    full_match_ok = tls.startswith(("OpenSSL", "wolfSSL"))
    if not full_match_ok:
        raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls)
def check_cert_probe_support(dev):
    """Skip the test unless the TLS library of *dev* supports certificate probing.

    Args:
        dev: control object answering ``request("GET tls_library")``.

    Raises:
        HwsimSkip: for any library other than OpenSSL or the internal TLS
            implementation.
    """
    tls = dev.request("GET tls_library")
    probing_libs = ("OpenSSL", "internal")
    if not tls.startswith(probing_libs):
        raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls)
def check_ext_cert_check_support(dev):
    """Skip the test unless the TLS library of *dev* supports ext_cert_check.

    Args:
        dev: control object answering ``request("GET tls_library")``.

    Raises:
        HwsimSkip: for any library whose description does not start with
            "OpenSSL".
    """
    tls = dev.request("GET tls_library")
    if tls.startswith("OpenSSL"):
        return
    raise HwsimSkip("ext_cert_check not supported with this TLS library: " + tls)
def check_ocsp_support(dev):
    """Skip the test when the TLS library of *dev* cannot do OCSP.

    Only wolfSSL is excluded at present; the internal TLS implementation
    and BoringSSL were previously excluded here as well, but those checks
    have been disabled.

    Args:
        dev: control object answering ``request("GET tls_library")``.

    Raises:
        HwsimSkip: when the description starts with "wolfSSL".
    """
    tls = dev.request("GET tls_library")
    is_wolfssl = tls.startswith("wolfSSL")
    if is_wolfssl:
        raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
def check_pkcs5_v15_support(dev):
    """Skip the test when the TLS library of *dev* cannot handle PKCS#5 v1.5.

    Args:
        dev: control object answering ``request("GET tls_library")``.

    Raises:
        HwsimSkip: when the description mentions BoringSSL or GnuTLS
            anywhere (substring match, not a prefix match).
    """
    tls = dev.request("GET tls_library")
    unsupported = any(name in tls for name in ("BoringSSL", "GnuTLS"))
    if unsupported:
        raise HwsimSkip("PKCS#5 v1.5 not supported with this TLS library: " + tls)
100 def check_ocsp_multi_support(dev
):
101 tls
= dev
.request("GET tls_library")
102 if not tls
.startswith("internal"):
103 raise HwsimSkip("OCSP-multi not supported with this TLS library: " + tls
)
104 as_hapd
= hostapd
.Hostapd("as")
105 res
= as_hapd
.request("GET tls_library")
107 if not res
.startswith("internal"):
108 raise HwsimSkip("Authentication server does not support ocsp_multi")
def check_pkcs12_support(dev):
    """Skip the test when the TLS library of *dev* cannot load PKCS#12 files.

    Only wolfSSL is excluded at present; the internal TLS implementation
    used to be excluded here as well, but that check has been disabled.

    Args:
        dev: control object answering ``request("GET tls_library")``.

    Raises:
        HwsimSkip: when the description starts with "wolfSSL".
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("wolfSSL"):
        return
    raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls)
def check_dh_dsa_support(dev):
    """Skip the test when the TLS library of *dev* lacks DH/DSA support.

    Args:
        dev: control object answering ``request("GET tls_library")``.

    Raises:
        HwsimSkip: when the description starts with "internal".
    """
    tls = dev.request("GET tls_library")
    uses_internal_tls = tls.startswith("internal")
    if uses_internal_tls:
        raise HwsimSkip("DH DSA not supported with this TLS library: " + tls)
123 with
open(fname
, "r") as f
:
124 lines
= f
.readlines()
132 if "-----BEGIN" in l
:
134 return base64
.b64decode(cert
)
136 def eap_connect(dev
, hapd
, method
, identity
,
137 sha256
=False, expect_failure
=False, local_error_report
=False,
138 maybe_local_error
=False, report_failure
=False,
139 expect_cert_error
=None, **kwargs
):
140 id = dev
.connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
141 eap
=method
, identity
=identity
,
142 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
144 eap_check_auth(dev
, method
, True, sha256
=sha256
,
145 expect_failure
=expect_failure
,
146 local_error_report
=local_error_report
,
147 maybe_local_error
=maybe_local_error
,
148 report_failure
=report_failure
,
149 expect_cert_error
=expect_cert_error
)
152 ev
= hapd
.wait_event(["AP-STA-CONNECTED"], timeout
=5)
154 raise Exception("No connection event received from hostapd")
157 def eap_check_auth(dev
, method
, initial
, rsn
=True, sha256
=False,
158 expect_failure
=False, local_error_report
=False,
159 maybe_local_error
=False, report_failure
=False,
160 expect_cert_error
=None):
161 ev
= dev
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
163 raise Exception("Association and EAP start timed out")
164 ev
= dev
.wait_event(["CTRL-EVENT-EAP-METHOD",
165 "CTRL-EVENT-EAP-FAILURE"], timeout
=10)
167 raise Exception("EAP method selection timed out")
168 if "CTRL-EVENT-EAP-FAILURE" in ev
:
169 if maybe_local_error
:
171 raise Exception("Could not select EAP method")
173 raise Exception("Unexpected EAP method")
174 if expect_cert_error
is not None:
175 ev
= dev
.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
176 "CTRL-EVENT-EAP-FAILURE",
177 "CTRL-EVENT-EAP-SUCCESS"], timeout
=5)
178 if ev
is None or "reason=%d " % expect_cert_error
not in ev
:
179 raise Exception("Expected certificate error not reported")
181 ev
= dev
.wait_event(["CTRL-EVENT-EAP-FAILURE",
182 "CTRL-EVENT-EAP-SUCCESS"], timeout
=5)
184 raise Exception("EAP failure timed out")
185 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
186 raise Exception("Unexpected EAP success")
187 ev
= dev
.wait_disconnected(timeout
=10)
188 if maybe_local_error
and "locally_generated=1" in ev
:
190 if not local_error_report
:
191 if "reason=23" not in ev
:
192 raise Exception("Proper reason code for disconnection not reported")
195 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS",
196 "CTRL-EVENT-EAP-FAILURE"], timeout
=10)
198 raise Exception("EAP success timed out")
199 if "CTRL-EVENT-EAP-SUCCESS" not in ev
:
200 raise Exception("EAP failed")
202 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
204 raise Exception("EAP success timed out")
207 ev
= dev
.wait_event(["CTRL-EVENT-CONNECTED"], timeout
=10)
209 ev
= dev
.wait_event(["WPA: Key negotiation completed"], timeout
=10)
211 raise Exception("Association with the AP timed out")
212 status
= dev
.get_status()
213 if status
["wpa_state"] != "COMPLETED":
214 raise Exception("Connection not completed")
216 if status
["suppPortStatus"] != "Authorized":
217 raise Exception("Port not authorized")
218 if "selectedMethod" not in status
:
219 logger
.info("Status: " + str(status
))
220 raise Exception("No selectedMethod in status")
221 if method
not in status
["selectedMethod"]:
222 raise Exception("Incorrect EAP method status")
224 e
= "WPA2-EAP-SHA256"
226 e
= "WPA2/IEEE 802.1X/EAP"
228 e
= "WPA/IEEE 802.1X/EAP"
229 if status
["key_mgmt"] != e
:
230 raise Exception("Unexpected key_mgmt status: " + status
["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger an EAP reauthentication on *dev* and verify its outcome.

    Sends the REAUTHENTICATE control command and then delegates the
    event/status checking to eap_check_auth with initial=False, so the
    non-initial (reauthentication) event sequence is expected.

    Args:
        dev: control object exposing ``request()``.
        method: EAP method name expected in the resulting status.
        rsn: passed through to eap_check_auth.
        sha256: passed through to eap_check_auth.
        expect_failure: passed through to eap_check_auth; when True the
            reauthentication is expected to fail.

    Returns:
        Whatever eap_check_auth returns.
    """
    dev.request("REAUTHENTICATE")
    check_opts = dict(rsn=rsn, sha256=sha256, expect_failure=expect_failure)
    return eap_check_auth(dev, method, False, **check_opts)
238 def test_ap_wpa2_eap_sim(dev
, apdev
):
239 """WPA2-Enterprise connection using EAP-SIM"""
240 check_hlr_auc_gw_support()
241 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
242 hapd
= hostapd
.add_ap(apdev
[0], params
)
243 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
244 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
245 hwsim_utils
.test_connectivity(dev
[0], hapd
)
246 eap_reauth(dev
[0], "SIM")
248 eap_connect(dev
[1], hapd
, "SIM", "1232010000000001",
249 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
250 eap_connect(dev
[2], hapd
, "SIM", "1232010000000002",
251 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
254 logger
.info("Negative test with incorrect key")
255 dev
[0].request("REMOVE_NETWORK all")
256 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
257 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
260 logger
.info("Invalid GSM-Milenage key")
261 dev
[0].request("REMOVE_NETWORK all")
262 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
263 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
266 logger
.info("Invalid GSM-Milenage key(2)")
267 dev
[0].request("REMOVE_NETWORK all")
268 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
269 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
272 logger
.info("Invalid GSM-Milenage key(3)")
273 dev
[0].request("REMOVE_NETWORK all")
274 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
275 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
278 logger
.info("Invalid GSM-Milenage key(4)")
279 dev
[0].request("REMOVE_NETWORK all")
280 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
281 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
284 logger
.info("Missing key configuration")
285 dev
[0].request("REMOVE_NETWORK all")
286 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
289 def test_ap_wpa2_eap_sim_sql(dev
, apdev
, params
):
290 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
291 check_hlr_auc_gw_support()
295 raise HwsimSkip("No sqlite3 module available")
296 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
297 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
298 params
['auth_server_port'] = "1814"
299 hapd
= hostapd
.add_ap(apdev
[0], params
)
300 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
301 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
303 logger
.info("SIM fast re-authentication")
304 eap_reauth(dev
[0], "SIM")
306 logger
.info("SIM full auth with pseudonym")
309 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
310 eap_reauth(dev
[0], "SIM")
312 logger
.info("SIM full auth with permanent identity")
315 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
316 cur
.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
317 eap_reauth(dev
[0], "SIM")
319 logger
.info("SIM reauth with mismatching MK")
322 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
323 eap_reauth(dev
[0], "SIM", expect_failure
=True)
324 dev
[0].request("REMOVE_NETWORK all")
326 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
327 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
330 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
331 eap_reauth(dev
[0], "SIM")
334 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
335 logger
.info("SIM reauth with mismatching counter")
336 eap_reauth(dev
[0], "SIM")
337 dev
[0].request("REMOVE_NETWORK all")
339 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
340 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
343 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
344 logger
.info("SIM reauth with max reauth count reached")
345 eap_reauth(dev
[0], "SIM")
347 def test_ap_wpa2_eap_sim_config(dev
, apdev
):
348 """EAP-SIM configuration options"""
349 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
350 hapd
= hostapd
.add_ap(apdev
[0], params
)
351 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
352 identity
="1232010000000000",
353 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
354 phase1
="sim_min_num_chal=1",
355 wait_connect
=False, scan_freq
="2412")
356 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
358 raise Exception("No EAP error message seen")
359 dev
[0].request("REMOVE_NETWORK all")
361 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
362 identity
="1232010000000000",
363 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
364 phase1
="sim_min_num_chal=4",
365 wait_connect
=False, scan_freq
="2412")
366 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
368 raise Exception("No EAP error message seen (2)")
369 dev
[0].request("REMOVE_NETWORK all")
371 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
372 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
373 phase1
="sim_min_num_chal=2")
374 eap_connect(dev
[1], hapd
, "SIM", "1232010000000000",
375 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
376 anonymous_identity
="345678")
378 def test_ap_wpa2_eap_sim_ext(dev
, apdev
):
379 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
381 _test_ap_wpa2_eap_sim_ext(dev
, apdev
)
383 dev
[0].request("SET external_sim 0")
385 def _test_ap_wpa2_eap_sim_ext(dev
, apdev
):
386 check_hlr_auc_gw_support()
387 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
388 hostapd
.add_ap(apdev
[0], params
)
389 dev
[0].request("SET external_sim 1")
390 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
391 identity
="1232010000000000",
392 wait_connect
=False, scan_freq
="2412")
393 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
395 raise Exception("Network connected timed out")
397 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
399 raise Exception("Wait for external SIM processing request timed out")
401 if p
[1] != "GSM-AUTH":
402 raise Exception("Unexpected CTRL-REQ-SIM type")
403 rid
= p
[0].split('-')[3]
406 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
407 # This will fail during processing, but the ctrl_iface command succeeds
408 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTH:" + resp
)
409 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
411 raise Exception("EAP failure not reported")
412 dev
[0].request("DISCONNECT")
413 dev
[0].wait_disconnected()
416 dev
[0].select_network(id, freq
="2412")
417 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
419 raise Exception("Wait for external SIM processing request timed out")
421 if p
[1] != "GSM-AUTH":
422 raise Exception("Unexpected CTRL-REQ-SIM type")
423 rid
= p
[0].split('-')[3]
424 # This will fail during GSM auth validation
425 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:q"):
426 raise Exception("CTRL-RSP-SIM failed")
427 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
429 raise Exception("EAP failure not reported")
430 dev
[0].request("DISCONNECT")
431 dev
[0].wait_disconnected()
434 dev
[0].select_network(id, freq
="2412")
435 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
437 raise Exception("Wait for external SIM processing request timed out")
439 if p
[1] != "GSM-AUTH":
440 raise Exception("Unexpected CTRL-REQ-SIM type")
441 rid
= p
[0].split('-')[3]
442 # This will fail during GSM auth validation
443 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:34"):
444 raise Exception("CTRL-RSP-SIM failed")
445 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
447 raise Exception("EAP failure not reported")
448 dev
[0].request("DISCONNECT")
449 dev
[0].wait_disconnected()
452 dev
[0].select_network(id, freq
="2412")
453 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
455 raise Exception("Wait for external SIM processing request timed out")
457 if p
[1] != "GSM-AUTH":
458 raise Exception("Unexpected CTRL-REQ-SIM type")
459 rid
= p
[0].split('-')[3]
460 # This will fail during GSM auth validation
461 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677"):
462 raise Exception("CTRL-RSP-SIM failed")
463 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
465 raise Exception("EAP failure not reported")
466 dev
[0].request("DISCONNECT")
467 dev
[0].wait_disconnected()
470 dev
[0].select_network(id, freq
="2412")
471 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
473 raise Exception("Wait for external SIM processing request timed out")
475 if p
[1] != "GSM-AUTH":
476 raise Exception("Unexpected CTRL-REQ-SIM type")
477 rid
= p
[0].split('-')[3]
478 # This will fail during GSM auth validation
479 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:q"):
480 raise Exception("CTRL-RSP-SIM failed")
481 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
483 raise Exception("EAP failure not reported")
484 dev
[0].request("DISCONNECT")
485 dev
[0].wait_disconnected()
488 dev
[0].select_network(id, freq
="2412")
489 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
491 raise Exception("Wait for external SIM processing request timed out")
493 if p
[1] != "GSM-AUTH":
494 raise Exception("Unexpected CTRL-REQ-SIM type")
495 rid
= p
[0].split('-')[3]
496 # This will fail during GSM auth validation
497 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233"):
498 raise Exception("CTRL-RSP-SIM failed")
499 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
501 raise Exception("EAP failure not reported")
502 dev
[0].request("DISCONNECT")
503 dev
[0].wait_disconnected()
506 dev
[0].select_network(id, freq
="2412")
507 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
509 raise Exception("Wait for external SIM processing request timed out")
511 if p
[1] != "GSM-AUTH":
512 raise Exception("Unexpected CTRL-REQ-SIM type")
513 rid
= p
[0].split('-')[3]
514 # This will fail during GSM auth validation
515 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233:q"):
516 raise Exception("CTRL-RSP-SIM failed")
517 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
519 raise Exception("EAP failure not reported")
521 def test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
):
522 """EAP-SIM with external GSM auth and replacing SIM without clearing pseudonym id"""
524 _test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
)
526 dev
[0].request("SET external_sim 0")
528 def _test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
):
529 check_hlr_auc_gw_support()
530 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
531 hostapd
.add_ap(apdev
[0], params
)
532 dev
[0].request("SET external_sim 1")
533 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
534 identity
="1232010000000000",
535 wait_connect
=False, scan_freq
="2412")
537 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
539 raise Exception("Wait for external SIM processing request timed out")
541 if p
[1] != "GSM-AUTH":
542 raise Exception("Unexpected CTRL-REQ-SIM type")
543 rid
= p
[0].split('-')[3]
544 rand
= p
[2].split(' ')[0]
546 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
548 "auth_serv/hlr_auc_gw.milenage_db",
549 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
550 if "GSM-AUTH-RESP" not in res
:
551 raise Exception("Unexpected hlr_auc_gw response")
552 resp
= res
.split(' ')[2].rstrip()
554 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
555 dev
[0].wait_connected(timeout
=15)
556 dev
[0].request("DISCONNECT")
557 dev
[0].wait_disconnected()
559 # Replace SIM, but forget to drop the previous pseudonym identity
560 dev
[0].set_network_quoted(id, "identity", "1232010000000009")
561 dev
[0].select_network(id, freq
="2412")
563 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
565 raise Exception("Wait for external SIM processing request timed out")
567 if p
[1] != "GSM-AUTH":
568 raise Exception("Unexpected CTRL-REQ-SIM type")
569 rid
= p
[0].split('-')[3]
570 rand
= p
[2].split(' ')[0]
572 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
574 "auth_serv/hlr_auc_gw.milenage_db",
575 "GSM-AUTH-REQ 232010000000009 " + rand
]).decode()
576 if "GSM-AUTH-RESP" not in res
:
577 raise Exception("Unexpected hlr_auc_gw response")
578 resp
= res
.split(' ')[2].rstrip()
580 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
581 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
583 raise Exception("EAP-Failure not reported")
584 dev
[0].request("DISCONNECT")
585 dev
[0].wait_disconnected()
587 def test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
):
588 """EAP-SIM with external GSM auth and replacing SIM and clearing pseudonym identity"""
590 _test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
)
592 dev
[0].request("SET external_sim 0")
594 def _test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
):
595 check_hlr_auc_gw_support()
596 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
597 hostapd
.add_ap(apdev
[0], params
)
598 dev
[0].request("SET external_sim 1")
599 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
600 identity
="1232010000000000",
601 wait_connect
=False, scan_freq
="2412")
603 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
605 raise Exception("Wait for external SIM processing request timed out")
607 if p
[1] != "GSM-AUTH":
608 raise Exception("Unexpected CTRL-REQ-SIM type")
609 rid
= p
[0].split('-')[3]
610 rand
= p
[2].split(' ')[0]
612 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
614 "auth_serv/hlr_auc_gw.milenage_db",
615 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
616 if "GSM-AUTH-RESP" not in res
:
617 raise Exception("Unexpected hlr_auc_gw response")
618 resp
= res
.split(' ')[2].rstrip()
620 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
621 dev
[0].wait_connected(timeout
=15)
622 dev
[0].request("DISCONNECT")
623 dev
[0].wait_disconnected()
625 # Replace SIM and drop the previous pseudonym identity
626 dev
[0].set_network_quoted(id, "identity", "1232010000000009")
627 dev
[0].set_network(id, "anonymous_identity", "NULL")
628 dev
[0].select_network(id, freq
="2412")
630 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
632 raise Exception("Wait for external SIM processing request timed out")
634 if p
[1] != "GSM-AUTH":
635 raise Exception("Unexpected CTRL-REQ-SIM type")
636 rid
= p
[0].split('-')[3]
637 rand
= p
[2].split(' ')[0]
639 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
641 "auth_serv/hlr_auc_gw.milenage_db",
642 "GSM-AUTH-REQ 232010000000009 " + rand
]).decode()
643 if "GSM-AUTH-RESP" not in res
:
644 raise Exception("Unexpected hlr_auc_gw response")
645 resp
= res
.split(' ')[2].rstrip()
647 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
648 dev
[0].wait_connected()
649 dev
[0].request("DISCONNECT")
650 dev
[0].wait_disconnected()
652 def test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
):
653 """EAP-SIM with external GSM auth, replacing SIM, and no identity in config"""
655 _test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
)
657 dev
[0].request("SET external_sim 0")
659 def _test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
):
660 check_hlr_auc_gw_support()
661 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
662 hostapd
.add_ap(apdev
[0], params
)
663 dev
[0].request("SET external_sim 1")
664 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
665 wait_connect
=False, scan_freq
="2412")
667 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
669 raise Exception("Request for identity timed out")
670 rid
= ev
.split(':')[0].split('-')[-1]
671 dev
[0].request("CTRL-RSP-IDENTITY-" + rid
+ ":1232010000000000")
673 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
675 raise Exception("Wait for external SIM processing request timed out")
677 if p
[1] != "GSM-AUTH":
678 raise Exception("Unexpected CTRL-REQ-SIM type")
679 rid
= p
[0].split('-')[3]
680 rand
= p
[2].split(' ')[0]
682 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
684 "auth_serv/hlr_auc_gw.milenage_db",
685 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
686 if "GSM-AUTH-RESP" not in res
:
687 raise Exception("Unexpected hlr_auc_gw response")
688 resp
= res
.split(' ')[2].rstrip()
690 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
691 dev
[0].wait_connected(timeout
=15)
692 dev
[0].request("DISCONNECT")
693 dev
[0].wait_disconnected()
695 # Replace SIM and drop the previous permanent and pseudonym identities
696 dev
[0].set_network(id, "identity", "NULL")
697 dev
[0].set_network(id, "anonymous_identity", "NULL")
698 dev
[0].select_network(id, freq
="2412")
700 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
702 raise Exception("Request for identity timed out")
703 rid
= ev
.split(':')[0].split('-')[-1]
704 dev
[0].request("CTRL-RSP-IDENTITY-" + rid
+ ":1232010000000009")
706 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
708 raise Exception("Wait for external SIM processing request timed out")
710 if p
[1] != "GSM-AUTH":
711 raise Exception("Unexpected CTRL-REQ-SIM type")
712 rid
= p
[0].split('-')[3]
713 rand
= p
[2].split(' ')[0]
715 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
717 "auth_serv/hlr_auc_gw.milenage_db",
718 "GSM-AUTH-REQ 232010000000009 " + rand
]).decode()
719 if "GSM-AUTH-RESP" not in res
:
720 raise Exception("Unexpected hlr_auc_gw response")
721 resp
= res
.split(' ')[2].rstrip()
723 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
724 dev
[0].wait_connected()
725 dev
[0].request("DISCONNECT")
726 dev
[0].wait_disconnected()
728 def test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
):
729 """EAP-SIM with external GSM auth and auth failing"""
731 _test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
)
733 dev
[0].request("SET external_sim 0")
735 def _test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
):
736 check_hlr_auc_gw_support()
737 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
738 hostapd
.add_ap(apdev
[0], params
)
739 dev
[0].request("SET external_sim 1")
740 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
741 identity
="1232010000000000",
742 wait_connect
=False, scan_freq
="2412")
744 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
746 raise Exception("Wait for external SIM processing request timed out")
748 rid
= p
[0].split('-')[3]
749 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-FAIL")
750 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
752 raise Exception("EAP failure not reported")
753 dev
[0].request("REMOVE_NETWORK all")
754 dev
[0].wait_disconnected()
756 def test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
):
757 """EAP-SIM and external GSM auth to check fast reauth with bssid change"""
759 _test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
)
761 dev
[0].request("SET external_sim 0")
763 def _test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
):
764 check_hlr_auc_gw_support()
765 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
766 hostapd
.add_ap(apdev
[0], params
)
767 dev
[0].request("SET external_sim 1")
768 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
769 identity
="1232010000000000",
770 wait_connect
=False, scan_freq
="2412")
772 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
774 raise Exception("Wait for external SIM processing request timed out")
776 if p
[1] != "GSM-AUTH":
777 raise Exception("Unexpected CTRL-REQ-SIM type")
778 rid
= p
[0].split('-')[3]
779 rand
= p
[2].split(' ')[0]
781 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
783 "auth_serv/hlr_auc_gw.milenage_db",
784 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
785 if "GSM-AUTH-RESP" not in res
:
786 raise Exception("Unexpected hlr_auc_gw response")
787 resp
= res
.split(' ')[2].rstrip()
789 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
790 dev
[0].wait_connected(timeout
=15)
792 # Verify that EAP-SIM Reauthentication can be used after a profile change
793 # that does not affect EAP parameters.
794 dev
[0].set_network(id, "bssid", "any")
795 eap_reauth(dev
[0], "SIM")
797 def test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
):
798 """EAP-SIM and external GSM auth to check fast reauth with no-change SET_NETWORK"""
800 _test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
)
802 dev
[0].request("SET external_sim 0")
804 def _test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
):
805 check_hlr_auc_gw_support()
806 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
807 hostapd
.add_ap(apdev
[0], params
)
808 dev
[0].request("SET external_sim 1")
809 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
810 identity
="1232010000000000",
811 wait_connect
=False, scan_freq
="2412")
813 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
815 raise Exception("Wait for external SIM processing request timed out")
817 if p
[1] != "GSM-AUTH":
818 raise Exception("Unexpected CTRL-REQ-SIM type")
819 rid
= p
[0].split('-')[3]
820 rand
= p
[2].split(' ')[0]
822 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
824 "auth_serv/hlr_auc_gw.milenage_db",
825 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
826 if "GSM-AUTH-RESP" not in res
:
827 raise Exception("Unexpected hlr_auc_gw response")
828 resp
= res
.split(' ')[2].rstrip()
830 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
831 dev
[0].wait_connected(timeout
=15)
833 # Verify that EAP-SIM Reauthentication can be used after network profile
834 # SET_NETWORK commands that do not actually change previously set
836 dev
[0].set_network(id, "key_mgmt", "WPA-EAP")
837 dev
[0].set_network(id, "eap", "SIM")
838 dev
[0].set_network_quoted(id, "identity", "1232010000000000")
839 dev
[0].set_network_quoted(id, "ssid", "test-wpa2-eap")
840 eap_reauth(dev
[0], "SIM")
842 def test_ap_wpa2_eap_sim_oom(dev
, apdev
):
843 """EAP-SIM and OOM"""
844 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
845 hostapd
.add_ap(apdev
[0], params
)
846 tests
= [(1, "milenage_f2345"),
847 (2, "milenage_f2345"),
848 (3, "milenage_f2345"),
849 (4, "milenage_f2345"),
850 (5, "milenage_f2345"),
851 (6, "milenage_f2345"),
852 (7, "milenage_f2345"),
853 (8, "milenage_f2345"),
854 (9, "milenage_f2345"),
855 (10, "milenage_f2345"),
856 (11, "milenage_f2345"),
857 (12, "milenage_f2345")]
858 for count
, func
in tests
:
859 with
fail_test(dev
[0], count
, func
):
860 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
861 identity
="1232010000000000",
862 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
863 wait_connect
=False, scan_freq
="2412")
864 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
866 raise Exception("EAP method not selected")
867 dev
[0].wait_disconnected()
868 dev
[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA"""
    # NOTE(review): this rendering drops the closing line of every negative
    # eap_connect() call below (original lines 884, 890, 895, 900, 905, 911,
    # 917 and 922); check the upstream file for the flags those lines pass.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Positive case: the three-field Milenage credential (presumably
    # Ki:OPc:SQN, as documented for wpa_supplicant.conf) that matches the
    # hlr_auc_gw entry for this IMSI-style identity.
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA")

    # Each negative case below changes one aspect of the credential: a wrong
    # but well-formed key, then malformed encodings (truncated, non-hex
    # digit in each field, wrong separators), then no key at all. The
    # server must reject all of them.
    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
    # [not rendered on this page: original line 884]

    logger.info("Invalid Milenage key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a",
    # [not rendered on this page: original line 890]

    logger.info("Invalid Milenage key(2)")
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
    # [not rendered on this page: original line 895]

    logger.info("Invalid Milenage key(3)")
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
    # [not rendered on this page: original line 900]

    logger.info("Invalid Milenage key(4)")
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
    # [not rendered on this page: original line 905]

    logger.info("Invalid Milenage key(5)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
    # [not rendered on this page: original line 911]

    logger.info("Invalid Milenage key(6)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
    # [not rendered on this page: original line 917]

    # No password at all: the peer has nothing to derive keys from.
    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
    # [not rendered on this page: original line 922]
def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)"""
    # NOTE(review): this rendering drops several source lines (marked
    # inline); in particular the lines that bind `cur` before each
    # cur.execute() are missing, so the indentation of those statements is
    # reconstructed — confirm against the upstream file.
    check_hlr_auc_gw_support()
    # [not rendered on this page: original lines 927-929 — the sqlite3
    #  import attempt that guards the skip below]
        raise HwsimSkip("No sqlite3 module available")
    # hostapd.db lives in the per-run log directory; `params` here is still
    # the test-framework parameter dict (it is rebound to the AP
    # configuration on the next line, which is easy to misread).
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Port 1814 selects a different authentication server than the default;
    # presumably the SQLite-backed instance whose state this test edits.
    params['auth_server_port'] = "1814"
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")

    logger.info("AKA fast re-authentication")
    eap_reauth(dev[0], "AKA")

    # All SQL below is made of constant literals against the test server's
    # own database; it deliberately corrupts or deletes server-side
    # re-authentication state to force the different full/fast-auth paths.
    logger.info("AKA full auth with pseudonym")
    # [not rendered on this page: original lines 942-943 — binding of `cur`]
        cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")

    logger.info("AKA full auth with permanent identity")
    # [not rendered on this page: original lines 948-949 — binding of `cur`]
        cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
        cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")

    # A master key that no longer matches the peer's must make fast
    # re-authentication fail rather than silently succeed.
    logger.info("AKA reauth with mismatching MK")
    # [not rendered on this page: original lines 955-956 — binding of `cur`]
        cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    # [not rendered on this page: original lines 963-964 — binding of `cur`]
        cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")

    # [not rendered on this page: original lines 967-968 — binding of `cur`]
        cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with mismatching counter")
    # No expect_failure here: the visible code expects the re-auth to
    # recover from the counter mismatch (presumably by a full auth).
    eap_reauth(dev[0], "AKA")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    # [not rendered on this page: original lines 976-977 — binding of `cur`]
        cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with max reauth count reached")
    eap_reauth(dev[0], "AKA")
    # NOTE(review): `con` is never closed in the visible code.
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    # Bring up the AP and authenticate with an anonymous identity set in
    # addition to the permanent (IMSI-style) identity.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    milenage = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password=milenage, anonymous_identity="2345678")
def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
    # NOTE(review): original lines 992 and 994 are not rendered on this
    # page; they presumably wrap the two statements so that external_sim is
    # reset even when the helper raises — confirm upstream.
        _test_ap_wpa2_eap_aka_ext(dev, apdev)
        # The helper switches dev[0] to external SIM processing; undo it so
        # later tests see the default.
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    # Drives EAP-AKA with external_sim=1, i.e. the UMTS AKA computation is
    # delegated over the control interface (CTRL-REQ-SIM / CTRL-RSP-SIM)
    # instead of being done with a local Milenage key. Every response sent
    # here is deliberately wrong or malformed; the supplicant must report an
    # EAP failure each time rather than accept or crash.
    # NOTE(review): this rendering drops several source lines (marked
    # inline, mostly the guards in front of `raise`); indentation is
    # reconstructed and should be checked upstream.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    # `id` shadows the builtin; it holds the network id used by
    # select_network() below.
    id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                        identity="0232010000000000",
                        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    # [not rendered on this page: original line 1007 — guard for the raise]
        # NOTE(review): the message does not match what was waited for
        # (EAP method selection, not connection).
        raise Exception("Network connected timed out")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # [not rendered on this page: original line 1011 — guard for the raise]
        raise Exception("Wait for external SIM processing request timed out")
    # Event format as parsed here: "<prefix>-<...>-<...>-<rid>:<type>:<rest>";
    # the request id is the fourth '-' separated field of the prefix.
    p = ev.split(':', 2)
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # [not rendered on this page: original lines 1017-1018]
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # Answering a UMTS-AUTH request with a GSM-AUTH response is a type
    # mismatch: accepted by the ctrl_iface, rejected by the EAP method.
    # This will fail during processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # [not rendered on this page: original line 1023 — guard for the raise]
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    dev[0].dump_monitor()

    # Second round: a UMTS-AUTS (resynchronisation) value of the wrong length
    # for the first request, then an even shorter one for the follow-up.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # [not rendered on this page: original line 1032 — guard for the raise]
        raise Exception("Wait for external SIM processing request timed out")
    p = ev.split(':', 2)
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during UMTS auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # [not rendered on this page: original line 1042 — guard for the raise]
        raise Exception("Wait for external SIM processing request timed out")
    p = ev.split(':', 2)
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during UMTS auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # [not rendered on this page: original line 1052 — guard for the raise]
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    dev[0].dump_monitor()

    # Third round: malformed UMTS-AUTH responses — wrong separators, a
    # truncated field, an over-long field and a non-hex character. Each must
    # end in an EAP failure.
    tests = [":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
    # [not rendered on this page: original line 1060 — one list entry]
             ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q"]
    # [not rendered on this page: original line 1066 — the loop header that
    #  binds `t` for the body below]
        dev[0].select_network(id, freq="2412")
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        # [not rendered on this page: original line 1069 — guard for the raise]
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':', 2)
        if p[1] != "UMTS-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        rid = p[0].split('-')[3]
        # This will fail during UMTS auth validation
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
            raise Exception("CTRL-RSP-SIM failed")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        # [not rendered on this page: original line 1079 — guard for the raise]
            raise Exception("EAP failure not reported")
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()

        dev[0].dump_monitor()
def test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    """EAP-AKA with external UMTS auth and auth failing"""
    # NOTE(review): original lines 1088 and 1090 are not rendered on this
    # page; they presumably wrap the two statements so that external_sim is
    # reset even when the helper raises — confirm upstream.
        _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev)
        # Undo the external SIM mode the helper enables on dev[0].
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    # The external SIM entity answers the UMTS-AUTH request with UMTS-FAIL;
    # the supplicant must turn that into an EAP failure promptly.
    # NOTE(review): original lines 1103 and 1109 (the guards in front of the
    # two raises) are not rendered on this page; indentation reconstructed.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    # No password: with external_sim the key material never lives in the
    # network profile. `id` shadows the builtin; it is unused below.
    id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                        identity="0232010000000000",
                        wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # [not rendered on this page: original line 1103 — guard for the raise]
        raise Exception("Wait for external SIM processing request timed out")
    # Request id is the fourth '-' separated field of the event prefix.
    p = ev.split(':', 2)
    rid = p[0].split('-')[3]
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    # [not rendered on this page: original line 1109 — guard for the raise]
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'"""
    check_hlr_auc_gw_support()
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    identity = "6555444333222111"
    good_key = ("5122250214c33e723a5dd523fc145fc0:"
                "981d464c7c52eb6e5036234984ad0bcf:000000000123")
    # Same credential with the first byte of the first field changed.
    bad_key = ("ff22250214c33e723a5dd523fc145fc0:"
               "981d464c7c52eb6e5036234984ad0bcf:000000000123")

    # Baseline: full authentication, data path, then fast re-authentication.
    eap_connect(dev[0], hapd, "AKA'", identity, password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA'")

    # dev[1] offers both AKA' and AKA; the "@both" realm presumably lets the
    # server pick, and the connection must still complete (AKA' bidding
    # protection against being downgraded to plain AKA, see RFC 5448).
    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity=identity + "@both",
                   password=good_key,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    # The server must reject a key that does not match its HLR/AuC entry.
    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "AKA'", identity,
                password=bad_key,
                expect_failure=True)
def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
    # AKA' counterpart of test_ap_wpa2_eap_aka_sql: the server-side
    # re-authentication state in hostapd.db is edited between runs to force
    # the different fast/full authentication paths.
    # NOTE(review): this rendering drops several source lines (marked
    # inline); the lines that bind `cur` are among them, so indentation of
    # the cur.execute() statements is reconstructed — confirm upstream.
    check_hlr_auc_gw_support()
    # [not rendered on this page: original lines 1140-1142 — the sqlite3
    #  import attempt that guards the skip below]
        raise HwsimSkip("No sqlite3 module available")
    # `params` is the framework parameter dict here and is rebound to the AP
    # configuration on the next line.
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Non-default auth server port; presumably the SQLite-backed instance.
    params['auth_server_port'] = "1814"
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")

    logger.info("AKA' fast re-authentication")
    eap_reauth(dev[0], "AKA'")

    # All SQL below is constant literals against the test server's own DB.
    logger.info("AKA' full auth with pseudonym")
    # [not rendered on this page: original lines 1155-1156 — binding of `cur`]
        cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")

    logger.info("AKA' full auth with permanent identity")
    # [not rendered on this page: original lines 1161-1162 — binding of `cur`]
        cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
        cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")

    # A corrupted K_aut must make fast re-authentication fail (AKA' keeps
    # K_aut rather than the MK used by the AKA variant of this test).
    logger.info("AKA' reauth with mismatching k_aut")
    # [not rendered on this page: original lines 1168-1169 — binding of `cur`]
        cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], hapd, "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    # [not rendered on this page: original lines 1176-1177 — binding of `cur`]
        cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")

    # [not rendered on this page: original lines 1180-1181 — binding of `cur`]
        cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with mismatching counter")
    eap_reauth(dev[0], "AKA'")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], hapd, "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    # [not rendered on this page: original lines 1189-1190 — binding of `cur`]
        cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with max reauth count reached")
    eap_reauth(dev[0], "AKA'")
    # NOTE(review): `con` is never closed in the visible code.
def test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    """EAP-AKA' with external UMTS auth and auth failing"""
    # NOTE(review): original lines 1197 and 1199 are not rendered on this
    # page; they presumably wrap the two statements so that external_sim is
    # reset even when the helper raises — confirm upstream.
        _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev)
        # Undo the external SIM mode the helper enables on dev[0].
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    # AKA' variant of _test_ap_wpa2_eap_aka_ext_auth_fail: the external SIM
    # entity reports UMTS-FAIL and the supplicant must report an EAP failure.
    # NOTE(review): original lines 1212 and 1218 (the guards in front of the
    # two raises) are not rendered on this page; indentation reconstructed.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    # No password in the profile: key material stays with the external
    # entity. `id` shadows the builtin and is unused below.
    id = dev[0].connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
                        identity="6555444333222111",
                        wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # [not rendered on this page: original line 1212 — guard for the raise]
        raise Exception("Wait for external SIM processing request timed out")
    # Request id is the fourth '-' separated field of the event prefix.
    p = ev.split(':', 2)
    rid = p[0].split('-')[3]
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    # [not rendered on this page: original line 1218 — guard for the raise]
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_aka_prime_ext(dev, apdev):
    """EAP-AKA' with external UMTS auth to hit Synchronization-Failure"""
    # NOTE(review): original lines 1225 and 1227 are not rendered on this
    # page; they presumably wrap the two statements so that external_sim is
    # reset even when the helper raises — confirm upstream.
        _test_ap_wpa2_eap_aka_prime_ext(dev, apdev)
        # Undo the external SIM mode the helper enables on dev[0].
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_prime_ext(dev, apdev):
    # Sends a UMTS-AUTS (resynchronisation) response to the first UMTS-AUTH
    # request and then expects the server to issue a second challenge.
    # NOTE(review): this rendering drops the guards in front of the raises
    # (original lines 1240, 1244 and 1254); indentation is reconstructed.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    # `id` shadows the builtin and is unused below. The password given here
    # is the AKA test credential, not the AKA' one used elsewhere in this
    # file for identity 6555444333222111 — presumably irrelevant with
    # external_sim=1, but worth confirming.
    id = dev[0].connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
                        identity="6555444333222111",
                        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    # [not rendered on this page: original line 1240 — guard for the raise]
        # NOTE(review): message does not match the event waited for.
        raise Exception("Network connected timed out")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # [not rendered on this page: original line 1244 — guard for the raise]
        raise Exception("Wait for external SIM processing request timed out")
    p = ev.split(':', 2)
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during UMTS auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
        raise Exception("CTRL-RSP-SIM failed")
    # The resync attempt must trigger another request from the server.
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # [not rendered on this page: original line 1254 — guard for the raise]
        raise Exception("Wait for external SIM processing request timed out")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # AP-side sanity check: the first AKM in GET_CONFIG must be WPA-EAP or
    # the rest of the test would not be exercising 802.1X at all.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm, _, _ = key_mgmt.partition(' ')
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # PAP sends the password in the clear inside the TLS tunnel, so the
    # ca_cert check on the server certificate is what protects it here.
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **inner)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # Requested and selected AKM suite must both be 802.1X (00-0f-ac-1).
    suite = "00-0f-ac-1"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", suite),
                       ("dot11RSNAAuthenticationSuiteSelected", suite)])
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    # Both matching options need TLS-library support; skip otherwise.
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # On top of the CA check, pin the server certificate's subject DN and
    # its subjectAltName entries (';'-separated list of TYPE:value).
    pins = dict(subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                **pins)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_pap_check_cert_subject(dev, apdev):
    """EAP-TTLS/PAP and check_cert_subject"""
    # Each entry is a subject pattern that must accept the test server's
    # certificate; a fresh connection is made per pattern.
    # NOTE(review): this rendering drops part of the pattern list and the
    # loop header that binds `test` (original lines 1291 and 1294-1299);
    # indentation of the loop body is reconstructed — confirm upstream.
    check_check_cert_subject_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    tests = ["C=FI/O=w1.fi/CN=server.w1.fi",
    # [not rendered on this page: original line 1291 — one list entry]
             "C=FI/CN=server.w1.fi",
             "O=w1.fi/CN=server.w1.fi",
    # [not rendered on this page: original lines 1294-1299 — remaining list
    #  entries and the loop header]
        eap_connect(dev[0], hapd, "TTLS", "pap user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                    check_cert_subject=test)
        # Tear down between patterns so each run is a full authentication.
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()
def test_ap_wpa2_eap_ttls_pap_check_cert_subject_neg(dev, apdev):
    """EAP-TTLS/PAP and check_cert_subject (negative)"""
    # Each pattern must be rejected: the connection fails with a certificate
    # error rather than completing. What expect_cert_error=12 maps to is
    # not stated on this page — see eap_connect().
    # NOTE(review): the pattern list and loop header (original lines
    # 1313-1321) are not rendered on this page; the loop body's indentation
    # is reconstructed — confirm upstream.
    check_check_cert_subject_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # [not rendered on this page: original lines 1313-1321 — the list of
    #  non-matching patterns and the loop that binds `test`]
        eap_connect(dev[0], hapd, "TTLS", "pap user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                    expect_failure=True, expect_cert_error=12,
                    check_cert_subject=test)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].dump_monitor()
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # (station, inner identity, inner password); both attempts must be
    # rejected by the server: a wrong password for the PAP user, and the
    # correct password for an identity that is not a PAP user.
    cases = [(dev[0], "pap user", "wrong"),
             (dev[1], "user", "password")]
    for sta, identity, password in cases:
        eap_connect(sta, hapd, "TTLS", identity,
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                    expect_failure=True)
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # CHAP (MD5-based) is not available in FIPS mode.
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Uses the DER-encoded copy of the CA certificate.
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(dev[0], hapd, "TTLS", "chap user", **inner)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # Same as test_ap_wpa2_eap_ttls_chap, plus pinning of the server
    # certificate's subjectAltName entries. (The description line above is
    # identical to the plain CHAP test's.)
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Entry order differs from the PAP variant; the match must not depend
    # on it.
    alt = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], hapd, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=alt)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # (station, inner identity, inner password); both must be rejected —
    # wrong password for the CHAP user, and a non-CHAP identity with its
    # otherwise valid password.
    cases = [(dev[0], "chap user", "wrong"),
             (dev[1], "user", "password")]
    for sta, identity, password in cases:
        eap_connect(sta, hapd, "TTLS", identity,
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                    expect_failure=True)
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    skip_with_fips(dev[0])
    check_domain_suffix_match(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    base = dict(anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")

    # 1) Password plus a server-name check on the certificate, then data
    #    path and fast re-authentication.
    eap_connect(dev[0], hapd, "TTLS", "mschap user",
                **base, domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    dev[0].request("REMOVE_NETWORK all")

    # 2) Small EAP fragment size to force fragmentation of the TLS exchange.
    eap_connect(dev[0], hapd, "TTLS", "mschap user",
                **base, fragment_size="200")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # 3) Credential given as the NT password hash instead of the password;
    #    for MSCHAP the hash is password-equivalent, so treat it as a secret.
    eap_connect(dev[0], hapd, "TTLS", "mschap user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # (station, inner identity, inner password); all three must be
    # rejected: wrong password, a non-MSCHAP identity, and an unknown user.
    cases = [(dev[0], "mschap user", "wrong"),
             (dev[1], "user", "password"),
             (dev[2], "no such user", "password")]
    for sta, identity, password in cases:
        eap_connect(sta, hapd, "TTLS", identity,
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                    expect_failure=True)
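def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # "\m" is not a valid escape sequence (SyntaxWarning on newer Python
    # versions, eventually an error); the escaped form yields the same
    # runtime string DOMAIN\mschapv2 user as before.
    identity = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], hapd, "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)

    # Snapshot the AP-side STA and EAPOL counters, re-authenticate, and
    # check that the counters moved the way a successful re-auth implies.
    addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(addr)
    eapol1 = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(addr)
    eapol2 = hapd.get_sta(addr, info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    # The "hash:" form supplies the NT password hash instead of the
    # password; for MSCHAPv2 it is password-equivalent and must be
    # protected like the password itself.
    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")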
def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
    """EAP-TTLS with invalid phase2 parameter values"""
    # Each phase2 string is rejected by the supplicant itself: EAP-TTLS
    # must start (method 21) and then fail to initialise, never connect.
    # NOTE(review): the loop header binding `t` (original line 1459) is not
    # rendered on this page; the body's indentation is reconstructed.
    # NOTE(review): "DOMAIN\mschapv2 user" contains the invalid escape
    # "\m" — the escaped form "DOMAIN\\mschapv2 user" is the same string.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # Wrong case, mixed auth/autheap, duplicate auth=, and an unknown
    # autheap method.
    tests = ["auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
             "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
             "autheap=MD5 autheap=FOO autheap=MSCHAPV2"]
    # [not rendered on this page: original line 1459 — loop header]
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\mschapv2 user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2=t,
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
        if ev is None or "method=21" not in ev:
            raise Exception("EAP-TTLS not started")
        # Either outcome is conclusive; a connection means the bad phase2
        # value was silently accepted.
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method",
                                "CTRL-EVENT-CONNECTED"], timeout=5)
        if ev is None or "CTRL-EVENT-CONNECTED" in ev:
            raise Exception("No EAP-TTLS failure reported for phase2=" + t)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()
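def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # "\m" is an invalid escape sequence (SyntaxWarning on newer Python);
    # the escaped form is the same runtime string DOMAIN\mschapv2 user.
    # domain_suffix_match with the parent domain only: the server's
    # certificate name (server.w1.fi elsewhere in this file) must match
    # by suffix.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")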
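def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # "\m" is an invalid escape sequence (SyntaxWarning on newer Python);
    # the escaped form is the same runtime string DOMAIN\mschapv2 user.
    # Full-name match against the server certificate; the mixed-case value
    # presumably exercises case-insensitive comparison — confirm.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")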
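def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # "\m" is an invalid escape sequence (SyntaxWarning on newer Python);
    # the escaped form is the same runtime string DOMAIN\mschapv2 user.
    # (station, inner identity, inner password); both must be rejected:
    # an almost-right password, and a non-MSCHAPv2 identity.
    cases = [(dev[0], "DOMAIN\\mschapv2 user", "password1"),
             (dev[1], "user", "password")]
    for sta, identity, password in cases:
        eap_connect(sta, hapd, "TTLS", identity,
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    expect_failure=True)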
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    # NOTE(review): the guard in front of the raise inside the loop
    # (original line 1535) is not rendered on this page; indentation of
    # that raise is reconstructed.
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Non-ASCII password given as text; the NT hash must be computed over
    # its UTF-16 form consistently on both sides.
    eap_connect(dev[0], hapd, "TTLS", "utf8-user-hash",
                anonymous_identity="ttls", password="secret-åäö-€-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # Same idea with the pre-computed NT hash supplied directly.
    eap_connect(dev[1], hapd, "TTLS", "utf8-user",
                anonymous_identity="ttls",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # Raw password_hex values that are presumably not valid UTF-8 or are too
    # long (257 bytes); each must be rejected locally within a second.
    for p in ["80", "41c041e04141e041", 257*"41"]:
        dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="TTLS", identity="utf8-user-hash",
                       anonymous_identity="ttls", password_hex=p,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1)
        # [not rendered on this page: original line 1535 — guard for the raise]
            raise Exception("No failure reported")
        dev[2].request("REMOVE_NETWORK all")
        dev[2].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # autheap= selects an inner EAP method (GTC) rather than a legacy
    # PAP/CHAP/MSCHAP exchange; GTC sends the password as-is inside the
    # tunnel, so the ca_cert check is what protects it.
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], hapd, "TTLS", "user", **inner)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A wrong inner password must be rejected by the server.
    inner = dict(anonymous_identity="ttls", password="wrong",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], hapd, "TTLS", "user", **inner,
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" presumably has no password on the server side; a
    # client that does send one must still be rejected.
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], hapd, "TTLS", "user-no-passwd", **inner,
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
    # Uses the hostapd-internal EAP server so that allocation failures can
    # be injected on the authenticator side with alloc_fail().
    # NOTE(review): the loop around the final GET_ALLOC_FAIL poll and the
    # body of that `if` (original lines 1587-1588 and 1590) are not rendered
    # on this page; indentation is reconstructed — confirm upstream.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    # First allocation in eap_gtc_init fails: the server cannot start the
    # inner method and the authentication must fail cleanly.
    with alloc_fail(hapd, 1, "eap_gtc_init"):
        eap_connect(dev[0], hapd, "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                    expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

    # Failure while building the GTC request; only reaching the trigger
    # matters here, so no connection result is awaited.
    with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # [not rendered on this page: original lines 1587-1588 — polling loop]
            # GET_ALLOC_FAIL reporting a count of 0 means the armed failure
            # has been consumed.
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            # [not rendered on this page: original line 1590 — body of this if]
def test_ap_wpa2_eap_ttls_eap_gtc_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC (OOM)"""
    # Supplicant-side allocation failures in the inner GTC method.
    # NOTE(review): the loop header binding `func` and two argument lines of
    # the connect() call (original lines 1599, 1602 and 1606) are not
    # rendered on this page; indentation is reconstructed — confirm upstream.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # "a;b" form: fail the allocation in a when called from b.
    tests = ["eap_gtc_init",
             "eap_msg_alloc;eap_gtc_process"]
    # [not rendered on this page: original line 1599 — loop header]
        with alloc_fail(dev[0], 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
            # [not rendered on this page: original line 1602]
                           eap="TTLS", identity="user",
                           anonymous_identity="ttls", password="password",
                           ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
            # [not rendered on this page: original line 1606 — closing
            #  argument(s) of this call]
            # Only reaching the armed failure is checked here.
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    # EAP-MD5 is optional in the build.
    check_eap_capa(dev[0], "MD5")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-MD5 as the inner method; it derives no keys of its own, so the
    # outer TLS tunnel is the only protection for the exchange.
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], hapd, "TTLS", "user", **inner)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A wrong inner password must be rejected by the server.
    inner = dict(anonymous_identity="ttls", password="wrong",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], hapd, "TTLS", "user", **inner,
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" presumably has no password on the server side; the
    # attempt must fail rather than succeed with whatever the client sends.
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], hapd, "TTLS", "user-no-passwd", **inner,
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM

    Injects allocation failures into the authentication server's EAP-MD5
    method: failure in init must produce an EAP failure on the station,
    failure while building the request only needs to consume the injected
    fault.
    """
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0], int_eap_server_params())
    with alloc_fail(ap, 1, "eap_md5_init"):
        eap_connect(dev[0], ap, "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(ap, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                       wait_connect=False, scan_freq="2412")
        # The attempt would eventually time out on its own; instead poll the
        # server's pending allocation-failure counter and stop as soon as it
        # reads zero, i.e. the injected failure has been consumed.
        for _ in range(20):
            time.sleep(0.1)
            if ap.request("GET_ALLOC_FAIL").startswith('0'):
                break
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2

    Positive case with data-path check and reauthentication, followed by a
    negative case with a wrong password.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "TTLS", "user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password

    Negative test: the server has no password for this user, so the
    MSCHAPv2 exchange must end in EAP failure.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM

    Injects allocation failures into the server-side EAP-MSCHAPv2 method at
    init, challenge building, success-request building and failure-request
    building. Only the init failure is expected to surface as an EAP failure
    on the station; the others merely need to consume the injected fault.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0], int_eap_server_params())

    def connect_until_fault_consumed(password):
        # Start a connection that is not expected to complete and poll the
        # server's allocation-failure counter; give up after ~2 s.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password=password,
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        for _ in range(20):
            time.sleep(0.1)
            if ap.request("GET_ALLOC_FAIL").startswith('0'):
                break

    with alloc_fail(ap, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], ap, "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(ap, 1, "eap_mschapv2_build_challenge"):
        connect_until_fault_consumed("password")
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(ap, 1, "eap_mschapv2_build_success_req"):
        connect_until_fault_consumed("password")
    dev[0].request("REMOVE_NETWORK all")

    # A wrong password is needed to reach the failure-request builder.
    with alloc_fail(ap, 1, "eap_mschapv2_build_failure_req"):
        connect_until_fault_consumed("wrong")
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM

    The password carries the simulated SIM credentials (Ki:OPc) used by the
    internal GSM authentication; the leading '1' of the identity marks it as
    an EAP-SIM permanent identity.
    """
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "TTLS", "1232010000000000",
                anonymous_identity="1232010000000000@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                ca_cert="auth_serv/ca.pem", phase2="autheap=SIM")
    eap_reauth(dev[0], "TTLS")
def run_ext_sim_auth(dev):
    """Serve one external GSM authentication request and verify reauth.

    With external_sim=1 wpa_supplicant does not compute the GSM response
    itself; it raises CTRL-REQ-SIM with the RAND and waits for the answer.
    This helper computes the triplet with hlr_auc_gw from the test Milenage
    database, feeds it back over the control interface, and then checks that
    an EAP reauthentication completes.
    """
    req = dev.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if req is None:
        raise Exception("Wait for external SIM processing request timed out")
    # Expected shape: CTRL-REQ-SIM-<id>:GSM-AUTH:<rand> ...
    req_fields = req.split(':', 2)
    if req_fields[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    req_id = req_fields[0].split('-')[3]
    rand = req_fields[2].split(' ')[0]

    # NOTE(review): the rendered source lost the option line between the
    # binary and the database path; "-m" (Milenage DB) is assumed - confirm
    # against upstream.
    cmd = ["../../hostapd/hlr_auc_gw",
           "-m",
           "auth_serv/hlr_auc_gw.milenage_db",
           "GSM-AUTH-REQ 232010000000000 " + rand]
    out = subprocess.check_output(cmd).decode()
    if "GSM-AUTH-RESP" not in out:
        raise Exception("Unexpected hlr_auc_gw response")
    triplet = out.split(' ')[2].rstrip()

    dev.request("CTRL-RSP-SIM-" + req_id + ":GSM-AUTH:" + triplet)
    dev.wait_connected(timeout=15)

    # NOTE(review): one statement before REAUTHENTICATE and one after the
    # last check were lost in the rendered source; dump_monitor() and
    # wait_connected(timeout=5) are assumed - confirm against upstream.
    dev.dump_monitor()
    dev.request("REAUTHENTICATE")
    if dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=5) is None:
        raise Exception("EAP reauthentication did not succeed")
    if dev.wait_event(["WPA: Key negotiation completed"], timeout=5) is None:
        raise Exception("Key negotiation did not complete")
    dev.wait_connected(timeout=5)
def test_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    try:
        run_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev)
    finally:
        # Always restore the default so later tests do not inherit external
        # SIM processing.
        dev[0].request("SET external_sim 0")
def run_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_ttls_eap_sim_ext.

    Enables external SIM processing, starts an EAP-TTLS/EAP-SIM connection
    without waiting for it, and hands the resulting CTRL-REQ-SIM to
    run_ext_sim_auth(). The caller is responsible for resetting external_sim.
    """
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    dev[0].connect("test-wpa2-eap", eap="TTLS", key_mgmt="WPA-EAP",
                   identity="1232010000000000",
                   anonymous_identity="1232010000000000@ttls",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=SIM",
                   wait_connect=False, scan_freq="2412")
    run_ext_sim_auth(dev[0])
def test_ap_wpa2_eap_peap_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM

    EAP-SIM as the inner method of PEAP with internal GSM authentication,
    followed by reauthentication.
    """
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "PEAP", "1232010000000000",
                anonymous_identity="1232010000000000@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    try:
        run_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev)
    finally:
        # Reset even on failure so the next test starts with internal SIM
        # processing.
        dev[0].request("SET external_sim 0")
def run_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_peap_eap_sim_ext.

    Same flow as the TTLS variant but with PEAP as the outer method; the
    caller resets external_sim afterwards.
    """
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    dev[0].connect("test-wpa2-eap", eap="PEAP", key_mgmt="WPA-EAP",
                   identity="1232010000000000",
                   anonymous_identity="1232010000000000@peap",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   ca_cert="auth_serv/ca.pem", phase2="auth=SIM",
                   wait_connect=False, scan_freq="2412")
    run_ext_sim_auth(dev[0])
def test_ap_wpa2_eap_fast_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-SIM

    Authenticated PAC provisioning (fast_provisioning=2) with the PAC kept in
    a configuration blob, EAP-SIM as the inner method, then reauthentication.
    """
    check_eap_capa(dev[0], "FAST")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "FAST", "1232010000000000",
                anonymous_identity="1232010000000000@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_sim",
                ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
    eap_reauth(dev[0], "FAST")
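def test_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-SIM and external GSM auth"""
    # Skip rather than fail on builds without EAP-FAST, as the other
    # EAP-FAST tests in this file do.
    check_eap_capa(dev[0], "FAST")
    check_hlr_auc_gw_support()
    try:
        run_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")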
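def run_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_fast_eap_sim_ext.

    The previous version connected with eap="PEAP" and a "@peap" anonymous
    identity (copy-paste from the PEAP variant), so the EAP-FAST specific
    phase1/pac_file parameters were silently ignored and EAP-FAST was never
    exercised. Use EAP-FAST as the test name states, mirroring
    test_ap_wpa2_eap_fast_eap_sim. The caller resets external_sim.
    """
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    dev[0].connect("test-wpa2-eap", eap="FAST", key_mgmt="WPA-EAP",
                   identity="1232010000000000",
                   anonymous_identity="1232010000000000@fast",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   phase1="fast_provisioning=2",
                   pac_file="blob://fast_pac_auth_sim",
                   ca_cert="auth_serv/ca.pem", phase2="auth=SIM",
                   wait_connect=False, scan_freq="2412")
    run_ext_sim_auth(dev[0])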
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA

    The password carries Ki:OPc:SQN for the simulated USIM; the leading '0'
    of the identity marks it as an EAP-AKA permanent identity.
    """
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "TTLS", "0232010000000000",
                anonymous_identity="0232010000000000@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA

    EAP-AKA as the inner method of PEAP, followed by reauthentication.
    """
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "PEAP", "0232010000000000",
                anonymous_identity="0232010000000000@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA

    Authenticated PAC provisioning with EAP-AKA as the inner method, then
    reauthentication using the provisioned PAC.
    """
    check_eap_capa(dev[0], "FAST")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "FAST", "0232010000000000",
                anonymous_identity="0232010000000000@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_reauth(dev[0], "FAST")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    Positive case with connectivity check and reauthentication, the same
    with a small EAP fragment size, a variant supplying the NT password
    hash instead of the clear-text password, and a negative case with a
    wrong password.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    # Force EAP fragmentation to exercise reassembly on both sides.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                fragment_size="200")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "PEAP", "user",
                anonymous_identity="peap",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "PEAP", "user",
                anonymous_identity="peap", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain

    Identity in DOMAIN\\user form; the raw string keeps the backslash
    literal.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "PEAP", r"DOMAIN\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password

    Negative test: a wrong inner password must result in EAP failure.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "PEAP", "user",
                anonymous_identity="peap", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding

    Runs PEAPv0 with the three crypto_binding settings on three stations:
    2 = required, 1 = optional, 0 = disabled. Crypto binding ties the inner
    method's keys to the outer TLS tunnel so a tunnel cannot be relayed
    around an unrelated inner authentication.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peapver=0 crypto_binding=2",
                phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    for sta, binding in ((dev[1], "peapver=0 crypto_binding=1"),
                         (dev[2], "peapver=0 crypto_binding=0")):
        eap_connect(sta, ap, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1=binding,
                    phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM

    With crypto binding required, a failed key export from the inner
    MSCHAPv2 method on the server must make the exchange fail; the failure
    is reported locally rather than via an EAP-Failure from the server.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0], int_eap_server_params())
    with alloc_fail(ap, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], ap, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters

    Covers peaplabel, peap_outer_success, explicit peapver selection against
    server identities that pin a PEAP version, and a phase1 string touching
    several TLS tunables.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ssid = "test-wpa2-eap"
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid=ssid))

    # peaplabel=1 selects a key-derivation label the test server does not
    # use, so this is expected to fail.
    eap_connect(dev[0], ap, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    dev[0].connect(ssid, key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peap_outer_success=0",
                   wait_connect=False, scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15) is None:
        raise Exception("No EAP success seen")
    # This won't succeed to connect with peap_outer_success=0, so stop here.
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    for sta, outer in ((dev[1], "peap_outer_success=1"),
                       (dev[2], "peap_outer_success=2")):
        eap_connect(sta, ap, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1=outer,
                    phase2="auth=MSCHAPV2")

    # PEAPv1 with peaplabel=1: EAP reports success but the connection must
    # not complete.
    dev[0].connect(ssid, key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15) is None:
        raise Exception("No EAP success seen")
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=1)
    if ev and "CTRL-EVENT-CONNECTED" in ev:
        raise Exception("Unexpected connection")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].disconnect_and_stop_scan()

    # Anonymous identities peap-ver0/peap-ver1 make the server insist on
    # that PEAP version. Compatible combinations must connect.
    # NOTE(review): one entry of this list was lost in the rendered source;
    # ("peap-ver1", "") is assumed - confirm against upstream.
    compatible = [("peap-ver0", ""),
                  ("peap-ver1", ""),
                  ("peap-ver0", "peapver=0"),
                  ("peap-ver1", "peapver=1")]
    for anon, phase1 in compatible:
        dev[0].connect(ssid, key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       scan_freq="2412")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Station forcing the other version must get EAP-Failure.
    incompatible = [("peap-ver0", "peapver=1"),
                    ("peap-ver1", "peapver=0")]
    for anon, phase1 in incompatible:
        dev[0].connect(ssid, key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("No EAP-Failure seen")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    eap_connect(dev[0], ap, "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_peap_eap_gtc(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-GTC

    PEAPv1 with EAP-GTC as the inner method. The `params` argument (test
    runner parameters) is accepted for signature compatibility but unused.
    """
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "PEAP", "user", phase1="peapver=1",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS

    EAP-TLS as the inner method; the *2 parameters hold the phase-2
    certificate configuration.
    """
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                ca_cert2="auth_serv/ca.pem",
                client_cert2="auth_serv/user.pem",
                private_key2="auth_serv/user.key")
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS

    Certificate-based authentication with a file-based client certificate
    and unencrypted private key, followed by reauthentication.
    """
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    eap_reauth(dev[0], "TLS")
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key

    The private key is a password-protected PKCS #8 file; the passphrase is
    supplied via private_key_passwd.
    """
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key.pkcs8",
                private_key_passwd="whatever")
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key

    Skipped when the TLS library cannot decrypt the legacy PKCS #5 v1.5
    key encoding.
    """
    check_pkcs5_v15_support(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                private_key_passwd="whatever")
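def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs

    Loads the CA certificate, client certificate and private key into
    wpa_supplicant configuration blobs and references them with blob://
    URIs instead of file paths.
    """
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def set_blob(name, path):
        # Blobs are passed over the control interface hex-encoded.
        data = read_pem(path)
        if "OK" not in dev[0].request("SET blob " + name + " " +
                                      binascii.hexlify(data).decode()):
            raise Exception("Could not set " + name + " blob")

    set_blob("cacert", "auth_serv/ca.pem")
    set_blob("usercert", "auth_serv/user.pem")
    # Fix: the failure message for this blob used to say "cacert".
    set_blob("userkey", "auth_serv/user.rsa-key")
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")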
def test_ap_wpa2_eap_tls_blob_missing(dev, apdev):
    """EAP-TLS and config blob missing

    All three certificate parameters point at a blob that was never set; the
    EAP method must fail to initialize rather than proceed without them.
    """
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    missing = "blob://testing-blob-does-not-exist"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert=missing,
                   client_cert=missing,
                   private_key=missing,
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
                           timeout=10)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
    """EAP-TLS and TLS Message Length in unfragmented packets

    include_tls_length=1 makes the station send the TLS Message Length
    field even when no fragmentation is needed.
    """
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                phase1="include_tls_length=1",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12

    Three scenarios: passphrase given in the configuration, passphrase
    supplied interactively via CTRL-REQ-PASSPHRASE, and PKCS#12 files that
    carry an extra certificate in addition to the client certificate.
    """
    check_pkcs12_support(dev[0])
    ssid = "test-wpa2-eap"
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid=ssid))
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # No passphrase configured: wpa_supplicant must ask for it.
    dev[0].connect(ssid, key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    if ev is None:
        raise Exception("Request for private key passphrase timed out")
    # CTRL-REQ-PASSPHRASE-<id>:... -> answer with CTRL-RSP-PASSPHRASE-<id>
    req_id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + req_id + ":whatever")
    dev[0].wait_connected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Run this twice to verify certificate chain handling with OpenSSL. Use two
    # different files to cover both cases of the extra certificate being the
    # one that signed the client certificate and it being unrelated to the
    # client certificate.
    for pkcs12 in ("auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12"):
        # NOTE(review): the inner repeat loop was lost in the rendered
        # source; two iterations per the comment above are assumed - confirm
        # against upstream.
        for _ in range(2):
            eap_connect(dev[0], ap, "TLS", "tls user",
                        ca_cert="auth_serv/ca.pem",
                        private_key=pkcs12,
                        private_key_passwd="whatever")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob

    The CA certificate and the PKCS#12 bundle are loaded as configuration
    blobs; the bundle is read as raw bytes, not PEM.
    """
    check_pkcs12_support(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ca = read_pem("auth_serv/ca.pem")
    if "OK" not in dev[0].request("SET blob cacert " +
                                  binascii.hexlify(ca).decode()):
        raise Exception("Could not set cacert blob")
    with open("auth_serv/user.pkcs12", "rb") as f:
        bundle = f.read()
    if "OK" not in dev[0].request("SET blob pkcs12 " +
                                  binascii.hexlify(bundle).decode()):
        raise Exception("Could not set pkcs12 blob")
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
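def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root

    The stations trust a CA that did not issue the server certificate (one
    gets it as a blob, the other as a file). Each must report a TLS
    certificate error, then EAP failure, then disconnection, and finally
    temporary disabling of the network block - never a connection.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " +
                                  binascii.hexlify(cert).decode()):
        raise Exception("Could not set cacert blob")
    # Raw string: "\m" is not an escape sequence, and a non-raw literal
    # triggers an invalid-escape SyntaxWarning on recent Python versions.
    identity = r"DOMAIN\mschapv2 user"
    for sta, ca in ((dev[0], "blob://cacert"),
                    (dev[1], "auth_serv/ca-incorrect.pem")):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity=identity, anonymous_identity="ttls",
                    password="password", phase2="auth=MSCHAPV2",
                    ca_cert=ca,
                    wait_connect=False, scan_freq="2412")

    # Loop variable is not called 'dev' so the parameter is not shadowed.
    for sta in (dev[0], dev[1]):
        ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        if ev is None:
            raise Exception("Association and EAP start timed out")

        ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if ev is None:
            raise Exception("EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                             "CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = sta.wait_event(["CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        ev = sta.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
        if ev is None:
            raise Exception("Network block disabling not reported")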
def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    Connects with the correct CA, then switches to a second network block
    that trusts the wrong CA. The re-started EAP-TTLS exchange must fail and
    the station must disconnect with reason code 23 (IEEE 802.1X
    authentication failed).
    """
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid=ssid))
    common = dict(key_mgmt="WPA-EAP", eap="TTLS",
                  identity="pap user", anonymous_identity="ttls",
                  password="password", phase2="auth=PAP",
                  scan_freq="2412")
    dev[0].connect(ssid, ca_cert="auth_serv/ca.pem",
                   wait_connect=True, **common)
    net_id = dev[0].connect(ssid, ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, **common)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    # EAP method type 21 is EAP-TTLS.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                           timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    Variant of test_ap_wpa2_eap_tls_diff_ca_trust where the first network
    block configures no ca_cert at all (server certificate not validated)
    and the second one trusts the wrong CA; switching to the second block
    must fail with reason code 23.
    """
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid=ssid))
    common = dict(key_mgmt="WPA-EAP", eap="TTLS",
                  identity="pap user", anonymous_identity="ttls",
                  password="password", phase2="auth=PAP",
                  scan_freq="2412")
    dev[0].connect(ssid, wait_connect=True, **common)
    net_id = dev[0].connect(ssid, ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, **common)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    # EAP method type 21 is EAP-TTLS.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                           timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    Variant where the same network block is reused: after a successful
    connection its ca_cert is changed to the wrong CA, and reselecting it
    must fail with reason code 23.
    """
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid=ssid))
    net_id = dev[0].connect(ssid, key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca.pem",
                            wait_connect=True, scan_freq="2412")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    # Modify the trust root in place; cached TLS state must not let the
    # next attempt through.
    dev[0].set_network_quoted(net_id, "ca_cert", "auth_serv/ca-incorrect.pem")
    dev[0].select_network(net_id, freq="2412")

    # EAP method type 21 is EAP-TTLS.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                           timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
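def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch

    The server certificate chains to the trusted CA but its name does not
    end in the configured domain_suffix_match value; the station must
    report the mismatch as a certificate error, fail EAP, disconnect and
    temporarily disable the network block.
    """
    check_domain_suffix_match(dev[0])
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Raw string: "\m" is not an escape sequence, and a non-raw literal
    # triggers an invalid-escape SyntaxWarning on recent Python versions.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity=r"DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")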
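def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch"""
    # Same shape as the suffix-match test, but with domain_match, which
    # requires the certificate name to equal "w1.fi" exactly.  The trusted
    # CA alone must not be enough: the station has to report a certificate
    # error, fail EAP, disconnect and temp-disable the network block.
    check_domain_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # "\\m" spells the literal backslash in the identity; "\m" would be an
    # invalid escape sequence (SyntaxWarning from Python 3.12 on).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The certificate error must come before any success/connected event.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")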
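def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # subject_match is checked against the server certificate subject;
    # CN=example.com does not match the test server's certificate, so the
    # TLS handshake must be refused even though the CA is trusted.
    # "\\m" keeps the literal backslash in the identity without relying on
    # an invalid escape sequence.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # A TLS library without subject_match support refuses the
        # configuration outright, which is also a safe outcome (no connection
        # with an unchecked subject).  OpenSSL is expected to support it, so
        # there the initialization failure is a real error.
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")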
2519 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev
, apdev
):
2520 """WPA2-Enterprise negative test - altsubject mismatch"""
# Driver for _test_ap_wpa2_eap_tls_neg_altsubject_match(): each entry of
# `tests` is an altsubject_match value that must NOT match the server
# certificate's subjectAltName, and the helper verifies that the connection
# is refused with a certificate error for every one of them.
# NOTE(review): two further list entries and the "for match in tests:" loop
# header (gitweb lines 2526-2528) are missing from this rendering; restore
# them from the upstream file before relying on this listing.
2521 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2522 hostapd
.add_ap(apdev
[0], params
)
2524 tests
= ["incorrect.example.com",
2525 "DNS:incorrect.example.com",
2529 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev
, apdev
, match
)
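def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Connect with one non-matching altsubject_match value and require refusal.

    The CA (auth_serv/ca.pem) is trusted; only the subjectAltName check
    (`match`) is expected to fail.  The station must report a TLS
    certificate error, fail EAP, disconnect, temp-disable the network block
    and never reach the inner MSCHAPv2 exchange.  The network is removed at
    the end so the caller can run the next value.
    """
    # "\\m" spells the literal backslash in the identity; "\m" would be an
    # invalid escape sequence.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # Libraries without altsubject_match support refuse the configuration
        # outright -- a safe outcome.  OpenSSL supports it, so there this is
        # an error.
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")

    dev[0].request("REMOVE_NETWORK all")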
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    # UNAUTH-TLS: the server is validated against auth_serv/ca.pem while no
    # client certificate is configured on the station.
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_conf)
    sta = dev[0]
    eap_connect(sta, ap, "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(sta, "UNAUTH-TLS")
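def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    # SHA-256 fingerprint the probe below is expected to report for the test
    # server certificate; the final connection pins exactly this value.
    srv_cert_hash = "4704e62784f36cc5fd964c6410402f4938773bb471dce9d42939bf22fdbdb2dd"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # Step 1: ca_cert="probe://" only learns the server certificate hash.
    # The handshake is expected to end in a certificate error (the probe
    # result), so no inner authentication takes place.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 2: a pinned hash that does not match the presented certificate
    # must be rejected as a server certificate mismatch.  "\\m" spells the
    # literal backslash in the identity without an invalid escape sequence.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 3: pinning the hash learned in step 1 must authenticate normally.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")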
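def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # Three malformed hash:// pins, one per station.  Each must make EAP-TTLS
    # fail at method initialization rather than fall through to a weaker or
    # absent server check:
    #   dev[0]: md5 is not an accepted hash algorithm
    #   dev[1]: the sha256 value is too short
    #   dev[2]: the sha256 value contains a non-hex character
    bad_pins = [
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    # "\\m" spells the literal backslash in the identity ("\m" is not a valid
    # Python escape sequence).
    for i, pin in enumerate(bad_pins):
        dev[i].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                       password="password", phase2="auth=MSCHAPV2",
                       ca_cert=pin,
                       wait_connect=False, scan_freq="2412")
    for i in range(3):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")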
2672 def test_ap_wpa2_eap_pwd(dev
, apdev
):
2673 """WPA2-Enterprise connection using EAP-pwd"""
# Exercises EAP-pwd with the default server settings: dev[0] connects and
# re-authenticates, dev[1] authenticates with a very long NAI identity, and
# dev[2] must be rejected with a wrong password (local_error_report=True
# presumably means the failure is observed on the peer side -- confirm in
# eap_connect()).
# NOTE(review): the final keyword argument of both long-identity
# eap_connect() calls (gitweb lines 2684 and 2693) is missing from this
# rendering, so those two calls are syntactically incomplete here; restore
# them from the upstream file.
2674 check_eap_capa(dev
[0], "PWD")
2675 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2676 hapd
= hostapd
.add_ap(apdev
[0], params
)
2677 eap_connect(dev
[0], hapd
, "PWD", "pwd user", password
="secret password")
2678 eap_reauth(dev
[0], "PWD")
2679 dev
[0].request("REMOVE_NETWORK all")
2681 eap_connect(dev
[1], hapd
, "PWD",
2682 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2683 password
="secret password",
2686 logger
.info("Negative test with incorrect password")
2687 eap_connect(dev
[2], hapd
, "PWD", "pwd user", password
="secret-password",
2688 expect_failure
=True, local_error_report
=True)
2690 eap_connect(dev
[0], hapd
, "PWD",
2691 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2692 password
="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash"""
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_conf)
    nt_hash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    # For the "pwd-hash" user both the clear-text password and the NT-hash
    # form of the credential must authenticate (the server side presumably
    # stores the hash for this user -- see auth_serv/eap_user.conf).
    eap_connect(dev[0], ap, "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], ap, "PWD", "pwd-hash", password_hex=nt_hash)
    # The same hash must not authenticate "pwd user", whose stored
    # credential is the plain password.
    eap_connect(dev[2], ap, "PWD", "pwd user", password_hex=nt_hash,
                expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_pwd_salt_sha1(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and salted password SHA-1"""
    check_eap_capa(dev[0], "PWD")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The peer supplies the clear-text password; the "pwd-hash-sha1" user
    # is the one the server presumably holds as a salted SHA-1 credential.
    eap_connect(dev[0], ap, "PWD", "pwd-hash-sha1",
                password="secret password")
def test_ap_wpa2_eap_pwd_salt_sha256(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and salted password SHA256"""
    check_eap_capa(dev[0], "PWD")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same as the SHA-1 variant, for the "pwd-hash-sha256" user.
    eap_connect(dev[0], ap, "PWD", "pwd-hash-sha256",
                password="secret password")
def test_ap_wpa2_eap_pwd_salt_sha512(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and salted password SHA512"""
    check_eap_capa(dev[0], "PWD")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same as the SHA-1 variant, for the "pwd-hash-sha512" user.
    eap_connect(dev[0], ap, "PWD", "pwd-hash-sha512",
                password="secret password")
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups"""
    check_eap_capa(dev[0], "PWD")
    tls = dev[0].request("GET tls_library")
    ap_conf = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf"}
    # Groups 19-21 (NIST P-256/P-384/P-521) are always tried; the Brainpool
    # groups 28-30 only when both the build-time and run-time OpenSSL are a
    # version known to provide them.
    groups = [19, 20, 21]
    for ver in ("OpenSSL 1.0.2", "OpenSSL 1.1"):
        if (tls.startswith("OpenSSL") and "build=" + ver in tls
                and "run=" + ver in tls):
            logger.info("Add Brainpool EC groups since OpenSSL is new enough")
            groups += [28, 29, 30]
    # One fresh AP per group; the station must authenticate with each.
    for group in groups:
        logger.info("Group %d" % group)
        ap_conf['pwd_group'] = str(group)
        ap = hostapd.add_ap(apdev[0], ap_conf)
        eap_connect(dev[0], ap, "PWD", "pwd user",
                    password="secret password")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group"""
    check_eap_capa(dev[0], "PWD")
    # pwd_group 0 is not a valid group; the server must fail the exchange
    # and the peer must see an EAP failure rather than hang or connect.
    ap_conf = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "0"}
    hostapd.add_ap(apdev[0], ap_conf)
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                identity="pwd user", password="secret password",
                scan_freq="2412", wait_connect=False)
    # No explicit timeout: wait_event() uses its default here.
    failure = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if failure is None:
        raise Exception("Timeout on EAP failure report")
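def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
    check_eap_capa(dev[0], "PWD")
    # fragment_size=40 makes the authentication server split EAP-pwd messages
    # into small fragments, exercising the peer's reassembly path with group
    # 19.  (The explicit dict is the only configuration used; a discarded
    # hostapd.wpa2_eap_params() result is no longer built first.)
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "pwd_group": "19", "fragment_size": "40"}
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PWD", "pwd user", password="secret password")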
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_conf)
    sta = dev[0]
    net_id = eap_connect(sta, ap, "GPSK", "gpsk user",
                         password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(sta, "GPSK")

    logger.info("Test forced algorithm selection")
    # Both GPSK cipher suites must be negotiable when forced via phase1.
    for suite in ("cipher=1", "cipher=2"):
        sta.set_network_quoted(net_id, "phase1", suite)
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        sta.wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    # An unknown cipher id must end in an EAP failure, not a fallback.
    sta.set_network_quoted(net_id, "phase1", "cipher=9")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # First byte of the key changed: the server must reject it.
    eap_connect(sta, ap, "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_conf)
    sta = dev[0]
    # EAP-SAKE uses a 256-bit pre-shared key, given here in hex.
    eap_connect(sta, ap, "SAKE", "sake user",
                password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # First byte of the key changed: the server must reject it.
    eap_connect(sta, ap, "SAKE", "sake user",
                password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_conf)
    sta = dev[0]
    net_id = eap_connect(sta, ap, "EKE", "eke user", password="hello")
    eap_reauth(sta, "EKE")

    logger.info("Test forced algorithm selection")
    # Each phase1 string pins one DH group / encryption / PRF / MAC
    # combination that the server is expected to accept.
    accepted = ["dhgroup=5 encr=1 prf=2 mac=2",
                "dhgroup=4 encr=1 prf=2 mac=2",
                "dhgroup=3 encr=1 prf=2 mac=2",
                "dhgroup=3 encr=1 prf=1 mac=1"]
    for proposal in accepted:
        sta.set_network_quoted(net_id, "phase1", proposal)
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        sta.wait_connected(timeout=10)
        sta.dump_monitor()

    logger.info("Test failed algorithm negotiation")
    # Identifiers nobody implements must end in an EAP failure.
    sta.set_network_quoted(net_id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")
    sta.dump_monitor()

    logger.info("Test unsupported algorithm proposals")
    # DH groups 2 and 1 are expected to be rejected by the server.
    for proposal in ("dhgroup=2 encr=1 prf=1 mac=1",
                     "dhgroup=1 encr=1 prf=1 mac=1"):
        sta.request("REMOVE_NETWORK all")
        sta.dump_monitor()
        eap_connect(sta, ap, "EKE", "eke user", password="hello",
                    phase1=proposal, expect_failure=True)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "EKE", "eke user", password="hello1",
                expect_failure=True)
2866 def test_ap_wpa2_eap_eke_many(dev
, apdev
, params
):
2867 """WPA2-Enterprise connection using EAP-EKE (many connections) [long]"""
# Stress test: 100 rounds of EAP-EKE connections on several stations
# (dev[j]), counting how many connect and how many are disconnected.  A
# disconnection is tolerated and logged because the RADIUS server's active
# session limit can be reached; the run ends with a success/failure summary.
# `params` is the test-framework parameter dict (read for the --long flag)
# and is then rebound to the hostapd configuration -- the same name for two
# different things.
# NOTE(review): this rendering is missing the counter initializations, the
# inner "for j in ..." loop headers, the "if ev is None:" guard and the
# success/fail increments (gitweb lines 2872-2873, 2875, 2880, 2883, 2886
# and 2892-2894); restore them from the upstream file.
2868 if not params
['long']:
2869 raise HwsimSkip("Skip test case with long duration due to --long not specified")
2870 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2871 hostapd
.add_ap(apdev
[0], params
)
2874 for i
in range(100):
2876 dev
[j
].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="EKE",
2877 identity
="eke user", password
="hello",
2878 phase1
="dhgroup=3 encr=1 prf=1 mac=1",
2879 scan_freq
="2412", wait_connect
=False)
2881 ev
= dev
[j
].wait_event(["CTRL-EVENT-CONNECTED",
2882 "CTRL-EVENT-DISCONNECTED"], timeout
=15)
2884 raise Exception("No connected/disconnected event")
2885 if "CTRL-EVENT-DISCONNECTED" in ev
:
2887 # The RADIUS server limits on active sessions can be hit when
2888 # going through this test case, so try to give some more time
2889 # for the server to remove sessions.
2890 logger
.info("Failed to connect i=%d j=%d" % (i
, j
))
2891 dev
[j
].request("REMOVE_NETWORK all")
2895 dev
[j
].request("REMOVE_NETWORK all")
2896 dev
[j
].wait_disconnected()
2897 dev
[j
].dump_monitor()
2898 logger
.info("Total success=%d failure=%d" % (success
, fail
))
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
    # Integrated EAP server with its server_id given in NAI form.
    ap_conf = int_eap_server_params()
    ap_conf['server_id'] = 'example.server@w1.fi'
    ap = hostapd.add_ap(apdev[0], ap_conf)
    eap_connect(dev[0], ap, "EKE", "eke user", password="hello")
2907 def test_ap_wpa2_eap_eke_server_oom(dev
, apdev
):
2908 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
# Robustness test for the server-side EAP-EKE implementation: allocation
# failures are injected into named hostapd functions (alloc_fail) and every
# attempt must end in a clean EAP failure rather than a crash or a
# connection.  Three passes: (1) failures inside the EKE message
# build/process functions with eap_connect(expect_failure=True); (2) failures
# in init/key/session-id helpers, polling GET_ALLOC_FAIL until the injected
# failure has been consumed; (3) every allocation in eap_server_sm_step,
# counted upwards until "Allocation failure did not trigger" is raised.
# NOTE(review): several control-flow lines of this function (the polling
# loops and their break/sleep statements around gitweb 2943-2946 and
# 2958-2961, the "try:" at 2950 and the count check / break / re-raise at
# 2965-2969) are missing from this rendering; see the upstream file.
2909 params
= int_eap_server_params()
2910 hapd
= hostapd
.add_ap(apdev
[0], params
)
2911 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
2913 for count
, func
in [(1, "eap_eke_build_commit"),
2914 (2, "eap_eke_build_commit"),
2915 (3, "eap_eke_build_commit"),
2916 (1, "eap_eke_build_confirm"),
2917 (2, "eap_eke_build_confirm"),
2918 (1, "eap_eke_process_commit"),
2919 (2, "eap_eke_process_commit"),
2920 (1, "eap_eke_process_confirm"),
2921 (1, "eap_eke_process_identity"),
2922 (2, "eap_eke_process_identity"),
2923 (3, "eap_eke_process_identity"),
2924 (4, "eap_eke_process_identity")]:
2925 with
alloc_fail(hapd
, count
, func
):
2926 eap_connect(dev
[0], hapd
, "EKE", "eke user", password
="hello",
2927 expect_failure
=True)
2928 dev
[0].request("REMOVE_NETWORK all")
# The third tuple element is the password: "wrong" is needed to drive the
# server into eap_eke_build_failure.
2930 for count
, func
, pw
in [(1, "eap_eke_init", "hello"),
2931 (1, "eap_eke_get_session_id", "hello"),
2932 (1, "eap_eke_getKey", "hello"),
2933 (1, "eap_eke_build_msg", "hello"),
2934 (1, "eap_eke_build_failure", "wrong"),
2935 (1, "eap_eke_build_identity", "hello"),
2936 (2, "eap_eke_build_identity", "hello")]:
2937 with
alloc_fail(hapd
, count
, func
):
2938 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
2939 eap
="EKE", identity
="eke user", password
=pw
,
2940 wait_connect
=False, scan_freq
="2412")
2941 # This would eventually time out, but we can stop after having
2942 # reached the allocation failure.
# GET_ALLOC_FAIL starting with '0' means the injected failure has fired.
2945 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
2947 dev
[0].request("REMOVE_NETWORK all")
# `pw` below is the leftover value of the previous loop variable ("hello"
# from its last tuple), not an explicitly chosen password -- fragile if the
# list above is ever reordered.
2949 for count
in range(1, 1000):
2951 with
alloc_fail(hapd
, count
, "eap_server_sm_step"):
2952 dev
[0].connect("test-wpa2-eap",
2953 key_mgmt
="WPA-EAP WPA-EAP-SHA256",
2954 eap
="EKE", identity
="eke user", password
=pw
,
2955 wait_connect
=False, scan_freq
="2412")
2956 # This would eventually time out, but we can stop after having
2957 # reached the allocation failure.
2960 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
2962 dev
[0].request("REMOVE_NETWORK all")
2963 except Exception as e
:
2964 if str(e
) == "Allocation failure did not trigger":
2966 raise Exception("Too few allocation failures")
2967 logger
.info("%d allocation failures tested" % (count
- 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    check_eap_capa(dev[0], "IKEV2")
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_conf)
    sta = dev[0]

    def connect_ikev2(**extra):
        # One EAP-IKEv2 attempt with the correct credentials.
        eap_connect(sta, ap, "IKEV2", "ikev2 user",
                    password="ike password", **extra)

    connect_ikev2()
    eap_reauth(sta, "IKEV2")
    sta.request("REMOVE_NETWORK all")
    # Peer-side fragmentation with a 50-byte fragment size.
    connect_ikev2(fragment_size="50")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", "ikev2 user",
                password="ike-password", expect_failure=True)
    sta.request("REMOVE_NETWORK all")

    # A zero fragment_size is exercised as well.
    connect_ikev2(fragment_size="0")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
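def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
    check_eap_capa(dev[0], "IKEV2")
    # fragment_size=50 makes the authentication server fragment its EAP-IKEv2
    # messages, exercising the peer's reassembly.  (The explicit dict is the
    # only configuration used; a discarded hostapd.wpa2_eap_params() result
    # is no longer built first.)
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "fragment_size": "50"}
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")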
3007 def test_ap_wpa2_eap_ikev2_oom(dev
, apdev
):
3008 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
# Peer-side robustness: allocation failures (alloc_fail) and forced
# function failures (fail_test) are injected into the Diffie-Hellman code
# used by EAP-IKEv2.  Each attempt must still get as far as method
# selection and then fail cleanly; GET_ALLOC_FAIL / GET_FAIL are polled to
# confirm the injected failure actually fired before the network is removed.
# NOTE(review): this rendering is missing a list entry at gitweb line 3014,
# the "if ev is None:" guards (3022, 3041), the polling loop headers and
# their break/sleep statements (3024, 3026-3027, 3043, 3045-3046) and the
# "else:" at 3033; see the upstream file.
3009 check_eap_capa(dev
[0], "IKEV2")
3010 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3011 hostapd
.add_ap(apdev
[0], params
)
3013 tests
= [(1, "dh_init"),
3015 (1, "dh_derive_shared")]
3016 for count
, func
in tests
:
3017 with
alloc_fail(dev
[0], count
, func
):
3018 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="IKEV2",
3019 identity
="ikev2 user", password
="ike password",
3020 wait_connect
=False, scan_freq
="2412")
3021 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
3023 raise Exception("EAP method not selected")
# "0:" in GET_ALLOC_FAIL output means the injected failure has fired.
3025 if "0:" in dev
[0].request("GET_ALLOC_FAIL"):
3028 dev
[0].request("REMOVE_NETWORK all")
# The DH entry point differs per TLS library: os_get_random for the
# internal/OpenSSL path, crypto_dh_init for wolfSSL.
3030 tls
= dev
[0].request("GET tls_library")
3031 if not tls
.startswith("wolfSSL"):
3032 tests
= [(1, "os_get_random;dh_init")]
3034 tests
= [(1, "crypto_dh_init;dh_init")]
3035 for count
, func
in tests
:
3036 with
fail_test(dev
[0], count
, func
):
3037 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="IKEV2",
3038 identity
="ikev2 user", password
="ike password",
3039 wait_connect
=False, scan_freq
="2412")
3040 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
3042 raise Exception("EAP method not selected")
3044 if "0:" in dev
[0].request("GET_FAIL"):
3047 dev
[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_conf)
    sta = dev[0]
    pax_user = "pax.user@example.com"
    # EAP-PAX with a 128-bit pre-shared key given in hex.
    eap_connect(sta, ap, "PAX", pax_user,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "PAX")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # First byte of the key changed: the server must reject it.
    eap_connect(sta, ap, "PAX", pax_user,
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # SHA-256 based AKM with management frame protection required.
    ap_conf["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_conf["ieee80211w"] = "2"
    ap = hostapd.add_ap(apdev[0], ap_conf)
    sta = dev[0]
    psk_user = "psk.user@example.com"
    eap_connect(sta, ap, "PSK", psk_user,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(sta, "PSK", sha256=True)
    # 00-0f-ac-5 is the IEEE 802.1X (SHA-256) AKM suite selector; both the
    # requested and the selected suite must be that one.
    check_mib(sta, [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5")])

    bss = sta.get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SHA256-CCMP]" not in bss['flags']:
        raise Exception("Unexpected BSS flags: " + bss['flags'])

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # First byte of the key changed: the server must reject it.
    eap_connect(sta, ap, "PSK", psk_user,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
def test_ap_wpa2_eap_psk_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK and OOM"""
    skip_with_fips(dev[0])
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], ap_conf)
    sta = dev[0]

    def start_psk_attempt():
        # Start one EAP-PSK attempt with valid credentials and wait until the
        # method has been selected, i.e. until the AES-EAX code under test
        # is about to run.
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                    identity="psk.user@example.com",
                    password_hex="0123456789abcdef0123456789abcdef",
                    wait_connect=False, scan_freq="2412")
        if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5) is None:
            raise Exception("EAP method not selected")

    def drop_network():
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()

    # Allocation failures inside the EAX encrypt/decrypt wrappers.  The
    # attempt must not proceed past the failure, and wait_fail_trigger()
    # confirms the injected failure really fired.
    for count, func in [(1, "=aes_128_eax_encrypt"),
                        (1, "=aes_128_eax_decrypt")]:
        with alloc_fail(sta, count, func):
            start_psk_attempt()
            wait_fail_trigger(sta, "GET_ALLOC_FAIL",
                              note="Failure not triggered: %d:%s" % (count, func))
            drop_network()

    # Forced failures of the AES-CTR / OMAC1 primitives underneath EAX.
    forced_failures = [(1, "aes_ctr_encrypt;aes_128_eax_encrypt"),
                       (1, "omac1_aes_128;aes_128_eax_encrypt"),
                       (2, "omac1_aes_128;aes_128_eax_encrypt"),
                       (3, "omac1_aes_128;aes_128_eax_encrypt"),
                       (1, "omac1_aes_vector"),
                       (1, "omac1_aes_128;aes_128_eax_decrypt"),
                       (2, "omac1_aes_128;aes_128_eax_decrypt"),
                       (3, "omac1_aes_128;aes_128_eax_decrypt"),
                       (1, "aes_ctr_encrypt;aes_128_eax_decrypt")]
    for count, func in forced_failures:
        with fail_test(sta, count, func):
            start_psk_attempt()
            wait_fail_trigger(sta, "GET_FAIL",
                              note="Failure not triggered: %d:%s" % (count, func))
            drop_network()

    # A failing single-block AES encryption must surface as an EAP failure.
    with fail_test(sta, 1, "aes_128_encrypt_block"):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                    identity="psk.user@example.com",
                    password_hex="0123456789abcdef0123456789abcdef",
                    wait_connect=False, scan_freq="2412")
        if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
            raise Exception("EAP method failure not reported")
        drop_network()
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    # WPA (TKIP-era, not RSN) with 802.1X; the RSN-specific helpers are
    # therefore called with rsn=False and the MIB check uses the WPA
    # vendor-OUI AKM selector rather than the RSN one.
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
                   # NOTE(review): listing line 3150 (the remainder of this
                   # connect() call) is absent from this rendering.
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    # 00-50-f2-1: the WPA (Microsoft OUI) AKM suite selector for 802.1X.
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                       ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1")])
    status = dev[0].get_status(extra="VERBOSE")
    # The controlled port must be under 802.1X control ('Auto'), i.e. not
    # force-authorized.
    if 'portControl' not in status:
        raise Exception("portControl missing from STATUS-VERBOSE")
    if status['portControl'] != 'Auto':
        raise Exception("Unexpected portControl value: " + status['portControl'])
    # An EAP Session-Id must have been exported; it starts with the EAP
    # method type byte and 0x19 (25) is PEAP.
    if 'eap_session_id' not in status:
        raise Exception("eap_session_id missing from STATUS-VERBOSE")
    if not status['eap_session_id'].startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry"""
    # Credentials are deliberately left out of the network block and are
    # supplied over the control interface in reply to CTRL-REQ-* events -
    # the same path a UI uses to prompt the user.
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # NOTE(review): listing line 3171 is absent from this rendering.
    # Each entry: (description, EAP method, anonymous identity, identity,
    # phase2, identity to supply on request, password to supply on request).
    # NOTE(review): "\m" in the DOMAIN strings is not a recognised escape
    # sequence; recent Python versions emit a SyntaxWarning for it.  A raw
    # string or "\\m" would be the clean form (the value is unchanged).
    tests = [("Connection with dynamic TTLS/MSCHAPv2 password entry",
              "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
              # NOTE(review): listing line 3174 (rest of this tuple) is
              # absent from this rendering.
             ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
              "TTLS", "ttls", None, "auth=MSCHAPV2",
              "DOMAIN\mschapv2 user", "password"),
             ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
              "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
             ("Connection with dynamic TTLS/EAP-MD5 password entry",
              "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
             ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
              "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
             ("Connection with dynamic PEAP/EAP-GTC password entry",
              "PEAP", None, "user", "auth=GTC", None, "password")]
    for [desc, eap, anon, identity, phase2, req_id, req_pw] in tests:
        # NOTE(review): listing line 3187 is absent from this rendering
        # (desc is not used in the visible lines).
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        # NOTE(review): listing line 3192 is absent from this rendering, so
        # the nesting of the identity exchange below (only one entry leaves
        # identity unset) cannot be recovered here.
        ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
        # NOTE(review): listing line 3194 is absent from this rendering.
            raise Exception("Request for identity timed out")
        # The request carries an id field ("CTRL-REQ-IDENTITY-<id>:...");
        # it must be echoed back in the response.  NOTE(review): id and type
        # shadow builtins here.
        id = ev.split(':')[0].split('-')[-1]
        dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD", "CTRL-REQ-OTP"])
        # NOTE(review): listing line 3199 is absent from this rendering.
            raise Exception("Request for password timed out")
        id = ev.split(':')[0].split('-')[-1]
        # Either a password or a one-time password may be requested,
        # depending on the inner method; answer with the matching type.
        type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
    """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
    # Regression-style test: enabling an unrelated network while an EAP
    # connection that was completed via interactive identity entry is up
    # must not trigger a reconnection attempt.
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # NOTE(review): listing line 3212 is absent from this rendering.
    # A second, open network that is only added (not selected) for now.
    id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
                              only_add_network=True)
    # NOTE(review): listing line 3215 is absent from this rendering.
    # NOTE(review): "\m" is not a recognised escape sequence (SyntaxWarning
    # on recent Python); a raw string would be the clean form.
    req_id = "DOMAIN\mschapv2 user"
    # identity=None forces a CTRL-REQ-IDENTITY prompt.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   anonymous_identity="ttls", identity=None,
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    # NOTE(review): listing line 3223 is absent from this rendering.
        raise Exception("Request for identity timed out")
    id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
    dev[0].wait_connected(timeout=10)
    # NOTE(review): listing line 3228 is absent from this rendering.
    if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
        raise Exception("Failed to enable network")
    # Short timeout on purpose: the expected outcome is that no
    # authentication attempt is started at all.
    ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
    # NOTE(review): listing line 3232 is absent from this rendering.
        raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test"""
    # Exercises the expanded-type (vendor-specific) EAP method plumbing with
    # the built-in VENDOR-TEST method on two stations.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "VENDOR-TEST", "vendor-test")
    eap_reauth(dev[0], "VENDOR-TEST")
    eap_connect(dev[1], hapd, "VENDOR-TEST", "vendor-test",
                # NOTE(review): listing lines 3243-3244 (remainder of this
                # eap_connect() call) are absent from this rendering.
def test_ap_wpa2_eap_vendor_test_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test (OOM)"""
    # Allocation failures in the VENDOR-TEST method's init, message
    # processing and key export paths must be survived cleanly.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # NOTE(review): listing line 3249 is absent from this rendering.
    tests = ["eap_vendor_test_init",
             "eap_msg_alloc;eap_vendor_test_process",
             "eap_vendor_test_getKey"]
    # NOTE(review): listing line 3253, which binds func for the body below,
    # is absent from this rendering.
        with alloc_fail(dev[0], 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           # NOTE(review): listing line 3256 absent.
                           eap="VENDOR-TEST", identity="vendor-test",
                           # NOTE(review): listing line 3258 absent.
            # Make sure the injected allocation failure really fired.
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=1 selects unauthenticated (anonymous) PAC
    # provisioning; the PAC is kept in a supplicant blob, not on disk.
    fast_cfg = dict(anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    eap_connect(sta, hapd, "FAST", "user", **fast_cfg)
    hwsim_utils.test_connectivity(sta, hapd)
    # The second authentication must resume from the provisioned PAC.
    reauth = eap_reauth(sta, "FAST")
    reused = reauth['tls_session_reused'] == '1'
    if not reused:
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
    # PAC storage on disk (text and binary format) instead of a blob.
    # The PAC file holds the PAC-Key, i.e. credential material, so it is
    # written under the per-run log directory.
    check_eap_capa(dev[0], "FAST")
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    # NOTE(review): the test-runner fixture `params` is rebound here to the
    # hostapd configuration dict; the logdir value was read above.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # NOTE(review): listing lines 3284-3285 are absent from this rendering.
    eap_connect(dev[0], hapd, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file=pac_file)
    with open(pac_file, "r") as f:
        # NOTE(review): listing line 3291, which binds `data` from f, is
        # absent from this rendering.
    # Sanity-check the text PAC format: header line and a PAC-Key entry.
    if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
        raise Exception("PAC file header missing")
    if "PAC-Key=" not in data:
        raise Exception("PAC-Key missing from PAC file")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                # NOTE(review): listing lines 3300-3301 (rest of this call)
                # are absent from this rendering.
    # Second station: provision and then reuse a binary-format PAC file.
    eap_connect(dev[1], hapd, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_pac_format=binary",
                # NOTE(review): listing line 3306 (rest of this call) is
                # absent from this rendering.
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[1], hapd, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_pac_format=binary",
                # NOTE(review): listing lines 3312-3318 are absent from this
                # rendering; only the removal of pac_file2 is visible below,
                # cleanup of pac_file is not visible here.
    os.remove(pac_file2)
    # NOTE(review): listing lines 3320-3322 are absent from this rendering.
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
    check_eap_capa(dev[0], "FAST")
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Everything except phase1 is shared by both connection attempts; the
    # PAC lives in a blob so it never touches the filesystem.
    common = dict(anonymous_identity="FAST", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                  pac_file="blob://fast_pac_bin")

    def connect_with_phase1(phase1):
        # Anonymous provisioning of a binary-format PAC with the given
        # PAC list length limit.
        eap_connect(sta, hapd, "FAST", "user", phase1=phase1, **common)

    connect_with_phase1("fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary")
    # Re-authentication must resume via the PAC just provisioned.
    if eap_reauth(sta, "FAST")['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")

    # Verify fast_max_pac_list_len=0 special case
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
    connect_with_phase1("fast_provisioning=1 fast_max_pac_list_len=0 fast_pac_format=binary")
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
    # Negative test: without a usable PAC and without a provisioning mode
    # in phase1, EAP-FAST must fail (both with and without a pac_file).
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # NOTE(review): listing line 3351 is absent from this rendering.
    # pac_file points at a blob that holds no PAC and no fast_provisioning
    # option is given.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   pac_file="blob://fast_pac_not_in_use",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): listing line 3359 is absent from this rendering.
        raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): listing line 3362 is absent from this rendering.
    # No pac_file at all.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): listing line 3369 is absent from this rendering.
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_fast_binary_pac_errors(dev, apdev):
    """EAP-FAST and binary PAC errors"""
    # Robustness of the binary PAC store: allocation failures while saving /
    # loading, and deliberately malformed PAC blobs, must be rejected
    # without crashing the supplicant.
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # NOTE(review): listing line 3377 is absent from this rendering.
    # Allocation failures while writing the PAC after provisioning.
    tests = [(1, "=eap_fast_save_pac_bin"),
             (1, "eap_fast_write_pac"),
             (2, "eap_fast_write_pac"),]
    for count, func in tests:
        # Start from an empty blob each round.
        if "OK" not in dev[0].request("SET blob fast_pac_bin_errors "):
            raise Exception("Could not set blob")
        # NOTE(review): listing line 3384 is absent from this rendering.
        with alloc_fail(dev[0], count, func):
            eap_connect(dev[0], hapd, "FAST", "user",
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                        phase1="fast_provisioning=1 fast_pac_format=binary",
                        pac_file="blob://fast_pac_bin_errors")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    # NOTE(review): listing line 3393 is absent from this rendering.
    # Malformed binary PAC blobs (hex).  "6ae4920c" is presumably the
    # binary PAC file magic - confirm against eap_fast_pac.c.  The cases
    # cover truncated input, bad version/length fields and bad attribute
    # lengths.
    tests = ["00", "000000000000", "6ae4920c0001",
             # NOTE(review): listing line 3395 is absent from this rendering.
             "6ae4920c0000" + "0000" + 32*"00" + "ffff" + "0000",
             "6ae4920c0000" + "0000" + 32*"00" + "0001" + "0000",
             "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0001",
             "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0008" + "00040000" + "0007000100"]
    # NOTE(review): listing line 3400, which binds `t` for the body below,
    # is absent from this rendering.
        if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + t):
            raise Exception("Could not set blob")
        # NOTE(review): listing line 3403 is absent from this rendering.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       phase1="fast_provisioning=1 fast_pac_format=binary",
                       pac_file="blob://fast_pac_bin_errors",
                       scan_freq="2412", wait_connect=False)
        # A corrupt PAC must make method initialization fail outright.
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
                               # NOTE(review): listing lines 3412-3413 are
                               # absent from this rendering.
            raise Exception("Failure not reported")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    # NOTE(review): listing line 3417 is absent from this rendering.
    # Structurally valid but empty PAC: allocation failures while loading.
    pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0000"
    tests = [(1, "eap_fast_load_pac_bin"),
             (2, "eap_fast_load_pac_bin"),
             (3, "eap_fast_load_pac_bin")]
    for count, func in tests:
        if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
            raise Exception("Could not set blob")
        # NOTE(review): listing line 3425 is absent from this rendering.
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                           identity="user", anonymous_identity="FAST",
                           password="password",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           phase1="fast_provisioning=1 fast_pac_format=binary",
                           pac_file="blob://fast_pac_bin_errors",
                           scan_freq="2412", wait_connect=False)
            ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
                                   # NOTE(review): listing lines 3435-3436
                                   # are absent from this rendering.
                raise Exception("Failure not reported")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
    # NOTE(review): listing line 3440 is absent from this rendering.
    # A PAC with an unknown 5-byte attribute must be tolerated (connection
    # still succeeds by provisioning a fresh PAC).
    pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0005" + "0011223344"
    if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
        raise Exception("Could not set blob")
    # NOTE(review): listing line 3444 is absent from this rendering.
    eap_connect(dev[0], hapd, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_pac_format=binary",
                pac_file="blob://fast_pac_bin_errors")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    # NOTE(review): listing line 3452 is absent from this rendering.
    # Allocation failures while extracting the A-ID from a stored PAC.
    pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0009" + "00040000" + "0007000100"
    tests = [(1, "eap_fast_pac_get_a_id"),
             (2, "eap_fast_pac_get_a_id")]
    for count, func in tests:
        if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
            raise Exception("Could not set blob")
        with alloc_fail(dev[0], count, func):
            eap_connect(dev[0], hapd, "FAST", "user",
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                        phase1="fast_provisioning=1 fast_pac_format=binary",
                        pac_file="blob://fast_pac_bin_errors")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_text_pac_errors(dev, apdev):
    """EAP-FAST and text PAC errors"""
    # Robustness of the text-format PAC parser/writer under allocation
    # failures and with a malformed PAC blob.
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # NOTE(review): listing line 3473 is absent from this rendering.
    # Allocation failures in the hex-field parsers (PAC-Key, PAC-Opaque,
    # A-ID), the section-start parser and the PAC writer.
    tests = [(1, "eap_fast_parse_hex;eap_fast_parse_pac_key"),
             (1, "eap_fast_parse_hex;eap_fast_parse_pac_opaque"),
             (1, "eap_fast_parse_hex;eap_fast_parse_a_id"),
             (1, "eap_fast_parse_start"),
             (1, "eap_fast_save_pac")]
    for count, func in tests:
        # FLUSH drops all state so every round starts from scratch.
        dev[0].request("FLUSH")
        if "OK" not in dev[0].request("SET blob fast_pac_text_errors "):
            raise Exception("Could not set blob")
        # NOTE(review): listing line 3483 is absent from this rendering.
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                           identity="user", anonymous_identity="FAST",
                           password="password",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           phase1="fast_provisioning=1",
                           pac_file="blob://fast_pac_text_errors",
                           scan_freq="2412", wait_connect=False)
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
    # NOTE(review): listing line 3495 is absent from this rendering.
    # Malformed text PAC: a valid header followed by content that is not
    # visible here.
    pac = "wpa_supplicant EAP-FAST PAC file - version 1\n"
    # NOTE(review): listing lines 3497-3499 are absent from this rendering.
    # The blob is set as hex, hence the hexlify of the text.
    if "OK" not in dev[0].request("SET blob fast_pac_text_errors " + binascii.hexlify(pac.encode()).decode()):
        raise Exception("Could not set blob")
    # NOTE(review): listing line 3502 is absent from this rendering.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="fast_provisioning=1",
                   pac_file="blob://fast_pac_text_errors",
                   scan_freq="2412", wait_connect=False)
    # A PAC that fails to parse must prevent method initialization.
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=5)
    # NOTE(review): listing line 3511 is absent from this rendering.
        raise Exception("Failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    # NOTE(review): listing line 3515 is absent from this rendering.
    dev[0].request("FLUSH")
    if "OK" not in dev[0].request("SET blob fast_pac_text_errors "):
        raise Exception("Could not set blob")
    # NOTE(review): listing line 3519 is absent from this rendering.
    # Allocation failure while appending a PAC entry, provisioned from a
    # distinct server identity (A-ID) on the second radio.
    with alloc_fail(dev[0], 1, "eap_fast_add_pac_data"):
        # NOTE(review): listing line 3521, which binds `i` for the body
        # below, is absent from this rendering.
            params = int_eap_server_params()
            params['ssid'] = "test-wpa2-eap-2"
            # Per-server PAC-Opaque encryption key and A-ID derived from i.
            params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
            params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
            params['eap_fast_a_id_info'] = "test server %d" % i
            # NOTE(review): listing line 3527 is absent from this rendering.
            hapd2 = hostapd.add_ap(apdev[1], params)
            # NOTE(review): listing line 3529 is absent from this rendering.
            dev[0].connect("test-wpa2-eap-2", key_mgmt="WPA-EAP", eap="FAST",
                           identity="user", anonymous_identity="FAST",
                           password="password",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           phase1="fast_provisioning=1",
                           pac_file="blob://fast_pac_text_errors",
                           scan_freq="2412", wait_connect=False)
            dev[0].wait_connected()
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
            # NOTE(review): listing lines 3540-3542 are absent from this
            # rendering.
def test_ap_wpa2_eap_fast_pac_truncate(dev, apdev):
    """EAP-FAST and PAC list truncation"""
    # Provision PACs from several distinct servers (different A-IDs) into
    # one blob while fast_max_pac_list_len=2 limits how many are kept.
    check_eap_capa(dev[0], "FAST")
    if "OK" not in dev[0].request("SET blob fast_pac_truncate "):
        raise Exception("Could not set blob")
    # NOTE(review): listing line 3548, which binds `i` for the body below,
    # is absent from this rendering.
        params = int_eap_server_params()
        # Per-server PAC-Opaque encryption key and A-ID derived from i.
        params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
        params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
        params['eap_fast_a_id_info'] = "test server %d" % i
        hapd = hostapd.add_ap(apdev[0], params)
        # NOTE(review): listing line 3554 is absent from this rendering.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       phase1="fast_provisioning=1 fast_max_pac_list_len=2",
                       pac_file="blob://fast_pac_truncate",
                       scan_freq="2412", wait_connect=False)
        dev[0].wait_connected()
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        # NOTE(review): listing lines 3565-3567 are absent from this
        # rendering.
def test_ap_wpa2_eap_fast_pac_refresh(dev, apdev):
    """EAP-FAST and PAC refresh"""
    # Two passes against freshly configured servers: first with a short
    # pac_key_refresh_time (1 s, lifetime 10 s), presumably so the server
    # hands out a refreshed PAC, then with refresh time equal to the
    # lifetime (10/10).
    check_eap_capa(dev[0], "FAST")
    if "OK" not in dev[0].request("SET blob fast_pac_refresh "):
        raise Exception("Could not set blob")
    # NOTE(review): listing line 3573, which binds `i` for the body below,
    # is absent from this rendering.
        params = int_eap_server_params()
        # Per-server PAC-Opaque encryption key and A-ID derived from i.
        params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
        params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
        params['eap_fast_a_id_info'] = "test server %d" % i
        params['pac_key_refresh_time'] = "1"
        params['pac_key_lifetime'] = "10"
        hapd = hostapd.add_ap(apdev[0], params)
        # NOTE(review): listing line 3581 is absent from this rendering.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       phase1="fast_provisioning=1",
                       pac_file="blob://fast_pac_refresh",
                       scan_freq="2412", wait_connect=False)
        dev[0].wait_connected()
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        # NOTE(review): listing lines 3592-3595 are absent from this
        # rendering; the nesting of the second pass below is therefore not
        # recoverable here.
        params = int_eap_server_params()
        params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
        params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
        params['eap_fast_a_id_info'] = "test server %d" % i
        params['pac_key_refresh_time'] = "10"
        params['pac_key_lifetime'] = "10"
        hapd = hostapd.add_ap(apdev[0], params)
        # NOTE(review): listing line 3603 is absent from this rendering.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       phase1="fast_provisioning=1",
                       pac_file="blob://fast_pac_refresh",
                       scan_freq="2412", wait_connect=False)
        dev[0].wait_connected()
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        # NOTE(review): listing lines 3614-3616 are absent from this
        # rendering.
def test_ap_wpa2_eap_fast_pac_lifetime(dev, apdev):
    """EAP-FAST and PAC lifetime"""
    # A PAC with a 2 s lifetime must be rejected by the server once it has
    # expired (EAP-Failure), and the client must recover by provisioning a
    # new one on the next attempt.
    check_eap_capa(dev[0], "FAST")
    if "OK" not in dev[0].request("SET blob fast_pac_refresh "):
        raise Exception("Could not set blob")
    # NOTE(review): listing lines 3622-3623 are absent from this rendering;
    # `i` used below is bound there.
    params = int_eap_server_params()
    params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
    params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
    params['eap_fast_a_id_info'] = "test server %d" % i
    # No refresh window, very short lifetime so expiry is reachable.
    params['pac_key_refresh_time'] = "0"
    params['pac_key_lifetime'] = "2"
    hapd = hostapd.add_ap(apdev[0], params)
    # NOTE(review): listing line 3631 is absent from this rendering.
    # Authenticated provisioning (fast_provisioning=2) of the initial PAC.
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                        identity="user", anonymous_identity="FAST",
                        password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                        phase1="fast_provisioning=2",
                        pac_file="blob://fast_pac_refresh",
                        scan_freq="2412", wait_connect=False)
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # NOTE(review): listing lines 3642-3643 are absent from this rendering.
    # Flush PMKSA so the reconnect cannot short-circuit via PMK caching and
    # a full EAP exchange with the (now expired) PAC is forced.
    dev[0].request("PMKSA_FLUSH")
    dev[0].request("RECONNECT")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # NOTE(review): listing line 3647 is absent from this rendering.
        raise Exception("No EAP-Failure seen after expired PAC")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # NOTE(review): listing line 3651 is absent from this rendering.
    # The following attempt must succeed again (fresh PAC provisioned).
    dev[0].select_network(id)
    dev[0].wait_connected()
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    # fast_provisioning=2: authenticated provisioning, i.e. the PAC is issued
    # inside a tunnel in which the server has been authenticated (ca_cert).
    eap_connect(dev[0], hapd, "FAST", "user",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth",
                phase2="auth=GTC", ca_cert="auth_serv/ca.pem",
                anonymous_identity="FAST", password="password")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # Re-authentication must resume from the provisioned PAC instead of
    # running a full handshake again.
    session_reused = eap_reauth(dev[0], "FAST")['tls_session_reused'] == '1'
    if not session_reused:
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
    # A PAC provisioned for one user must not authenticate a different
    # identity: after switching identity the next EAP-FAST run is expected
    # to end in EAP failure.
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    id = eap_connect(dev[0], hapd, "FAST", "user",
                     anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                     phase1="fast_provisioning=2",
                     pac_file="blob://fast_pac_auth")
    # Changing the identity of the active network triggers a reconnect.
    dev[0].set_network_quoted(id, "identity", "user2")
    dev[0].wait_disconnected()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    # NOTE(review): listing line 3684 is absent from this rendering.
        raise Exception("EAP-FAST not started")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    # NOTE(review): listing line 3687 is absent from this rendering.
        raise Exception("EAP failure not reported")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
    # An allocation failure in the TLS-library-specific key derivation used
    # by EAP-FAST must be reported as an EAP failure.  The function to fail
    # depends on which TLS backend the supplicant was built with.
    check_eap_capa(dev[0], "FAST")
    tls = dev[0].request("GET tls_library")
    if tls.startswith("OpenSSL"):
        func = "tls_connection_get_eap_fast_key"
        # NOTE(review): listing line 3697 is absent from this rendering;
        # `count` used below is not bound in the visible lines.
    elif tls.startswith("internal"):
        func = "tls_connection_prf"
        # NOTE(review): listing lines 3700-3701 are absent from this
        # rendering; the raise below is nested under line 3701.
        raise HwsimSkip("Unsupported TLS library")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    with alloc_fail(dev[0], count, func):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password", ca_cert="auth_serv/ca.pem",
                       # NOTE(review): listing line 3709 is absent from this
                       # rendering.
                       phase1="fast_provisioning=2",
                       pac_file="blob://fast_pac_auth",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        # NOTE(review): listing line 3714 is absent from this rendering.
            raise Exception("EAP failure not reported")
        dev[0].request("DISCONNECT")
def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
    """EAP-FAST/MSCHAPv2 and server OOM"""
    # Server-side fault injection: an allocation failure in hostapd's TLS
    # session-ticket callback must fail the authentication cleanly, and a
    # later attempt against the same network must still be possible.
    check_eap_capa(dev[0], "FAST")
    # NOTE(review): listing line 3721 is absent from this rendering.
    params = int_eap_server_params()
    # NOTE(review): int_eap_server_params() already sets dh_file to this
    # same value; the assignment is redundant.
    params['dh_file'] = 'auth_serv/dh.conf'
    params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
    params['eap_fast_a_id'] = '1011'
    params['eap_fast_a_id_info'] = 'another test server'
    hapd = hostapd.add_ap(apdev[0], params)
    # NOTE(review): listing line 3728 is absent from this rendering.
    with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
        id = eap_connect(dev[0], hapd, "FAST", "user",
                         anonymous_identity="FAST", password="password",
                         ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                         phase1="fast_provisioning=1",
                         pac_file="blob://fast_pac",
                         expect_failure=True)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        # NOTE(review): listing line 3737 is absent from this rendering.
            raise Exception("No EAP failure reported")
        dev[0].wait_disconnected()
        dev[0].request("DISCONNECT")
    # NOTE(review): listing line 3741 is absent from this rendering.
    # Retry without the injected failure.
    dev[0].select_network(id, freq="2412")
    # NOTE(review): listing line 3743 is absent from this rendering.
def test_ap_wpa2_eap_fast_cipher_suites(dev, apdev):
    """EAP-FAST and different TLS cipher suites"""
    # Verifies the cipher suite negotiated for provisioning and that the
    # openssl_ciphers network parameter is honoured for PAC-based
    # authentication.  Needs an OpenSSL-compatible cipher string syntax.
    check_eap_capa(dev[0], "FAST")
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL") and not tls.startswith("wolfSSL"):
        raise HwsimSkip("TLS library is not OpenSSL or wolfSSL: " + tls)
    # NOTE(review): listing line 3750 is absent from this rendering.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # NOTE(review): listing line 3753 is absent from this rendering.
    # NOTE(review): unlike the other blob resets in this file, the result of
    # this SET is not checked.
    dev[0].request("SET blob fast_pac_ciphers ")
    eap_connect(dev[0], hapd, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_ciphers")
    # Read the negotiated cipher before tearing the network down.
    res = dev[0].get_status_field('EAP TLS cipher')
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    if res != "DHE-RSA-AES256-SHA":
        raise Exception("Unexpected cipher suite for provisioning: " + res)
    # NOTE(review): listing line 3765 is absent from this rendering.
    tests = ["DHE-RSA-AES128-SHA",
             # NOTE(review): listing lines 3767-3769 are absent from this
             # rendering (the except branch below refers to "RC4-SHA").
             "DHE-RSA-AES256-SHA"]
    for cipher in tests:
        dev[0].dump_monitor()
        logger.info("Testing " + cipher)
        # NOTE(review): listing line 3774 is absent from this rendering; the
        # except clause below implies it opens the try block.
            eap_connect(dev[0], hapd, "FAST", "user",
                        openssl_ciphers=cipher,
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                        pac_file="blob://fast_pac_ciphers",
                        report_failure=True)
        except Exception as e:
            # RC4-SHA is a legacy suite that OpenSSL 1.1 builds no longer
            # offer; its failure is tolerated only for that library version.
            if cipher == "RC4-SHA" and \
               ("Could not select EAP method" in str(e) or \
                "EAP failed" in str(e)):
                if "run=OpenSSL 1.1" in tls:
                    logger.info("Allow failure due to missing TLS library support")
                    dev[0].request("REMOVE_NETWORK all")
                    dev[0].wait_disconnected()
                    # NOTE(review): listing lines 3789-3790 are absent from
                    # this rendering (how other exceptions propagate is not
                    # visible here).
        res = dev[0].get_status_field('EAP TLS cipher')
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        # NOTE(review): listing line 3794 is absent from this rendering.
            raise Exception("Unexpected TLS cipher info (configured %s): %s" % (cipher, res))
def test_ap_wpa2_eap_fast_prov(dev, apdev):
    """EAP-FAST and provisioning options"""
    # Walks the server-side eap_fast_prov setting through its values
    # (0 = provisioning disabled, 1 = anonymous, 2 = authenticated, per the
    # log messages below) and checks the client outcome at each step, with
    # and without a previously provisioned PAC.
    check_eap_capa(dev[0], "FAST")
    if "OK" not in dev[0].request("SET blob fast_pac_prov "):
        raise Exception("Could not set blob")
    # NOTE(review): listing lines 3802-3803 are absent from this rendering;
    # `i` used below is bound there.
    params = int_eap_server_params()
    # Without PMKSA caching every select_network() runs a full EAP exchange,
    # so each step really exercises the current eap_fast_prov setting.
    params['disable_pmksa_caching'] = '1'
    params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
    params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
    params['eap_fast_a_id_info'] = "test server %d" % i
    params['eap_fast_prov'] = "0"
    hapd = hostapd.add_ap(apdev[0], params)
    # NOTE(review): listing line 3811 is absent from this rendering.
    logger.info("Provisioning attempt while server has provisioning disabled")
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                        identity="user", anonymous_identity="FAST",
                        password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                        phase1="fast_provisioning=2",
                        pac_file="blob://fast_pac_prov",
                        scan_freq="2412", wait_connect=False)
    # No PAC and no provisioning allowed: must fail.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
                           # NOTE(review): listing lines 3821-3822 are
                           # absent from this rendering.
        raise Exception("EAP result not reported")
    if "parameter='failure'" not in ev:
        raise Exception("Unexpected EAP result: " + ev)
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")
    dev[0].dump_monitor()
    # NOTE(review): listing lines 3829-3830 are absent from this rendering.
    logger.info("Authenticated provisioning")
    hapd.set("eap_fast_prov", "2")
    # NOTE(review): listing lines 3833-3834 are absent from this rendering.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
                           # NOTE(review): listing lines 3837-3838 absent.
        raise Exception("EAP result not reported")
    if "parameter='success'" not in ev:
        raise Exception("Unexpected EAP result: " + ev)
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    # NOTE(review): listing lines 3846-3847 are absent from this rendering.
    logger.info("Provisioning disabled - using previously provisioned PAC")
    hapd.set("eap_fast_prov", "0")
    # NOTE(review): listing lines 3850-3851 are absent from this rendering.
    # The PAC obtained above must be enough even with provisioning off.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
                           # NOTE(review): listing lines 3854-3855 absent.
        raise Exception("EAP result not reported")
    if "parameter='success'" not in ev:
        raise Exception("Unexpected EAP result: " + ev)
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    # NOTE(review): listing line 3863 is absent from this rendering.
    logger.info("Drop PAC and verify connection failure")
    # Clearing the blob discards the PAC; with provisioning still disabled
    # the client has no way in.
    if "OK" not in dev[0].request("SET blob fast_pac_prov "):
        raise Exception("Could not set blob")
    # NOTE(review): listing line 3867 is absent from this rendering.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
                           # NOTE(review): listing lines 3870-3871 absent.
        raise Exception("EAP result not reported")
    if "parameter='failure'" not in ev:
        raise Exception("Unexpected EAP result: " + ev)
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")
    dev[0].dump_monitor()
    # NOTE(review): listing lines 3878-3879 are absent from this rendering.
    logger.info("Anonymous provisioning")
    hapd.set("eap_fast_prov", "1")
    # NOTE(review): listing line 3882 is absent from this rendering.
    # Switch the client to anonymous provisioning to match the server.
    dev[0].set_network_quoted(id, "phase1", "fast_provisioning=1")
    dev[0].select_network(id, freq="2412")
    # Anonymous provisioning results in EAP-Failure first
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
                           # NOTE(review): listing lines 3887-3888 absent.
        raise Exception("EAP result not reported")
    if "parameter='failure'" not in ev:
        raise Exception("Unexpected EAP result: " + ev)
    dev[0].wait_disconnected()
    # And then the actual data connection
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
                           # NOTE(review): listing lines 3895-3896 absent.
        raise Exception("EAP result not reported")
    if "parameter='success'" not in ev:
        raise Exception("Unexpected EAP result: " + ev)
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    # NOTE(review): listing lines 3904-3905 are absent from this rendering.
    logger.info("Provisioning disabled - using previously provisioned PAC")
    hapd.set("eap_fast_prov", "0")
    # NOTE(review): listing lines 3908-3909 are absent from this rendering.
    # The anonymously provisioned PAC must likewise authenticate on its own.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
                           # NOTE(review): listing lines 3912-3913 absent.
        raise Exception("EAP result not reported")
    if "parameter='success'" not in ev:
        raise Exception("Unexpected EAP result: " + ev)
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP

    The station requires a stapled OCSP response for the server
    certificate (ocsp=2), so a missing or invalid response would make
    eap_connect() fail rather than silently fall back. The check_*
    helpers skip the test when the build lacks OCSP or PKCS#12 support.
    """
    sta = dev[0]
    check_ocsp_support(sta)
    check_pkcs12_support(sta)
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Client identity is proven with a password-protected PKCS#12 bundle;
    # the CA bundle is what the stapled response is validated against.
    credentials = {"ca_cert": "auth_serv/ca.pem",
                   "private_key": "auth_serv/user.pkcs12",
                   "private_key_passwd": "whatever",
                   "ocsp": 2}
    eap_connect(sta, ap, "TLS", "tls user", **credentials)
def test_ap_wpa2_eap_tls_ocsp_multi(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP-multi

    Same flow as test_ap_wpa2_eap_tls_ocsp, but gated on the build
    supporting the multi-response (status_request_v2) OCSP variant. The
    station still uses ocsp=2, i.e. a valid stapled response is required.
    """
    sta = dev[0]
    check_ocsp_multi_support(sta)
    check_pkcs12_support(sta)
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    credentials = {"ca_cert": "auth_serv/ca.pem",
                   "private_key": "auth_serv/user.pkcs12",
                   "private_key_passwd": "whatever",
                   "ocsp": 2}
    eap_connect(sta, ap, "TLS", "tls user", **credentials)
def int_eap_server_params():
    """Return a fresh hostapd configuration using the integrated EAP server.

    The AP is WPA2 (RSN, CCMP pairwise) with WPA-EAP key management and
    IEEE 802.1X enabled; hostapd terminates EAP itself (eap_server=1) and
    takes its user database, CA, server certificate, private key and DH
    parameters from the auth_serv/ test fixtures. Callers mutate the
    returned dict (e.g. swap the server certificate or add an OCSP
    response), so a new dict is built on every call.
    """
    rsn = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
           "rsn_pairwise": "CCMP", "ieee8021x": "1"}
    eap_server = {"eap_server": "1",
                  "eap_user_file": "auth_serv/eap_user.conf",
                  "ca_cert": "auth_serv/ca.pem",
                  "server_cert": "auth_serv/server.pem",
                  "private_key": "auth_serv/server.key",
                  "dh_file": "auth_serv/dh.conf"}
    return dict(rsn, **eap_server)
3953 def test_ap_wpa2_eap_tls_ocsp_key_id(dev
, apdev
, params
):
3954 """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
3955 check_ocsp_support(dev
[0])
3956 check_pkcs12_support(dev
[0])
3957 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-key-id.der")
3958 if not os
.path
.exists(ocsp
):
3959 raise HwsimSkip("No OCSP response available")
3960 params
= int_eap_server_params()
3961 params
["ocsp_stapling_response"] = ocsp
3962 hostapd
.add_ap(apdev
[0], params
)
3963 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3964 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3965 private_key
="auth_serv/user.pkcs12",
3966 private_key_passwd
="whatever", ocsp
=2,
3969 def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev
, apdev
, params
):
3970 """EAP-TLS and CA signed OCSP response (good)"""
3971 check_ocsp_support(dev
[0])
3972 check_pkcs12_support(dev
[0])
3973 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed.der")
3974 if not os
.path
.exists(ocsp
):
3975 raise HwsimSkip("No OCSP response available")
3976 params
= int_eap_server_params()
3977 params
["ocsp_stapling_response"] = ocsp
3978 hostapd
.add_ap(apdev
[0], params
)
3979 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3980 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3981 private_key
="auth_serv/user.pkcs12",
3982 private_key_passwd
="whatever", ocsp
=2,
3985 def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev
, apdev
, params
):
3986 """EAP-TLS and CA signed OCSP response (revoked)"""
3987 check_ocsp_support(dev
[0])
3988 check_pkcs12_support(dev
[0])
3989 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-revoked.der")
3990 if not os
.path
.exists(ocsp
):
3991 raise HwsimSkip("No OCSP response available")
3992 params
= int_eap_server_params()
3993 params
["ocsp_stapling_response"] = ocsp
3994 hostapd
.add_ap(apdev
[0], params
)
3995 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3996 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3997 private_key
="auth_serv/user.pkcs12",
3998 private_key_passwd
="whatever", ocsp
=2,
3999 wait_connect
=False, scan_freq
="2412")
4002 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4004 raise Exception("Timeout on EAP status")
4005 if 'bad certificate status response' in ev
:
4007 if 'certificate revoked' in ev
:
4011 raise Exception("Unexpected number of EAP status messages")
4013 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4015 raise Exception("Timeout on EAP failure report")
4017 def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev
, apdev
, params
):
4018 """EAP-TLS and CA signed OCSP response (unknown)"""
4019 check_ocsp_support(dev
[0])
4020 check_pkcs12_support(dev
[0])
4021 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-unknown.der")
4022 if not os
.path
.exists(ocsp
):
4023 raise HwsimSkip("No OCSP response available")
4024 params
= int_eap_server_params()
4025 params
["ocsp_stapling_response"] = ocsp
4026 hostapd
.add_ap(apdev
[0], params
)
4027 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4028 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4029 private_key
="auth_serv/user.pkcs12",
4030 private_key_passwd
="whatever", ocsp
=2,
4031 wait_connect
=False, scan_freq
="2412")
4034 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4036 raise Exception("Timeout on EAP status")
4037 if 'bad certificate status response' in ev
:
4041 raise Exception("Unexpected number of EAP status messages")
4043 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4045 raise Exception("Timeout on EAP failure report")
4047 def test_ap_wpa2_eap_tls_ocsp_server_signed(dev
, apdev
, params
):
4048 """EAP-TLS and server signed OCSP response"""
4049 check_ocsp_support(dev
[0])
4050 check_pkcs12_support(dev
[0])
4051 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-server-signed.der")
4052 if not os
.path
.exists(ocsp
):
4053 raise HwsimSkip("No OCSP response available")
4054 params
= int_eap_server_params()
4055 params
["ocsp_stapling_response"] = ocsp
4056 hostapd
.add_ap(apdev
[0], params
)
4057 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4058 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4059 private_key
="auth_serv/user.pkcs12",
4060 private_key_passwd
="whatever", ocsp
=2,
4061 wait_connect
=False, scan_freq
="2412")
4064 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4066 raise Exception("Timeout on EAP status")
4067 if 'bad certificate status response' in ev
:
4071 raise Exception("Unexpected number of EAP status messages")
4073 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4075 raise Exception("Timeout on EAP failure report")
4077 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev
, apdev
):
4078 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
4079 check_ocsp_support(dev
[0])
4080 check_pkcs12_support(dev
[0])
4081 params
= int_eap_server_params()
4082 params
["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
4083 hostapd
.add_ap(apdev
[0], params
)
4084 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4085 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4086 private_key
="auth_serv/user.pkcs12",
4087 private_key_passwd
="whatever", ocsp
=2,
4088 wait_connect
=False, scan_freq
="2412")
4091 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4093 raise Exception("Timeout on EAP status")
4094 if 'bad certificate status response' in ev
:
4098 raise Exception("Unexpected number of EAP status messages")
4100 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4102 raise Exception("Timeout on EAP failure report")
4104 def test_ap_wpa2_eap_tls_ocsp_invalid(dev
, apdev
):
4105 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
4106 check_ocsp_support(dev
[0])
4107 check_pkcs12_support(dev
[0])
4108 params
= int_eap_server_params()
4109 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
4110 hostapd
.add_ap(apdev
[0], params
)
4111 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4112 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4113 private_key
="auth_serv/user.pkcs12",
4114 private_key_passwd
="whatever", ocsp
=2,
4115 wait_connect
=False, scan_freq
="2412")
4118 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4120 raise Exception("Timeout on EAP status")
4121 if 'bad certificate status response' in ev
:
4125 raise Exception("Unexpected number of EAP status messages")
4127 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4129 raise Exception("Timeout on EAP failure report")
4131 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev
, apdev
):
4132 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
4133 check_ocsp_support(dev
[0])
4134 check_pkcs12_support(dev
[0])
4135 params
= int_eap_server_params()
4136 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
4137 hostapd
.add_ap(apdev
[0], params
)
4138 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4139 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4140 private_key
="auth_serv/user.pkcs12",
4141 private_key_passwd
="whatever", ocsp
=2,
4142 wait_connect
=False, scan_freq
="2412")
4145 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4147 raise Exception("Timeout on EAP status")
4148 if 'bad certificate status response' in ev
:
4152 raise Exception("Unexpected number of EAP status messages")
4154 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4156 raise Exception("Timeout on EAP failure report")
4158 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev
, apdev
, params
):
4159 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
4160 check_ocsp_support(dev
[0])
4161 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-revoked.der")
4162 if not os
.path
.exists(ocsp
):
4163 raise HwsimSkip("No OCSP response available")
4164 params
= int_eap_server_params()
4165 params
["ocsp_stapling_response"] = ocsp
4166 hostapd
.add_ap(apdev
[0], params
)
4167 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4168 identity
="pap user", ca_cert
="auth_serv/ca.pem",
4169 anonymous_identity
="ttls", password
="password",
4170 phase2
="auth=PAP", ocsp
=2,
4171 wait_connect
=False, scan_freq
="2412")
4174 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4176 raise Exception("Timeout on EAP status")
4177 if 'bad certificate status response' in ev
:
4179 if 'certificate revoked' in ev
:
4183 raise Exception("Unexpected number of EAP status messages")
4185 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4187 raise Exception("Timeout on EAP failure report")
4189 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev
, apdev
, params
):
4190 """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown"""
4191 check_ocsp_support(dev
[0])
4192 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-unknown.der")
4193 if not os
.path
.exists(ocsp
):
4194 raise HwsimSkip("No OCSP response available")
4195 params
= int_eap_server_params()
4196 params
["ocsp_stapling_response"] = ocsp
4197 hostapd
.add_ap(apdev
[0], params
)
4198 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4199 identity
="pap user", ca_cert
="auth_serv/ca.pem",
4200 anonymous_identity
="ttls", password
="password",
4201 phase2
="auth=PAP", ocsp
=2,
4202 wait_connect
=False, scan_freq
="2412")
4205 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4207 raise Exception("Timeout on EAP status")
4208 if 'bad certificate status response' in ev
:
4212 raise Exception("Unexpected number of EAP status messages")
4214 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4216 raise Exception("Timeout on EAP failure report")
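def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP status unknown

    The AP staples a pre-generated OCSP response whose status is
    "unknown". Unlike test_ap_wpa2_eap_ttls_ocsp_unknown (ocsp=2, which
    must fail), the station here uses ocsp=1 - request stapling but do
    not require a usable response - so the connection is expected to
    complete.

    Args:
        dev: station wpa_supplicant instances; dev[0] is used.
        apdev: AP radio descriptors; apdev[0] is used.
        params: test-run parameters; 'logdir' locates the OCSP fixture.

    Raises:
        HwsimSkip: OCSP unsupported in the build or fixture missing.
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # Use a distinct name for the AP configuration instead of shadowing
    # the test-run 'params' argument.
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    # No wait_connect=False here: with ocsp=1 an "unknown" status is
    # tolerated and connect() is expected to reach the associated state.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")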
4232 def test_ap_wpa2_eap_tls_intermediate_ca(dev
, apdev
, params
):
4233 """EAP-TLS with intermediate server/user CA"""
4234 params
= int_eap_server_params()
4235 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4236 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4237 params
["private_key"] = "auth_serv/iCA-server/server.key"
4238 hostapd
.add_ap(apdev
[0], params
)
4239 tls
= dev
[0].request("GET tls_library")
4240 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4241 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4242 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4244 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4245 client_cert
= "auth_serv/iCA-user/user.pem"
4246 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4247 identity
="tls user",
4249 client_cert
=client_cert
,
4250 private_key
="auth_serv/iCA-user/user.key",
4253 def root_ocsp(cert
):
4254 ca
= "auth_serv/ca.pem"
4256 fd2
, fn2
= tempfile
.mkstemp()
4259 arg
= ["openssl", "ocsp", "-reqout", fn2
, "-issuer", ca
, "-sha256",
4260 "-cert", cert
, "-no_nonce", "-text"]
4261 logger
.info(' '.join(arg
))
4262 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4263 stderr
=subprocess
.PIPE
)
4264 res
= cmd
.stdout
.read().decode() + "\n" + cmd
.stderr
.read().decode()
4268 if cmd
.returncode
!= 0:
4269 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4270 logger
.info("OCSP request:\n" + res
)
4272 fd
, fn
= tempfile
.mkstemp()
4274 arg
= ["openssl", "ocsp", "-index", "auth_serv/rootCA/index.txt",
4275 "-rsigner", ca
, "-rkey", "auth_serv/ca-key.pem",
4276 "-CA", ca
, "-issuer", ca
, "-verify_other", ca
, "-trust_other",
4277 "-ndays", "7", "-reqin", fn2
, "-resp_no_certs", "-respout", fn
,
4279 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4280 stderr
=subprocess
.PIPE
)
4281 res
= cmd
.stdout
.read().decode() + "\n" + cmd
.stderr
.read().decode()
4285 if cmd
.returncode
!= 0:
4286 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4287 logger
.info("OCSP response:\n" + res
)
4291 def ica_ocsp(cert
, md
="-sha256"):
4292 prefix
= "auth_serv/iCA-server/"
4293 ca
= prefix
+ "cacert.pem"
4294 cert
= prefix
+ cert
4296 fd2
, fn2
= tempfile
.mkstemp()
4299 arg
= ["openssl", "ocsp", "-reqout", fn2
, "-issuer", ca
, md
,
4300 "-cert", cert
, "-no_nonce", "-text"]
4301 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4302 stderr
=subprocess
.PIPE
)
4303 res
= cmd
.stdout
.read().decode() + "\n" + cmd
.stderr
.read().decode()
4307 if cmd
.returncode
!= 0:
4308 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4309 logger
.info("OCSP request:\n" + res
)
4311 fd
, fn
= tempfile
.mkstemp()
4313 arg
= ["openssl", "ocsp", "-index", prefix
+ "index.txt",
4314 "-rsigner", ca
, "-rkey", prefix
+ "private/cakey.pem",
4315 "-CA", ca
, "-issuer", ca
, "-verify_other", ca
, "-trust_other",
4316 "-ndays", "7", "-reqin", fn2
, "-resp_no_certs", "-respout", fn
,
4318 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4319 stderr
=subprocess
.PIPE
)
4320 res
= cmd
.stdout
.read().decode() + "\n" + cmd
.stderr
.read().decode()
4324 if cmd
.returncode
!= 0:
4325 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4326 logger
.info("OCSP response:\n" + res
)
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on server certificate

    Thin wrapper: the shared run_ap_wpa2_eap_tls_intermediate_ca_ocsp()
    does the work; the digest option is handed to the openssl ocsp
    invocation that builds the stapled response.
    """
    digest = "-sha256"
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, digest)
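def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_sha1(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on server certificate (SHA1)

    Same flow as test_ap_wpa2_eap_tls_intermediate_ca_ocsp; only the
    digest passed to the openssl ocsp request differs, so this covers
    the SHA-1 response path as well as SHA-256.
    """
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, "-sha1")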
4338 def run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev
, apdev
, params
, md
):
4339 params
= int_eap_server_params()
4340 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4341 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4342 params
["private_key"] = "auth_serv/iCA-server/server.key"
4343 fn
= ica_ocsp("server.pem", md
)
4344 params
["ocsp_stapling_response"] = fn
4346 hostapd
.add_ap(apdev
[0], params
)
4347 tls
= dev
[0].request("GET tls_library")
4348 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4349 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4350 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4352 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4353 client_cert
= "auth_serv/iCA-user/user.pem"
4354 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4355 identity
="tls user",
4357 client_cert
=client_cert
,
4358 private_key
="auth_serv/iCA-user/user.key",
4359 scan_freq
="2412", ocsp
=2)
4363 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
):
4364 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate"""
4365 run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
,
4368 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked_sha1(dev
, apdev
, params
):
4369 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate (SHA1)"""
4370 run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
,
4373 def run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
, md
):
4374 check_ocsp_support(dev
[0])
4375 params
= int_eap_server_params()
4376 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4377 params
["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
4378 params
["private_key"] = "auth_serv/iCA-server/server-revoked.key"
4379 fn
= ica_ocsp("server-revoked.pem", md
)
4380 params
["ocsp_stapling_response"] = fn
4382 hostapd
.add_ap(apdev
[0], params
)
4383 tls
= dev
[0].request("GET tls_library")
4384 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4385 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4386 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4388 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4389 client_cert
= "auth_serv/iCA-user/user.pem"
4390 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4391 identity
="tls user",
4393 client_cert
=client_cert
,
4394 private_key
="auth_serv/iCA-user/user.key",
4395 scan_freq
="2412", ocsp
=1, wait_connect
=False)
4398 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4399 "CTRL-EVENT-EAP-SUCCESS"])
4401 raise Exception("Timeout on EAP status")
4402 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4403 raise Exception("Unexpected EAP-Success")
4404 if 'bad certificate status response' in ev
:
4406 if 'certificate revoked' in ev
:
4410 raise Exception("Unexpected number of EAP status messages")
4412 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4414 raise Exception("Timeout on EAP failure report")
4415 dev
[0].request("REMOVE_NETWORK all")
4416 dev
[0].wait_disconnected()
4420 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev
, apdev
, params
):
4421 """EAP-TLS with intermediate server/user CA and OCSP multi missing response"""
4422 check_ocsp_support(dev
[0])
4423 check_ocsp_multi_support(dev
[0])
4425 params
= int_eap_server_params()
4426 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4427 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4428 params
["private_key"] = "auth_serv/iCA-server/server.key"
4429 fn
= ica_ocsp("server.pem")
4430 params
["ocsp_stapling_response"] = fn
4432 hostapd
.add_ap(apdev
[0], params
)
4433 tls
= dev
[0].request("GET tls_library")
4434 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4435 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4436 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4438 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4439 client_cert
= "auth_serv/iCA-user/user.pem"
4440 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4441 identity
="tls user",
4443 client_cert
=client_cert
,
4444 private_key
="auth_serv/iCA-user/user.key",
4445 scan_freq
="2412", ocsp
=3, wait_connect
=False)
4448 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4449 "CTRL-EVENT-EAP-SUCCESS"])
4451 raise Exception("Timeout on EAP status")
4452 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4453 raise Exception("Unexpected EAP-Success")
4454 if 'bad certificate status response' in ev
:
4456 if 'certificate revoked' in ev
:
4460 raise Exception("Unexpected number of EAP status messages")
4462 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4464 raise Exception("Timeout on EAP failure report")
4465 dev
[0].request("REMOVE_NETWORK all")
4466 dev
[0].wait_disconnected()
4470 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev
, apdev
, params
):
4471 """EAP-TLS with intermediate server/user CA and OCSP multi OK"""
4472 check_ocsp_support(dev
[0])
4473 check_ocsp_multi_support(dev
[0])
4475 params
= int_eap_server_params()
4476 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4477 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4478 params
["private_key"] = "auth_serv/iCA-server/server.key"
4479 fn
= ica_ocsp("server.pem")
4480 fn2
= root_ocsp("auth_serv/iCA-server/cacert.pem")
4481 params
["ocsp_stapling_response"] = fn
4483 with
open(fn
, "rb") as f
:
4484 resp_server
= f
.read()
4485 with
open(fn2
, "rb") as f
:
4488 fd3
, fn3
= tempfile
.mkstemp()
4490 f
= os
.fdopen(fd3
, 'wb')
4491 f
.write(struct
.pack(">L", len(resp_server
))[1:4])
4492 f
.write(resp_server
)
4493 f
.write(struct
.pack(">L", len(resp_ica
))[1:4])
4497 params
["ocsp_stapling_response_multi"] = fn3
4499 hostapd
.add_ap(apdev
[0], params
)
4500 tls
= dev
[0].request("GET tls_library")
4501 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4502 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4503 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4505 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4506 client_cert
= "auth_serv/iCA-user/user.pem"
4507 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4508 identity
="tls user",
4510 client_cert
=client_cert
,
4511 private_key
="auth_serv/iCA-user/user.key",
4512 scan_freq
="2412", ocsp
=3)
4513 dev
[0].request("REMOVE_NETWORK all")
4514 dev
[0].wait_disconnected()
4520 def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev
, apdev
, params
):
4521 """EAP-TLS and CA signed OCSP multi response (revoked)"""
4522 check_ocsp_support(dev
[0])
4523 check_ocsp_multi_support(dev
[0])
4524 check_pkcs12_support(dev
[0])
4526 ocsp_revoked
= os
.path
.join(params
['logdir'],
4527 "ocsp-resp-ca-signed-revoked.der")
4528 if not os
.path
.exists(ocsp_revoked
):
4529 raise HwsimSkip("No OCSP response (revoked) available")
4530 ocsp_unknown
= os
.path
.join(params
['logdir'],
4531 "ocsp-resp-ca-signed-unknown.der")
4532 if not os
.path
.exists(ocsp_unknown
):
4533 raise HwsimSkip("No OCSP response(unknown) available")
4535 with
open(ocsp_revoked
, "rb") as f
:
4536 resp_revoked
= f
.read()
4537 with
open(ocsp_unknown
, "rb") as f
:
4538 resp_unknown
= f
.read()
4540 fd
, fn
= tempfile
.mkstemp()
4542 # This is not really a valid order of the OCSPResponse items in the
4543 # list, but this works for now to verify parsing and processing of
4544 # multiple responses.
4545 f
= os
.fdopen(fd
, 'wb')
4546 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
4547 f
.write(resp_unknown
)
4548 f
.write(struct
.pack(">L", len(resp_revoked
))[1:4])
4549 f
.write(resp_revoked
)
4550 f
.write(struct
.pack(">L", 0)[1:4])
4551 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
4552 f
.write(resp_unknown
)
4555 params
= int_eap_server_params()
4556 params
["ocsp_stapling_response_multi"] = fn
4557 hostapd
.add_ap(apdev
[0], params
)
4558 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4559 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4560 private_key
="auth_serv/user.pkcs12",
4561 private_key_passwd
="whatever", ocsp
=1,
4562 wait_connect
=False, scan_freq
="2412")
4565 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4566 "CTRL-EVENT-EAP-SUCCESS"])
4568 raise Exception("Timeout on EAP status")
4569 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4570 raise Exception("Unexpected EAP-Success")
4571 if 'bad certificate status response' in ev
:
4573 if 'certificate revoked' in ev
:
4577 raise Exception("Unexpected number of EAP status messages")
4581 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev
, apdev
):
4582 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
4583 check_domain_match_full(dev
[0])
4584 check_pkcs12_support(dev
[0])
4585 params
= int_eap_server_params()
4586 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4587 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4588 hostapd
.add_ap(apdev
[0], params
)
4589 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4590 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4591 private_key
="auth_serv/user.pkcs12",
4592 private_key_passwd
="whatever",
4593 domain_suffix_match
="server3.w1.fi",
4596 def test_ap_wpa2_eap_tls_domain_match_cn(dev
, apdev
):
4597 """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
4598 check_domain_match(dev
[0])
4599 check_pkcs12_support(dev
[0])
4600 params
= int_eap_server_params()
4601 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4602 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4603 hostapd
.add_ap(apdev
[0], params
)
4604 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4605 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4606 private_key
="auth_serv/user.pkcs12",
4607 private_key_passwd
="whatever",
4608 domain_match
="server3.w1.fi",
4611 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev
, apdev
):
4612 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
4613 check_domain_match_full(dev
[0])
4614 check_pkcs12_support(dev
[0])
4615 params
= int_eap_server_params()
4616 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4617 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4618 hostapd
.add_ap(apdev
[0], params
)
4619 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4620 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4621 private_key
="auth_serv/user.pkcs12",
4622 private_key_passwd
="whatever",
4623 domain_suffix_match
="w1.fi",
4626 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev
, apdev
):
4627 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
4628 check_domain_suffix_match(dev
[0])
4629 check_pkcs12_support(dev
[0])
4630 params
= int_eap_server_params()
4631 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4632 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4633 hostapd
.add_ap(apdev
[0], params
)
4634 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4635 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4636 private_key
="auth_serv/user.pkcs12",
4637 private_key_passwd
="whatever",
4638 domain_suffix_match
="example.com",
4641 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4642 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4643 private_key
="auth_serv/user.pkcs12",
4644 private_key_passwd
="whatever",
4645 domain_suffix_match
="erver3.w1.fi",
4648 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4650 raise Exception("Timeout on EAP failure report")
4651 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4653 raise Exception("Timeout on EAP failure report (2)")
4655 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev
, apdev
):
4656 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
4657 check_domain_match(dev
[0])
4658 check_pkcs12_support(dev
[0])
4659 params
= int_eap_server_params()
4660 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4661 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4662 hostapd
.add_ap(apdev
[0], params
)
4663 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4664 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4665 private_key
="auth_serv/user.pkcs12",
4666 private_key_passwd
="whatever",
4667 domain_match
="example.com",
4670 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4671 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4672 private_key
="auth_serv/user.pkcs12",
4673 private_key_passwd
="whatever",
4674 domain_match
="w1.fi",
4677 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4679 raise Exception("Timeout on EAP failure report")
4680 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4682 raise Exception("Timeout on EAP failure report (2)")
4684 def test_ap_wpa2_eap_ttls_expired_cert(dev
, apdev
):
4685 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
4686 skip_with_fips(dev
[0])
4687 params
= int_eap_server_params()
4688 params
["server_cert"] = "auth_serv/server-expired.pem"
4689 params
["private_key"] = "auth_serv/server-expired.key"
4690 hostapd
.add_ap(apdev
[0], params
)
4691 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4692 identity
="mschap user", password
="password",
4693 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4696 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
4698 raise Exception("Timeout on EAP certificate error report")
4699 if "reason=4" not in ev
or "certificate has expired" not in ev
:
4700 raise Exception("Unexpected failure reason: " + ev
)
4701 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4703 raise Exception("Timeout on EAP failure report")
4705 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev
, apdev
):
4706 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
4707 skip_with_fips(dev
[0])
4708 params
= int_eap_server_params()
4709 params
["server_cert"] = "auth_serv/server-expired.pem"
4710 params
["private_key"] = "auth_serv/server-expired.key"
4711 hostapd
.add_ap(apdev
[0], params
)
4712 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4713 identity
="mschap user", password
="password",
4714 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4715 phase1
="tls_disable_time_checks=1",
4718 def test_ap_wpa2_eap_ttls_long_duration(dev
, apdev
):
4719 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
4720 skip_with_fips(dev
[0])
4721 params
= int_eap_server_params()
4722 params
["server_cert"] = "auth_serv/server-long-duration.pem"
4723 params
["private_key"] = "auth_serv/server-long-duration.key"
4724 hostapd
.add_ap(apdev
[0], params
)
4725 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4726 identity
="mschap user", password
="password",
4727 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4730 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev
, apdev
):
4731 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
4732 skip_with_fips(dev
[0])
4733 params
= int_eap_server_params()
4734 params
["server_cert"] = "auth_serv/server-eku-client.pem"
4735 params
["private_key"] = "auth_serv/server-eku-client.key"
4736 hostapd
.add_ap(apdev
[0], params
)
4737 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4738 identity
="mschap user", password
="password",
4739 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4742 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4744 raise Exception("Timeout on EAP failure report")
4746 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev
, apdev
):
4747 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
4748 skip_with_fips(dev
[0])
4749 params
= int_eap_server_params()
4750 params
["server_cert"] = "auth_serv/server-eku-client-server.pem"
4751 params
["private_key"] = "auth_serv/server-eku-client-server.key"
4752 hostapd
.add_ap(apdev
[0], params
)
4753 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4754 identity
="mschap user", password
="password",
4755 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4758 def test_ap_wpa2_eap_ttls_server_pkcs12(dev
, apdev
):
4759 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
4760 skip_with_fips(dev
[0])
4761 params
= int_eap_server_params()
4762 del params
["server_cert"]
4763 params
["private_key"] = "auth_serv/server.pkcs12"
4764 hostapd
.add_ap(apdev
[0], params
)
4765 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4766 identity
="mschap user", password
="password",
4767 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4770 def test_ap_wpa2_eap_ttls_server_pkcs12_extra(dev
, apdev
):
4771 """EAP-TTLS and server PKCS#12 file with extra certs"""
4772 skip_with_fips(dev
[0])
4773 params
= int_eap_server_params()
4774 del params
["server_cert"]
4775 params
["private_key"] = "auth_serv/server-extra.pkcs12"
4776 params
["private_key_passwd"] = "whatever"
4777 hostapd
.add_ap(apdev
[0], params
)
4778 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4779 identity
="mschap user", password
="password",
4780 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
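def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params"""
    # Docstring corrected: the inner method configured below is PAP
    # (phase2="auth=PAP"), not CHAP.
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Station-side profile: EAP-TTLS outer tunnel, PAP inside, and an
    # explicit DH parameter file for the TLS handshake.
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                   dh_file="auth_serv/dh.conf")
    eap_connect(dev[0], ap, "TTLS", "pap user", **sta_cfg)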
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
    # Skip unless the station's TLS library accepts DSA-style DH parameters.
    check_dh_dsa_support(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same profile as the plain DH-params test, but with dsaparam.pem.
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                   dh_file="auth_serv/dsaparam.pem")
    eap_connect(dev[0], ap, "TTLS", "pap user", **sta_cfg)
4802 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev
, apdev
):
4803 """EAP-TTLS and DH params file not found"""
4804 skip_with_fips(dev
[0])
4805 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4806 hostapd
.add_ap(apdev
[0], params
)
4807 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4808 identity
="mschap user", password
="password",
4809 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4810 dh_file
="auth_serv/dh-no-such-file.conf",
4811 scan_freq
="2412", wait_connect
=False)
4812 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4814 raise Exception("EAP failure timed out")
4815 dev
[0].request("REMOVE_NETWORK all")
4816 dev
[0].wait_disconnected()
4818 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev
, apdev
):
4819 """EAP-TTLS and invalid DH params file"""
4820 skip_with_fips(dev
[0])
4821 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4822 hostapd
.add_ap(apdev
[0], params
)
4823 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4824 identity
="mschap user", password
="password",
4825 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4826 dh_file
="auth_serv/ca.pem",
4827 scan_freq
="2412", wait_connect
=False)
4828 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4830 raise Exception("EAP failure timed out")
4831 dev
[0].request("REMOVE_NETWORK all")
4832 dev
[0].wait_disconnected()
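def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params from blob"""
    # Docstring corrected: phase2 below is PAP, not CHAP.
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The DH parameters are handed to wpa_supplicant as a named in-memory
    # blob (hex-encoded over the control interface) rather than as a file
    # path; the network profile then refers to it with the blob:// scheme.
    dh_hex = binascii.hexlify(read_pem("auth_serv/dh2.conf")).decode()
    res = dev[0].request("SET blob dhparams " + dh_hex)
    if "OK" not in res:
        raise Exception("Could not set dhparams blob")
    eap_connect(dev[0], ap, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="blob://dhparams")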
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
    # Integrated EAP server configuration with a non-default DH parameter
    # file on the AP side; the station uses its defaults.
    ap_params = dict(int_eap_server_params(), dh_file="auth_serv/dh2.conf")
    ap = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[0], ap, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP")
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
    # As the previous server dhparams test, but the AP loads dsaparam.pem.
    ap_params = dict(int_eap_server_params(),
                     dh_file="auth_serv/dsaparam.pem")
    ap = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[0], ap, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP")
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found"""
    # NOTE(review): this file defines another function with exactly this
    # name earlier (the station-side "DH params file not found" variant).
    # In Python the later definition replaces the earlier one in the module
    # namespace, so only this server-side test is discoverable; confirm the
    # intended naming.
    #
    # The AP is added without enabling it so that ENABLE's result can be
    # inspected: a missing dhparams file must make ENABLE fail rather than
    # let the server start with some fallback.
    ap_params = dict(int_eap_server_params(),
                     dh_file="auth_serv/dh-no-such-file.conf")
    ap = hostapd.add_ap(apdev[0], ap_params, no_enable=True)
    res = ap.request("ENABLE")
    if "FAIL" not in res:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file"""
    # NOTE(review): an earlier function in this file carries exactly this
    # name (the station-side "invalid DH params file" variant); the later
    # definition shadows it, so only this one is discoverable. Confirm the
    # intended naming.
    #
    # A CA certificate is deliberately supplied where DH parameters are
    # expected; ENABLE must reject the configuration.
    ap_params = dict(int_eap_server_params(), dh_file="auth_serv/ca.pem")
    ap = hostapd.add_ap(apdev[0], ap_params, no_enable=True)
    res = ap.request("ENABLE")
    if "FAIL" not in res:
        raise Exception("Invalid configuration accepted")
4880 def test_ap_wpa2_eap_reauth(dev
, apdev
):
4881 """WPA2-Enterprise and Authenticator forcing reauthentication"""
4882 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4883 params
['eap_reauth_period'] = '2'
4884 hapd
= hostapd
.add_ap(apdev
[0], params
)
4885 eap_connect(dev
[0], hapd
, "PAX", "pax.user@example.com",
4886 password_hex
="0123456789abcdef0123456789abcdef")
4887 logger
.info("Wait for reauthentication")
4888 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
4890 raise Exception("Timeout on reauthentication")
4891 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
4893 raise Exception("Timeout on reauthentication")
4894 for i
in range(0, 20):
4895 state
= dev
[0].get_status_field("wpa_state")
4896 if state
== "COMPLETED":
4899 if state
!= "COMPLETED":
4900 raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # The literal backslash-zero in the value is kept as written in the
    # hostapd configuration; presumably hostapd turns it into the NUL that
    # separates the displayable text from the option list - confirm against
    # hostapd.conf documentation.
    ap_params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    ap = hostapd.add_ap(apdev[0], ap_params)
    # Any method works here; EAP-PAX is used as a simple password-based one.
    eap_connect(dev[0], ap, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
    check_hlr_auc_gw_support()
    ap_params = int_eap_server_params()
    ap_params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    # Ask the server to use the protected success/failure indication.
    ap_params['eap_sim_aka_result_ind'] = "1"
    ap = hostapd.add_ap(apdev[0], ap_params)

    # (method, identity, password) for each SIM-family method exercised.
    # The password strings are the station-side test credentials; presumably
    # they match the entries in the hlr_auc_gw test database - confirm.
    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, identity, secret) in enumerate(cases):
        if idx:
            # Drop the previous method's profiles on both stations before
            # moving on (no cleanup is done after the last method).
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        # dev[0] requests the result indication (result_ind=1) and also
        # performs a reauthentication; dev[1] connects without requesting it.
        eap_connect(dev[0], ap, method, identity, password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], ap, method, identity, password=secret)
4945 def test_ap_wpa2_eap_sim_zero_db_timeout(dev
, apdev
):
4946 """WPA2-Enterprise using EAP-SIM with zero database timeout"""
4947 check_hlr_auc_gw_support()
4948 params
= int_eap_server_params()
4949 params
['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
4950 params
['eap_sim_db_timeout'] = "0"
4951 params
['disable_pmksa_caching'] = '1'
4952 hapd
= hostapd
.add_ap(apdev
[0], params
)
4954 # Run multiple iterations to make it more likely to hit the case where the
4955 # DB request times out and response is lost.
4957 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
4958 identity
="1232010000000000",
4959 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4960 wait_connect
=False, scan_freq
="2412")
4961 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
4962 "CTRL-EVENT-DISCONNECTED"],
4965 raise Exception("No connection result")
4966 dev
[0].request("REMOVE_NETWORK all")
4967 if "CTRL-EVENT-DISCONNECTED" in ev
:
4969 dev
[0].wait_disconnected()
4972 def test_ap_wpa2_eap_too_many_roundtrips(dev
, apdev
):
4973 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
4974 skip_with_fips(dev
[0])
4975 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4976 hostapd
.add_ap(apdev
[0], params
)
4977 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
4978 eap
="TTLS", identity
="mschap user",
4979 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
4980 anonymous_identity
="ttls", password
="password",
4981 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4983 ev
= dev
[0].wait_event(["EAP: more than",
4984 "CTRL-EVENT-EAP-SUCCESS"], timeout
=20)
4985 if ev
is None or "EAP: more than" not in ev
:
4986 raise Exception("EAP roundtrip limit not reached")
4988 def test_ap_wpa2_eap_expanded_nak(dev
, apdev
):
4989 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
4990 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4991 hostapd
.add_ap(apdev
[0], params
)
4992 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
4993 eap
="PSK", identity
="vendor-test",
4994 password_hex
="ff23456789abcdef0123456789abcdef",
4998 for i
in range(0, 5):
4999 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout
=16)
5001 raise Exception("Association and EAP start timed out")
5002 if "refuse proposed method" in ev
:
5006 raise Exception("Unexpected EAP status: " + ev
)
5008 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
5010 raise Exception("EAP failure timed out")
5012 def test_ap_wpa2_eap_sql(dev
, apdev
, params
):
5013 """WPA2-Enterprise connection using SQLite for user DB"""
5014 skip_with_fips(dev
[0])
5018 raise HwsimSkip("No sqlite3 module available")
5019 dbfile
= os
.path
.join(params
['logdir'], "eap-user.db")
5024 con
= sqlite3
.connect(dbfile
)
5027 cur
.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
5028 cur
.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
5029 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
5030 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
5031 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
5032 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
5033 cur
.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
5034 cur
.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
5037 params
= int_eap_server_params()
5038 params
["eap_user_file"] = "sqlite:" + dbfile
5039 hapd
= hostapd
.add_ap(apdev
[0], params
)
5040 eap_connect(dev
[0], hapd
, "TTLS", "user-mschapv2",
5041 anonymous_identity
="ttls", password
="password",
5042 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
5043 dev
[0].request("REMOVE_NETWORK all")
5044 eap_connect(dev
[1], hapd
, "TTLS", "user-mschap",
5045 anonymous_identity
="ttls", password
="password",
5046 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP")
5047 dev
[1].request("REMOVE_NETWORK all")
5048 eap_connect(dev
[0], hapd
, "TTLS", "user-chap",
5049 anonymous_identity
="ttls", password
="password",
5050 ca_cert
="auth_serv/ca.pem", phase2
="auth=CHAP")
5051 eap_connect(dev
[1], hapd
, "TTLS", "user-pap",
5052 anonymous_identity
="ttls", password
="password",
5053 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5057 def test_ap_wpa2_eap_non_ascii_identity(dev
, apdev
):
5058 """WPA2-Enterprise connection attempt using non-ASCII identity"""
5059 params
= int_eap_server_params()
5060 hostapd
.add_ap(apdev
[0], params
)
5061 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
5062 identity
="\x80", password
="password", wait_connect
=False)
5063 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
5064 identity
="a\x80", password
="password", wait_connect
=False)
5065 for i
in range(0, 2):
5066 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
5068 raise Exception("Association and EAP start timed out")
5069 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
5071 raise Exception("EAP method selection timed out")
5073 def test_ap_wpa2_eap_non_ascii_identity2(dev
, apdev
):
5074 """WPA2-Enterprise connection attempt using non-ASCII identity"""
5075 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5076 hostapd
.add_ap(apdev
[0], params
)
5077 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
5078 identity
="\x80", password
="password", wait_connect
=False)
5079 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
5080 identity
="a\x80", password
="password", wait_connect
=False)
5081 for i
in range(0, 2):
5082 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
5084 raise Exception("Association and EAP start timed out")
5085 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
5087 raise Exception("EAP method selection timed out")
5089 def test_openssl_cipher_suite_config_wpas(dev
, apdev
):
5090 """OpenSSL cipher suite configuration on wpa_supplicant"""
5091 tls
= dev
[0].request("GET tls_library")
5092 if not tls
.startswith("OpenSSL"):
5093 raise HwsimSkip("TLS library is not OpenSSL: " + tls
)
5094 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5095 hapd
= hostapd
.add_ap(apdev
[0], params
)
5096 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5097 anonymous_identity
="ttls", password
="password",
5098 openssl_ciphers
="AES128",
5099 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5100 eap_connect(dev
[1], hapd
, "TTLS", "pap user",
5101 anonymous_identity
="ttls", password
="password",
5102 openssl_ciphers
="EXPORT",
5103 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
5104 expect_failure
=True, maybe_local_error
=True)
5105 dev
[2].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
5106 identity
="pap user", anonymous_identity
="ttls",
5107 password
="password",
5108 openssl_ciphers
="FOO",
5109 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
5111 ev
= dev
[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
5113 raise Exception("EAP failure after invalid openssl_ciphers not reported")
5114 dev
[2].request("DISCONNECT")
5116 def test_openssl_cipher_suite_config_hapd(dev
, apdev
):
5117 """OpenSSL cipher suite configuration on hostapd"""
5118 tls
= dev
[0].request("GET tls_library")
5119 if not tls
.startswith("OpenSSL"):
5120 raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls
)
5121 params
= int_eap_server_params()
5122 params
['openssl_ciphers'] = "AES256"
5123 hapd
= hostapd
.add_ap(apdev
[0], params
)
5124 tls
= hapd
.request("GET tls_library")
5125 if not tls
.startswith("OpenSSL"):
5126 raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls
)
5127 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5128 anonymous_identity
="ttls", password
="password",
5129 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5130 eap_connect(dev
[1], hapd
, "TTLS", "pap user",
5131 anonymous_identity
="ttls", password
="password",
5132 openssl_ciphers
="AES128",
5133 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
5134 expect_failure
=True)
5135 eap_connect(dev
[2], hapd
, "TTLS", "pap user",
5136 anonymous_identity
="ttls", password
="password",
5137 openssl_ciphers
="HIGH:!ADH",
5138 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5140 params
['openssl_ciphers'] = "FOO"
5141 hapd2
= hostapd
.add_ap(apdev
[1], params
, no_enable
=True)
5142 if "FAIL" not in hapd2
.request("ENABLE"):
5143 if "run=OpenSSL 1.1.1" in tls
:
5144 logger
.info("Ignore acceptance of an invalid openssl_ciphers value with OpenSSL 1.1.1")
5146 raise Exception("Invalid openssl_ciphers value accepted")
def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A long, distinctive password: run_eap_key_lifetime_in_memory() searches
    # the wpa_supplicant process memory for exactly these bytes (and later
    # verifies they are gone), so the value is presumably chosen not to
    # collide with anything else legitimately present in memory.
    secret = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    netid = eap_connect(dev[0], ap, "TTLS", "pap-secret",
                        anonymous_identity="ttls", password=secret,
                        ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    run_eap_key_lifetime_in_memory(dev, params, netid, secret)
def test_wpa2_eap_peap_gtc_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using PEAP/GTC"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same distinctive password as the EAP-TTLS/PAP variant; the shared
    # helper scans process memory for these exact bytes.
    secret = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    netid = eap_connect(dev[0], ap, "PEAP", "user-secret",
                        anonymous_identity="peap", password=secret,
                        ca_cert="auth_serv/ca.pem", phase2="auth=GTC")
    run_eap_key_lifetime_in_memory(dev, params, netid, secret)
5168 def run_eap_key_lifetime_in_memory(dev
, params
, id, password
):
5169 pid
= find_wpas_process(dev
[0])
5171 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
5172 # event has been delivered, so verify that wpa_supplicant has returned to
5173 # eloop before reading process memory.
5176 password
= password
.encode()
5177 buf
= read_process_memory(pid
, password
)
5179 dev
[0].request("DISCONNECT")
5180 dev
[0].wait_disconnected()
5188 with
open(os
.path
.join(params
['logdir'], 'log0'), 'r') as f
:
5189 for l
in f
.readlines():
5190 if "EAP-TTLS: Derived key - hexdump" in l
or \
5191 "EAP-PEAP: Derived key - hexdump" in l
:
5192 val
= l
.strip().split(':')[3].replace(' ', '')
5193 msk
= binascii
.unhexlify(val
)
5194 if "EAP-TTLS: Derived EMSK - hexdump" in l
or \
5195 "EAP-PEAP: Derived EMSK - hexdump" in l
:
5196 val
= l
.strip().split(':')[3].replace(' ', '')
5197 emsk
= binascii
.unhexlify(val
)
5198 if "WPA: PMK - hexdump" in l
:
5199 val
= l
.strip().split(':')[3].replace(' ', '')
5200 pmk
= binascii
.unhexlify(val
)
5201 if "WPA: PTK - hexdump" in l
:
5202 val
= l
.strip().split(':')[3].replace(' ', '')
5203 ptk
= binascii
.unhexlify(val
)
5204 if "WPA: Group Key - hexdump" in l
:
5205 val
= l
.strip().split(':')[3].replace(' ', '')
5206 gtk
= binascii
.unhexlify(val
)
5207 if not msk
or not emsk
or not pmk
or not ptk
or not gtk
:
5208 raise Exception("Could not find keys from debug log")
5210 raise Exception("Unexpected GTK length")
5216 fname
= os
.path
.join(params
['logdir'],
5217 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
5219 logger
.info("Checking keys in memory while associated")
5220 get_key_locations(buf
, password
, "Password")
5221 get_key_locations(buf
, pmk
, "PMK")
5222 get_key_locations(buf
, msk
, "MSK")
5223 get_key_locations(buf
, emsk
, "EMSK")
5224 if password
not in buf
:
5225 raise HwsimSkip("Password not found while associated")
5227 raise HwsimSkip("PMK not found while associated")
5229 raise Exception("KCK not found while associated")
5231 raise Exception("KEK not found while associated")
5233 # raise Exception("TK found from memory")
5235 logger
.info("Checking keys in memory after disassociation")
5236 buf
= read_process_memory(pid
, password
)
5238 # Note: Password is still present in network configuration
5239 # Note: PMK is in PMKSA cache and EAP fast re-auth data
5241 get_key_locations(buf
, password
, "Password")
5242 get_key_locations(buf
, pmk
, "PMK")
5243 get_key_locations(buf
, msk
, "MSK")
5244 get_key_locations(buf
, emsk
, "EMSK")
5245 verify_not_present(buf
, kck
, fname
, "KCK")
5246 verify_not_present(buf
, kek
, fname
, "KEK")
5247 verify_not_present(buf
, tk
, fname
, "TK")
5249 get_key_locations(buf
, gtk
, "GTK")
5250 verify_not_present(buf
, gtk
, fname
, "GTK")
5252 dev
[0].request("PMKSA_FLUSH")
5253 dev
[0].set_network_quoted(id, "identity", "foo")
5254 logger
.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
5255 buf
= read_process_memory(pid
, password
)
5256 get_key_locations(buf
, password
, "Password")
5257 get_key_locations(buf
, pmk
, "PMK")
5258 get_key_locations(buf
, msk
, "MSK")
5259 get_key_locations(buf
, emsk
, "EMSK")
5260 verify_not_present(buf
, pmk
, fname
, "PMK")
5262 dev
[0].request("REMOVE_NETWORK all")
5264 logger
.info("Checking keys in memory after network profile removal")
5265 buf
= read_process_memory(pid
, password
)
5267 get_key_locations(buf
, password
, "Password")
5268 get_key_locations(buf
, pmk
, "PMK")
5269 get_key_locations(buf
, msk
, "MSK")
5270 get_key_locations(buf
, emsk
, "EMSK")
5271 verify_not_present(buf
, password
, fname
, "password")
5272 verify_not_present(buf
, pmk
, fname
, "PMK")
5273 verify_not_present(buf
, kck
, fname
, "KCK")
5274 verify_not_present(buf
, kek
, fname
, "KEK")
5275 verify_not_present(buf
, tk
, fname
, "TK")
5276 verify_not_present(buf
, gtk
, fname
, "GTK")
5277 verify_not_present(buf
, msk
, fname
, "MSK")
5278 verify_not_present(buf
, emsk
, fname
, "EMSK")
5280 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev
, apdev
):
5281 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
5282 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5283 hapd
= hostapd
.add_ap(apdev
[0], params
)
5284 bssid
= apdev
[0]['bssid']
5285 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5286 anonymous_identity
="ttls", password
="password",
5287 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5289 # Send unexpected WEP EAPOL-Key; this gets dropped
5290 res
= dev
[0].request("EAPOL_RX " + bssid
+ " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
5292 raise Exception("EAPOL_RX to wpa_supplicant failed")
5294 def test_ap_wpa2_eap_in_bridge(dev
, apdev
):
5295 """WPA2-EAP and wpas interface in a bridge"""
5296 br_ifname
= 'sta-br0'
5299 _test_ap_wpa2_eap_in_bridge(dev
, apdev
)
5301 subprocess
.call(['ip', 'link', 'set', 'dev', br_ifname
, 'down'])
5302 subprocess
.call(['brctl', 'delif', br_ifname
, ifname
])
5303 subprocess
.call(['brctl', 'delbr', br_ifname
])
5304 subprocess
.call(['iw', ifname
, 'set', '4addr', 'off'])
5306 def _test_ap_wpa2_eap_in_bridge(dev
, apdev
):
5307 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5308 hapd
= hostapd
.add_ap(apdev
[0], params
)
5310 br_ifname
= 'sta-br0'
5312 wpas
= WpaSupplicant(global_iface
='/tmp/wpas-wlan5')
5313 subprocess
.call(['brctl', 'addbr', br_ifname
])
5314 subprocess
.call(['brctl', 'setfd', br_ifname
, '0'])
5315 subprocess
.call(['ip', 'link', 'set', 'dev', br_ifname
, 'up'])
5316 subprocess
.call(['iw', ifname
, 'set', '4addr', 'on'])
5317 subprocess
.check_call(['brctl', 'addif', br_ifname
, ifname
])
5318 wpas
.interface_add(ifname
, br_ifname
=br_ifname
)
5321 id = eap_connect(wpas
, hapd
, "PAX", "pax.user@example.com",
5322 password_hex
="0123456789abcdef0123456789abcdef")
5324 eap_reauth(wpas
, "PAX")
5326 # Try again as a regression test for packet socket workaround
5327 eap_reauth(wpas
, "PAX")
5329 wpas
.request("DISCONNECT")
5330 wpas
.wait_disconnected()
5332 wpas
.request("RECONNECT")
5333 wpas
.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Sanity-check the AP's reported AKM list before relying on it.
    key_mgmt = ap.get_config()['key_mgmt']
    first_akm, _, _ = key_mgmt.partition(' ')
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # tls_disable_session_ticket=0 explicitly allows session tickets on the
    # station; the reauthentication afterwards goes through the same profile.
    eap_connect(dev[0], ap, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
5349 def test_ap_wpa2_eap_no_workaround(dev
, apdev
):
5350 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
5351 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5352 hapd
= hostapd
.add_ap(apdev
[0], params
)
5353 key_mgmt
= hapd
.get_config()['key_mgmt']
5354 if key_mgmt
.split(' ')[0] != "WPA-EAP":
5355 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt
)
5356 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5357 anonymous_identity
="ttls", password
="password",
5358 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5360 eap_reauth(dev
[0], "TTLS")
5362 def test_ap_wpa2_eap_tls_check_crl(dev
, apdev
):
5363 """EAP-TLS and server checking CRL"""
5364 params
= int_eap_server_params()
5365 params
['check_crl'] = '1'
5366 hapd
= hostapd
.add_ap(apdev
[0], params
)
5368 # check_crl=1 and no CRL available --> reject connection
5369 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5370 client_cert
="auth_serv/user.pem",
5371 private_key
="auth_serv/user.key", expect_failure
=True)
5372 dev
[0].request("REMOVE_NETWORK all")
5375 hapd
.set("ca_cert", "auth_serv/ca-and-crl.pem")
5378 # check_crl=1 and valid CRL --> accept
5379 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5380 client_cert
="auth_serv/user.pem",
5381 private_key
="auth_serv/user.key")
5382 dev
[0].request("REMOVE_NETWORK all")
5385 hapd
.set("check_crl", "2")
5388 # check_crl=2 and valid CRL --> accept
5389 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5390 client_cert
="auth_serv/user.pem",
5391 private_key
="auth_serv/user.key")
5392 dev
[0].request("REMOVE_NETWORK all")
5394 def test_ap_wpa2_eap_tls_crl_reload(dev
, apdev
, params
):
5395 """EAP-TLS and server reloading CRL from ca_cert"""
5396 ca_cert
= os
.path
.join(params
['logdir'],
5397 "ap_wpa2_eap_tls_crl_reload.ca_cert")
5398 with
open('auth_serv/ca.pem', 'r') as f
:
5399 only_cert
= f
.read()
5400 with
open('auth_serv/ca-and-crl.pem', 'r') as f
:
5401 cert_and_crl
= f
.read()
5402 with
open(ca_cert
, 'w') as f
:
5404 params
= int_eap_server_params()
5405 params
['ca_cert'] = ca_cert
5406 params
['check_crl'] = '1'
5407 params
['crl_reload_interval'] = '1'
5408 hapd
= hostapd
.add_ap(apdev
[0], params
)
5410 # check_crl=1 and no CRL available --> reject connection
5411 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5412 client_cert
="auth_serv/user.pem",
5413 private_key
="auth_serv/user.key", expect_failure
=True)
5414 dev
[0].request("REMOVE_NETWORK all")
5415 dev
[0].dump_monitor()
5417 with
open(ca_cert
, 'w') as f
:
5418 f
.write(cert_and_crl
)
5421 # check_crl=1 and valid CRL --> accept
5422 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5423 client_cert
="auth_serv/user.pem",
5424 private_key
="auth_serv/user.key")
5425 dev
[0].request("REMOVE_NETWORK all")
5426 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_tls_check_cert_subject(dev, apdev):
    """EAP-TLS and server checking client subject name"""
    # check_cert_subject constrains which client certificate subjects the
    # server accepts on top of ordinary chain validation; this value is the
    # one the test user certificate is expected to match (the _neg variant
    # covers a non-matching value).
    ap_params = dict(int_eap_server_params(),
                     check_cert_subject='C=FI/O=w1.fi/CN=Test User')
    ap = hostapd.add_ap(apdev[0], ap_params)
    check_check_cert_subject_support(ap)

    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
def test_ap_wpa2_eap_tls_check_cert_subject_neg(dev, apdev):
    """EAP-TLS and server checking client subject name (negative)"""
    # A subject constraint that the test user certificate does not satisfy:
    # the authentication must fail even though the certificate chain itself
    # validates.
    ap_params = dict(int_eap_server_params(),
                     check_cert_subject='C=FI/O=example')
    ap = hostapd.add_ap(apdev[0], ap_params)
    check_check_cert_subject_support(ap)

    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key", expect_failure=True)
5450 def test_ap_wpa2_eap_tls_oom(dev
, apdev
):
5451 """EAP-TLS and OOM"""
5452 check_subject_match_support(dev
[0])
5453 check_altsubject_match_support(dev
[0])
5454 check_domain_match(dev
[0])
5455 check_domain_match_full(dev
[0])
5457 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5458 hostapd
.add_ap(apdev
[0], params
)
5460 tests
= [(1, "tls_connection_set_subject_match"),
5461 (2, "tls_connection_set_subject_match"),
5462 (3, "tls_connection_set_subject_match"),
5463 (4, "tls_connection_set_subject_match")]
5464 for count
, func
in tests
:
5465 with
alloc_fail(dev
[0], count
, func
):
5466 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5467 identity
="tls user", ca_cert
="auth_serv/ca.pem",
5468 client_cert
="auth_serv/user.pem",
5469 private_key
="auth_serv/user.key",
5470 subject_match
="/C=FI/O=w1.fi/CN=server.w1.fi",
5471 altsubject_match
="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
5472 domain_suffix_match
="server.w1.fi",
5473 domain_match
="server.w1.fi",
5474 wait_connect
=False, scan_freq
="2412")
5475 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
5476 ev
= dev
[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout
=5)
5478 raise Exception("No passphrase request")
5479 dev
[0].request("REMOVE_NETWORK all")
5480 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # macaddr_acl=2 selects the external (RADIUS-based) MAC ACL mode - confirm
    # against hostapd.conf; the connection is then expected to succeed.
    ap_params["macaddr_acl"] = "2"
    ap = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[1], ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
5491 def test_ap_wpa2_eap_oom(dev
, apdev
):
5492 """EAP server and OOM"""
5493 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5494 hapd
= hostapd
.add_ap(apdev
[0], params
)
5495 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
5497 with
alloc_fail(hapd
, 1, "eapol_auth_alloc"):
5498 # The first attempt fails, but STA will send EAPOL-Start to retry and
5500 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5501 identity
="tls user", ca_cert
="auth_serv/ca.pem",
5502 client_cert
="auth_serv/user.pem",
5503 private_key
="auth_serv/user.key",
5506 def check_tls_ver(dev
, hapd
, phase1
, expected
):
5507 eap_connect(dev
, hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5508 client_cert
="auth_serv/user.pem",
5509 private_key
="auth_serv/user.key",
5511 ver
= dev
.get_status_field("eap_tls_version")
5513 raise Exception("Unexpected TLS version (expected %s): %s" % (expected
, ver
))
def test_ap_wpa2_eap_tls_versions(dev, apdev):
    """EAP-TLS and TLS version configuration"""
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # phase1 strings that leave exactly one protocol version enabled
    only_tls12 = "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1"
    only_tls11 = "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1"
    only_tls10 = "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1"
    only_tls13 = ("tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 "
                  "tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0")

    tls = dev[0].request("GET tls_library")
    if tls.startswith("OpenSSL"):
        # OpenSSL 1.0.1 is excluded from the TLS 1.2-only case (presumably
        # lacking the per-version disable controls used by phase1).
        if "build=OpenSSL 1.0.1" not in tls and "run=OpenSSL 1.0.1" not in tls:
            check_tls_ver(dev[0], ap, only_tls12, "TLSv1.2")
    if tls.startswith("wolfSSL"):
        # Only the wolfSSL versions known to work are exercised; note that
        # both build and run version must match.
        wolfssl_ok = ("build=3.10.0" in tls and "run=3.10.0" in tls) or \
                     ("build=3.13.0" in tls and "run=3.13.0" in tls)
        if wolfssl_ok:
            check_tls_ver(dev[0], ap, only_tls12, "TLSv1.2")
    elif tls.startswith("internal"):
        check_tls_ver(dev[0], ap, only_tls12, "TLSv1.2")
    # Older versions are still negotiable when explicitly asked for; a
    # deployment wanting to forbid them has to set the disable flags itself.
    check_tls_ver(dev[1], ap, only_tls11, "TLSv1.1")
    check_tls_ver(dev[2], ap, only_tls10, "TLSv1")
    if "run=OpenSSL 1.1.1" in tls:
        check_tls_ver(dev[0], ap, only_tls13, "TLSv1.3")
def test_ap_wpa2_eap_tls_13(dev, apdev):
    """EAP-TLS and TLS 1.3"""
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    tls = sta.request("GET tls_library")
    # NOTE(review): only the "OpenSSL 1.1.1" runtime string is recognised;
    # later OpenSSL releases also support TLS 1.3 but would be skipped here.
    if "run=OpenSSL 1.1.1" not in tls:
        raise HwsimSkip("TLS v1.3 not supported")
    # Disable everything below 1.3 explicitly so the test fails loudly
    # instead of silently negotiating an older version.
    eap_connect(sta, ap, "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
                phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0")
    if sta.get_status_field("eap_tls_version") != "TLSv1.3":
        raise Exception("Unexpected TLS version")

    # Re-authenticate on the existing association, then reconnect with the
    # PMKSA cache flushed so a full EAP exchange (rather than PMKSA caching)
    # is exercised on the new association as well.
    eap_reauth(sta, "TLS")
    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.request("PMKSA_FLUSH")
    sta.request("RECONNECT")
    sta.wait_connected()
def test_rsn_ie_proto_eap_sta(dev, apdev):
    """RSN element protocol testing for EAP cases on STA side"""
    bssid = apdev[0]['bssid']
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # This is the RSN element used normally by hostapd:
    #   30 14            element ID / length
    #   0100             version 1
    #   000fac04         group cipher CCMP-128
    #   0100 000fac04    one pairwise cipher: CCMP-128
    #   0100 000fac01    one AKM: IEEE 802.1X
    #   0c00             RSN capabilities
    params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
    hapd = hostapd.add_ap(apdev[0], params)
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                        identity="gpsk user",
                        password="abcdefghijklmnop0123456789abcdef",
                        scan_freq="2412")

    # Progressively truncated RSNEs, each dropping one more trailing field.
    # The station is expected to accept every one of them (the loop ends in
    # wait_connected()); presumably because the omitted fields take their
    # standard default values -- TODO confirm against the RSNE parser.
    tests = [('No RSN Capabilities field',
              '30120100000fac040100000fac040100000fac01'),
             ('No AKM Suite fields',
              '300c0100000fac040100000fac04'),
             ('No Pairwise Cipher Suite fields',
              '30060100000fac04'),
             ('No Group Data Cipher Suite field',
              '30020100')]
    for txt, ie in tests:
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        logger.info(txt)
        # The override is applied around a BSS restart; presumably the
        # element is only rebuilt when the interface comes up.
        hapd.disable()
        hapd.set('own_ie_override', ie)
        hapd.enable()
        # Drop the cached BSS entry so the freshly scanned RSNE is what the
        # station parses for this association attempt.
        dev[0].request("BSS_FLUSH 0")
        dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
        dev[0].select_network(id, freq=2412)
        dev[0].wait_connected()

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].flush_scan_cache()
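def check_tls_session_resumption_capa(dev, hapd):
    """Skip the test unless both ends can exercise TLS session resumption.

    The resumption tests rely on the tls_session_reused STATUS field on the
    station and on the server-side session cache; both checks below accept
    OpenSSL only.

    Args:
        dev: wpa_supplicant instance (station)
        hapd: hostapd instance acting as the EAP server

    Raises:
        HwsimSkip: when either side reports a different TLS library
    """
    server_tls = hapd.request("GET tls_library")
    if not server_tls.startswith("OpenSSL"):
        # The skip reason used to claim wolfSSL was also accepted although
        # the condition only passes OpenSSL; keep the message truthful.
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + server_tls)

    sta_tls = dev.request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("Session resumption not supported with this TLS library: " + sta_tls)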
def test_eap_ttls_pap_session_resumption(dev, apdev):
    """EAP-TTLS/PAP session resumption"""
    sta = dev[0]
    ap_params = int_eap_server_params()
    # A non-zero lifetime turns on the server-side TLS session cache; the
    # second authentication below is expected to be a resumed handshake.
    # The lifetime bounds how long the shortcut is honoured before a full
    # handshake is required again.
    ap_params['tls_session_lifetime'] = '60'
    ap = hostapd.add_ap(apdev[0], ap_params)
    check_tls_session_resumption_capa(sta, ap)

    def reauthenticate():
        # New EAP exchange on the existing association, followed by the
        # 4-way handshake that installs the fresh keys.
        sta.request("REAUTHENTICATE")
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")

    def session_reused():
        return sta.get_status_field("tls_session_reused")

    eap_connect(sta, ap, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")
    if session_reused() != '0':
        raise Exception("Unexpected session resumption on the first connection")

    reauthenticate()
    if session_reused() != '1':
        raise Exception("Session resumption not used on the second connection")
    # Keys derived from the resumed session must still yield a working link.
    hwsim_utils.test_connectivity(sta, ap)
def test_eap_ttls_chap_session_resumption(dev, apdev):
    """EAP-TTLS/CHAP session resumption"""
    sta = dev[0]
    ap_params = int_eap_server_params()
    # Enable the server-side TLS session cache for one minute.
    ap_params['tls_session_lifetime'] = '60'
    ap = hostapd.add_ap(apdev[0], ap_params)
    check_tls_session_resumption_capa(sta, ap)

    def reauthenticate():
        sta.request("REAUTHENTICATE")
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")

    # Note: the DER-encoded copy of the CA certificate is used here, so this
    # test also covers loading a non-PEM trust anchor.
    eap_connect(sta, ap, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    reauthenticate()
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_mschap_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAP session resumption"""
    sta = dev[0]
    check_domain_suffix_match(sta)
    ap_params = int_eap_server_params()
    # Enable the server-side TLS session cache for one minute.
    ap_params['tls_session_lifetime'] = '60'
    ap = hostapd.add_ap(apdev[0], ap_params)
    check_tls_session_resumption_capa(sta, ap)

    def reauthenticate():
        sta.request("REAUTHENTICATE")
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")

    # domain_suffix_match pins the server identity in addition to the CA
    # check; the resumed connection must not bypass that configuration.
    eap_connect(sta, ap, "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    reauthenticate()
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
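def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAPv2 session resumption"""
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    # Enable the server-side TLS session cache for one minute.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    # The identity carries a DOMAIN\user prefix. The backslash is now
    # escaped: "\m" was an invalid escape sequence, which Python 3.12+
    # reports as a SyntaxWarning and later versions reject outright. The
    # resulting string is unchanged (a single backslash).
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Second EAP exchange on the same association: expected to resume.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")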
def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
    """EAP-TTLS/EAP-GTC session resumption"""
    sta = dev[0]
    ap_params = int_eap_server_params()
    # Enable the server-side TLS session cache for one minute.
    ap_params['tls_session_lifetime'] = '60'
    ap = hostapd.add_ap(apdev[0], ap_params)
    check_tls_session_resumption_capa(sta, ap)

    def reauthenticate():
        sta.request("REAUTHENTICATE")
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")

    # autheap=GTC: the inner method is a full EAP method (EAP-GTC) rather
    # than a plain TTLS AVP-based one such as auth=PAP.
    eap_connect(sta, ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    reauthenticate()
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_no_session_resumption(dev, apdev):
    """EAP-TTLS session resumption disabled on server"""
    sta = dev[0]
    ap_params = int_eap_server_params()
    # Lifetime 0 disables the session cache: every authentication must be a
    # full handshake, which is what a deployment that wants the inner
    # authentication re-run each time would configure.
    ap_params['tls_session_lifetime'] = '0'
    ap = hostapd.add_ap(apdev[0], ap_params)

    def reauthenticate():
        sta.request("REAUTHENTICATE")
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")

    eap_connect(sta, ap, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    reauthenticate()
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_peap_session_resumption(dev, apdev):
    """EAP-PEAP session resumption"""
    sta = dev[0]
    check_eap_capa(sta, "MSCHAPV2")
    ap_params = int_eap_server_params()
    # Enable the server-side TLS session cache for one minute.
    ap_params['tls_session_lifetime'] = '60'
    ap = hostapd.add_ap(apdev[0], ap_params)
    check_tls_session_resumption_capa(sta, ap)

    def reauthenticate():
        sta.request("REAUTHENTICATE")
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")

    eap_connect(sta, ap, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    reauthenticate()
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
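def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
    """EAP-PEAP session resumption with crypto binding"""
    # Same inner method as test_eap_peap_session_resumption, so the same
    # build capability is needed; without this check a build lacking
    # MSCHAPv2 fails the test instead of skipping it.
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    # Enable the server-side TLS session cache for one minute.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    # crypto_binding=2 makes the PEAPv0 cryptobinding TLV mandatory, tying
    # the inner authentication to the outer TLS tunnel. The point of this
    # test is that a resumed session still completes with that requirement
    # in force.
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                phase1="peapver=0 crypto_binding=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Second EAP exchange on the same association: expected to resume.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")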
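def test_eap_peap_no_session_resumption(dev, apdev):
    """EAP-PEAP session resumption disabled on server"""
    # Inner method is MSCHAPv2; skip (rather than fail) on builds without it,
    # as the other PEAP tests do.
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    # State the "disabled" configuration explicitly instead of relying on the
    # server default, mirroring test_eap_ttls_no_session_resumption. The
    # assertions below only hold with a lifetime of 0.
    params['tls_session_lifetime'] = '0'
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # With the cache disabled the second exchange must be a full handshake.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")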
def test_eap_tls_session_resumption(dev, apdev):
    """EAP-TLS session resumption"""
    sta = dev[0]
    ap_params = int_eap_server_params()
    # Enable the server-side TLS session cache for one minute.
    ap_params['tls_session_lifetime'] = '60'
    ap = hostapd.add_ap(apdev[0], ap_params)
    check_tls_session_resumption_capa(sta, ap)

    def reauthenticate():
        sta.request("REAUTHENTICATE")
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")

    def expect_reused(flag, what):
        if sta.get_status_field("tls_session_reused") != flag:
            raise Exception(what)

    eap_connect(sta, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    expect_reused('0', "Unexpected session resumption on the first connection")

    # Two consecutive re-authentications: the cached session must be reusable
    # more than once within its lifetime.
    reauthenticate()
    expect_reused('1', "Session resumption not used on the second connection")

    reauthenticate()
    expect_reused('1', "Session resumption not used on the third connection")
def test_eap_tls_session_resumption_expiration(dev, apdev):
    """EAP-TLS session resumption expiration"""
    params = int_eap_server_params()
    # One-second lifetime: the cached session must stop being offered for
    # resumption almost immediately, forcing a full handshake on the next
    # authentication.
    params['tls_session_lifetime'] = '1'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Allow multiple attempts since OpenSSL may not expire the cached entry
    # immediately.
    for i in range(10):
        time.sleep(1.2)

        dev[0].request("REAUTHENTICATE")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
        if ev is None:
            raise Exception("Key handshake with the AP timed out")
        # A full handshake means the entry has finally expired; stop polling.
        if dev[0].get_status_field("tls_session_reused") == '0':
            break
    # If the last attempt was still resumed, the lifetime was not enforced.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Session resumption used after lifetime expiration")
def test_eap_tls_no_session_resumption(dev, apdev):
    """EAP-TLS session resumption disabled on server"""
    sta = dev[0]
    # No tls_session_lifetime set: the server default must leave the cache
    # disabled for the assertions below to hold.
    ap = hostapd.add_ap(apdev[0], int_eap_server_params())

    def reauthenticate():
        sta.request("REAUTHENTICATE")
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")

    eap_connect(sta, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    reauthenticate()
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_tls_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption (RADIUS)"""
    sta = dev[0]
    # The second hostapd instance is a standalone RADIUS/EAP server (its "as"
    # BSS only hosts it). The real AP proxies EAP to it over RADIUS on port
    # 18128, so the session cache being tested is the server's, not the AP's.
    as_params = {"ssid": "as", "beacon_int": "2000",
                 "radius_server_clients": "auth_serv/radius_clients.conf",
                 "radius_server_auth_port": '18128',
                 "eap_server": "1",
                 "eap_user_file": "auth_serv/eap_user.conf",
                 "ca_cert": "auth_serv/ca.pem",
                 "server_cert": "auth_serv/server.pem",
                 "private_key": "auth_serv/server.key",
                 "tls_session_lifetime": "60"}
    authsrv = hostapd.add_ap(apdev[1], as_params)
    check_tls_session_resumption_capa(sta, authsrv)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    ap = hostapd.add_ap(apdev[0], ap_params)

    def reauthenticate():
        sta.request("REAUTHENTICATE")
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")

    eap_connect(sta, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    reauthenticate()
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_tls_no_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption disabled (RADIUS)"""
    sta = dev[0]
    # Standalone RADIUS/EAP server on the second radio with the session cache
    # explicitly disabled (lifetime 0); the AP proxies EAP to it on port 18128.
    as_params = {"ssid": "as", "beacon_int": "2000",
                 "radius_server_clients": "auth_serv/radius_clients.conf",
                 "radius_server_auth_port": '18128',
                 "eap_server": "1",
                 "eap_user_file": "auth_serv/eap_user.conf",
                 "ca_cert": "auth_serv/ca.pem",
                 "server_cert": "auth_serv/server.pem",
                 "private_key": "auth_serv/server.key",
                 "tls_session_lifetime": "0"}
    hostapd.add_ap(apdev[1], as_params)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    ap = hostapd.add_ap(apdev[0], ap_params)

    def reauthenticate():
        sta.request("REAUTHENTICATE")
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")

    eap_connect(sta, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    reauthenticate()
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_mschapv2_errors(dev, apdev):
    """EAP-MSCHAPv2 error cases"""
    sta = dev[0]
    check_eap_capa(sta, "MSCHAPV2")
    check_eap_capa(sta, "FAST")

    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa-eap"))
    # Baseline: the configuration works without any fault injection.
    sta.connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                identity="phase1-user", password="password",
                scan_freq="2412")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()

    def run_case(injector, count, func, trigger, **net):
        # Start the connection under fault injection, wait until the
        # instrumented function has actually been hit, then tear down.
        with injector(sta, count, func):
            sta.connect("test-wpa-eap", key_mgmt="WPA-EAP",
                        wait_connect=False, scan_freq="2412", **net)
            wait_fail_trigger(sta, trigger)
            sta.request("REMOVE_NETWORK all")
            sta.wait_disconnected()

    plain = dict(eap="MSCHAPV2", identity="phase1-user", password="password")

    # Failures in the crypto helpers of the response derivation.
    # NOTE(review): the nt_password_hash;= entry appears twice in this list,
    # so that case is simply run twice; kept as-is to preserve behavior.
    for count, func in [(1, "hash_nt_password_hash;mschapv2_derive_response"),
                        (1, "nt_password_hash;mschapv2_derive_response"),
                        (1, "nt_password_hash;=mschapv2_derive_response"),
                        (1, "generate_nt_response;mschapv2_derive_response"),
                        (1, "generate_authenticator_response;mschapv2_derive_response"),
                        (1, "nt_password_hash;=mschapv2_derive_response"),
                        (1, "get_master_key;mschapv2_derive_response"),
                        (1, "os_get_random;eap_mschapv2_challenge_reply")]:
        run_case(fail_test, count, func, "GET_FAIL", **plain)

    # Same derivation, but starting from a stored NT password hash instead
    # of the cleartext password (the *_pwhash code paths).
    hashed = dict(eap="MSCHAPV2", identity="phase1-user",
                  password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c")
    for count, func in [(1, "hash_nt_password_hash;mschapv2_derive_response"),
                        (1, "hash_nt_password_hash;=mschapv2_derive_response"),
                        (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
                        (1, "generate_authenticator_response_pwhash;mschapv2_derive_response")]:
        run_case(fail_test, count, func, "GET_FAIL", **hashed)

    # Allocation failures in the method state machine.
    for count, func in [(1, "eap_mschapv2_init"),
                        (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
                        (1, "eap_msg_alloc;eap_mschapv2_success"),
                        (1, "eap_mschapv2_getKey")]:
        run_case(alloc_fail, count, func, "GET_ALLOC_FAIL", **plain)

    # The failure-response path is only reached with a rejected password.
    run_case(alloc_fail, 1, "eap_msg_alloc;eap_mschapv2_failure",
             "GET_ALLOC_FAIL", eap="MSCHAPV2", identity="phase1-user",
             password="wrong password")

    # Later eap_mschapv2_init() allocations are reached through EAP-FAST
    # provisioning, where MSCHAPv2 runs as the inner method.
    for count, func in [(2, "eap_mschapv2_init"),
                        (3, "eap_mschapv2_init")]:
        run_case(alloc_fail, count, func, "GET_ALLOC_FAIL",
                 eap="FAST", anonymous_identity="FAST", identity="user",
                 password="password",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                 phase1="fast_provisioning=1",
                 pac_file="blob://fast_pac")
def test_eap_gpsk_errors(dev, apdev):
    """EAP-GPSK error cases"""
    sta = dev[0]
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa-eap"))
    # 32-character ASCII PSK shared with auth_serv/eap_user.conf.
    psk = "abcdefghijklmnop0123456789abcdef"

    # Baseline: the configuration works without any fault injection.
    sta.connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                identity="gpsk user",
                password=psk,
                scan_freq="2412")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()

    def finish_case(trigger):
        # Wait for the instrumented function to be hit, then tear down.
        wait_fail_trigger(sta, trigger)
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()

    # Crypto failures; cipher=1 selects the AES-CMAC based MIC path and
    # cipher=2 the HMAC-SHA256 one, so each instrumented function is reached.
    crypto_cases = [(1, "os_get_random;eap_gpsk_send_gpsk_2", None),
                    (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
                     "cipher=1"),
                    (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
                     "cipher=2"),
                    (1, "eap_gpsk_derive_keys_helper", None),
                    (2, "eap_gpsk_derive_keys_helper", None),
                    (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
                     "cipher=1"),
                    (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
                     "cipher=2"),
                    (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
                    (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
                    (1, "eap_gpsk_derive_mid_helper", None)]
    for count, func, phase1 in crypto_cases:
        with fail_test(sta, count, func):
            sta.connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                        identity="gpsk user",
                        password=psk,
                        phase1=phase1,
                        wait_connect=False, scan_freq="2412")
            finish_case("GET_FAIL")

    # Allocation failures; ERP is enabled (realm in the identity) so the
    # EMSK/session-id derivations are exercised too.
    alloc_cases = [(1, "eap_gpsk_init"),
                   (2, "eap_gpsk_init"),
                   (3, "eap_gpsk_init"),
                   (1, "eap_gpsk_process_id_server"),
                   (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
                   (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
                   (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
                   (1, "eap_gpsk_derive_keys"),
                   (1, "eap_gpsk_derive_keys_helper"),
                   (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
                   (1, "eap_gpsk_getKey"),
                   (1, "eap_gpsk_get_emsk"),
                   (1, "eap_gpsk_get_session_id")]
    for count, func in alloc_cases:
        with alloc_fail(sta, count, func):
            # Drop any cached ERP keys so every round starts from scratch.
            sta.request("ERP_FLUSH")
            sta.connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                        identity="gpsk user@domain", erp="1",
                        password=psk,
                        wait_connect=False, scan_freq="2412")
            finish_case("GET_ALLOC_FAIL")
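def test_ap_wpa2_eap_sim_db(dev, apdev, params):
    """EAP-SIM DB error cases"""
    # Fixed path in the shared /tmp: fine for the hwsim VM, but not a pattern
    # for production code (another local user could pre-create it). A stale
    # socket from an aborted run would make the bind() below fail.
    sockpath = '/tmp/hlr_auc_gw.sock-test'
    try:
        os.remove(sockpath)
    except OSError:
        # Nothing to clean up; any real problem surfaces at bind() time.
        # This used to be a bare except, which also swallowed
        # KeyboardInterrupt.
        pass
    hparams = int_eap_server_params()
    hparams['eap_sim_db'] = 'unix:' + sockpath
    hapd = hostapd.add_ap(apdev[0], hparams)

    # Initial test with hlr_auc_gw socket not available
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                        eap="SIM", identity="1232010000000000",
                        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                        scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["EAP-ERROR-CODE"], timeout=10)
    if ev is None:
        raise Exception("EAP method specific error code not reported")
    # 16384 is the EAP-SIM AT_NOTIFICATION "general failure" code (RFC 4186);
    # the server has no way to fetch triplets, so it must not leak anything
    # more specific than that.
    if int(ev.split()[1]) != 16384:
        raise Exception("Unexpected EAP method specific error code: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    # Test with invalid responses and response timeout

    class test_handler(SocketServer.DatagramRequestHandler):
        def handle(self):
            data = self.request[0].decode().strip()
            socket = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            # Three malformed replies; the eap_sim_db parser must reject each
            # without crashing, and with no usable reply the pending request
            # is left to time out.
            # EAP-SIM DB: Failed to parse response string
            socket.sendto(b"FOO", self.client_address)
            # EAP-SIM DB: Failed to parse response string
            socket.sendto(b"FOO 1", self.client_address)
            # EAP-SIM DB: Unknown external response
            socket.sendto(b"FOO 1 2", self.client_address)
            logger.info("No proper response - wait for pending eap_sim_db request timeout")

    server = SocketServer.UnixDatagramServer(sockpath, test_handler)
    server.timeout = 1

    dev[0].select_network(id)
    server.handle_request()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    # Test with a valid response

    class test_handler2(SocketServer.DatagramRequestHandler):
        def handle(self):
            data = self.request[0].decode().strip()
            socket = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            fname = os.path.join(params['logdir'],
                                 'hlr_auc_gw.milenage_db')
            # The request text is handed to the real hlr_auc_gw binary as a
            # single argv element (list form, no shell), so a hostile request
            # cannot inject commands; the relative path assumes the usual
            # tests/hwsim working directory.
            cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
                                    '-m', fname, data],
                                   stdout=subprocess.PIPE)
            res = cmd.stdout.read().decode().strip()
            cmd.stdout.close()
            # Reap the child so it does not linger as a zombie.
            cmd.wait()
            logger.debug("hlr_auc_gw response: " + res)
            socket.sendto(res.encode(), self.client_address)

    server.RequestHandlerClass = test_handler2

    dev[0].select_network(id)
    server.handle_request()
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()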
def test_eap_tls_sha512(dev, apdev, params):
    """EAP-TLS with SHA512 signature"""
    # Note: the "params" argument (test parameters such as logdir) is not
    # used here; the AP configuration gets its own name to avoid shadowing.
    ap_params = int_eap_server_params()
    ap_params["ca_cert"] = "auth_serv/sha512-ca.pem"
    ap_params["server_cert"] = "auth_serv/sha512-server.pem"
    ap_params["private_key"] = "auth_serv/sha512-server.key"
    hostapd.add_ap(apdev[0], ap_params)

    # Both a SHA-512 and a SHA-384 signed client certificate must validate
    # against the SHA-512 signed CA while the server presents a SHA-512 chain.
    clients = [(dev[0], "sha512"), (dev[1], "sha384")]
    for sta, digest in clients:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user sha512",
                    ca_cert="auth_serv/sha512-ca.pem",
                    client_cert="auth_serv/%s-user.pem" % digest,
                    private_key="auth_serv/%s-user.key" % digest,
                    scan_freq="2412")
def test_eap_tls_sha384(dev, apdev, params):
    """EAP-TLS with SHA384 signature"""
    # Note: the "params" argument (test parameters such as logdir) is not
    # used here; the AP configuration gets its own name to avoid shadowing.
    ap_params = int_eap_server_params()
    ap_params["ca_cert"] = "auth_serv/sha512-ca.pem"
    ap_params["server_cert"] = "auth_serv/sha384-server.pem"
    ap_params["private_key"] = "auth_serv/sha384-server.key"
    hostapd.add_ap(apdev[0], ap_params)

    # Same CA as the SHA-512 test, but the server certificate is SHA-384
    # signed; both client certificate variants must still be accepted.
    clients = [(dev[0], "sha512"), (dev[1], "sha384")]
    for sta, digest in clients:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user sha512",
                    ca_cert="auth_serv/sha512-ca.pem",
                    client_cert="auth_serv/%s-user.pem" % digest,
                    private_key="auth_serv/%s-user.key" % digest,
                    scan_freq="2412")
def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
    """WPA2-Enterprise AP and association request RSN IE differences"""
    sta = dev[0]
    gpsk = dict(eap="GPSK", identity="gpsk user",
                password="abcdefghijklmnop0123456789abcdef")

    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    pmf_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
    pmf_params["ieee80211w"] = "2"   # PMF required
    hostapd.add_ap(apdev[1], pmf_params)

    def expect_accept(ssid, title, ie, **extra):
        # The overridden RSNE goes into the (Re)Association Request; the AP
        # must still accept the station.
        logger.info("Testing: " + title)
        set_test_assoc_ie(sta, ie)
        sta.connect(ssid, key_mgmt="WPA-EAP", scan_freq="2412",
                    **gpsk, **extra)
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()

    def expect_reject(ssid, title, ie, status, **extra):
        # The AP must reject association with the given 802.11 status code.
        logger.info("Testing: " + title)
        set_test_assoc_ie(sta, ie)
        sta.connect(ssid, key_mgmt="WPA-EAP", scan_freq="2412",
                    wait_connect=False, **gpsk, **extra)
        ev = sta.wait_event(["CTRL-EVENT-ASSOC-REJECT"])
        if ev is None:
            raise Exception("Association rejection not reported")
        if "status_code=" + str(status) not in ev:
            raise Exception("Unexpected status code: " + ev)
        sta.request("REMOVE_NETWORK all")
        sta.dump_monitor()

    # Success cases with optional RSN IE fields removed one by one
    accepted = [("Normal wpa_supplicant assoc req RSN IE",
                 "30140100000fac040100000fac040100000fac010000"),
                ("Extra PMKIDCount field in RSN IE",
                 "30160100000fac040100000fac040100000fac0100000000"),
                ("Extra Group Management Cipher Suite in RSN IE",
                 "301a0100000fac040100000fac040100000fac0100000000000fac06"),
                ("Extra undefined extension field in RSN IE",
                 "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
                ("RSN IE without RSN Capabilities",
                 "30120100000fac040100000fac040100000fac01"),
                ("RSN IE without AKM", "300c0100000fac040100000fac04"),
                ("RSN IE without pairwise", "30060100000fac04"),
                ("RSN IE without group", "30020100")]
    for title, ie in accepted:
        expect_accept("test-wpa2-eap", title, ie)

    # PMF-capable station (capabilities 0xcc00 set the MFPC/MFPR bits) against
    # the PMF-required AP, with and without an explicit group management cipher.
    accepted_pmf = [("Normal wpa_supplicant assoc req RSN IE",
                     "30140100000fac040100000fac040100000fac01cc00"),
                    ("Group management cipher included in assoc req RSN IE",
                     "301a0100000fac040100000fac040100000fac01cc000000000fac06")]
    for title, ie in accepted_pmf:
        expect_accept("test-wpa2-eap-11w", title, ie, ieee80211w="1")

    # 000fac02 is TKIP, which the CCMP-only AP must refuse:
    # 41 = invalid group cipher, 42 = invalid pairwise cipher.
    rejected = [("Invalid group cipher", "30060100000fac02", 41),
                ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42)]
    for title, ie, status in rejected:
        expect_reject("test-wpa2-eap", title, ie, status)

    # PMF-required AP: a station without PMF (capabilities 0x0000) gets
    # status 31 (robust management frame policy violation); an unknown group
    # management cipher (000fac0b) gets status 46.
    rejected_pmf = [("Management frame protection not enabled",
                     "30140100000fac040100000fac040100000fac010000", 31),
                    ("Unsupported management group cipher",
                     "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 46)]
    for title, ie, status in rejected_pmf:
        expect_reject("test-wpa2-eap-11w", title, ie, status, ieee80211w="1")
def test_eap_tls_ext_cert_check(dev, apdev):
    """EAP-TLS and external server certification validation

    Adds (but does not yet select) an EAP-TLS network that asks for the
    external server certificate check (phase1 tls_ext_cert_check=1) and hands
    it to run_ext_cert_check(), which selects the network and answers the
    CTRL-REQ-EXT_CERT_CHECK requests.
    """
    # With internal server certificate chain validation: ca_cert is set, so
    # wpa_supplicant validates the server chain itself in addition to the
    # external check.  only_add_network=True means nothing is associated
    # here; run_ext_cert_check() calls select_network() on the returned id.
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                        identity="tls user",
                        ca_cert="auth_serv/ca.pem",
                        client_cert="auth_serv/user.pem",
                        private_key="auth_serv/user.key",
                        phase1="tls_ext_cert_check=1", scan_freq="2412",
                        only_add_network=True)
    run_ext_cert_check(dev, apdev, id)
def test_eap_ttls_ext_cert_check(dev, apdev):
    """EAP-TTLS and external server certification validation

    Same flow as the EAP-TLS variant but with EAP-TTLS/PAP and, notably, no
    ca_cert: the external check driven by run_ext_cert_check() is the only
    validation the server certificate receives in this test.
    """
    # Without internal server certificate chain validation (no ca_cert), so
    # the CTRL-RSP-EXT_CERT_CHECK answer alone decides whether EAP proceeds.
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                        identity="pap user", anonymous_identity="ttls",
                        password="password", phase2="auth=PAP",
                        phase1="tls_ext_cert_check=1", scan_freq="2412",
                        only_add_network=True)
    run_ext_cert_check(dev, apdev, id)
def test_eap_peap_ext_cert_check(dev, apdev):
    """EAP-PEAP and external server certification validation

    PEAP with inner MSCHAPv2; the outer TLS handshake is subject to both the
    internal chain validation (ca_cert) and the external check that
    run_ext_cert_check() answers.
    """
    # With internal server certificate chain validation
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                        identity="user", anonymous_identity="peap",
                        ca_cert="auth_serv/ca.pem",
                        password="password", phase2="auth=MSCHAPV2",
                        phase1="tls_ext_cert_check=1", scan_freq="2412",
                        only_add_network=True)
    run_ext_cert_check(dev, apdev, id)
def test_eap_fast_ext_cert_check(dev, apdev):
    """EAP-FAST and external server certification validation

    Uses authenticated in-band PAC provisioning (fast_provisioning=2) with
    the PAC kept in a named blob, so the TLS handshake that provisions the
    PAC is the one subjected to the external certificate check.
    """
    check_eap_capa(dev[0], "FAST")
    # With internal server certificate chain validation
    # Clear the PAC blob first so provisioning (and with it the server
    # certificate check) actually happens instead of a PAC-based resumption.
    dev[0].request("SET blob fast_pac_auth_ext ")
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                        identity="user", anonymous_identity="FAST",
                        ca_cert="auth_serv/ca.pem",
                        password="password", phase2="auth=GTC",
                        phase1="tls_ext_cert_check=1 fast_provisioning=2",
                        pac_file="blob://fast_pac_auth_ext",
                        # NOTE(review): the page rendering dropped gutter
                        # line 6352 here (one more keyword argument); not
                        # reconstructed.
                        only_add_network=True)
    run_ext_cert_check(dev, apdev, id)
def run_ext_cert_check(dev, apdev, net_id):
    """Drive the external server-certificate check for network net_id.

    Flow exercised:
      1. select the network and collect the CTRL-EVENT-EAP-PEER-CERT events
         (hex certificate per chain depth) until CTRL-REQ-EXT_CERT_CHECK
         arrives;
      2. parse the server and issuer certificates with pyOpenSSL and pin
         their subject CNs ("server.w1.fi" / "Root CA");
      3. confirm no EAP-Success is delivered before the external result is
         given (the check is blocking, not advisory);
      4. answer ":good" and expect a connection, then flush the PMKSA cache,
         reconnect, answer ":bad" and expect CTRL-EVENT-EAP-FAILURE.

    NOTE(review): the page rendering dropped several gutter lines of this
    function (6360, 6363, 6365-6366, 6370, 6373-6374, 6376, 6387-6388,
    6390, 6392, 6394, 6397, 6399, 6402, 6407, 6409, 6411, 6414, 6421, 6423,
    6428).  The missing lines appear to be the event loop header, the
    `for v in vals` header, the `if ev is None` style guards in front of
    the bare `raise` statements and the certificate arguments to
    load_certificate(); they are flagged below and not reconstructed.
    """
    check_ext_cert_check_support(dev[0])
    if not openssl_imported:
        raise HwsimSkip("OpenSSL python method not available")
    # [gutter line 6360 dropped by the page rendering]
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # [gutter line 6363 dropped]
    # The network was added with only_add_network=True by the caller;
    # selecting it here starts association and the EAP exchange.
    dev[0].select_network(net_id)
    # [gutter lines 6365-6366 dropped: presumably the certs accumulator and
    #  the loop header that repeats the event wait below until
    #  CTRL-REQ-EXT_CERT_CHECK is seen]
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
                            "CTRL-REQ-EXT_CERT_CHECK",
                            "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # [gutter line 6370 dropped: the guard preceding this raise]
    raise Exception("No peer server certificate event seen")
    if "CTRL-EVENT-EAP-PEER-CERT" in ev:
        # [gutter lines 6373-6374 dropped: presumably the depth/cert resets]
        # Each PEER-CERT event carries space-separated key=value fields;
        # only depth= and cert= (hex DER) are used here.
        vals = ev.split(' ')
        # [gutter line 6376 dropped: the loop header binding v]
        if v.startswith("depth="):
            depth = int(v.split('=')[1])
        elif v.startswith("cert="):
            cert = v.split('=')[1]
        if depth is not None and cert:
            certs[depth] = binascii.unhexlify(cert)
    elif "CTRL-EVENT-EAP-SUCCESS" in ev:
        # EAP must not complete while the external check is outstanding.
        raise Exception("Unexpected EAP-Success")
    elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
        # The request is answered with CTRL-RSP-EXT_CERT_CHECK-<id>:<verdict>;
        # the id is the trailing token of the "CTRL-REQ-EXT_CERT_CHECK-<id>"
        # prefix in front of the first ':'.
        id = ev.split(':')[0].split('-')[-1]
        # [gutter lines 6387-6388 dropped]
    raise Exception("Server certificate not received")
    # [gutter line 6390 dropped: the guard preceding this raise]
    raise Exception("Server certificate issuer not received")
    # [gutter line 6392 dropped]
    # Parse the DER certificates collected above (presumably certs[0] is the
    # server certificate and certs[1] its issuer — the arguments on gutter
    # lines 6394 and 6399 were dropped by the rendering).
    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
                                           # [gutter line 6394 dropped]
    cn = cert.get_subject().commonName
    logger.info("Server certificate CN=" + cn)
    # [gutter line 6397 dropped]
    issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
                                             # [gutter line 6399 dropped]
    icn = issuer.get_subject().commonName
    logger.info("Issuer certificate CN=" + icn)
    # [gutter line 6402 dropped]
    # Pin the expected identities before answering ":good" — this is the
    # trust decision the external checker is supposed to make.
    if cn != "server.w1.fi":
        raise Exception("Unexpected server certificate CN: " + cn)
    if icn != "Root CA":
        raise Exception("Unexpected server certificate issuer CN: " + icn)
    # [gutter line 6407 dropped]
    # Short wait: EAP-Success arriving here would mean the supplicant did
    # not actually block on the external result.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
    # [gutter line 6409 dropped: the guard preceding this raise]
    raise Exception("Unexpected EAP-Success before external check result indication")
    # [gutter line 6411 dropped]
    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
    dev[0].wait_connected()
    # [gutter line 6414 dropped]
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Flush the PMKSA cache so the RECONNECT below has to run EAP again
    # (and therefore a fresh external check) instead of using a cached PMK.
    if "FAIL" in dev[0].request("PMKSA_FLUSH"):
        raise Exception("PMKSA_FLUSH failed")
    # Also drop any EAP-FAST PAC that the first run may have provisioned.
    dev[0].request("SET blob fast_pac_auth_ext ")
    dev[0].request("RECONNECT")
    # [gutter line 6421 dropped]
    ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
    # [gutter line 6423 dropped: the guard preceding this raise]
    raise Exception("No peer server certificate event seen (2)")
    id = ev.split(':')[0].split('-')[-1]
    # Negative verdict: the supplicant must abort EAP rather than connect.
    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    # [gutter line 6428 dropped: the guard preceding this raise]
    raise Exception("EAP-Failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_eap_tls_errors(dev, apdev):
    """EAP-TLS error cases

    Memory-allocation failure injection on the EAP-TLS peer code paths
    (eap_peer_tls_reassemble_fragment, eap_tls_init, eap_peer_tls_ssl_init,
    the key/session-id derivation helpers, and the UNAUTH-TLS /
    WFA-UNAUTH-TLS init paths).  Each case arms one failing allocation with
    alloc_fail(), starts a connection attempt, waits for the trigger to
    fire and then removes the network; the expectation is only that
    wpa_supplicant survives and cleans up, not that it connects.

    NOTE(review): the page rendering dropped gutter lines 6448, 6458, 6464,
    6468, 6472, 6475-6476, 6478, 6485, 6490, 6498, 6506 and 6515 of this
    function; the ones that matter (a connect() keyword argument, the
    `for func in tests` style loop header, the guard before a bare raise,
    two more entries of `tests`) are flagged below and not reconstructed.
    """
    params = int_eap_server_params()
    # A tiny fragment size forces EAP-TLS fragmentation so that the
    # reassembly path targeted by the first alloc_fail() is exercised.
    params['fragment_size'] = '100'
    hostapd.add_ap(apdev[0], params)
    with alloc_fail(dev[0], 1,
                    "eap_peer_tls_reassemble_fragment"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    # [gutter line 6448 dropped]
    with alloc_fail(dev[0], 1, "eap_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    # [gutter line 6458 dropped]
    with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       # [gutter line 6464 dropped: one more keyword
                       #  argument — presumably what makes the supplicant
                       #  issue the CTRL-REQ-PIN expected below]
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        ev = dev[0].wait_event(["CTRL-REQ-PIN"], timeout=5)
        # [gutter line 6468 dropped: the guard preceding this raise]
        raise Exception("No CTRL-REQ-PIN seen")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    # [gutter line 6472 dropped]
    # "callee;caller" entries restrict the injected failure to the named
    # allocation when reached through that caller.
    tests = ["eap_peer_tls_derive_key;eap_tls_success",
             "eap_peer_tls_derive_session_id;eap_tls_success",
             # [gutter lines 6475-6476 dropped: two more entries]
             "eap_tls_get_session_id"]
    # [gutter line 6478 dropped: the loop header binding func]
    with alloc_fail(dev[0], 1, func):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user@domain",
                       ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       # [gutter line 6485 dropped: one more keyword argument]
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    # [gutter line 6490 dropped]
    with alloc_fail(dev[0], 1, "eap_unauth_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
                       identity="unauth-tls", ca_cert="auth_serv/ca.pem",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    # [gutter line 6498 dropped]
    with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init;eap_unauth_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
                       identity="unauth-tls", ca_cert="auth_serv/ca.pem",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    # [gutter line 6506 dropped]
    with alloc_fail(dev[0], 1, "eap_wfa_unauth_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="WFA-UNAUTH-TLS",
                       identity="osen@example.com", ca_cert="auth_serv/ca.pem",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    # [gutter line 6515 dropped]
    with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init;eap_wfa_unauth_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="WFA-UNAUTH-TLS",
                       identity="osen@example.com", ca_cert="auth_serv/ca.pem",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_ap_wpa2_eap_status(dev, apdev):
    """EAP state machine status information

    Runs PEAP with an inner EAP-TLS (phase2 auth=TLS; the *2 parameters
    carry the inner client certificate) and polls STATUS-VERBOSE while the
    exchange is in progress, recording every distinct value seen for the
    EAP state, methodState, decision, reqMethod and selectedMethod fields.
    The collected values are only logged; the test fails if the EAP state
    never reaches SUCCESS.

    NOTE(review): the page rendering dropped gutter lines 6536-6540, 6546,
    6550-6551, 6556-6557 and 6574 of this function (presumably the other
    accumulator lists, the loop exit on SUCCESS, the `decision` lookup and
    the final SUCCESS check); they are flagged below and not reconstructed.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="cert user",
                   ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                   ca_cert2="auth_serv/ca.pem",
                   client_cert2="auth_serv/user.pem",
                   private_key2="auth_serv/user.key",
                   scan_freq="2412", wait_connect=False)
    # [gutter lines 6536-6540 dropped: presumably states, method_states,
    #  decisions and req_methods are initialised here like selected_methods]
    selected_methods = []
    # Poll as fast as possible; the bound only prevents an endless loop if
    # EAP never completes.
    for i in range(100000):
        s = dev[0].get_status(extra="VERBOSE")
        if 'EAP state' in s:
            state = s['EAP state']
            # [gutter line 6546 dropped]
            if state not in states:
                states.append(state)
            if state == "SUCCESS":
                # [gutter lines 6550-6551 dropped: presumably the loop exit]
        if 'methodState' in s:
            val = s['methodState']
            if val not in method_states:
                method_states.append(val)
        # [gutter lines 6556-6557 dropped: presumably the 'decision' lookup
        #  that assigns val for the check below]
        if val not in decisions:
            decisions.append(val)
        if 'reqMethod' in s:
            val = s['reqMethod']
            if val not in req_methods:
                req_methods.append(val)
        if 'selectedMethod' in s:
            val = s['selectedMethod']
            if val not in selected_methods:
                selected_methods.append(val)
    logger.info("Iterations: %d" % i)
    logger.info("EAP states: " + str(states))
    logger.info("methodStates: " + str(method_states))
    logger.info("decisions: " + str(decisions))
    logger.info("reqMethods: " + str(req_methods))
    logger.info("selectedMethods: " + str(selected_methods))
    # [gutter line 6574 dropped: the guard preceding this raise]
    raise Exception("EAP did not succeed")
    dev[0].wait_connected()
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_gpsk_ptk_rekey_ap(dev, apdev):
    """WPA2-Enterprise with EAP-GPSK and PTK rekey enforced by AP

    The AP is configured with a very short PTK rekey interval; after the
    initial EAP-GPSK connection the test waits for the station to report a
    completed key negotiation (the AP-initiated 4-way handshake rekey) and
    then checks that data connectivity still works with the new PTK.

    NOTE(review): gutter line 6588 (the guard preceding the bare raise
    below) was dropped by the page rendering and is not reconstructed.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # wpa_ptk_rekey is in seconds; '2' makes the AP rekey the PTK almost
    # immediately after the initial handshake.
    params['wpa_ptk_rekey'] = '2'
    hapd = hostapd.add_ap(apdev[0], params)
    id = eap_connect(dev[0], hapd, "GPSK", "gpsk user",
                     password="abcdefghijklmnop0123456789abcdef")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"])
    # [gutter line 6588 dropped: the guard preceding this raise]
    raise Exception("PTK rekey timed out")
    hwsim_utils.test_connectivity(dev[0], hapd)
def test_ap_wpa2_eap_wildcard_ssid(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK and wildcard SSID

    The network block is configured by BSSID only (no ssid), i.e. a
    wildcard SSID match, and must still complete EAP-GPSK.

    NOTE(review): the page rendering dropped gutter lines 6599-6600, which
    end the connect() call below (it is visibly unterminated here); not
    reconstructed.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].connect(bssid=apdev[0]['bssid'], key_mgmt="WPA-EAP", eap="GPSK",
                   identity="gpsk user",
                   password="abcdefghijklmnop0123456789abcdef",
                   # [gutter lines 6599-6600 dropped]
def test_ap_wpa2_eap_psk_mac_addr_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK after MAC address change

    Locates the wpa_supplicant process that owns dev[0] via `ps`, changes
    the interface MAC address from outside wpa_supplicant, scans with the
    new address, then — with the wpa_supplicant process SIGSTOPped so it
    cannot observe the intermediate link state — restores the original
    address and lets it continue.  EAP-PSK must then still succeed and the
    reported address must be the original one.

    This deliberately manipulates another process (signals) and the
    network stack (ip link); it only makes sense inside the hwsim harness
    where the test owns both.

    NOTE(review): the page rendering dropped gutter lines 6605, 6608-6609,
    6612, 6614, 6616, 6618, 6620, 6629, 6635, 6638-6639, 6642, 6644, 6646,
    6649 and 6651 of this function (among them the `continue`/return-style
    control flow of the PID search, the restored-address argument of the
    second `ip link set ... address` call and the guard before the final
    raise); they are flagged below and not reconstructed.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # [gutter line 6605 dropped]
    # NOTE(review): as far as visible, the Popen is read but never
    # wait()ed/communicate()d, so the child is left for GC to reap.
    cmd = subprocess.Popen(['ps', '-eo', 'pid,command'], stdout=subprocess.PIPE)
    res = cmd.stdout.read().decode()
    # [gutter lines 6608-6609 dropped: presumably the pid initialisation]
    # Match processes by substring: "wpa_supplicant" and the interface name
    # must both appear in the command line.  With no break visible, a
    # later matching line overwrites an earlier one.
    for p in res.splitlines():
        if "wpa_supplicant" not in p:
            # [gutter line 6612 dropped]
        if dev[0].ifname not in p:
            # [gutter line 6614 dropped]
        # `ps -eo pid,command`: the first whitespace-separated field is the PID.
        pid = int(p.strip().split(' ')[0])
    # [gutter line 6616 dropped: the condition guarding the "not found" path]
    logger.info("Could not find wpa_supplicant PID")
    # [gutter line 6618 dropped]
    logger.info("wpa_supplicant PID %d" % pid)
    # [gutter line 6620 dropped]
    addr = dev[0].get_status_field("address")
    # 02:11:22:33:44:55 is a locally administered (U/L bit set) unicast
    # address, so it cannot collide with a vendor-assigned one.
    subprocess.call(['ip', 'link', 'set', 'dev', dev[0].ifname, 'down'])
    subprocess.call(['ip', 'link', 'set', 'dev', dev[0].ifname, 'address',
                     '02:11:22:33:44:55'])
    subprocess.call(['ip', 'link', 'set', 'dev', dev[0].ifname, 'up'])
    addr1 = dev[0].get_status_field("address")
    if addr1 != '02:11:22:33:44:55':
        raise Exception("Failed to change MAC address")
    # [gutter line 6629 dropped]
    # Scan using the externally set MAC address, stop the wpa_supplicant
    # process to avoid it from processing the ifdown event before the interface
    # is already UP, change the MAC address back, allow the wpa_supplicant
    # process to continue. This will result in the ifdown + ifup sequence of
    # RTM_NEWLINK events to be processed while the interface is already UP.
    # [gutter line 6635 dropped]
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
    os.kill(pid, signal.SIGSTOP)
    # [gutter lines 6638-6639 dropped]
    subprocess.call(['ip', 'link', 'set', 'dev', dev[0].ifname, 'down'])
    subprocess.call(['ip', 'link', 'set', 'dev', dev[0].ifname, 'address',
                     # [gutter line 6642 dropped: presumably `addr])`, the
                     #  address saved above]
    subprocess.call(['ip', 'link', 'set', 'dev', dev[0].ifname, 'up'])
    # [gutter line 6644 dropped]
    os.kill(pid, signal.SIGCONT)
    # [gutter line 6646 dropped]
    eap_connect(dev[0], hapd, "PSK", "psk.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    # [gutter line 6649 dropped]
    addr2 = dev[0].get_status_field("address")
    # [gutter line 6651 dropped: the guard preceding this raise, presumably
    #  comparing addr2 with addr]
    raise Exception("Failed to restore MAC address")
def test_ap_wpa2_eap_server_get_id(dev, apdev):
    """Internal EAP server and dot1xAuthSessionUserName

    With hostapd's integrated EAP server, the STA entry must carry the
    authenticated user name (dot1xAuthSessionUserName) and it must equal the
    EAP-TLS identity that was used.
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    sta = hapd.get_sta(dev[0].own_addr())
    if 'dot1xAuthSessionUserName' not in sta:
        raise Exception("No dot1xAuthSessionUserName included")
    user = sta['dot1xAuthSessionUserName']
    if user != "tls user":
        raise Exception("Unexpected dot1xAuthSessionUserName value: " + user)
def test_ap_wpa2_radius_server_get_id(dev, apdev):
    """External RADIUS server and dot1xAuthSessionUserName

    Same check as the internal-server variant, but via the external RADIUS
    server used by wpa2_eap_params().  Note that the expected name
    ("real-user") differs from the EAP identity sent ("test-user"), i.e.
    hostapd is expected to report the name supplied by the RADIUS server
    rather than the EAP-Response/Identity — presumably the User-Name
    returned in Access-Accept; verify against the test RADIUS configuration.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TTLS", "test-user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    sta = hapd.get_sta(dev[0].own_addr())
    if 'dot1xAuthSessionUserName' not in sta:
        raise Exception("No dot1xAuthSessionUserName included")
    user = sta['dot1xAuthSessionUserName']
    if user != "real-user":
        raise Exception("Unexpected dot1xAuthSessionUserName value: " + user)
def test_openssl_systemwide_policy(dev, apdev, test_params):
    """OpenSSL systemwide policy and overrides

    Wrapper that allocates a dedicated hwsim radio, runs
    run_openssl_systemwide_policy() on it (which starts its own
    wpa_supplicant process) and afterwards kills that process via its pid
    file.  The kill is the fallback cleanup: the normal path already issues
    TERMINATE at the end of run_openssl_systemwide_policy(), so the pid file
    is mainly relevant when the run raised part-way.
    """
    prefix = "openssl_systemwide_policy"
    pidfile = os.path.join(test_params['logdir'], prefix + '.pid-wpas')
    # [gutter line 6686 dropped by the page rendering]
    with HWSimRadio() as (radio, iface):
        run_openssl_systemwide_policy(iface, apdev, test_params)
    # [gutter line 6689 dropped]
    # Best-effort cleanup of the separately started wpa_supplicant; the pid
    # is trusted as written by that process (-P pidfile).
    if os.path.exists(pidfile):
        with open(pidfile, 'r') as f:
            pid = int(f.read().strip())
        os.kill(pid, signal.SIGTERM)
def write_openssl_cnf(cnf, MinProtocol=None, CipherString=None):
    """Write a minimal OpenSSL config file expressing a system-wide policy.

    The file declares a default section whose system_default points at
    [system_default_sect]; MinProtocol and CipherString, when given, are
    written into that section.  The caller points OPENSSL_CONF at the file
    so that a freshly started wpa_supplicant picks the policy up as its
    system default.

    NOTE(review): the page rendering dropped gutter lines 6698-6700 (lines
    inside the template string), 6703-6704 (presumably the end of the
    template) and 6706 (presumably the conditionals keyed on the two
    optional arguments, between the two f.write() calls).  The visible
    triple-quoted string is therefore unterminated here; nothing has been
    reconstructed.
    """
    with open(cnf, "w") as f:
        f.write("""openssl_conf = default_conf
system_default = system_default_sect
[system_default_sect]
        f.write("MinProtocol = %s\n" % MinProtocol)
        f.write("CipherString = %s\n" % CipherString)
def run_openssl_systemwide_policy(iface, apdev, test_params):
    """Exercise OpenSSL system-wide policy enforcement and per-network overrides.

    Starts a separate wpa_supplicant on iface with OPENSSL_CONF pointing at
    a policy of MinProtocol=TLSv1.2 / DEFAULT@SECLEVEL=2, against a hostapd
    whose internal EAP server only offers TLSv1.0 (tls_flags disables 1.1,
    1.2 and 1.3).  The first EAP-TTLS attempt with default settings must
    fail with a local TLS alert (no common protocol version); the network is
    then given openssl_ciphers=DEFAULT@SECLEVEL=1 and
    phase1 tls_disable_tlsv1_0=0, after which the connection must succeed —
    i.e. the per-network settings override the system-wide policy.  The
    weakening to TLSv1.0/SECLEVEL=1 is what is under test here, not a
    recommended configuration.

    NOTE(review): the page rendering dropped gutter lines 6715, 6717, 6720,
    6723, 6725, 6740, 6748, 6751, 6754-6755, 6759-6760 and 6766 of this
    function; the ones that carry code (a connect() keyword argument —
    presumably where ca_file is used, since it is otherwise unused here —
    the guards before two bare raises and the tail of the second
    wait_event() call) are flagged below and not reconstructed.
    """
    prefix = "openssl_systemwide_policy"
    logfile = os.path.join(test_params['logdir'], prefix + '.log-wpas')
    pidfile = os.path.join(test_params['logdir'], prefix + '.pid-wpas')
    conffile = os.path.join(test_params['logdir'], prefix + '.conf')
    openssl_cnf = os.path.join(test_params['logdir'], prefix + '.openssl.cnf')
    # [gutter line 6715 dropped]
    # System-wide policy under test: TLS >= 1.2 and security level 2.
    write_openssl_cnf(openssl_cnf, "TLSv1.2", "DEFAULT@SECLEVEL=2")
    # [gutter line 6717 dropped]
    with open(conffile, 'w') as f:
        f.write("ctrl_interface=DIR=/var/run/wpa_supplicant\n")
    # [gutter line 6720 dropped]
    params = int_eap_server_params()
    # Leave the server only TLSv1.0 so that the TLSv1.2 system policy on the
    # client side cannot be satisfied.
    params['tls_flags'] = "[DISABLE-TLSv1.1][DISABLE-TLSv1.2][DISABLE-TLSv1.3]"
    # [gutter line 6723 dropped]
    hapd = hostapd.add_ap(apdev[0], params)
    # [gutter line 6725 dropped]
    # Prefer an alternative wpa_supplicant build from the log directory if
    # present, else the in-tree binary.
    prg = os.path.join(test_params['logdir'],
                       'alt-wpa_supplicant/wpa_supplicant/wpa_supplicant')
    if not os.path.exists(prg):
        prg = '../../wpa_supplicant/wpa_supplicant'
    # -B daemonize, -dd debug, -t timestamps, -K include key material in the
    # debug log: the log file written to logdir contains secrets and must be
    # handled accordingly.
    arg = [prg, '-BddtK', '-P', pidfile, '-f', logfile,
           '-Dnl80211', '-c', conffile, '-i', iface]
    logger.info("Start wpa_supplicant: " + str(arg))
    # env= replaces the whole environment: the child sees only OPENSSL_CONF
    # (no PATH etc.), which is fine since prg is an explicit path.
    subprocess.call(arg, env={'OPENSSL_CONF': openssl_cnf})
    wpas = WpaSupplicant(ifname=iface)
    if "PONG" not in wpas.request("PING"):
        raise Exception("Could not PING wpa_supplicant")
    tls = wpas.request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("Not using OpenSSL")
    # [gutter line 6740 dropped]
    # Use default configuration without any TLS version overrides. This should
    # end up using OpenSSL systemwide policy and result in failure to find a
    # compatible protocol version.
    ca_file = os.path.join(os.getcwd(), "auth_serv/ca.pem")
    id = wpas.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                      identity="pap user", anonymous_identity="ttls",
                      password="password", phase2="auth=PAP",
                      # [gutter line 6748 dropped: one more keyword argument,
                      #  presumably the ca_cert referencing ca_file]
                      scan_freq="2412", wait_connect=False)
    ev = wpas.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    # [gutter line 6751 dropped: the guard preceding this raise]
    raise Exception("EAP not started")
    # A local TLS alert is the expected outcome while the system policy is
    # in force; anything else means the OpenSSL build ignores the policy.
    ev = wpas.wait_event(["CTRL-EVENT-EAP-STATUS status='local TLS alert'"],
                         # [gutter lines 6754-6755 dropped: the rest of the
                         #  call and the guard preceding this skip]
    raise HwsimSkip("OpenSSL systemwide policy not supported")
    wpas.request("DISCONNECT")
    wpas.wait_disconnected()
    # [gutter lines 6759-6760 dropped]
    # Explicitly allow TLSv1.0 to be used to override OpenSSL systemwide policy
    wpas.set_network_quoted(id, "openssl_ciphers", "DEFAULT@SECLEVEL=1")
    wpas.set_network_quoted(id, "phase1", "tls_disable_tlsv1_0=0")
    wpas.select_network(id, freq="2412")
    wpas.wait_connected()
    # [gutter line 6766 dropped]
    # Normal-path shutdown of the separately started process; the caller's
    # pid-file cleanup covers the failure path.
    wpas.request("TERMINATE")