1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2019, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
13 logger
= logging
.getLogger()
20 import socketserver
as SocketServer
25 from hwsim
import HWSimRadio
27 from utils
import HwsimSkip
, alloc_fail
, fail_test
, skip_with_fips
, wait_fail_trigger
, require_under_vm
28 from wpasupplicant
import WpaSupplicant
29 from test_ap_psk
import check_mib
, find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
, set_test_assoc_ie
33 openssl_imported
= True
35 openssl_imported
= False
def check_hlr_auc_gw_support():
    """Skip the calling test when the hlr_auc_gw control socket is absent.

    The existence of the UNIX socket path is used as the indicator that the
    HLR/AuC gateway used by the EAP-SIM/AKA tests is available.

    Raises:
        HwsimSkip: if /tmp/hlr_auc_gw.sock does not exist.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
def check_eap_capa(dev, method):
    """Skip the calling test when the build does not provide EAP method *method*.

    Reads the "eap" capability list from *dev*; the HwsimSkip below is
    presumably raised only when *method* is not listed (see note).

    Raises:
        HwsimSkip: when the EAP capability check fails.
    """
    res = dev.get_capability("eap")
    # NOTE(review): the rendered listing drops original source line 43
    # between these two statements, so the guard for the raise below is not
    # visible here -- it presumably tests whether `method` appears in `res`.
    # Confirm against the original file before relying on this reading.
    raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip unless the station's TLS library is OpenSSL or wolfSSL.

    Raises:
        HwsimSkip: for any other library reported by ``GET tls_library``.
    """
    tls = dev.request("GET tls_library")
    supported = tls.startswith(("OpenSSL", "wolfSSL"))
    if not supported:
        raise HwsimSkip("subject_match not supported with this TLS library: " + tls)
def check_check_cert_subject_support(dev):
    """Skip unless the station's TLS library is OpenSSL.

    Raises:
        HwsimSkip: for any library whose name does not start with "OpenSSL".
    """
    tls = dev.request("GET tls_library")
    if tls.startswith("OpenSSL"):
        return
    raise HwsimSkip("check_cert_subject not supported with this TLS library: " + tls)
def check_altsubject_match_support(dev):
    """Skip unless the station's TLS library is OpenSSL or wolfSSL.

    Raises:
        HwsimSkip: for any other library reported by ``GET tls_library``.
    """
    tls = dev.request("GET tls_library")
    if tls.startswith(("OpenSSL", "wolfSSL")):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls)
def check_domain_match(dev):
    """Skip when the station uses the internal TLS implementation.

    Raises:
        HwsimSkip: if ``GET tls_library`` reports a name starting with "internal".
    """
    tls = dev.request("GET tls_library")
    uses_internal = tls.startswith("internal")
    if uses_internal:
        raise HwsimSkip("domain_match not supported with this TLS library: " + tls)
def check_domain_suffix_match(dev):
    """Skip when the station uses the internal TLS implementation.

    Raises:
        HwsimSkip: if ``GET tls_library`` reports a name starting with "internal".
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("internal"):
        return
    raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + tls)
def check_domain_match_full(dev):
    """Skip unless the station's TLS library is OpenSSL or wolfSSL.

    Raises:
        HwsimSkip: for any other library reported by ``GET tls_library``.
    """
    tls = dev.request("GET tls_library")
    full_match_ok = tls.startswith(("OpenSSL", "wolfSSL"))
    if not full_match_ok:
        raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls)
def check_cert_probe_support(dev):
    """Skip unless the station's TLS library is OpenSSL or the internal one.

    Raises:
        HwsimSkip: for any other library reported by ``GET tls_library``.
    """
    tls = dev.request("GET tls_library")
    if tls.startswith(("OpenSSL", "internal")):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls)
def check_ext_cert_check_support(dev):
    """Skip unless the station's TLS library is OpenSSL.

    Raises:
        HwsimSkip: for any library whose name does not start with "OpenSSL".
    """
    tls = dev.request("GET tls_library")
    is_openssl = tls.startswith("OpenSSL")
    if not is_openssl:
        raise HwsimSkip("ext_cert_check not supported with this TLS library: " + tls)
def check_ocsp_support(dev):
    """Skip when the station's TLS library is wolfSSL.

    Only wolfSSL is excluded; the internal TLS library and BoringSSL are not
    filtered out here.

    Raises:
        HwsimSkip: if ``GET tls_library`` reports a name starting with "wolfSSL".
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("wolfSSL"):
        return
    raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
def check_pkcs5_v15_support(dev):
    """Skip when the station's TLS library name mentions BoringSSL or GnuTLS.

    Raises:
        HwsimSkip: if either substring appears anywhere in the reported name.
    """
    tls = dev.request("GET tls_library")
    excluded = any(name in tls for name in ("BoringSSL", "GnuTLS"))
    if excluded:
        raise HwsimSkip("PKCS#5 v1.5 not supported with this TLS library: " + tls)
def check_ocsp_multi_support(dev):
    """Skip unless both the station and the authentication server use the
    internal TLS library.

    The station's library is read over its control interface; the server's
    is read from the hostapd instance named "as".

    Raises:
        HwsimSkip: if either side reports a library not starting with "internal".
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("internal"):
        raise HwsimSkip("OCSP-multi not supported with this TLS library: " + tls)
    as_hapd = hostapd.Hostapd("as")
    res = as_hapd.request("GET tls_library")
    # NOTE(review): the rendered listing drops original source line 106 here,
    # between the request and the check below; confirm against the original
    # file what that line does (it may release the as_hapd handle).
    if not res.startswith("internal"):
        raise HwsimSkip("Authentication server does not support ocsp_multi")
def check_pkcs12_support(dev):
    """Skip when the station's TLS library is wolfSSL.

    Only wolfSSL is excluded; the internal TLS library is not filtered out.

    Raises:
        HwsimSkip: if ``GET tls_library`` reports a name starting with "wolfSSL".
    """
    tls = dev.request("GET tls_library")
    is_wolfssl = tls.startswith("wolfSSL")
    if is_wolfssl:
        raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls)
def check_dh_dsa_support(dev):
    """Skip when the station uses the internal TLS implementation.

    Raises:
        HwsimSkip: if ``GET tls_library`` reports a name starting with "internal".
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("internal"):
        return
    raise HwsimSkip("DH DSA not supported with this TLS library: " + tls)
123 with
open(fname
, "r") as f
:
124 lines
= f
.readlines()
132 if "-----BEGIN" in l
:
134 return base64
.b64decode(cert
)
136 def eap_connect(dev
, hapd
, method
, identity
,
137 sha256
=False, expect_failure
=False, local_error_report
=False,
138 maybe_local_error
=False, report_failure
=False,
139 expect_cert_error
=None, **kwargs
):
140 id = dev
.connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
141 eap
=method
, identity
=identity
,
142 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
144 eap_check_auth(dev
, method
, True, sha256
=sha256
,
145 expect_failure
=expect_failure
,
146 local_error_report
=local_error_report
,
147 maybe_local_error
=maybe_local_error
,
148 report_failure
=report_failure
,
149 expect_cert_error
=expect_cert_error
)
153 ev
= hapd
.wait_event(["AP-STA-CONNECTED"], timeout
=5)
155 raise Exception("No connection event received from hostapd")
158 def eap_check_auth(dev
, method
, initial
, rsn
=True, sha256
=False,
159 expect_failure
=False, local_error_report
=False,
160 maybe_local_error
=False, report_failure
=False,
161 expect_cert_error
=None):
162 ev
= dev
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
164 raise Exception("Association and EAP start timed out")
165 ev
= dev
.wait_event(["CTRL-EVENT-EAP-METHOD",
166 "CTRL-EVENT-EAP-FAILURE"], timeout
=10)
168 raise Exception("EAP method selection timed out")
169 if "CTRL-EVENT-EAP-FAILURE" in ev
:
170 if maybe_local_error
:
172 raise Exception("Could not select EAP method")
174 raise Exception("Unexpected EAP method")
175 if expect_cert_error
is not None:
176 ev
= dev
.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
177 "CTRL-EVENT-EAP-FAILURE",
178 "CTRL-EVENT-EAP-SUCCESS"], timeout
=5)
179 if ev
is None or "reason=%d " % expect_cert_error
not in ev
:
180 raise Exception("Expected certificate error not reported")
182 ev
= dev
.wait_event(["CTRL-EVENT-EAP-FAILURE",
183 "CTRL-EVENT-EAP-SUCCESS"], timeout
=5)
185 raise Exception("EAP failure timed out")
186 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
187 raise Exception("Unexpected EAP success")
188 ev
= dev
.wait_disconnected(timeout
=10)
189 if maybe_local_error
and "locally_generated=1" in ev
:
191 if not local_error_report
:
192 if "reason=23" not in ev
:
193 raise Exception("Proper reason code for disconnection not reported")
196 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS",
197 "CTRL-EVENT-EAP-FAILURE"], timeout
=10)
199 raise Exception("EAP success timed out")
200 if "CTRL-EVENT-EAP-SUCCESS" not in ev
:
201 raise Exception("EAP failed")
203 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
205 raise Exception("EAP success timed out")
208 ev
= dev
.wait_event(["CTRL-EVENT-CONNECTED"], timeout
=10)
210 ev
= dev
.wait_event(["WPA: Key negotiation completed"], timeout
=10)
212 raise Exception("Association with the AP timed out")
213 status
= dev
.get_status()
214 if status
["wpa_state"] != "COMPLETED":
215 raise Exception("Connection not completed")
217 if status
["suppPortStatus"] != "Authorized":
218 raise Exception("Port not authorized")
219 if "selectedMethod" not in status
:
220 logger
.info("Status: " + str(status
))
221 raise Exception("No selectedMethod in status")
222 if method
not in status
["selectedMethod"]:
223 raise Exception("Incorrect EAP method status")
225 e
= "WPA2-EAP-SHA256"
227 e
= "WPA2/IEEE 802.1X/EAP"
229 e
= "WPA/IEEE 802.1X/EAP"
230 if status
["key_mgmt"] != e
:
231 raise Exception("Unexpected key_mgmt status: " + status
["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger EAP re-authentication on *dev* and validate the outcome.

    Issues REAUTHENTICATE over the control interface, then hands the
    event checking to eap_check_auth() with initial=False.

    Args:
        dev: the wpa_supplicant instance under test.
        method: expected EAP method name.
        rsn: forwarded to eap_check_auth().
        sha256: forwarded to eap_check_auth().
        expect_failure: forwarded to eap_check_auth().

    Returns:
        The value returned by eap_check_auth().
    """
    dev.request("REAUTHENTICATE")
    outcome = eap_check_auth(dev, method, False,
                             rsn=rsn, sha256=sha256,
                             expect_failure=expect_failure)
    return outcome
239 def test_ap_wpa2_eap_sim(dev
, apdev
):
240 """WPA2-Enterprise connection using EAP-SIM"""
241 check_hlr_auc_gw_support()
242 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
243 hapd
= hostapd
.add_ap(apdev
[0], params
)
244 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
245 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
246 hwsim_utils
.test_connectivity(dev
[0], hapd
)
247 eap_reauth(dev
[0], "SIM")
249 eap_connect(dev
[1], hapd
, "SIM", "1232010000000001",
250 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
251 eap_connect(dev
[2], hapd
, "SIM", "1232010000000002",
252 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
255 logger
.info("Negative test with incorrect key")
256 dev
[0].request("REMOVE_NETWORK all")
257 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
258 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
261 logger
.info("Invalid GSM-Milenage key")
262 dev
[0].request("REMOVE_NETWORK all")
263 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
264 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
267 logger
.info("Invalid GSM-Milenage key(2)")
268 dev
[0].request("REMOVE_NETWORK all")
269 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
270 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
273 logger
.info("Invalid GSM-Milenage key(3)")
274 dev
[0].request("REMOVE_NETWORK all")
275 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
276 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
279 logger
.info("Invalid GSM-Milenage key(4)")
280 dev
[0].request("REMOVE_NETWORK all")
281 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
282 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
285 logger
.info("Missing key configuration")
286 dev
[0].request("REMOVE_NETWORK all")
287 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
290 def test_ap_wpa2_eap_sim_sql(dev
, apdev
, params
):
291 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
292 check_hlr_auc_gw_support()
296 raise HwsimSkip("No sqlite3 module available")
297 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
298 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
299 params
['auth_server_port'] = "1814"
300 hapd
= hostapd
.add_ap(apdev
[0], params
)
301 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
302 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
304 logger
.info("SIM fast re-authentication")
305 eap_reauth(dev
[0], "SIM")
307 logger
.info("SIM full auth with pseudonym")
310 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
311 eap_reauth(dev
[0], "SIM")
313 logger
.info("SIM full auth with permanent identity")
316 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
317 cur
.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
318 eap_reauth(dev
[0], "SIM")
320 logger
.info("SIM reauth with mismatching MK")
323 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
324 eap_reauth(dev
[0], "SIM", expect_failure
=True)
325 dev
[0].request("REMOVE_NETWORK all")
327 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
328 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
331 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
332 eap_reauth(dev
[0], "SIM")
335 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
336 logger
.info("SIM reauth with mismatching counter")
337 eap_reauth(dev
[0], "SIM")
338 dev
[0].request("REMOVE_NETWORK all")
340 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
341 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
344 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
345 logger
.info("SIM reauth with max reauth count reached")
346 eap_reauth(dev
[0], "SIM")
348 def test_ap_wpa2_eap_sim_config(dev
, apdev
):
349 """EAP-SIM configuration options"""
350 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
351 hapd
= hostapd
.add_ap(apdev
[0], params
)
352 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
353 identity
="1232010000000000",
354 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
355 phase1
="sim_min_num_chal=1",
356 wait_connect
=False, scan_freq
="2412")
357 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
359 raise Exception("No EAP error message seen")
360 dev
[0].request("REMOVE_NETWORK all")
362 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
363 identity
="1232010000000000",
364 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
365 phase1
="sim_min_num_chal=4",
366 wait_connect
=False, scan_freq
="2412")
367 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
369 raise Exception("No EAP error message seen (2)")
370 dev
[0].request("REMOVE_NETWORK all")
372 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
373 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
374 phase1
="sim_min_num_chal=2")
375 eap_connect(dev
[1], hapd
, "SIM", "1232010000000000",
376 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
377 anonymous_identity
="345678")
379 def test_ap_wpa2_eap_sim_ext(dev
, apdev
):
380 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
382 _test_ap_wpa2_eap_sim_ext(dev
, apdev
)
384 dev
[0].request("SET external_sim 0")
386 def _test_ap_wpa2_eap_sim_ext(dev
, apdev
):
387 check_hlr_auc_gw_support()
388 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
389 hostapd
.add_ap(apdev
[0], params
)
390 dev
[0].request("SET external_sim 1")
391 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
392 identity
="1232010000000000",
393 wait_connect
=False, scan_freq
="2412")
394 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
396 raise Exception("Network connected timed out")
398 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
400 raise Exception("Wait for external SIM processing request timed out")
402 if p
[1] != "GSM-AUTH":
403 raise Exception("Unexpected CTRL-REQ-SIM type")
404 rid
= p
[0].split('-')[3]
407 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
408 # This will fail during processing, but the ctrl_iface command succeeds
409 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTH:" + resp
)
410 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
412 raise Exception("EAP failure not reported")
413 dev
[0].request("DISCONNECT")
414 dev
[0].wait_disconnected()
417 dev
[0].select_network(id, freq
="2412")
418 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
420 raise Exception("Wait for external SIM processing request timed out")
422 if p
[1] != "GSM-AUTH":
423 raise Exception("Unexpected CTRL-REQ-SIM type")
424 rid
= p
[0].split('-')[3]
425 # This will fail during GSM auth validation
426 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:q"):
427 raise Exception("CTRL-RSP-SIM failed")
428 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
430 raise Exception("EAP failure not reported")
431 dev
[0].request("DISCONNECT")
432 dev
[0].wait_disconnected()
435 dev
[0].select_network(id, freq
="2412")
436 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
438 raise Exception("Wait for external SIM processing request timed out")
440 if p
[1] != "GSM-AUTH":
441 raise Exception("Unexpected CTRL-REQ-SIM type")
442 rid
= p
[0].split('-')[3]
443 # This will fail during GSM auth validation
444 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:34"):
445 raise Exception("CTRL-RSP-SIM failed")
446 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
448 raise Exception("EAP failure not reported")
449 dev
[0].request("DISCONNECT")
450 dev
[0].wait_disconnected()
453 dev
[0].select_network(id, freq
="2412")
454 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
456 raise Exception("Wait for external SIM processing request timed out")
458 if p
[1] != "GSM-AUTH":
459 raise Exception("Unexpected CTRL-REQ-SIM type")
460 rid
= p
[0].split('-')[3]
461 # This will fail during GSM auth validation
462 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677"):
463 raise Exception("CTRL-RSP-SIM failed")
464 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
466 raise Exception("EAP failure not reported")
467 dev
[0].request("DISCONNECT")
468 dev
[0].wait_disconnected()
471 dev
[0].select_network(id, freq
="2412")
472 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
474 raise Exception("Wait for external SIM processing request timed out")
476 if p
[1] != "GSM-AUTH":
477 raise Exception("Unexpected CTRL-REQ-SIM type")
478 rid
= p
[0].split('-')[3]
479 # This will fail during GSM auth validation
480 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:q"):
481 raise Exception("CTRL-RSP-SIM failed")
482 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
484 raise Exception("EAP failure not reported")
485 dev
[0].request("DISCONNECT")
486 dev
[0].wait_disconnected()
489 dev
[0].select_network(id, freq
="2412")
490 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
492 raise Exception("Wait for external SIM processing request timed out")
494 if p
[1] != "GSM-AUTH":
495 raise Exception("Unexpected CTRL-REQ-SIM type")
496 rid
= p
[0].split('-')[3]
497 # This will fail during GSM auth validation
498 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233"):
499 raise Exception("CTRL-RSP-SIM failed")
500 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
502 raise Exception("EAP failure not reported")
503 dev
[0].request("DISCONNECT")
504 dev
[0].wait_disconnected()
507 dev
[0].select_network(id, freq
="2412")
508 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
510 raise Exception("Wait for external SIM processing request timed out")
512 if p
[1] != "GSM-AUTH":
513 raise Exception("Unexpected CTRL-REQ-SIM type")
514 rid
= p
[0].split('-')[3]
515 # This will fail during GSM auth validation
516 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233:q"):
517 raise Exception("CTRL-RSP-SIM failed")
518 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
520 raise Exception("EAP failure not reported")
522 def test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
):
523 """EAP-SIM with external GSM auth and replacing SIM without clearing pseudonym id"""
525 _test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
)
527 dev
[0].request("SET external_sim 0")
529 def _test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
):
530 check_hlr_auc_gw_support()
531 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
532 hostapd
.add_ap(apdev
[0], params
)
533 dev
[0].request("SET external_sim 1")
534 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
535 identity
="1232010000000000",
536 wait_connect
=False, scan_freq
="2412")
538 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
540 raise Exception("Wait for external SIM processing request timed out")
542 if p
[1] != "GSM-AUTH":
543 raise Exception("Unexpected CTRL-REQ-SIM type")
544 rid
= p
[0].split('-')[3]
545 rand
= p
[2].split(' ')[0]
547 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
549 "auth_serv/hlr_auc_gw.milenage_db",
550 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
551 if "GSM-AUTH-RESP" not in res
:
552 raise Exception("Unexpected hlr_auc_gw response")
553 resp
= res
.split(' ')[2].rstrip()
555 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
556 dev
[0].wait_connected(timeout
=15)
557 dev
[0].request("DISCONNECT")
558 dev
[0].wait_disconnected()
560 # Replace SIM, but forget to drop the previous pseudonym identity
561 dev
[0].set_network_quoted(id, "identity", "1232010000000009")
562 dev
[0].select_network(id, freq
="2412")
564 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
566 raise Exception("Wait for external SIM processing request timed out")
568 if p
[1] != "GSM-AUTH":
569 raise Exception("Unexpected CTRL-REQ-SIM type")
570 rid
= p
[0].split('-')[3]
571 rand
= p
[2].split(' ')[0]
573 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
575 "auth_serv/hlr_auc_gw.milenage_db",
576 "GSM-AUTH-REQ 232010000000009 " + rand
]).decode()
577 if "GSM-AUTH-RESP" not in res
:
578 raise Exception("Unexpected hlr_auc_gw response")
579 resp
= res
.split(' ')[2].rstrip()
581 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
582 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
584 raise Exception("EAP-Failure not reported")
585 dev
[0].request("DISCONNECT")
586 dev
[0].wait_disconnected()
588 def test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
):
589 """EAP-SIM with external GSM auth and replacing SIM and clearing pseudonym identity"""
591 _test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
)
593 dev
[0].request("SET external_sim 0")
595 def _test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
):
596 check_hlr_auc_gw_support()
597 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
598 hostapd
.add_ap(apdev
[0], params
)
599 dev
[0].request("SET external_sim 1")
600 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
601 identity
="1232010000000000",
602 wait_connect
=False, scan_freq
="2412")
604 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
606 raise Exception("Wait for external SIM processing request timed out")
608 if p
[1] != "GSM-AUTH":
609 raise Exception("Unexpected CTRL-REQ-SIM type")
610 rid
= p
[0].split('-')[3]
611 rand
= p
[2].split(' ')[0]
613 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
615 "auth_serv/hlr_auc_gw.milenage_db",
616 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
617 if "GSM-AUTH-RESP" not in res
:
618 raise Exception("Unexpected hlr_auc_gw response")
619 resp
= res
.split(' ')[2].rstrip()
621 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
622 dev
[0].wait_connected(timeout
=15)
623 dev
[0].request("DISCONNECT")
624 dev
[0].wait_disconnected()
626 # Replace SIM and drop the previous pseudonym identity
627 dev
[0].set_network_quoted(id, "identity", "1232010000000009")
628 dev
[0].set_network(id, "anonymous_identity", "NULL")
629 dev
[0].select_network(id, freq
="2412")
631 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
633 raise Exception("Wait for external SIM processing request timed out")
635 if p
[1] != "GSM-AUTH":
636 raise Exception("Unexpected CTRL-REQ-SIM type")
637 rid
= p
[0].split('-')[3]
638 rand
= p
[2].split(' ')[0]
640 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
642 "auth_serv/hlr_auc_gw.milenage_db",
643 "GSM-AUTH-REQ 232010000000009 " + rand
]).decode()
644 if "GSM-AUTH-RESP" not in res
:
645 raise Exception("Unexpected hlr_auc_gw response")
646 resp
= res
.split(' ')[2].rstrip()
648 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
649 dev
[0].wait_connected()
650 dev
[0].request("DISCONNECT")
651 dev
[0].wait_disconnected()
653 def test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
):
654 """EAP-SIM with external GSM auth, replacing SIM, and no identity in config"""
656 _test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
)
658 dev
[0].request("SET external_sim 0")
660 def _test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
):
661 check_hlr_auc_gw_support()
662 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
663 hostapd
.add_ap(apdev
[0], params
)
664 dev
[0].request("SET external_sim 1")
665 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
666 wait_connect
=False, scan_freq
="2412")
668 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
670 raise Exception("Request for identity timed out")
671 rid
= ev
.split(':')[0].split('-')[-1]
672 dev
[0].request("CTRL-RSP-IDENTITY-" + rid
+ ":1232010000000000")
674 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
676 raise Exception("Wait for external SIM processing request timed out")
678 if p
[1] != "GSM-AUTH":
679 raise Exception("Unexpected CTRL-REQ-SIM type")
680 rid
= p
[0].split('-')[3]
681 rand
= p
[2].split(' ')[0]
683 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
685 "auth_serv/hlr_auc_gw.milenage_db",
686 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
687 if "GSM-AUTH-RESP" not in res
:
688 raise Exception("Unexpected hlr_auc_gw response")
689 resp
= res
.split(' ')[2].rstrip()
691 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
692 dev
[0].wait_connected(timeout
=15)
693 dev
[0].request("DISCONNECT")
694 dev
[0].wait_disconnected()
696 # Replace SIM and drop the previous permanent and pseudonym identities
697 dev
[0].set_network(id, "identity", "NULL")
698 dev
[0].set_network(id, "anonymous_identity", "NULL")
699 dev
[0].select_network(id, freq
="2412")
701 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
703 raise Exception("Request for identity timed out")
704 rid
= ev
.split(':')[0].split('-')[-1]
705 dev
[0].request("CTRL-RSP-IDENTITY-" + rid
+ ":1232010000000009")
707 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
709 raise Exception("Wait for external SIM processing request timed out")
711 if p
[1] != "GSM-AUTH":
712 raise Exception("Unexpected CTRL-REQ-SIM type")
713 rid
= p
[0].split('-')[3]
714 rand
= p
[2].split(' ')[0]
716 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
718 "auth_serv/hlr_auc_gw.milenage_db",
719 "GSM-AUTH-REQ 232010000000009 " + rand
]).decode()
720 if "GSM-AUTH-RESP" not in res
:
721 raise Exception("Unexpected hlr_auc_gw response")
722 resp
= res
.split(' ')[2].rstrip()
724 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
725 dev
[0].wait_connected()
726 dev
[0].request("DISCONNECT")
727 dev
[0].wait_disconnected()
729 def test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
):
730 """EAP-SIM with external GSM auth and auth failing"""
732 _test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
)
734 dev
[0].request("SET external_sim 0")
736 def _test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
):
737 check_hlr_auc_gw_support()
738 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
739 hostapd
.add_ap(apdev
[0], params
)
740 dev
[0].request("SET external_sim 1")
741 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
742 identity
="1232010000000000",
743 wait_connect
=False, scan_freq
="2412")
745 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
747 raise Exception("Wait for external SIM processing request timed out")
749 rid
= p
[0].split('-')[3]
750 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-FAIL")
751 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
753 raise Exception("EAP failure not reported")
754 dev
[0].request("REMOVE_NETWORK all")
755 dev
[0].wait_disconnected()
757 def test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
):
758 """EAP-SIM and external GSM auth to check fast reauth with bssid change"""
760 _test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
)
762 dev
[0].request("SET external_sim 0")
764 def _test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
):
765 check_hlr_auc_gw_support()
766 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
767 hostapd
.add_ap(apdev
[0], params
)
768 dev
[0].request("SET external_sim 1")
769 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
770 identity
="1232010000000000",
771 wait_connect
=False, scan_freq
="2412")
773 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
775 raise Exception("Wait for external SIM processing request timed out")
777 if p
[1] != "GSM-AUTH":
778 raise Exception("Unexpected CTRL-REQ-SIM type")
779 rid
= p
[0].split('-')[3]
780 rand
= p
[2].split(' ')[0]
782 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
784 "auth_serv/hlr_auc_gw.milenage_db",
785 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
786 if "GSM-AUTH-RESP" not in res
:
787 raise Exception("Unexpected hlr_auc_gw response")
788 resp
= res
.split(' ')[2].rstrip()
790 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
791 dev
[0].wait_connected(timeout
=15)
793 # Verify that EAP-SIM Reauthentication can be used after a profile change
794 # that does not affect EAP parameters.
795 dev
[0].set_network(id, "bssid", "any")
796 eap_reauth(dev
[0], "SIM")
798 def test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
):
799 """EAP-SIM and external GSM auth to check fast reauth with no-change SET_NETWORK"""
801 _test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
)
803 dev
[0].request("SET external_sim 0")
805 def _test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
):
806 check_hlr_auc_gw_support()
807 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
808 hostapd
.add_ap(apdev
[0], params
)
809 dev
[0].request("SET external_sim 1")
810 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
811 identity
="1232010000000000",
812 wait_connect
=False, scan_freq
="2412")
814 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
816 raise Exception("Wait for external SIM processing request timed out")
818 if p
[1] != "GSM-AUTH":
819 raise Exception("Unexpected CTRL-REQ-SIM type")
820 rid
= p
[0].split('-')[3]
821 rand
= p
[2].split(' ')[0]
823 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
825 "auth_serv/hlr_auc_gw.milenage_db",
826 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
827 if "GSM-AUTH-RESP" not in res
:
828 raise Exception("Unexpected hlr_auc_gw response")
829 resp
= res
.split(' ')[2].rstrip()
831 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
832 dev
[0].wait_connected(timeout
=15)
834 # Verify that EAP-SIM Reauthentication can be used after network profile
835 # SET_NETWORK commands that do not actually change previously set
837 dev
[0].set_network(id, "key_mgmt", "WPA-EAP")
838 dev
[0].set_network(id, "eap", "SIM")
839 dev
[0].set_network_quoted(id, "identity", "1232010000000000")
840 dev
[0].set_network_quoted(id, "ssid", "test-wpa2-eap")
841 eap_reauth(dev
[0], "SIM")
843 def test_ap_wpa2_eap_sim_ext_anonymous(dev
, apdev
):
844 """EAP-SIM with external GSM auth and anonymous identity"""
845 check_hlr_auc_gw_support()
846 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
847 hostapd
.add_ap(apdev
[0], params
)
849 run_ap_wpa2_eap_sim_ext_anonymous(dev
, "anonymous@example.org")
850 run_ap_wpa2_eap_sim_ext_anonymous(dev
, "@example.org")
852 dev
[0].request("SET external_sim 0")
854 def run_ap_wpa2_eap_sim_ext_anonymous(dev
, anon
):
855 dev
[0].request("SET external_sim 1")
856 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
857 identity
="1232010000000000",
858 anonymous_identity
=anon
,
859 wait_connect
=False, scan_freq
="2412")
861 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
863 raise Exception("Wait for external SIM processing request timed out")
865 if p
[1] != "GSM-AUTH":
866 raise Exception("Unexpected CTRL-REQ-SIM type")
867 rid
= p
[0].split('-')[3]
868 rand
= p
[2].split(' ')[0]
870 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
872 "auth_serv/hlr_auc_gw.milenage_db",
873 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
874 if "GSM-AUTH-RESP" not in res
:
875 raise Exception("Unexpected hlr_auc_gw response")
876 resp
= res
.split(' ')[2].rstrip()
878 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
879 dev
[0].wait_connected(timeout
=5)
880 dev
[0].request("REMOVE_NETWORK all")
881 dev
[0].wait_disconnected()
882 dev
[0].dump_monitor()
884 def test_ap_wpa2_eap_sim_oom(dev
, apdev
):
885 """EAP-SIM and OOM"""
886 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
887 hostapd
.add_ap(apdev
[0], params
)
888 tests
= [(1, "milenage_f2345"),
889 (2, "milenage_f2345"),
890 (3, "milenage_f2345"),
891 (4, "milenage_f2345"),
892 (5, "milenage_f2345"),
893 (6, "milenage_f2345"),
894 (7, "milenage_f2345"),
895 (8, "milenage_f2345"),
896 (9, "milenage_f2345"),
897 (10, "milenage_f2345"),
898 (11, "milenage_f2345"),
899 (12, "milenage_f2345")]
900 for count
, func
in tests
:
901 with
fail_test(dev
[0], count
, func
):
902 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
903 identity
="1232010000000000",
904 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
905 wait_connect
=False, scan_freq
="2412")
906 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
908 raise Exception("EAP method not selected")
909 dev
[0].wait_disconnected()
910 dev
[0].request("REMOVE_NETWORK all")
912 def test_ap_wpa2_eap_aka(dev
, apdev
):
913 """WPA2-Enterprise connection using EAP-AKA"""
914 check_hlr_auc_gw_support()
915 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
916 hapd
= hostapd
.add_ap(apdev
[0], params
)
917 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
918 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
919 hwsim_utils
.test_connectivity(dev
[0], hapd
)
920 eap_reauth(dev
[0], "AKA")
922 logger
.info("Negative test with incorrect key")
923 dev
[0].request("REMOVE_NETWORK all")
924 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
925 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
928 logger
.info("Invalid Milenage key")
929 dev
[0].request("REMOVE_NETWORK all")
930 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
931 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
934 logger
.info("Invalid Milenage key(2)")
935 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
936 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
939 logger
.info("Invalid Milenage key(3)")
940 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
941 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
944 logger
.info("Invalid Milenage key(4)")
945 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
946 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
949 logger
.info("Invalid Milenage key(5)")
950 dev
[0].request("REMOVE_NETWORK all")
951 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
952 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
955 logger
.info("Invalid Milenage key(6)")
956 dev
[0].request("REMOVE_NETWORK all")
957 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
958 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
961 logger
.info("Missing key configuration")
962 dev
[0].request("REMOVE_NETWORK all")
963 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
966 def test_ap_wpa2_eap_aka_sql(dev
, apdev
, params
):
967 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
968 check_hlr_auc_gw_support()
972 raise HwsimSkip("No sqlite3 module available")
973 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
974 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
975 params
['auth_server_port'] = "1814"
976 hapd
= hostapd
.add_ap(apdev
[0], params
)
977 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
978 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
980 logger
.info("AKA fast re-authentication")
981 eap_reauth(dev
[0], "AKA")
983 logger
.info("AKA full auth with pseudonym")
986 cur
.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
987 eap_reauth(dev
[0], "AKA")
989 logger
.info("AKA full auth with permanent identity")
992 cur
.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
993 cur
.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
994 eap_reauth(dev
[0], "AKA")
996 logger
.info("AKA reauth with mismatching MK")
999 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
1000 eap_reauth(dev
[0], "AKA", expect_failure
=True)
1001 dev
[0].request("REMOVE_NETWORK all")
1003 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
1004 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
1007 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
1008 eap_reauth(dev
[0], "AKA")
1011 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
1012 logger
.info("AKA reauth with mismatching counter")
1013 eap_reauth(dev
[0], "AKA")
1014 dev
[0].request("REMOVE_NETWORK all")
1016 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
1017 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
1020 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
1021 logger
.info("AKA reauth with max reauth count reached")
1022 eap_reauth(dev
[0], "AKA")
1024 def test_ap_wpa2_eap_aka_config(dev
, apdev
):
1025 """EAP-AKA configuration options"""
1026 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1027 hapd
= hostapd
.add_ap(apdev
[0], params
)
1028 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
1029 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1030 anonymous_identity
="2345678")
1032 def test_ap_wpa2_eap_aka_ext(dev
, apdev
):
1033 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
1035 _test_ap_wpa2_eap_aka_ext(dev
, apdev
)
1037 dev
[0].request("SET external_sim 0")
1039 def _test_ap_wpa2_eap_aka_ext(dev
, apdev
):
1040 check_hlr_auc_gw_support()
1041 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1042 hostapd
.add_ap(apdev
[0], params
)
1043 dev
[0].request("SET external_sim 1")
1044 id = dev
[0].connect("test-wpa2-eap", eap
="AKA", key_mgmt
="WPA-EAP",
1045 identity
="0232010000000000",
1046 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1047 wait_connect
=False, scan_freq
="2412")
1048 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
1050 raise Exception("Network connected timed out")
1052 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1054 raise Exception("Wait for external SIM processing request timed out")
1055 p
= ev
.split(':', 2)
1056 if p
[1] != "UMTS-AUTH":
1057 raise Exception("Unexpected CTRL-REQ-SIM type")
1058 rid
= p
[0].split('-')[3]
1061 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
1062 # This will fail during processing, but the ctrl_iface command succeeds
1063 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
1064 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
1066 raise Exception("EAP failure not reported")
1067 dev
[0].request("DISCONNECT")
1068 dev
[0].wait_disconnected()
1070 dev
[0].dump_monitor()
1072 dev
[0].select_network(id, freq
="2412")
1073 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1075 raise Exception("Wait for external SIM processing request timed out")
1076 p
= ev
.split(':', 2)
1077 if p
[1] != "UMTS-AUTH":
1078 raise Exception("Unexpected CTRL-REQ-SIM type")
1079 rid
= p
[0].split('-')[3]
1080 # This will fail during UMTS auth validation
1081 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:112233445566778899aabbccddee"):
1082 raise Exception("CTRL-RSP-SIM failed")
1083 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1085 raise Exception("Wait for external SIM processing request timed out")
1086 p
= ev
.split(':', 2)
1087 if p
[1] != "UMTS-AUTH":
1088 raise Exception("Unexpected CTRL-REQ-SIM type")
1089 rid
= p
[0].split('-')[3]
1090 # This will fail during UMTS auth validation
1091 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:12"):
1092 raise Exception("CTRL-RSP-SIM failed")
1093 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
1095 raise Exception("EAP failure not reported")
1096 dev
[0].request("DISCONNECT")
1097 dev
[0].wait_disconnected()
1099 dev
[0].dump_monitor()
1101 tests
= [":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
1103 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
1104 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
1105 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
1106 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
1107 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q"]
1109 dev
[0].select_network(id, freq
="2412")
1110 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1112 raise Exception("Wait for external SIM processing request timed out")
1113 p
= ev
.split(':', 2)
1114 if p
[1] != "UMTS-AUTH":
1115 raise Exception("Unexpected CTRL-REQ-SIM type")
1116 rid
= p
[0].split('-')[3]
1117 # This will fail during UMTS auth validation
1118 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ t
):
1119 raise Exception("CTRL-RSP-SIM failed")
1120 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
1122 raise Exception("EAP failure not reported")
1123 dev
[0].request("DISCONNECT")
1124 dev
[0].wait_disconnected()
1126 dev
[0].dump_monitor()
1128 def test_ap_wpa2_eap_aka_ext_auth_fail(dev
, apdev
):
1129 """EAP-AKA with external UMTS auth and auth failing"""
1131 _test_ap_wpa2_eap_aka_ext_auth_fail(dev
, apdev
)
1133 dev
[0].request("SET external_sim 0")
1135 def _test_ap_wpa2_eap_aka_ext_auth_fail(dev
, apdev
):
1136 check_hlr_auc_gw_support()
1137 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1138 hostapd
.add_ap(apdev
[0], params
)
1139 dev
[0].request("SET external_sim 1")
1140 id = dev
[0].connect("test-wpa2-eap", eap
="AKA", key_mgmt
="WPA-EAP",
1141 identity
="0232010000000000",
1142 wait_connect
=False, scan_freq
="2412")
1144 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1146 raise Exception("Wait for external SIM processing request timed out")
1147 p
= ev
.split(':', 2)
1148 rid
= p
[0].split('-')[3]
1149 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-FAIL")
1150 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
1152 raise Exception("EAP failure not reported")
1153 dev
[0].request("REMOVE_NETWORK all")
1154 dev
[0].wait_disconnected()
1156 def test_ap_wpa2_eap_aka_prime(dev
, apdev
):
1157 """WPA2-Enterprise connection using EAP-AKA'"""
1158 check_hlr_auc_gw_support()
1159 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1160 hapd
= hostapd
.add_ap(apdev
[0], params
)
1161 eap_connect(dev
[0], hapd
, "AKA'", "6555444333222111",
1162 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1163 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1164 eap_reauth(dev
[0], "AKA'")
1166 logger
.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
1167 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="AKA' AKA",
1168 identity
="6555444333222111@both",
1169 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
1170 wait_connect
=False, scan_freq
="2412")
1171 dev
[1].wait_connected(timeout
=15)
1173 logger
.info("Negative test with incorrect key")
1174 dev
[0].request("REMOVE_NETWORK all")
1175 eap_connect(dev
[0], hapd
, "AKA'", "6555444333222111",
1176 password
="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
1177 expect_failure
=True)
1179 def test_ap_wpa2_eap_aka_prime_sql(dev
, apdev
, params
):
1180 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
1181 check_hlr_auc_gw_support()
1185 raise HwsimSkip("No sqlite3 module available")
1186 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
1187 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1188 params
['auth_server_port'] = "1814"
1189 hapd
= hostapd
.add_ap(apdev
[0], params
)
1190 eap_connect(dev
[0], hapd
, "AKA'", "6555444333222111",
1191 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1193 logger
.info("AKA' fast re-authentication")
1194 eap_reauth(dev
[0], "AKA'")
1196 logger
.info("AKA' full auth with pseudonym")
1199 cur
.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
1200 eap_reauth(dev
[0], "AKA'")
1202 logger
.info("AKA' full auth with permanent identity")
1205 cur
.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
1206 cur
.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
1207 eap_reauth(dev
[0], "AKA'")
1209 logger
.info("AKA' reauth with mismatching k_aut")
1212 cur
.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
1213 eap_reauth(dev
[0], "AKA'", expect_failure
=True)
1214 dev
[0].request("REMOVE_NETWORK all")
1216 eap_connect(dev
[0], hapd
, "AKA'", "6555444333222111",
1217 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1220 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
1221 eap_reauth(dev
[0], "AKA'")
1224 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
1225 logger
.info("AKA' reauth with mismatching counter")
1226 eap_reauth(dev
[0], "AKA'")
1227 dev
[0].request("REMOVE_NETWORK all")
1229 eap_connect(dev
[0], hapd
, "AKA'", "6555444333222111",
1230 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1233 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
1234 logger
.info("AKA' reauth with max reauth count reached")
1235 eap_reauth(dev
[0], "AKA'")
1237 def test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev
, apdev
):
1238 """EAP-AKA' with external UMTS auth and auth failing"""
1240 _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev
, apdev
)
1242 dev
[0].request("SET external_sim 0")
1244 def _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev
, apdev
):
1245 check_hlr_auc_gw_support()
1246 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1247 hostapd
.add_ap(apdev
[0], params
)
1248 dev
[0].request("SET external_sim 1")
1249 id = dev
[0].connect("test-wpa2-eap", eap
="AKA'", key_mgmt
="WPA-EAP",
1250 identity
="6555444333222111",
1251 wait_connect
=False, scan_freq
="2412")
1253 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1255 raise Exception("Wait for external SIM processing request timed out")
1256 p
= ev
.split(':', 2)
1257 rid
= p
[0].split('-')[3]
1258 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-FAIL")
1259 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
1261 raise Exception("EAP failure not reported")
1262 dev
[0].request("REMOVE_NETWORK all")
1263 dev
[0].wait_disconnected()
1265 def test_ap_wpa2_eap_aka_prime_ext(dev
, apdev
):
1266 """EAP-AKA' with external UMTS auth to hit Synchronization-Failure"""
1268 _test_ap_wpa2_eap_aka_prime_ext(dev
, apdev
)
1270 dev
[0].request("SET external_sim 0")
1272 def _test_ap_wpa2_eap_aka_prime_ext(dev
, apdev
):
1273 check_hlr_auc_gw_support()
1274 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1275 hostapd
.add_ap(apdev
[0], params
)
1276 dev
[0].request("SET external_sim 1")
1277 id = dev
[0].connect("test-wpa2-eap", eap
="AKA'", key_mgmt
="WPA-EAP",
1278 identity
="6555444333222111",
1279 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1280 wait_connect
=False, scan_freq
="2412")
1281 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
1283 raise Exception("Network connected timed out")
1285 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1287 raise Exception("Wait for external SIM processing request timed out")
1288 p
= ev
.split(':', 2)
1289 if p
[1] != "UMTS-AUTH":
1290 raise Exception("Unexpected CTRL-REQ-SIM type")
1291 rid
= p
[0].split('-')[3]
1292 # This will fail during UMTS auth validation
1293 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:112233445566778899aabbccddee"):
1294 raise Exception("CTRL-RSP-SIM failed")
1295 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1297 raise Exception("Wait for external SIM processing request timed out")
1299 def test_ap_wpa2_eap_ttls_pap(dev
, apdev
):
1300 """WPA2-Enterprise connection using EAP-TTLS/PAP"""
1301 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1302 hapd
= hostapd
.add_ap(apdev
[0], params
)
1303 key_mgmt
= hapd
.get_config()['key_mgmt']
1304 if key_mgmt
.split(' ')[0] != "WPA-EAP":
1305 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt
)
1306 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
1307 anonymous_identity
="ttls", password
="password",
1308 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
1309 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1310 eap_reauth(dev
[0], "TTLS")
1311 check_mib(dev
[0], [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
1312 ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")])
1314 def test_ap_wpa2_eap_ttls_pap_subject_match(dev
, apdev
):
1315 """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
1316 check_subject_match_support(dev
[0])
1317 check_altsubject_match_support(dev
[0])
1318 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1319 hapd
= hostapd
.add_ap(apdev
[0], params
)
1320 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
1321 anonymous_identity
="ttls", password
="password",
1322 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
1323 subject_match
="/C=FI/O=w1.fi/CN=server.w1.fi",
1324 altsubject_match
="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
1325 eap_reauth(dev
[0], "TTLS")
1327 def test_ap_wpa2_eap_ttls_pap_check_cert_subject(dev
, apdev
):
1328 """EAP-TTLS/PAP and check_cert_subject"""
1329 check_check_cert_subject_support(dev
[0])
1330 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1331 hapd
= hostapd
.add_ap(apdev
[0], params
)
1332 tests
= ["C=FI/O=w1.fi/CN=server.w1.fi",
1334 "C=FI/CN=server.w1.fi",
1335 "O=w1.fi/CN=server.w1.fi",
1342 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
1343 anonymous_identity
="ttls", password
="password",
1344 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
1345 check_cert_subject
=test
)
1346 dev
[0].request("REMOVE_NETWORK all")
1347 dev
[0].wait_disconnected()
1348 dev
[0].dump_monitor()
1350 def test_ap_wpa2_eap_ttls_pap_check_cert_subject_neg(dev
, apdev
):
1351 """EAP-TTLS/PAP and check_cert_subject (negative)"""
1352 check_check_cert_subject_support(dev
[0])
1353 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1354 hapd
= hostapd
.add_ap(apdev
[0], params
)
1364 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
1365 anonymous_identity
="ttls", password
="password",
1366 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
1367 expect_failure
=True, expect_cert_error
=12,
1368 check_cert_subject
=test
)
1369 dev
[0].request("REMOVE_NETWORK all")
1370 dev
[0].dump_monitor()
1372 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev
, apdev
):
1373 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
1374 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1375 hapd
= hostapd
.add_ap(apdev
[0], params
)
1376 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
1377 anonymous_identity
="ttls", password
="wrong",
1378 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
1379 expect_failure
=True)
1380 eap_connect(dev
[1], hapd
, "TTLS", "user",
1381 anonymous_identity
="ttls", password
="password",
1382 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
1383 expect_failure
=True)
1385 def test_ap_wpa2_eap_ttls_chap(dev
, apdev
):
1386 """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
1387 skip_with_fips(dev
[0])
1388 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1389 hapd
= hostapd
.add_ap(apdev
[0], params
)
1390 eap_connect(dev
[0], hapd
, "TTLS", "chap user",
1391 anonymous_identity
="ttls", password
="password",
1392 ca_cert
="auth_serv/ca.der", phase2
="auth=CHAP")
1393 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1394 eap_reauth(dev
[0], "TTLS")
1396 def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev
, apdev
):
1397 """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
1398 skip_with_fips(dev
[0])
1399 check_altsubject_match_support(dev
[0])
1400 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1401 hapd
= hostapd
.add_ap(apdev
[0], params
)
1402 eap_connect(dev
[0], hapd
, "TTLS", "chap user",
1403 anonymous_identity
="ttls", password
="password",
1404 ca_cert
="auth_serv/ca.der", phase2
="auth=CHAP",
1405 altsubject_match
="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
1406 eap_reauth(dev
[0], "TTLS")
1408 def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev
, apdev
):
1409 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
1410 skip_with_fips(dev
[0])
1411 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1412 hapd
= hostapd
.add_ap(apdev
[0], params
)
1413 eap_connect(dev
[0], hapd
, "TTLS", "chap user",
1414 anonymous_identity
="ttls", password
="wrong",
1415 ca_cert
="auth_serv/ca.pem", phase2
="auth=CHAP",
1416 expect_failure
=True)
1417 eap_connect(dev
[1], hapd
, "TTLS", "user",
1418 anonymous_identity
="ttls", password
="password",
1419 ca_cert
="auth_serv/ca.pem", phase2
="auth=CHAP",
1420 expect_failure
=True)
1422 def test_ap_wpa2_eap_ttls_mschap(dev
, apdev
):
1423 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
1424 skip_with_fips(dev
[0])
1425 check_domain_suffix_match(dev
[0])
1426 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1427 hapd
= hostapd
.add_ap(apdev
[0], params
)
1428 eap_connect(dev
[0], hapd
, "TTLS", "mschap user",
1429 anonymous_identity
="ttls", password
="password",
1430 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
1431 domain_suffix_match
="server.w1.fi")
1432 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1433 eap_reauth(dev
[0], "TTLS")
1434 dev
[0].request("REMOVE_NETWORK all")
1435 eap_connect(dev
[0], hapd
, "TTLS", "mschap user",
1436 anonymous_identity
="ttls", password
="password",
1437 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
1438 fragment_size
="200")
1439 dev
[0].request("REMOVE_NETWORK all")
1440 dev
[0].wait_disconnected()
1441 eap_connect(dev
[0], hapd
, "TTLS", "mschap user",
1442 anonymous_identity
="ttls",
1443 password_hex
="hash:8846f7eaee8fb117ad06bdd830b7586c",
1444 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP")
1446 def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev
, apdev
):
1447 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
1448 skip_with_fips(dev
[0])
1449 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1450 hapd
= hostapd
.add_ap(apdev
[0], params
)
1451 eap_connect(dev
[0], hapd
, "TTLS", "mschap user",
1452 anonymous_identity
="ttls", password
="wrong",
1453 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
1454 expect_failure
=True)
1455 eap_connect(dev
[1], hapd
, "TTLS", "user",
1456 anonymous_identity
="ttls", password
="password",
1457 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
1458 expect_failure
=True)
1459 eap_connect(dev
[2], hapd
, "TTLS", "no such user",
1460 anonymous_identity
="ttls", password
="password",
1461 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
1462 expect_failure
=True)
1464 def test_ap_wpa2_eap_ttls_mschapv2(dev
, apdev
):
1465 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
1466 check_domain_suffix_match(dev
[0])
1467 check_eap_capa(dev
[0], "MSCHAPV2")
1468 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1469 hapd
= hostapd
.add_ap(apdev
[0], params
)
1470 eap_connect(dev
[0], hapd
, "TTLS", "DOMAIN\mschapv2 user",
1471 anonymous_identity
="ttls", password
="password",
1472 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1473 domain_suffix_match
="server.w1.fi")
1474 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1475 sta1
= hapd
.get_sta(dev
[0].p2p_interface_addr())
1476 eapol1
= hapd
.get_sta(dev
[0].p2p_interface_addr(), info
="eapol")
1477 eap_reauth(dev
[0], "TTLS")
1478 sta2
= hapd
.get_sta(dev
[0].p2p_interface_addr())
1479 eapol2
= hapd
.get_sta(dev
[0].p2p_interface_addr(), info
="eapol")
1480 if int(sta2
['dot1xAuthEapolFramesRx']) <= int(sta1
['dot1xAuthEapolFramesRx']):
1481 raise Exception("dot1xAuthEapolFramesRx did not increase")
1482 if int(eapol2
['authAuthEapStartsWhileAuthenticated']) < 1:
1483 raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
1484 if int(eapol2
['backendAuthSuccesses']) <= int(eapol1
['backendAuthSuccesses']):
1485 raise Exception("backendAuthSuccesses did not increase")
1487 logger
.info("Password as hash value")
1488 dev
[0].request("REMOVE_NETWORK all")
1489 eap_connect(dev
[0], hapd
, "TTLS", "DOMAIN\mschapv2 user",
1490 anonymous_identity
="ttls",
1491 password_hex
="hash:8846f7eaee8fb117ad06bdd830b7586c",
1492 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
1494 def test_ap_wpa2_eap_ttls_invalid_phase2(dev
, apdev
):
1495 """EAP-TTLS with invalid phase2 parameter values"""
1496 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1497 hostapd
.add_ap(apdev
[0], params
)
1498 tests
= ["auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
1499 "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
1500 "autheap=MD5 autheap=FOO autheap=MSCHAPV2"]
1502 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1503 identity
="DOMAIN\mschapv2 user",
1504 anonymous_identity
="ttls", password
="password",
1505 ca_cert
="auth_serv/ca.pem", phase2
=t
,
1506 wait_connect
=False, scan_freq
="2412")
1507 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout
=10)
1508 if ev
is None or "method=21" not in ev
:
1509 raise Exception("EAP-TTLS not started")
1510 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method",
1511 "CTRL-EVENT-CONNECTED"], timeout
=5)
1512 if ev
is None or "CTRL-EVENT-CONNECTED" in ev
:
1513 raise Exception("No EAP-TTLS failure reported for phase2=" + t
)
1514 dev
[0].request("REMOVE_NETWORK all")
1515 dev
[0].wait_disconnected()
1516 dev
[0].dump_monitor()
1518 def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev
, apdev
):
1519 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
1520 check_domain_match_full(dev
[0])
1521 skip_with_fips(dev
[0])
1522 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1523 hapd
= hostapd
.add_ap(apdev
[0], params
)
1524 eap_connect(dev
[0], hapd
, "TTLS", "DOMAIN\mschapv2 user",
1525 anonymous_identity
="ttls", password
="password",
1526 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1527 domain_suffix_match
="w1.fi")
1528 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1529 eap_reauth(dev
[0], "TTLS")
1531 def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev
, apdev
):
1532 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
1533 check_domain_match(dev
[0])
1534 skip_with_fips(dev
[0])
1535 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1536 hapd
= hostapd
.add_ap(apdev
[0], params
)
1537 eap_connect(dev
[0], hapd
, "TTLS", "DOMAIN\mschapv2 user",
1538 anonymous_identity
="ttls", password
="password",
1539 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1540 domain_match
="Server.w1.fi")
1541 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1542 eap_reauth(dev
[0], "TTLS")
1544 def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev
, apdev
):
1545 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
1546 skip_with_fips(dev
[0])
1547 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1548 hapd
= hostapd
.add_ap(apdev
[0], params
)
1549 eap_connect(dev
[0], hapd
, "TTLS", "DOMAIN\mschapv2 user",
1550 anonymous_identity
="ttls", password
="password1",
1551 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1552 expect_failure
=True)
1553 eap_connect(dev
[1], hapd
, "TTLS", "user",
1554 anonymous_identity
="ttls", password
="password",
1555 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1556 expect_failure
=True)
1558 def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev
, apdev
):
1559 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
1560 skip_with_fips(dev
[0])
1561 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1562 hapd
= hostapd
.add_ap(apdev
[0], params
)
1563 eap_connect(dev
[0], hapd
, "TTLS", "utf8-user-hash",
1564 anonymous_identity
="ttls", password
="secret-åäö-€-password",
1565 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
1566 eap_connect(dev
[1], hapd
, "TTLS", "utf8-user",
1567 anonymous_identity
="ttls",
1568 password_hex
="hash:bd5844fad2489992da7fe8c5a01559cf",
1569 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
1570 for p
in ["80", "41c041e04141e041", 257*"41"]:
1571 dev
[2].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
1572 eap
="TTLS", identity
="utf8-user-hash",
1573 anonymous_identity
="ttls", password_hex
=p
,
1574 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1575 wait_connect
=False, scan_freq
="2412")
1576 ev
= dev
[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=1)
1578 raise Exception("No failure reported")
1579 dev
[2].request("REMOVE_NETWORK all")
1580 dev
[2].wait_disconnected()
1582 def test_ap_wpa2_eap_ttls_eap_gtc(dev
, apdev
):
1583 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
1584 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1585 hapd
= hostapd
.add_ap(apdev
[0], params
)
1586 eap_connect(dev
[0], hapd
, "TTLS", "user",
1587 anonymous_identity
="ttls", password
="password",
1588 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC")
1589 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1590 eap_reauth(dev
[0], "TTLS")
1592 def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev
, apdev
):
1593 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
1594 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1595 hapd
= hostapd
.add_ap(apdev
[0], params
)
1596 eap_connect(dev
[0], hapd
, "TTLS", "user",
1597 anonymous_identity
="ttls", password
="wrong",
1598 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1599 expect_failure
=True)
1601 def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev
, apdev
):
1602 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
1603 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1604 hapd
= hostapd
.add_ap(apdev
[0], params
)
1605 eap_connect(dev
[0], hapd
, "TTLS", "user-no-passwd",
1606 anonymous_identity
="ttls", password
="password",
1607 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1608 expect_failure
=True)
1610 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev
, apdev
):
1611 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
1612 params
= int_eap_server_params()
1613 hapd
= hostapd
.add_ap(apdev
[0], params
)
1614 with
alloc_fail(hapd
, 1, "eap_gtc_init"):
1615 eap_connect(dev
[0], hapd
, "TTLS", "user",
1616 anonymous_identity
="ttls", password
="password",
1617 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1618 expect_failure
=True)
1619 dev
[0].request("REMOVE_NETWORK all")
1621 with
alloc_fail(hapd
, 1, "eap_gtc_buildReq"):
1622 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1623 eap
="TTLS", identity
="user",
1624 anonymous_identity
="ttls", password
="password",
1625 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1626 wait_connect
=False, scan_freq
="2412")
1627 # This would eventually time out, but we can stop after having reached
1628 # the allocation failure.
1631 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1634 def test_ap_wpa2_eap_ttls_eap_gtc_oom(dev
, apdev
):
1635 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC (OOM)"""
1636 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1637 hapd
= hostapd
.add_ap(apdev
[0], params
)
1639 tests
= ["eap_gtc_init",
1640 "eap_msg_alloc;eap_gtc_process"]
1642 with
alloc_fail(dev
[0], 1, func
):
1643 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
1645 eap
="TTLS", identity
="user",
1646 anonymous_identity
="ttls", password
="password",
1647 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1649 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
1650 dev
[0].request("REMOVE_NETWORK all")
1651 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    sta = dev[0]
    # EAP-MD5 is optional in the build; skip rather than fail without it.
    check_eap_capa(sta, "MD5")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "TTLS", "user", anonymous_identity="ttls",
                password="password", ca_cert="auth_serv/ca.pem",
                phase2="autheap=MD5")
    # Verify the data path, then a reauthentication round trip.
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    sta = dev[0]
    check_eap_capa(sta, "MD5")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong inner password: the authentication must fail.
    eap_connect(sta, ap, "TTLS", "user", anonymous_identity="ttls",
                password="wrong", ca_cert="auth_serv/ca.pem",
                phase2="autheap=MD5", expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    sta = dev[0]
    check_eap_capa(sta, "MD5")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    # Identity without a server-side password (per the test name): the
    # inner MD5 exchange is expected to be rejected.
    eap_connect(sta, ap, "TTLS", "user-no-passwd", expect_failure=True,
                **inner)
1684 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev
, apdev
):
1685 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1686 check_eap_capa(dev
[0], "MD5")
1687 params
= int_eap_server_params()
1688 hapd
= hostapd
.add_ap(apdev
[0], params
)
1689 with
alloc_fail(hapd
, 1, "eap_md5_init"):
1690 eap_connect(dev
[0], hapd
, "TTLS", "user",
1691 anonymous_identity
="ttls", password
="password",
1692 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
1693 expect_failure
=True)
1694 dev
[0].request("REMOVE_NETWORK all")
1696 with
alloc_fail(hapd
, 1, "eap_md5_buildReq"):
1697 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1698 eap
="TTLS", identity
="user",
1699 anonymous_identity
="ttls", password
="password",
1700 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
1701 wait_connect
=False, scan_freq
="2412")
1702 # This would eventually time out, but we can stop after having reached
1703 # the allocation failure.
1706 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    sta = dev[0]
    check_eap_capa(sta, "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                 phase2="autheap=MSCHAPV2")

    # Positive case: connect, check the data path, reauthenticate.
    eap_connect(sta, ap, "TTLS", "user", password="password", **inner)
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "TTLS", "user", password="password1",
                expect_failure=True, **inner)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    sta = dev[0]
    check_eap_capa(sta, "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Identity expected to have no server-side password: must be rejected.
    eap_connect(sta, ap, "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
1737 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev
, apdev
):
1738 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
1739 check_eap_capa(dev
[0], "MSCHAPV2")
1740 params
= int_eap_server_params()
1741 hapd
= hostapd
.add_ap(apdev
[0], params
)
1742 with
alloc_fail(hapd
, 1, "eap_mschapv2_init"):
1743 eap_connect(dev
[0], hapd
, "TTLS", "user",
1744 anonymous_identity
="ttls", password
="password",
1745 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1746 expect_failure
=True)
1747 dev
[0].request("REMOVE_NETWORK all")
1749 with
alloc_fail(hapd
, 1, "eap_mschapv2_build_challenge"):
1750 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1751 eap
="TTLS", identity
="user",
1752 anonymous_identity
="ttls", password
="password",
1753 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1754 wait_connect
=False, scan_freq
="2412")
1755 # This would eventually time out, but we can stop after having reached
1756 # the allocation failure.
1759 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1761 dev
[0].request("REMOVE_NETWORK all")
1763 with
alloc_fail(hapd
, 1, "eap_mschapv2_build_success_req"):
1764 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1765 eap
="TTLS", identity
="user",
1766 anonymous_identity
="ttls", password
="password",
1767 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1768 wait_connect
=False, scan_freq
="2412")
1769 # This would eventually time out, but we can stop after having reached
1770 # the allocation failure.
1773 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1775 dev
[0].request("REMOVE_NETWORK all")
1777 with
alloc_fail(hapd
, 1, "eap_mschapv2_build_failure_req"):
1778 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1779 eap
="TTLS", identity
="user",
1780 anonymous_identity
="ttls", password
="wrong",
1781 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1782 wait_connect
=False, scan_freq
="2412")
1783 # This would eventually time out, but we can stop after having reached
1784 # the allocation failure.
1787 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1789 dev
[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM"""
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Test-only SIM credentials (Ki:OPc as hex) matching the hwsim auth
    # server's milenage database; not a real subscriber.
    sim_secret = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    eap_connect(sta, ap, "TTLS", "1232010000000000",
                anonymous_identity="1232010000000000@ttls",
                password=sim_secret,
                ca_cert="auth_serv/ca.pem", phase2="autheap=SIM")
    eap_reauth(sta, "TTLS")
1801 def run_ext_sim_auth(dev
):
1802 ev
= dev
.wait_event(["CTRL-REQ-SIM"], timeout
=15)
1804 raise Exception("Wait for external SIM processing request timed out")
1805 p
= ev
.split(':', 2)
1806 if p
[1] != "GSM-AUTH":
1807 raise Exception("Unexpected CTRL-REQ-SIM type")
1808 rid
= p
[0].split('-')[3]
1809 rand
= p
[2].split(' ')[0]
1811 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
1813 "auth_serv/hlr_auc_gw.milenage_db",
1814 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
1815 if "GSM-AUTH-RESP" not in res
:
1816 raise Exception("Unexpected hlr_auc_gw response")
1817 resp
= res
.split(' ')[2].rstrip()
1819 dev
.request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
1820 dev
.wait_connected(timeout
=15)
1823 dev
.request("REAUTHENTICATE")
1824 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=5)
1826 raise Exception("EAP reauthentication did not succeed")
1827 ev
= dev
.wait_event(["WPA: Key negotiation completed"], timeout
=5)
1829 raise Exception("Key negotiation did not complete")
1832 def test_ap_wpa2_eap_ttls_eap_sim_ext(dev
, apdev
):
1833 """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM and external GSM auth"""
1834 check_hlr_auc_gw_support()
1836 run_ap_wpa2_eap_ttls_eap_sim_ext(dev
, apdev
)
1838 dev
[0].request("SET external_sim 0")
def run_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev):
    # Body of test_ap_wpa2_eap_ttls_eap_sim_ext; the caller is responsible
    # for resetting external_sim afterwards.
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta.request("SET external_sim 1")
    sim_cfg = dict(identity="1232010000000000",
                   anonymous_identity="1232010000000000@ttls",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=SIM")
    # Do not block on connection: the GSM authentication is answered
    # out-of-band by run_ext_sim_auth(), which waits for CTRL-REQ-SIM.
    sta.connect("test-wpa2-eap", eap="TTLS", key_mgmt="WPA-EAP",
                wait_connect=False, scan_freq="2412", **sim_cfg)
    run_ext_sim_auth(sta)
def test_ap_wpa2_eap_peap_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM"""
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Test-only SIM credentials for the hwsim auth server.
    sim_secret = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    eap_connect(sta, ap, "PEAP", "1232010000000000",
                anonymous_identity="1232010000000000@peap",
                password=sim_secret,
                ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
    eap_reauth(sta, "PEAP")
1862 def test_ap_wpa2_eap_peap_eap_sim_ext(dev
, apdev
):
1863 """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM and external GSM auth"""
1864 check_hlr_auc_gw_support()
1866 run_ap_wpa2_eap_peap_eap_sim_ext(dev
, apdev
)
1868 dev
[0].request("SET external_sim 0")
def run_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev):
    # Body of test_ap_wpa2_eap_peap_eap_sim_ext; the caller resets
    # external_sim when this returns or raises.
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta.request("SET external_sim 1")
    sim_cfg = dict(identity="1232010000000000",
                   anonymous_identity="1232010000000000@peap",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
    # wait_connect=False: the CTRL-REQ-SIM request is served by
    # run_ext_sim_auth() below, which also waits for the connection.
    sta.connect("test-wpa2-eap", eap="PEAP", key_mgmt="WPA-EAP",
                wait_connect=False, scan_freq="2412", **sim_cfg)
    run_ext_sim_auth(sta)
def test_ap_wpa2_eap_fast_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-SIM"""
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-FAST specifics: authenticated provisioning and a PAC kept in a
    # config blob so that reauthentication can reuse it.
    fast_cfg = dict(phase1="fast_provisioning=2",
                    pac_file="blob://fast_pac_auth_sim")
    eap_connect(sta, ap, "FAST", "1232010000000000",
                anonymous_identity="1232010000000000@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                ca_cert="auth_serv/ca.pem", phase2="auth=SIM", **fast_cfg)
    eap_reauth(sta, "FAST")
1895 def test_ap_wpa2_eap_fast_eap_sim_ext(dev
, apdev
):
1896 """WPA2-Enterprise connection using EAP-FAST/EAP-SIM and external GSM auth"""
1897 check_hlr_auc_gw_support()
1899 run_ap_wpa2_eap_fast_eap_sim_ext(dev
, apdev
)
1901 dev
[0].request("SET external_sim 0")
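def run_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_fast_eap_sim_ext (caller resets external_sim).

    Connects dev[0] with EAP-FAST/EAP-SIM using external GSM authentication
    and answers the CTRL-REQ-SIM request through run_ext_sim_auth().
    """
    # Mirror test_ap_wpa2_eap_fast_eap_sim: skip when FAST is not built in,
    # and drive the outer method as FAST with the @fast realm. The previous
    # version used eap="PEAP"/"@peap" here, so phase1/pac_file (FAST-specific
    # settings) never applied and the test did not exercise EAP-FAST.
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    dev[0].connect("test-wpa2-eap", eap="FAST", key_mgmt="WPA-EAP",
                   identity="1232010000000000",
                   anonymous_identity="1232010000000000@fast",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   phase1="fast_provisioning=2",
                   pac_file="blob://fast_pac_auth_sim",
                   ca_cert="auth_serv/ca.pem", phase2="auth=SIM",
                   wait_connect=False, scan_freq="2412")
    # Serve the external GSM-AUTH request and wait for the connection.
    run_ext_sim_auth(dev[0])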
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Test-only AKA credentials (Ki:OPc:SQN) for the hwsim auth server.
    aka_secret = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(sta, ap, "TTLS", "0232010000000000",
                anonymous_identity="0232010000000000@ttls",
                password=aka_secret,
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    aka_secret = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    # Inner EAP-AKA over PEAP; the @peap realm routes to the PEAP user entry.
    eap_connect(sta, ap, "PEAP", "0232010000000000",
                anonymous_identity="0232010000000000@peap",
                password=aka_secret,
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_reauth(sta, "PEAP")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    fast_cfg = dict(phase1="fast_provisioning=2",
                    pac_file="blob://fast_pac_auth_aka")
    eap_connect(sta, ap, "FAST", "0232010000000000",
                anonymous_identity="0232010000000000@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA", **fast_cfg)
    # Reauthentication can reuse the PAC stored in the blob.
    eap_reauth(sta, "FAST")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    sta = dev[0]
    check_eap_capa(sta, "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    base = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2")

    # Baseline: plaintext password, data path, reauthentication.
    eap_connect(sta, ap, "PEAP", "user", password="password", **base)
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "PEAP")

    # Same credentials with a small fragment_size to exercise fragmentation.
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PEAP", "user", password="password",
                fragment_size="200", **base)

    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    # Password supplied as a hash via password_hex instead of plaintext.
    eap_connect(sta, ap, "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **base)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PEAP", "user", password="password1",
                expect_failure=True, **base)
def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    sta = dev[0]
    check_eap_capa(sta, "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Raw string: the identity carries a literal backslash (DOMAIN\user).
    domain_user = r"DOMAIN\user3"
    eap_connect(sta, ap, "PEAP", domain_user,
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "PEAP")
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    sta = dev[0]
    check_eap_capa(sta, "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong inner password: authentication must be rejected.
    eap_connect(sta, ap, "PEAP", "user", anonymous_identity="peap",
                password="wrong", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2", expect_failure=True)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(password="password", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")

    # dev[0]: crypto binding required (crypto_binding=2), plus data path
    # and reauthentication checks.
    eap_connect(dev[0], ap, "PEAP", "user",
                phase1="peapver=0 crypto_binding=2", **common)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    # dev[1]/dev[2]: optional (1) and disabled (0) crypto binding.
    for sta, binding in ((dev[1], 1), (dev[2], 0)):
        eap_connect(sta, ap, "PEAP", "user",
                    phase1="peapver=0 crypto_binding=%d" % binding, **common)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    sta = dev[0]
    check_eap_capa(sta, "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0], int_eap_server_params())
    # Inject an allocation failure into the server-side eap_mschapv2_getKey
    # and expect the PEAP exchange to fail.
    with alloc_fail(ap, 1, "eap_mschapv2_getKey"):
        eap_connect(sta, ap, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
2034 def test_ap_wpa2_eap_peap_params(dev
, apdev
):
2035 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
2036 check_eap_capa(dev
[0], "MSCHAPV2")
2037 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2038 hapd
= hostapd
.add_ap(apdev
[0], params
)
2039 eap_connect(dev
[0], hapd
, "PEAP", "user",
2040 anonymous_identity
="peap", password
="password",
2041 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2042 phase1
="peapver=0 peaplabel=1",
2043 expect_failure
=True)
2044 dev
[0].request("REMOVE_NETWORK all")
2045 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
2047 anonymous_identity
="peap", password
="password",
2048 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2049 phase1
="peap_outer_success=0",
2050 wait_connect
=False, scan_freq
="2412")
2051 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
2053 raise Exception("No EAP success seen")
2054 # This won't succeed to connect with peap_outer_success=0, so stop here.
2055 dev
[0].request("REMOVE_NETWORK all")
2056 dev
[0].wait_disconnected()
2057 eap_connect(dev
[1], hapd
, "PEAP", "user", password
="password",
2058 ca_cert
="auth_serv/ca.pem",
2059 phase1
="peap_outer_success=1",
2060 phase2
="auth=MSCHAPV2")
2061 eap_connect(dev
[2], hapd
, "PEAP", "user", password
="password",
2062 ca_cert
="auth_serv/ca.pem",
2063 phase1
="peap_outer_success=2",
2064 phase2
="auth=MSCHAPV2")
2065 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
2067 anonymous_identity
="peap", password
="password",
2068 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2069 phase1
="peapver=1 peaplabel=1",
2070 wait_connect
=False, scan_freq
="2412")
2071 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
2073 raise Exception("No EAP success seen")
2074 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
2075 "CTRL-EVENT-DISCONNECTED"], timeout
=1)
2076 if ev
and "CTRL-EVENT-CONNECTED" in ev
:
2077 raise Exception("Unexpected connection")
2078 dev
[0].request("REMOVE_NETWORK all")
2079 dev
[0].disconnect_and_stop_scan()
2081 tests
= [("peap-ver0", ""),
2083 ("peap-ver0", "peapver=0"),
2084 ("peap-ver1", "peapver=1")]
2085 for anon
, phase1
in tests
:
2086 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
2087 identity
="user", anonymous_identity
=anon
,
2088 password
="password", phase1
=phase1
,
2089 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2091 dev
[0].request("REMOVE_NETWORK all")
2092 dev
[0].wait_disconnected()
2094 tests
= [("peap-ver0", "peapver=1"),
2095 ("peap-ver1", "peapver=0")]
2096 for anon
, phase1
in tests
:
2097 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
2098 identity
="user", anonymous_identity
=anon
,
2099 password
="password", phase1
=phase1
,
2100 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2101 wait_connect
=False, scan_freq
="2412")
2102 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
2104 raise Exception("No EAP-Failure seen")
2105 dev
[0].request("REMOVE_NETWORK all")
2106 dev
[0].wait_disconnected()
2108 eap_connect(dev
[0], hapd
, "PEAP", "user", password
="password",
2109 ca_cert
="auth_serv/ca.pem",
2110 phase1
="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
2111 phase2
="auth=MSCHAPV2")
def test_ap_wpa2_eap_peap_eap_gtc(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-GTC"""
    # `params` is part of the hwsim test signature and is not used here.
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_conf)
    # PEAPv1 is required for the inner GTC method in this test.
    eap_connect(dev[0], ap, "PEAP", "user", phase1="peapver=1",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Inner EAP-TLS uses the phase-2 (…2) credential parameters.
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(sta, ap, "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(sta, "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Certificate-based client authentication with the test user cert/key.
    eap_connect(sta, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    eap_reauth(sta, "TLS")
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Encrypted PKCS #8 key; the passphrase is needed to unlock it.
    key_cfg = dict(private_key="auth_serv/user.key.pkcs8",
                   private_key_passwd="whatever")
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem", **key_cfg)
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
    sta = dev[0]
    # PKCS #5 v1.5 key encryption is not available with every TLS library.
    check_pkcs5_v15_support(sta)
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    key_cfg = dict(private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                   private_key_passwd="whatever")
    eap_connect(sta, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem", **key_cfg)
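def _set_hex_blob(sta, name, data):
    """Store *data* (bytes) as config blob *name* on *sta*.

    Raises Exception naming the blob when the control interface does not
    answer OK.
    """
    blob = binascii.hexlify(data).decode()
    if "OK" not in sta.request("SET blob " + name + " " + blob):
        raise Exception("Could not set %s blob" % name)

def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # CA cert, client cert and key are provisioned as config blobs and then
    # referenced with blob:// URIs instead of file paths. The helper also
    # fixes the error message for the userkey blob, which previously
    # reported "cacert".
    _set_hex_blob(dev[0], "cacert", read_pem("auth_serv/ca.pem"))
    _set_hex_blob(dev[0], "usercert", read_pem("auth_serv/user.pem"))
    _set_hex_blob(dev[0], "userkey", read_pem("auth_serv/user.rsa-key"))
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")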
2177 def test_ap_wpa2_eap_tls_blob_missing(dev
, apdev
):
2178 """EAP-TLS and config blob missing"""
2179 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2180 hostapd
.add_ap(apdev
[0], params
)
2181 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2182 identity
="tls user",
2183 ca_cert
="blob://testing-blob-does-not-exist",
2184 client_cert
="blob://testing-blob-does-not-exist",
2185 private_key
="blob://testing-blob-does-not-exist",
2186 wait_connect
=False, scan_freq
="2412")
2187 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"], timeout
=10)
2189 raise Exception("EAP failure not reported")
2190 dev
[0].request("REMOVE_NETWORK all")
2191 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
    """EAP-TLS and TLS Message Length in unfragmented packets"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # include_tls_length=1 makes the peer add the TLS Message Length field
    # even when the message is not fragmented.
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
                phase1="include_tls_length=1")
2202 def test_ap_wpa2_eap_tls_pkcs12(dev
, apdev
):
2203 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
2204 check_pkcs12_support(dev
[0])
2205 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2206 hapd
= hostapd
.add_ap(apdev
[0], params
)
2207 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
2208 private_key
="auth_serv/user.pkcs12",
2209 private_key_passwd
="whatever")
2210 dev
[0].request("REMOVE_NETWORK all")
2211 dev
[0].wait_disconnected()
2213 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2214 identity
="tls user",
2215 ca_cert
="auth_serv/ca.pem",
2216 private_key
="auth_serv/user.pkcs12",
2217 wait_connect
=False, scan_freq
="2412")
2218 ev
= dev
[0].wait_event(["CTRL-REQ-PASSPHRASE"])
2220 raise Exception("Request for private key passphrase timed out")
2221 id = ev
.split(':')[0].split('-')[-1]
2222 dev
[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
2223 dev
[0].wait_connected(timeout
=10)
2224 dev
[0].request("REMOVE_NETWORK all")
2225 dev
[0].wait_disconnected()
2227 # Run this twice to verify certificate chain handling with OpenSSL. Use two
2228 # different files to cover both cases of the extra certificate being the
2229 # one that signed the client certificate and it being unrelated to the
2230 # client certificate.
2231 for pkcs12
in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
2233 eap_connect(dev
[0], hapd
, "TLS", "tls user",
2234 ca_cert
="auth_serv/ca.pem",
2236 private_key_passwd
="whatever")
2237 dev
[0].request("REMOVE_NETWORK all")
2238 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    # CA cert is handed over as a hex-encoded blob of the PEM file contents.
    pem = read_pem("auth_serv/ca.pem")
    run_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev,
                                    binascii.hexlify(pem).decode())
2246 def test_ap_wpa2_eap_tls_pkcs12_blob_pem(dev
, apdev
):
2247 """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob and PEM ca_cert blob"""
2248 with
open("auth_serv/ca.pem", "r") as f
:
2249 lines
= f
.readlines()
2253 if "-----BEGIN" in l
:
2260 cacert
= binascii
.hexlify(cert
.encode()).decode()
2261 run_ap_wpa2_eap_tls_pkcs12_blob(dev
, apdev
, cacert
)
def run_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev, cacert):
    # Shared body for the PKCS#12-from-blob tests; `cacert` is the
    # hex-encoded CA certificate blob contents.
    sta = dev[0]
    check_pkcs12_support(sta)
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    if "OK" not in sta.request("SET blob cacert " + cacert):
        raise Exception("Could not set cacert blob")
    with open("auth_serv/user.pkcs12", "rb") as f:
        pkcs12 = f.read()
    if "OK" not in sta.request("SET blob pkcs12 " +
                               binascii.hexlify(pkcs12).decode()):
        raise Exception("Could not set pkcs12 blob")
    # The PKCS#12 bundle holds both client cert and key; only private_key
    # needs to point at it.
    eap_connect(sta, ap, "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
2276 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev
, apdev
):
2277 """WPA2-Enterprise negative test - incorrect trust root"""
2278 check_eap_capa(dev
[0], "MSCHAPV2")
2279 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2280 hostapd
.add_ap(apdev
[0], params
)
2281 cert
= read_pem("auth_serv/ca-incorrect.pem")
2282 if "OK" not in dev
[0].request("SET blob cacert " + binascii
.hexlify(cert
).decode()):
2283 raise Exception("Could not set cacert blob")
2284 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2285 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2286 password
="password", phase2
="auth=MSCHAPV2",
2287 ca_cert
="blob://cacert",
2288 wait_connect
=False, scan_freq
="2412")
2289 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2290 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2291 password
="password", phase2
="auth=MSCHAPV2",
2292 ca_cert
="auth_serv/ca-incorrect.pem",
2293 wait_connect
=False, scan_freq
="2412")
2295 for dev
in (dev
[0], dev
[1]):
2296 ev
= dev
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2298 raise Exception("Association and EAP start timed out")
2300 ev
= dev
.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
2302 raise Exception("EAP method selection timed out")
2303 if "TTLS" not in ev
:
2304 raise Exception("Unexpected EAP method")
2306 ev
= dev
.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2307 "CTRL-EVENT-EAP-SUCCESS",
2308 "CTRL-EVENT-EAP-FAILURE",
2309 "CTRL-EVENT-CONNECTED",
2310 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2312 raise Exception("EAP result timed out")
2313 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
2314 raise Exception("TLS certificate error not reported")
2316 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS",
2317 "CTRL-EVENT-EAP-FAILURE",
2318 "CTRL-EVENT-CONNECTED",
2319 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2321 raise Exception("EAP result(2) timed out")
2322 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
2323 raise Exception("EAP failure not reported")
2325 ev
= dev
.wait_event(["CTRL-EVENT-CONNECTED",
2326 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2328 raise Exception("EAP result(3) timed out")
2329 if "CTRL-EVENT-DISCONNECTED" not in ev
:
2330 raise Exception("Disconnection not reported")
2332 ev
= dev
.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
2334 raise Exception("Network block disabling not reported")
2336 def test_ap_wpa2_eap_tls_diff_ca_trust(dev
, apdev
):
2337 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
2338 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2339 hapd
= hostapd
.add_ap(apdev
[0], params
)
2340 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2341 identity
="pap user", anonymous_identity
="ttls",
2342 password
="password", phase2
="auth=PAP",
2343 ca_cert
="auth_serv/ca.pem",
2344 wait_connect
=True, scan_freq
="2412")
2345 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2346 identity
="pap user", anonymous_identity
="ttls",
2347 password
="password", phase2
="auth=PAP",
2348 ca_cert
="auth_serv/ca-incorrect.pem",
2349 only_add_network
=True, scan_freq
="2412")
2351 dev
[0].request("DISCONNECT")
2352 dev
[0].wait_disconnected()
2353 dev
[0].dump_monitor()
2354 dev
[0].select_network(id, freq
="2412")
2356 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout
=15)
2358 raise Exception("EAP-TTLS not re-started")
2360 ev
= dev
[0].wait_disconnected(timeout
=15)
2361 if "reason=23" not in ev
:
2362 raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    Variant of test_ap_wpa2_eap_tls_diff_ca_trust where the first network
    block configures no ca_cert at all and the second block trusts
    auth_serv/ca-incorrect.pem. Selecting the second block must restart
    EAP-TTLS (method 21) and end in a disconnection with reason code 23
    (IEEE 802.1X authentication failed).
    """
    # NOTE(review): this rendering drops the "if ev is None:" guard that
    # precedes the "EAP-TTLS not re-started" raise below; presumed present
    # upstream -- confirm before relying on this listing.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # First connection: no server certificate validation configured.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   wait_connect=True, scan_freq="2412")
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                        identity="pap user", anonymous_identity="ttls",
                        password="password", phase2="auth=PAP",
                        ca_cert="auth_serv/ca-incorrect.pem",
                        only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(id, freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    Variant using a single network block: after a successful connection with
    ca_cert=auth_serv/ca.pem, the same block's ca_cert is rewritten to
    auth_serv/ca-incorrect.pem in place. Re-selecting the block must restart
    EAP-TTLS (method 21) and end in a disconnection with reason code 23
    (IEEE 802.1X authentication failed).
    """
    # NOTE(review): this rendering drops the "if ev is None:" guard that
    # precedes the "EAP-TTLS not re-started" raise below; presumed present
    # upstream -- confirm before relying on this listing.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                        identity="pap user", anonymous_identity="ttls",
                        password="password", phase2="auth=PAP",
                        ca_cert="auth_serv/ca.pem",
                        wait_connect=True, scan_freq="2412")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    # Change the trust anchor of the existing block rather than adding a new one.
    dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
    dev[0].select_network(id, freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch

    The station trusts auth_serv/ca.pem but sets domain_suffix_match to a
    suffix the server certificate does not carry. The expected sequence is
    CTRL-EVENT-EAP-TLS-CERT-ERROR mentioning "Domain suffix mismatch", then
    CTRL-EVENT-EAP-FAILURE, CTRL-EVENT-DISCONNECTED and finally
    CTRL-EVENT-SSID-TEMP-DISABLED -- the connection must not complete.
    """
    # NOTE(review): this rendering drops the "if ev is None:" guard that
    # precedes each "... timed out" / "not reported" raise below; presumed
    # present upstream -- confirm before relying on this listing.
    check_domain_suffix_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # Any other outcome than a certificate error here is a test failure.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # The failing block must be temporarily disabled, not retried indefinitely.
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    raise Exception("Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch

    Same flow as test_ap_wpa2_eap_tls_neg_suffix_match but with the exact
    domain_match="w1.fi" constraint, which the server certificate must fail
    to satisfy. Expected: CTRL-EVENT-EAP-TLS-CERT-ERROR with "Domain
    mismatch", then EAP failure, disconnection and SSID-TEMP-DISABLED.
    """
    # NOTE(review): this rendering drops the "if ev is None:" guard that
    # precedes each "... timed out" / "not reported" raise below; presumed
    # present upstream -- confirm before relying on this listing.
    check_domain_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    raise Exception("Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch

    subject_match is set to a DN that the server certificate does not have.
    With OpenSSL the method must initialize and then fail with
    CTRL-EVENT-EAP-TLS-CERT-ERROR "Subject mismatch"; with a TLS library
    that does not support subject_match, "EAP: Failed to initialize EAP
    method" is also accepted, since the connection still does not complete.
    """
    # NOTE(review): this rendering drops the "if ev is None:" guard that
    # precedes each "... timed out" / "not reported" raise below, and one
    # line after the logger.info() call in the unsupported-library branch
    # (presumably an early return); presumed present upstream -- confirm.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        # OpenSSL builds are required to support subject_match (see
        # check_subject_match_support); other libraries may reject the option.
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    raise Exception("Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch

    Runs _test_ap_wpa2_eap_tls_neg_altsubject_match() once per
    altsubject_match value that must not match the server certificate.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    # NOTE(review): this rendering is missing the remaining list entries
    # and the loop header that binds `match` (presumably "for match in
    # tests:"); confirm against upstream before relying on this listing.
    tests = ["incorrect.example.com",
             "DNS:incorrect.example.com",
             ]
    _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Connect with altsubject_match=match and require a certificate error.

    Expected sequence: CTRL-EVENT-EAP-TLS-CERT-ERROR mentioning "AltSubject
    mismatch", then EAP failure, disconnection and SSID-TEMP-DISABLED. With
    a TLS library that does not support altsubject_match, "EAP: Failed to
    initialize EAP method" is accepted instead. Removes all network blocks
    on dev[0] at the end so the caller can run the next value.
    """
    # NOTE(review): this rendering drops the "if ev is None:" guard that
    # precedes each "... timed out" / "not reported" raise below, and one
    # line after the logger.info() call in the unsupported-library branch
    # (presumably an early return); presumed present upstream -- confirm.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    raise Exception("Network block disabling not reported")

    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS

    Brings up an AP with the default WPA2-Enterprise parameters, connects
    dev[0] with the UNAUTH-TLS method (identity "unauth-tls", server
    certificate validated against auth_serv/ca.pem) and then forces a
    reauthentication with the same method.
    """
    sta = dev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(sta, ap, "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(sta, "UNAUTH-TLS")
def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash

    Three steps:
      1. ca_cert="probe://" deliberately fails the handshake but must report
         the server certificate (CTRL-EVENT-EAP-PEER-CERT depth=0) with the
         expected SHA-256 hash, followed by a "Server certificate chain
         probe" certificate error.
      2. Pinning to a different hash (hash://server/sha256/...) must be
         rejected with "Server certificate mismatch".
      3. Pinning to the expected hash must connect.
    """
    # NOTE(review): this rendering drops the "if ev is None:" guard that
    # precedes each "... timed out" / "not seen" raise below; presumed
    # present upstream -- confirm before relying on this listing.
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    # SHA-256 fingerprint the test expects for the hwsim server certificate.
    srv_cert_hash = "4704e62784f36cc5fd964c6410402f4938773bb471dce9d42939bf22fdbdb2dd"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Step 1: probe only -- no credentials, connection is expected to fail.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 2: pin to a hash that does not belong to the server certificate.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 3: pin to the expected hash -- this one must succeed.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)

    Three malformed hash://server/ pins are configured, one per station:
    an unsupported hash algorithm (md5), a sha256 value that is too short,
    and a sha256 value containing a non-hex character. In every case the
    supplicant must refuse to even initialize EAP-TTLS (vendor 0 method 21)
    rather than fall back to a weaker or no validation.
    """
    # NOTE(review): this rendering drops the "if ev is None:" guard that
    # precedes each raise inside the loop below; presumed present upstream
    # -- confirm before relying on this listing.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # md5 is not an accepted pin algorithm
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    # truncated sha256 value
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
                   wait_connect=False, scan_freq="2412")
    # non-hex character ('Q') in the sha256 value
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
                   wait_connect=False, scan_freq="2412")
    for i in range(0, 3):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        raise Exception("Did not report EAP method initialization failure")
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd

    Covers a plain EAP-pwd connection plus reauthentication, a very long
    NAI identity on a second station, a wrong-password negative case that
    must fail with a locally reported error, and a second long-identity
    connection on dev[0].
    """
    # NOTE(review): this rendering is missing the final keyword-argument
    # line of the two long-identity eap_connect() calls below (the closing
    # parenthesis here was added to keep the listing parseable); confirm
    # the full argument list against upstream.
    check_eap_capa(dev[0], "PWD")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[1], hapd, "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
                )

    logger.info("Negative test with incorrect password")
    eap_connect(dev[2], hapd, "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

    eap_connect(dev[0], hapd, "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
                )
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash

    Identity "pwd-hash" must authenticate both with the clear-text password
    and with the NT hash given as password_hex="hash:..."; the same NT hash
    presented for identity "pwd user" must be rejected, with the failure
    reported locally.
    """
    sta = dev[0]
    check_eap_capa(sta, "PWD")
    skip_with_fips(sta)
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    nthash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    eap_connect(sta, ap, "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], ap, "PWD", "pwd-hash", password_hex=nthash)
    eap_connect(dev[2], ap, "PWD", "pwd user", password_hex=nthash,
                expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_pwd_salt_sha1(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and salted password SHA-1

    Connects dev[0] as identity "pwd-hash-sha1" with the clear-text
    password; the server-side credential format is selected by the identity.
    """
    sta = dev[0]
    check_eap_capa(sta, "PWD")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "PWD", "pwd-hash-sha1", password="secret password")
def test_ap_wpa2_eap_pwd_salt_sha256(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and salted password SHA256

    Connects dev[0] as identity "pwd-hash-sha256" with the clear-text
    password; the server-side credential format is selected by the identity.
    """
    sta = dev[0]
    check_eap_capa(sta, "PWD")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "PWD", "pwd-hash-sha256",
                password="secret password")
def test_ap_wpa2_eap_pwd_salt_sha512(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and salted password SHA512

    Connects dev[0] as identity "pwd-hash-sha512" with the clear-text
    password; the server-side credential format is selected by the identity.
    """
    sta = dev[0]
    check_eap_capa(sta, "PWD")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "PWD", "pwd-hash-sha512",
                password="secret password")
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups

    Brings up a fresh AP with pwd_group set to each ECC group in turn and
    connects with the client allowing any group (eap_pwd_groups=0-65535).
    Groups 19, 20 and 21 are always tried; the Brainpool groups 28-30 are
    added only when both the build-time and run-time OpenSSL are 1.0.2 or
    1.1, as reported by "GET tls_library".
    """
    # NOTE(review): this rendering drops the loop header that binds `i`
    # (presumably iterating over `groups`) as well as one or two lines
    # after dump_monitor(); confirm against upstream before relying on this
    # listing.
    check_eap_capa(dev[0], "PWD")
    tls = dev[0].request("GET tls_library")
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf"}
    groups = [19, 20, 21]
    if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
        logger.info("Add Brainpool EC groups since OpenSSL is new enough")
        groups += [28, 29, 30]
    if tls.startswith("OpenSSL") and "build=OpenSSL 1.1" in tls and "run=OpenSSL 1.1" in tls:
        logger.info("Add Brainpool EC groups since OpenSSL is new enough")
        groups += [28, 29, 30]
    logger.info("Group %d" % i)
    params['pwd_group'] = str(i)
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PWD", "pwd user",
                password="secret password",
                phase1="eap_pwd_groups=0-65535")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group

    For each server-side pwd_group in 0, 25, 26, 27 the client (which allows
    any group via eap_pwd_groups=0-65535) must see CTRL-EVENT-EAP-FAILURE;
    none of these groups is acceptable for EAP-pwd here.
    """
    # NOTE(review): this rendering drops the "if ev is None:" guard that
    # precedes the raise inside the loop, and one or two lines after
    # dump_monitor(); presumed present upstream -- confirm.
    check_eap_capa(dev[0], "PWD")
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf"}
    for i in [0, 25, 26, 27]:
        logger.info("Group %d" % i)
        params['pwd_group'] = str(i)
        hapd = hostapd.add_ap(apdev[0], params)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                       identity="pwd user", password="secret password",
                       phase1="eap_pwd_groups=0-65535",
                       scan_freq="2412", wait_connect=False)
        # No timeout argument: relies on wait_event()'s default.
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report (group %d)" % i)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()
def test_ap_wpa2_eap_pwd_disabled_group(dev, apdev):
    """WPA2-Enterprise connection using disabled EAP-pwd group

    The client restricts itself to group 20 (phase1="eap_pwd_groups=20").
    While the server offers other groups the exchange must end in
    CTRL-EVENT-EAP-FAILURE; once the server is configured with pwd_group=20
    the same client configuration connects.
    """
    # NOTE(review): this rendering drops the loop header that binds `i` in
    # the first part, the "if ev is None:" guard before the raise, a couple
    # of lines between the loop and the final AP setup, and the closing
    # argument line of the last connect() call (a parenthesis was added to
    # keep the listing parseable); confirm against upstream.
    check_eap_capa(dev[0], "PWD")
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf"}
    logger.info("Group %d" % i)
    params['pwd_group'] = str(i)
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   phase1="eap_pwd_groups=20",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report (group %d)" % i)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()

    # Server now offers the one group the client accepts.
    params['pwd_group'] = "20"
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   phase1="eap_pwd_groups=20",
                   )
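def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    The AP is configured with pwd_group=19 and a deliberately small EAP
    fragment_size of 40 so that the server side has to fragment the EAP-pwd
    messages; the client must still complete the connection.

    Fix: the original first assigned params = hostapd.wpa2_eap_params(...)
    and then immediately overwrote it with the literal dict below, so the
    dead assignment is dropped.
    """
    check_eap_capa(dev[0], "PWD")
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "pwd_group": "19", "fragment_size": "40"}
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PWD", "pwd user", password="secret password")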
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK

    After a normal connection and reauthentication, phase1 is rewritten on
    the existing network block to force each supported cipher suite
    (cipher=1, cipher=2) and EAP success plus reconnection is required each
    time; an unknown suite (cipher=9) must yield CTRL-EVENT-EAP-FAILURE.
    Finally a wrong PSK must fail to connect.
    """
    # NOTE(review): this rendering drops the "if ev is None:" guard that
    # precedes each "... timed out" raise below; presumed present upstream
    # -- confirm before relying on this listing.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    id = eap_connect(dev[0], hapd, "GPSK", "gpsk user",
                     password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    logger.info("Test forced algorithm selection")
    for phase1 in ["cipher=1", "cipher=2"]:
        # Changing phase1 on the active block triggers a new EAP exchange.
        dev[0].set_network_quoted(id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(id, "phase1", "cipher=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    Connects with the correct 64-hex-digit SAKE key, reauthenticates, then
    replaces the network and requires the connection to fail when the first
    byte of the key is wrong.
    """
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    good_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(sta, ap, "SAKE", "sake user", password_hex=good_key)
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    bad_key = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(sta, ap, "SAKE", "sake user", password_hex=bad_key,
                expect_failure=True)
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE

    Exercises EAP-EKE with: a normal connection and reauthentication;
    several forced algorithm proposals via phase1 (dhgroup/encr/prf/mac)
    that must each succeed; an all-unknown proposal (9/9/9/9) that must
    fail; proposals with dhgroup=2 and dhgroup=1 that must be rejected; and
    a wrong password that must fail.
    """
    # NOTE(review): this rendering drops the "if ev is None:" guard that
    # precedes each "... timed out" raise below; presumed present upstream
    # -- confirm before relying on this listing.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    id = eap_connect(dev[0], hapd, "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    logger.info("Test forced algorithm selection")
    for phase1 in ["dhgroup=5 encr=1 prf=2 mac=2",
                   "dhgroup=4 encr=1 prf=2 mac=2",
                   "dhgroup=3 encr=1 prf=2 mac=2",
                   "dhgroup=3 encr=1 prf=1 mac=1"]:
        # Rewriting phase1 on the active block triggers a new EAP exchange.
        dev[0].set_network_quoted(id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)
        dev[0].dump_monitor()

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    raise Exception("EAP failure timed out")
    dev[0].dump_monitor()

    logger.info("Test unsupported algorithm proposals")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].dump_monitor()
    # Small DH groups (2 and 1) are expected to be refused.
    eap_connect(dev[0], hapd, "EKE", "eke user", password="hello",
                phase1="dhgroup=2 encr=1 prf=1 mac=1", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].dump_monitor()
    eap_connect(dev[0], hapd, "EKE", "eke user", password="hello",
                phase1="dhgroup=1 encr=1 prf=1 mac=1", expect_failure=True)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "EKE", "eke user", password="hello1",
                expect_failure=True)
def test_ap_wpa2_eap_eke_many(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-EKE (many connections) [long]

    Only runs with --long. Repeats an EAP-EKE connection 100 times on
    several stations, tolerating disconnections (attributed to the RADIUS
    server's active-session limits) and logging the success/failure totals
    at the end.

    Note: the `params` argument is the test-framework parameter dict (only
    params['long'] is read); it is then rebound to the AP configuration.
    """
    # NOTE(review): this rendering is missing several lines: the
    # initialisation of `success` and `fail`, the inner loop header that
    # binds `j`, the "if ev is None:" guard before the raise, and the
    # bookkeeping/continue lines inside the disconnected branch. Confirm
    # against upstream before relying on this listing.
    if not params['long']:
        raise HwsimSkip("Skip test case with long duration due to --long not specified")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    for i in range(100):
        dev[j].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="EKE",
                       identity="eke user", password="hello",
                       phase1="dhgroup=3 encr=1 prf=1 mac=1",
                       scan_freq="2412", wait_connect=False)
        ev = dev[j].wait_event(["CTRL-EVENT-CONNECTED",
                                "CTRL-EVENT-DISCONNECTED"], timeout=15)
        raise Exception("No connected/disconnected event")
        if "CTRL-EVENT-DISCONNECTED" in ev:
            # The RADIUS server limits on active sessions can be hit when
            # going through this test case, so try to give some more time
            # for the server to remove sessions.
            logger.info("Failed to connect i=%d j=%d" % (i, j))
            dev[j].request("REMOVE_NETWORK all")
        dev[j].request("REMOVE_NETWORK all")
        dev[j].wait_disconnected()
        dev[j].dump_monitor()
    logger.info("Total success=%d failure=%d" % (success, fail))
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI

    Uses the integrated EAP server with server_id set to an NAI-form value
    ("example.server@w1.fi") and requires a plain EAP-EKE connection.
    """
    ap_params = int_eap_server_params()
    ap_params.update({"server_id": "example.server@w1.fi"})
    ap = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[0], ap, "EKE", "eke user", password="hello")
def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with server OOM

    Injects allocation failures into the hostapd-side EAP-EKE server code
    with alloc_fail() and requires that each one makes the connection fail
    cleanly. First a fixed list of (count, function) points is tried through
    eap_connect(expect_failure=True); then a second list (including a
    "wrong" password case that reaches eap_eke_build_failure) is driven by
    a raw connect() and polled via GET_ALLOC_FAIL; finally every allocation
    in eap_server_sm_step is failed in turn until the trigger no longer
    fires, and the number of failures tested is logged.
    """
    # NOTE(review): this rendering is missing several lines in the two
    # polling sections: the loop/sleep that waits for GET_ALLOC_FAIL, the
    # "try:" that the visible "except Exception as e:" belongs to, the
    # break after the "Allocation failure did not trigger" check, and the
    # bound check that raises "Too few allocation failures". Confirm
    # against upstream before relying on this listing.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)

    for count, func in [(1, "eap_eke_build_commit"),
                        (2, "eap_eke_build_commit"),
                        (3, "eap_eke_build_commit"),
                        (1, "eap_eke_build_confirm"),
                        (2, "eap_eke_build_confirm"),
                        (1, "eap_eke_process_commit"),
                        (2, "eap_eke_process_commit"),
                        (1, "eap_eke_process_confirm"),
                        (1, "eap_eke_process_identity"),
                        (2, "eap_eke_process_identity"),
                        (3, "eap_eke_process_identity"),
                        (4, "eap_eke_process_identity")]:
        with alloc_fail(hapd, count, func):
            eap_connect(dev[0], hapd, "EKE", "eke user", password="hello",
                        expect_failure=True)
            dev[0].request("REMOVE_NETWORK all")

    for count, func, pw in [(1, "eap_eke_init", "hello"),
                            (1, "eap_eke_get_session_id", "hello"),
                            (1, "eap_eke_getKey", "hello"),
                            (1, "eap_eke_build_msg", "hello"),
                            (1, "eap_eke_build_failure", "wrong"),
                            (1, "eap_eke_build_identity", "hello"),
                            (2, "eap_eke_build_identity", "hello")]:
        with alloc_fail(hapd, count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            # A leading "0" from GET_ALLOC_FAIL means the injected failure
            # has not been hit yet.
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            dev[0].request("REMOVE_NETWORK all")

    for count in range(1, 1000):
        with alloc_fail(hapd, count, "eap_server_sm_step"):
            dev[0].connect("test-wpa2-eap",
                           key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            dev[0].request("REMOVE_NETWORK all")
        except Exception as e:
            if str(e) == "Allocation failure did not trigger":
                raise Exception("Too few allocation failures")
    logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Sequence: normal connection and reauthentication; reconnection with
    peer-side fragmentation (fragment_size="50"); a wrong-password attempt
    that must fail; and a final connection with fragment_size="0", after
    which the network is removed and the disconnection awaited.
    """
    sta = dev[0]
    check_eap_capa(sta, "IKEV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    creds = dict(password="ike password")
    eap_connect(sta, ap, "IKEV2", "ikev2 user", **creds)
    eap_reauth(sta, "IKEV2")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", "ikev2 user", fragment_size="50", **creds)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", "ikev2 user",
                password="ike-password", expect_failure=True)
    sta.request("REMOVE_NETWORK all")

    eap_connect(sta, ap, "IKEV2", "ikev2 user", fragment_size="0", **creds)
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
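def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    The AP is configured with an EAP fragment_size of 50 so that the server
    side has to fragment EAP-IKEv2 messages; the client must connect and
    reauthenticate normally.

    Fix: the original first assigned params = hostapd.wpa2_eap_params(...)
    and then immediately overwrote it with the literal dict below, so the
    dead assignment is dropped.
    """
    check_eap_capa(dev[0], "IKEV2")
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "fragment_size": "50"}
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")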
def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 and OOM

    Injects allocation failures (alloc_fail) and generic failures
    (fail_test) into the supplicant-side DH code used by EAP-IKEv2. For
    each injection point the EAP method must still be selected and the
    injected failure must actually be reached, as checked through
    GET_ALLOC_FAIL / GET_FAIL. The fail_test target depends on the TLS
    library: os_get_random;dh_init unless wolfSSL is in use.
    """
    # NOTE(review): this rendering is missing several lines: one entry of
    # the first `tests` list, the "if ev is None:" guards before the "EAP
    # method not selected" raises, the polling/raise lines around the
    # GET_ALLOC_FAIL / GET_FAIL checks, and the "else:" between the two
    # TLS-library-dependent `tests` assignments. Confirm against upstream
    # before relying on this listing.
    check_eap_capa(dev[0], "IKEV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    tests = [(1, "dh_init"),
             (1, "dh_derive_shared")]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            raise Exception("EAP method not selected")
            # "0:" in GET_ALLOC_FAIL means the injected failure has not fired.
            if "0:" in dev[0].request("GET_ALLOC_FAIL"):
            dev[0].request("REMOVE_NETWORK all")

    tls = dev[0].request("GET tls_library")
    if not tls.startswith("wolfSSL"):
        tests = [(1, "os_get_random;dh_init")]
    tests = [(1, "crypto_dh_init;dh_init")]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            raise Exception("EAP method not selected")
            if "0:" in dev[0].request("GET_FAIL"):
            dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    Positive case: connect with the 128-bit PAX key expected by the test
    EAP server and then reauthenticate.  Negative case: the same identity
    with a key whose first byte differs must be rejected (expect_failure),
    i.e. a nearly-correct key must not be accepted.
    """
    ssid = "test-wpa2-eap"
    identity = "pax.user@example.com"
    good_key = "0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef"

    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid=ssid))
    eap_connect(dev[0], hapd, "PAX", identity, password_hex=good_key)
    eap_reauth(dev[0], "PAX")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "PAX", identity, password_hex=bad_key,
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    The AP is configured with the SHA256-based AKM (WPA-EAP-SHA256) and
    ieee80211w=2 (PMF required).  After connecting and reauthenticating
    the test checks that the station both requested and had selected AKM
    suite 00-0f-ac-5 and that the BSS table entry advertises
    [WPA2-EAP-SHA256-CCMP].  The negative case uses a key differing in
    its first byte and must fail.
    """
    ssid = "test-wpa2-eap"
    identity = "psk.user@example.com"
    good_key = "0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef"
    sha256_akm = "00-0f-ac-5"

    params = hostapd.wpa2_eap_params(ssid=ssid)
    params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    params["ieee80211w"] = "2"
    hapd = hostapd.add_ap(apdev[0], params)

    eap_connect(dev[0], hapd, "PSK", identity, password_hex=good_key,
                sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", sha256_akm),
                       ("dot11RSNAAuthenticationSuiteSelected", sha256_akm)])

    bss = dev[0].get_bss(apdev[0]['bssid'])
    try:
        flags = bss['flags']
    except KeyError:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "PSK", identity, password_hex=bad_key,
                sha256=True, expect_failure=True)
3187 def test_ap_wpa2_eap_psk_oom(dev
, apdev
):
3188 """WPA2-Enterprise connection using EAP-PSK and OOM"""
3189 skip_with_fips(dev
[0])
3190 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3191 hostapd
.add_ap(apdev
[0], params
)
3192 tests
= [(1, "=aes_128_eax_encrypt"),
3193 (1, "=aes_128_eax_decrypt")]
3194 for count
, func
in tests
:
3195 with
alloc_fail(dev
[0], count
, func
):
3196 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PSK",
3197 identity
="psk.user@example.com",
3198 password_hex
="0123456789abcdef0123456789abcdef",
3199 wait_connect
=False, scan_freq
="2412")
3200 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
3202 raise Exception("EAP method not selected")
3203 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL",
3204 note
="Failure not triggered: %d:%s" % (count
, func
))
3205 dev
[0].request("REMOVE_NETWORK all")
3206 dev
[0].wait_disconnected()
3208 tests
= [(1, "aes_ctr_encrypt;aes_128_eax_encrypt"),
3209 (1, "omac1_aes_128;aes_128_eax_encrypt"),
3210 (2, "omac1_aes_128;aes_128_eax_encrypt"),
3211 (3, "omac1_aes_128;aes_128_eax_encrypt"),
3212 (1, "omac1_aes_vector"),
3213 (1, "omac1_aes_128;aes_128_eax_decrypt"),
3214 (2, "omac1_aes_128;aes_128_eax_decrypt"),
3215 (3, "omac1_aes_128;aes_128_eax_decrypt"),
3216 (1, "aes_ctr_encrypt;aes_128_eax_decrypt")]
3217 for count
, func
in tests
:
3218 with
fail_test(dev
[0], count
, func
):
3219 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PSK",
3220 identity
="psk.user@example.com",
3221 password_hex
="0123456789abcdef0123456789abcdef",
3222 wait_connect
=False, scan_freq
="2412")
3223 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
3225 raise Exception("EAP method not selected")
3226 wait_fail_trigger(dev
[0], "GET_FAIL",
3227 note
="Failure not triggered: %d:%s" % (count
, func
))
3228 dev
[0].request("REMOVE_NETWORK all")
3229 dev
[0].wait_disconnected()
3231 with
fail_test(dev
[0], 1, "aes_128_encrypt_block"):
3232 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PSK",
3233 identity
="psk.user@example.com",
3234 password_hex
="0123456789abcdef0123456789abcdef",
3235 wait_connect
=False, scan_freq
="2412")
3236 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
3238 raise Exception("EAP method failure not reported")
3239 dev
[0].request("REMOVE_NETWORK all")
3240 dev
[0].wait_disconnected()
3242 def test_ap_wpa_eap_peap_eap_mschapv2(dev
, apdev
):
3243 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
3244 check_eap_capa(dev
[0], "MSCHAPV2")
3245 params
= hostapd
.wpa_eap_params(ssid
="test-wpa-eap")
3246 hapd
= hostapd
.add_ap(apdev
[0], params
)
3247 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
3248 identity
="user", password
="password", phase2
="auth=MSCHAPV2",
3249 ca_cert
="auth_serv/ca.pem", wait_connect
=False,
3251 eap_check_auth(dev
[0], "PEAP", True, rsn
=False)
3252 hwsim_utils
.test_connectivity(dev
[0], hapd
)
3253 eap_reauth(dev
[0], "PEAP", rsn
=False)
3254 check_mib(dev
[0], [("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
3255 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1")])
3256 status
= dev
[0].get_status(extra
="VERBOSE")
3257 if 'portControl' not in status
:
3258 raise Exception("portControl missing from STATUS-VERBOSE")
3259 if status
['portControl'] != 'Auto':
3260 raise Exception("Unexpected portControl value: " + status
['portControl'])
3261 if 'eap_session_id' not in status
:
3262 raise Exception("eap_session_id missing from STATUS-VERBOSE")
3263 if not status
['eap_session_id'].startswith("19"):
3264 raise Exception("Unexpected eap_session_id value: " + status
['eap_session_id'])
3266 def test_ap_wpa2_eap_interactive(dev
, apdev
):
3267 """WPA2-Enterprise connection using interactive identity/password entry"""
3268 check_eap_capa(dev
[0], "MSCHAPV2")
3269 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3270 hapd
= hostapd
.add_ap(apdev
[0], params
)
3272 tests
= [("Connection with dynamic TTLS/MSCHAPv2 password entry",
3273 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
3275 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
3276 "TTLS", "ttls", None, "auth=MSCHAPV2",
3277 "DOMAIN\mschapv2 user", "password"),
3278 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
3279 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
3280 ("Connection with dynamic TTLS/EAP-MD5 password entry",
3281 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
3282 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
3283 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
3284 ("Connection with dynamic PEAP/EAP-GTC password entry",
3285 "PEAP", None, "user", "auth=GTC", None, "password")]
3286 for [desc
, eap
, anon
, identity
, phase2
, req_id
, req_pw
] in tests
:
3288 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
=eap
,
3289 anonymous_identity
=anon
, identity
=identity
,
3290 ca_cert
="auth_serv/ca.pem", phase2
=phase2
,
3291 wait_connect
=False, scan_freq
="2412")
3293 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
3295 raise Exception("Request for identity timed out")
3296 id = ev
.split(':')[0].split('-')[-1]
3297 dev
[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id
)
3298 ev
= dev
[0].wait_event(["CTRL-REQ-PASSWORD", "CTRL-REQ-OTP"])
3300 raise Exception("Request for password timed out")
3301 id = ev
.split(':')[0].split('-')[-1]
3302 type = "OTP" if "CTRL-REQ-OTP" in ev
else "PASSWORD"
3303 dev
[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw
)
3304 dev
[0].wait_connected(timeout
=10)
3305 dev
[0].request("REMOVE_NETWORK all")
3307 def test_ap_wpa2_eap_ext_enable_network_while_connected(dev
, apdev
):
3308 """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
3309 check_eap_capa(dev
[0], "MSCHAPV2")
3310 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3311 hapd
= hostapd
.add_ap(apdev
[0], params
)
3313 id_other
= dev
[0].connect("other", key_mgmt
="NONE", scan_freq
="2412",
3314 only_add_network
=True)
3316 req_id
= "DOMAIN\mschapv2 user"
3317 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
3318 anonymous_identity
="ttls", identity
=None,
3319 password
="password",
3320 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3321 wait_connect
=False, scan_freq
="2412")
3322 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
3324 raise Exception("Request for identity timed out")
3325 id = ev
.split(':')[0].split('-')[-1]
3326 dev
[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id
)
3327 dev
[0].wait_connected(timeout
=10)
3329 if "OK" not in dev
[0].request("ENABLE_NETWORK " + str(id_other
)):
3330 raise Exception("Failed to enable network")
3331 ev
= dev
[0].wait_event(["SME: Trying to authenticate"], timeout
=1)
3333 raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
3334 dev
[0].request("REMOVE_NETWORK all")
3336 def test_ap_wpa2_eap_vendor_test(dev
, apdev
):
3337 """WPA2-Enterprise connection using EAP vendor test"""
3338 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3339 hapd
= hostapd
.add_ap(apdev
[0], params
)
3340 eap_connect(dev
[0], hapd
, "VENDOR-TEST", "vendor-test")
3341 eap_reauth(dev
[0], "VENDOR-TEST")
3342 eap_connect(dev
[1], hapd
, "VENDOR-TEST", "vendor-test",
3345 def test_ap_wpa2_eap_vendor_test_oom(dev
, apdev
):
3346 """WPA2-Enterprise connection using EAP vendor test (OOM)"""
3347 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3348 hostapd
.add_ap(apdev
[0], params
)
3350 tests
= ["eap_vendor_test_init",
3351 "eap_msg_alloc;eap_vendor_test_process",
3352 "eap_vendor_test_getKey"]
3354 with
alloc_fail(dev
[0], 1, func
):
3355 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
3357 eap
="VENDOR-TEST", identity
="vendor-test",
3359 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
3360 dev
[0].request("REMOVE_NETWORK all")
3361 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    fast_provisioning=1 lets the peer obtain its PAC through the
    unauthenticated provisioning mode; the PAC is stored in the "fast_pac"
    blob.  After a data-connectivity check, a reauthentication must report
    tls_session_reused=1, showing that the freshly provisioned PAC was
    used instead of a full TLS handshake.
    NOTE(review): in this mode the TLS tunnel of the provisioning exchange
    does not authenticate the server; see the security considerations of
    RFC 5422 before copying this configuration outside a test setup.
    """
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(dev[0], hapd)
    reused = eap_reauth(dev[0], "FAST")['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
3377 def test_ap_wpa2_eap_fast_pac_file(dev
, apdev
, params
):
3378 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
3379 check_eap_capa(dev
[0], "FAST")
3380 pac_file
= os
.path
.join(params
['logdir'], "fast.pac")
3381 pac_file2
= os
.path
.join(params
['logdir'], "fast-bin.pac")
3382 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3383 hapd
= hostapd
.add_ap(apdev
[0], params
)
3386 eap_connect(dev
[0], hapd
, "FAST", "user",
3387 anonymous_identity
="FAST", password
="password",
3388 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3389 phase1
="fast_provisioning=1", pac_file
=pac_file
)
3390 with
open(pac_file
, "r") as f
:
3392 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data
:
3393 raise Exception("PAC file header missing")
3394 if "PAC-Key=" not in data
:
3395 raise Exception("PAC-Key missing from PAC file")
3396 dev
[0].request("REMOVE_NETWORK all")
3397 eap_connect(dev
[0], hapd
, "FAST", "user",
3398 anonymous_identity
="FAST", password
="password",
3399 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3402 eap_connect(dev
[1], hapd
, "FAST", "user",
3403 anonymous_identity
="FAST", password
="password",
3404 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3405 phase1
="fast_provisioning=1 fast_pac_format=binary",
3407 dev
[1].request("REMOVE_NETWORK all")
3408 eap_connect(dev
[1], hapd
, "FAST", "user",
3409 anonymous_identity
="FAST", password
="password",
3410 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3411 phase1
="fast_pac_format=binary",
3419 os
.remove(pac_file2
)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    Provisions a PAC with fast_pac_format=binary into the "fast_pac_bin"
    blob and checks that a reauthentication resumes the TLS session from
    it (tls_session_reused=1).  The first connection caps the PAC list at
    one entry (fast_max_pac_list_len=1); the second one repeats the
    provisioning with fast_max_pac_list_len=0, a special-cased value that
    must still result in a successful connection.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    def connect(max_pac_list_len):
        # Shared EAP-FAST settings; only the PAC list limit varies.
        phase1 = "fast_provisioning=1 fast_max_pac_list_len=%d fast_pac_format=binary" % max_pac_list_len
        eap_connect(dev[0], hapd, "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1=phase1, pac_file="blob://fast_pac_bin")

    connect(1)
    res = eap_reauth(dev[0], "FAST")
    if res['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")

    # Verify fast_max_pac_list_len=0 special case
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    connect(0)
3446 def test_ap_wpa2_eap_fast_missing_pac_config(dev
, apdev
):
3447 """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
3448 check_eap_capa(dev
[0], "FAST")
3449 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3450 hostapd
.add_ap(apdev
[0], params
)
3452 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3453 identity
="user", anonymous_identity
="FAST",
3454 password
="password",
3455 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3456 pac_file
="blob://fast_pac_not_in_use",
3457 wait_connect
=False, scan_freq
="2412")
3458 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3460 raise Exception("Timeout on EAP failure report")
3461 dev
[0].request("REMOVE_NETWORK all")
3463 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3464 identity
="user", anonymous_identity
="FAST",
3465 password
="password",
3466 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3467 wait_connect
=False, scan_freq
="2412")
3468 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3470 raise Exception("Timeout on EAP failure report")
3472 def test_ap_wpa2_eap_fast_binary_pac_errors(dev
, apdev
):
3473 """EAP-FAST and binary PAC errors"""
3474 check_eap_capa(dev
[0], "FAST")
3475 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3476 hapd
= hostapd
.add_ap(apdev
[0], params
)
3478 tests
= [(1, "=eap_fast_save_pac_bin"),
3479 (1, "eap_fast_write_pac"),
3480 (2, "eap_fast_write_pac"),]
3481 for count
, func
in tests
:
3482 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors "):
3483 raise Exception("Could not set blob")
3485 with
alloc_fail(dev
[0], count
, func
):
3486 eap_connect(dev
[0], hapd
, "FAST", "user",
3487 anonymous_identity
="FAST", password
="password",
3488 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3489 phase1
="fast_provisioning=1 fast_pac_format=binary",
3490 pac_file
="blob://fast_pac_bin_errors")
3491 dev
[0].request("REMOVE_NETWORK all")
3492 dev
[0].wait_disconnected()
3494 tests
= ["00", "000000000000", "6ae4920c0001",
3496 "6ae4920c0000" + "0000" + 32*"00" + "ffff" + "0000",
3497 "6ae4920c0000" + "0000" + 32*"00" + "0001" + "0000",
3498 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0001",
3499 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0008" + "00040000" + "0007000100"]
3501 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + t
):
3502 raise Exception("Could not set blob")
3504 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3505 identity
="user", anonymous_identity
="FAST",
3506 password
="password",
3507 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3508 phase1
="fast_provisioning=1 fast_pac_format=binary",
3509 pac_file
="blob://fast_pac_bin_errors",
3510 scan_freq
="2412", wait_connect
=False)
3511 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"],
3514 raise Exception("Failure not reported")
3515 dev
[0].request("REMOVE_NETWORK all")
3516 dev
[0].wait_disconnected()
3518 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0000"
3519 tests
= [(1, "eap_fast_load_pac_bin"),
3520 (2, "eap_fast_load_pac_bin"),
3521 (3, "eap_fast_load_pac_bin")]
3522 for count
, func
in tests
:
3523 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3524 raise Exception("Could not set blob")
3526 with
alloc_fail(dev
[0], count
, func
):
3527 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3528 identity
="user", anonymous_identity
="FAST",
3529 password
="password",
3530 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3531 phase1
="fast_provisioning=1 fast_pac_format=binary",
3532 pac_file
="blob://fast_pac_bin_errors",
3533 scan_freq
="2412", wait_connect
=False)
3534 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"],
3537 raise Exception("Failure not reported")
3538 dev
[0].request("REMOVE_NETWORK all")
3539 dev
[0].wait_disconnected()
3541 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0005" + "0011223344"
3542 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3543 raise Exception("Could not set blob")
3545 eap_connect(dev
[0], hapd
, "FAST", "user",
3546 anonymous_identity
="FAST", password
="password",
3547 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3548 phase1
="fast_provisioning=1 fast_pac_format=binary",
3549 pac_file
="blob://fast_pac_bin_errors")
3550 dev
[0].request("REMOVE_NETWORK all")
3551 dev
[0].wait_disconnected()
3553 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0009" + "00040000" + "0007000100"
3554 tests
= [(1, "eap_fast_pac_get_a_id"),
3555 (2, "eap_fast_pac_get_a_id")]
3556 for count
, func
in tests
:
3557 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3558 raise Exception("Could not set blob")
3559 with
alloc_fail(dev
[0], count
, func
):
3560 eap_connect(dev
[0], hapd
, "FAST", "user",
3561 anonymous_identity
="FAST", password
="password",
3562 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3563 phase1
="fast_provisioning=1 fast_pac_format=binary",
3564 pac_file
="blob://fast_pac_bin_errors")
3565 dev
[0].request("REMOVE_NETWORK all")
3566 dev
[0].wait_disconnected()
3568 def test_ap_wpa2_eap_fast_text_pac_errors(dev
, apdev
):
3569 """EAP-FAST and text PAC errors"""
3570 check_eap_capa(dev
[0], "FAST")
3571 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3572 hostapd
.add_ap(apdev
[0], params
)
3574 tests
= [(1, "eap_fast_parse_hex;eap_fast_parse_pac_key"),
3575 (1, "eap_fast_parse_hex;eap_fast_parse_pac_opaque"),
3576 (1, "eap_fast_parse_hex;eap_fast_parse_a_id"),
3577 (1, "eap_fast_parse_start"),
3578 (1, "eap_fast_save_pac")]
3579 for count
, func
in tests
:
3580 dev
[0].request("FLUSH")
3581 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors "):
3582 raise Exception("Could not set blob")
3584 with
alloc_fail(dev
[0], count
, func
):
3585 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3586 identity
="user", anonymous_identity
="FAST",
3587 password
="password",
3588 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3589 phase1
="fast_provisioning=1",
3590 pac_file
="blob://fast_pac_text_errors",
3591 scan_freq
="2412", wait_connect
=False)
3592 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
3593 dev
[0].request("REMOVE_NETWORK all")
3594 dev
[0].wait_disconnected()
3596 pac
= "wpa_supplicant EAP-FAST PAC file - version 1\n"
3600 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors " + binascii
.hexlify(pac
.encode()).decode()):
3601 raise Exception("Could not set blob")
3603 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3604 identity
="user", anonymous_identity
="FAST",
3605 password
="password",
3606 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3607 phase1
="fast_provisioning=1",
3608 pac_file
="blob://fast_pac_text_errors",
3609 scan_freq
="2412", wait_connect
=False)
3610 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"], timeout
=5)
3612 raise Exception("Failure not reported")
3613 dev
[0].request("REMOVE_NETWORK all")
3614 dev
[0].wait_disconnected()
3616 dev
[0].request("FLUSH")
3617 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors "):
3618 raise Exception("Could not set blob")
3620 with
alloc_fail(dev
[0], 1, "eap_fast_add_pac_data"):
3622 params
= int_eap_server_params()
3623 params
['ssid'] = "test-wpa2-eap-2"
3624 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3625 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3626 params
['eap_fast_a_id_info'] = "test server %d" % i
3628 hapd2
= hostapd
.add_ap(apdev
[1], params
)
3630 dev
[0].connect("test-wpa2-eap-2", key_mgmt
="WPA-EAP", eap
="FAST",
3631 identity
="user", anonymous_identity
="FAST",
3632 password
="password",
3633 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3634 phase1
="fast_provisioning=1",
3635 pac_file
="blob://fast_pac_text_errors",
3636 scan_freq
="2412", wait_connect
=False)
3637 dev
[0].wait_connected()
3638 dev
[0].request("REMOVE_NETWORK all")
3639 dev
[0].wait_disconnected()
3643 def test_ap_wpa2_eap_fast_pac_truncate(dev
, apdev
):
3644 """EAP-FAST and PAC list truncation"""
3645 check_eap_capa(dev
[0], "FAST")
3646 if "OK" not in dev
[0].request("SET blob fast_pac_truncate "):
3647 raise Exception("Could not set blob")
3649 params
= int_eap_server_params()
3650 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3651 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3652 params
['eap_fast_a_id_info'] = "test server %d" % i
3653 hapd
= hostapd
.add_ap(apdev
[0], params
)
3655 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3656 identity
="user", anonymous_identity
="FAST",
3657 password
="password",
3658 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3659 phase1
="fast_provisioning=1 fast_max_pac_list_len=2",
3660 pac_file
="blob://fast_pac_truncate",
3661 scan_freq
="2412", wait_connect
=False)
3662 dev
[0].wait_connected()
3663 dev
[0].request("REMOVE_NETWORK all")
3664 dev
[0].wait_disconnected()
3668 def test_ap_wpa2_eap_fast_pac_refresh(dev
, apdev
):
3669 """EAP-FAST and PAC refresh"""
3670 check_eap_capa(dev
[0], "FAST")
3671 if "OK" not in dev
[0].request("SET blob fast_pac_refresh "):
3672 raise Exception("Could not set blob")
3674 params
= int_eap_server_params()
3675 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3676 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3677 params
['eap_fast_a_id_info'] = "test server %d" % i
3678 params
['pac_key_refresh_time'] = "1"
3679 params
['pac_key_lifetime'] = "10"
3680 hapd
= hostapd
.add_ap(apdev
[0], params
)
3682 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3683 identity
="user", anonymous_identity
="FAST",
3684 password
="password",
3685 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3686 phase1
="fast_provisioning=1",
3687 pac_file
="blob://fast_pac_refresh",
3688 scan_freq
="2412", wait_connect
=False)
3689 dev
[0].wait_connected()
3690 dev
[0].request("REMOVE_NETWORK all")
3691 dev
[0].wait_disconnected()
3696 params
= int_eap_server_params()
3697 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3698 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3699 params
['eap_fast_a_id_info'] = "test server %d" % i
3700 params
['pac_key_refresh_time'] = "10"
3701 params
['pac_key_lifetime'] = "10"
3702 hapd
= hostapd
.add_ap(apdev
[0], params
)
3704 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3705 identity
="user", anonymous_identity
="FAST",
3706 password
="password",
3707 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3708 phase1
="fast_provisioning=1",
3709 pac_file
="blob://fast_pac_refresh",
3710 scan_freq
="2412", wait_connect
=False)
3711 dev
[0].wait_connected()
3712 dev
[0].request("REMOVE_NETWORK all")
3713 dev
[0].wait_disconnected()
3717 def test_ap_wpa2_eap_fast_pac_lifetime(dev
, apdev
):
3718 """EAP-FAST and PAC lifetime"""
3719 check_eap_capa(dev
[0], "FAST")
3720 if "OK" not in dev
[0].request("SET blob fast_pac_refresh "):
3721 raise Exception("Could not set blob")
3724 params
= int_eap_server_params()
3725 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3726 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3727 params
['eap_fast_a_id_info'] = "test server %d" % i
3728 params
['pac_key_refresh_time'] = "0"
3729 params
['pac_key_lifetime'] = "2"
3730 hapd
= hostapd
.add_ap(apdev
[0], params
)
3732 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3733 identity
="user", anonymous_identity
="FAST",
3734 password
="password",
3735 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3736 phase1
="fast_provisioning=2",
3737 pac_file
="blob://fast_pac_refresh",
3738 scan_freq
="2412", wait_connect
=False)
3739 dev
[0].wait_connected()
3740 dev
[0].request("DISCONNECT")
3741 dev
[0].wait_disconnected()
3744 dev
[0].request("PMKSA_FLUSH")
3745 dev
[0].request("RECONNECT")
3746 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
3748 raise Exception("No EAP-Failure seen after expired PAC")
3749 dev
[0].request("DISCONNECT")
3750 dev
[0].wait_disconnected()
3752 dev
[0].select_network(id)
3753 dev
[0].wait_connected()
3754 dev
[0].request("REMOVE_NETWORK all")
3755 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning

    fast_provisioning=2 restricts the peer to authenticated provisioning,
    with the server certificate checked against ca_cert
    (auth_serv/ca.pem); the resulting PAC is kept in the "fast_pac_auth"
    blob.  After confirming data connectivity, a reauthentication must
    report tls_session_reused=1, i.e. the provisioned PAC was used for
    TLS session resumption.
    """
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    fast_opts = dict(anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                     phase1="fast_provisioning=2",
                     pac_file="blob://fast_pac_auth")
    eap_connect(dev[0], hapd, "FAST", "user", **fast_opts)
    hwsim_utils.test_connectivity(dev[0], hapd)
    status = eap_reauth(dev[0], "FAST")
    if status['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
3771 def test_ap_wpa2_eap_fast_gtc_identity_change(dev
, apdev
):
3772 """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
3773 check_eap_capa(dev
[0], "FAST")
3774 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3775 hapd
= hostapd
.add_ap(apdev
[0], params
)
3776 id = eap_connect(dev
[0], hapd
, "FAST", "user",
3777 anonymous_identity
="FAST", password
="password",
3778 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3779 phase1
="fast_provisioning=2",
3780 pac_file
="blob://fast_pac_auth")
3781 dev
[0].set_network_quoted(id, "identity", "user2")
3782 dev
[0].wait_disconnected()
3783 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
3785 raise Exception("EAP-FAST not started")
3786 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
3788 raise Exception("EAP failure not reported")
3789 dev
[0].wait_disconnected()
3791 def test_ap_wpa2_eap_fast_prf_oom(dev
, apdev
):
3792 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
3793 check_eap_capa(dev
[0], "FAST")
3794 tls
= dev
[0].request("GET tls_library")
3795 if tls
.startswith("OpenSSL"):
3796 func
= "tls_connection_get_eap_fast_key"
3798 elif tls
.startswith("internal"):
3799 func
= "tls_connection_prf"
3802 raise HwsimSkip("Unsupported TLS library")
3803 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3804 hapd
= hostapd
.add_ap(apdev
[0], params
)
3805 with
alloc_fail(dev
[0], count
, func
):
3806 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3807 identity
="user", anonymous_identity
="FAST",
3808 password
="password", ca_cert
="auth_serv/ca.pem",
3810 phase1
="fast_provisioning=2",
3811 pac_file
="blob://fast_pac_auth",
3812 wait_connect
=False, scan_freq
="2412")
3813 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
3815 raise Exception("EAP failure not reported")
3816 dev
[0].request("DISCONNECT")
3818 def test_ap_wpa2_eap_fast_server_oom(dev
, apdev
):
3819 """EAP-FAST/MSCHAPv2 and server OOM"""
3820 check_eap_capa(dev
[0], "FAST")
3822 params
= int_eap_server_params()
3823 params
['dh_file'] = 'auth_serv/dh.conf'
3824 params
['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
3825 params
['eap_fast_a_id'] = '1011'
3826 params
['eap_fast_a_id_info'] = 'another test server'
3827 hapd
= hostapd
.add_ap(apdev
[0], params
)
3829 with
alloc_fail(hapd
, 1, "tls_session_ticket_ext_cb"):
3830 id = eap_connect(dev
[0], hapd
, "FAST", "user",
3831 anonymous_identity
="FAST", password
="password",
3832 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3833 phase1
="fast_provisioning=1",
3834 pac_file
="blob://fast_pac",
3835 expect_failure
=True)
3836 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
3838 raise Exception("No EAP failure reported")
3839 dev
[0].wait_disconnected()
3840 dev
[0].request("DISCONNECT")
3842 dev
[0].select_network(id, freq
="2412")
3844 def test_ap_wpa2_eap_fast_cipher_suites(dev
, apdev
):
3845 """EAP-FAST and different TLS cipher suites"""
3846 check_eap_capa(dev
[0], "FAST")
3847 tls
= dev
[0].request("GET tls_library")
3848 if not tls
.startswith("OpenSSL") and not tls
.startswith("wolfSSL"):
3849 raise HwsimSkip("TLS library is not OpenSSL or wolfSSL: " + tls
)
3851 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3852 hapd
= hostapd
.add_ap(apdev
[0], params
)
3854 dev
[0].request("SET blob fast_pac_ciphers ")
3855 eap_connect(dev
[0], hapd
, "FAST", "user",
3856 anonymous_identity
="FAST", password
="password",
3857 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3858 phase1
="fast_provisioning=2",
3859 pac_file
="blob://fast_pac_ciphers")
3860 res
= dev
[0].get_status_field('EAP TLS cipher')
3861 dev
[0].request("REMOVE_NETWORK all")
3862 dev
[0].wait_disconnected()
3863 if res
!= "DHE-RSA-AES256-SHA":
3864 raise Exception("Unexpected cipher suite for provisioning: " + res
)
3866 tests
= ["DHE-RSA-AES128-SHA",
3870 "DHE-RSA-AES256-SHA"]
3871 for cipher
in tests
:
3872 dev
[0].dump_monitor()
3873 logger
.info("Testing " + cipher
)
3875 eap_connect(dev
[0], hapd
, "FAST", "user",
3876 openssl_ciphers
=cipher
,
3877 anonymous_identity
="FAST", password
="password",
3878 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3879 pac_file
="blob://fast_pac_ciphers",
3880 report_failure
=True)
3881 except Exception as e
:
3882 if cipher
== "RC4-SHA" and \
3883 ("Could not select EAP method" in str(e
) or \
3884 "EAP failed" in str(e
)):
3885 if "run=OpenSSL 1.1" in tls
:
3886 logger
.info("Allow failure due to missing TLS library support")
3887 dev
[0].request("REMOVE_NETWORK all")
3888 dev
[0].wait_disconnected()
3891 res
= dev
[0].get_status_field('EAP TLS cipher')
3892 dev
[0].request("REMOVE_NETWORK all")
3893 dev
[0].wait_disconnected()
3895 raise Exception("Unexpected TLS cipher info (configured %s): %s" % (cipher
, res
))
3897 def test_ap_wpa2_eap_fast_prov(dev
, apdev
):
3898 """EAP-FAST and provisioning options"""
3899 check_eap_capa(dev
[0], "FAST")
3900 if "OK" not in dev
[0].request("SET blob fast_pac_prov "):
3901 raise Exception("Could not set blob")
3904 params
= int_eap_server_params()
3905 params
['disable_pmksa_caching'] = '1'
3906 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3907 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3908 params
['eap_fast_a_id_info'] = "test server %d" % i
3909 params
['eap_fast_prov'] = "0"
3910 hapd
= hostapd
.add_ap(apdev
[0], params
)
3912 logger
.info("Provisioning attempt while server has provisioning disabled")
3913 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3914 identity
="user", anonymous_identity
="FAST",
3915 password
="password",
3916 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3917 phase1
="fast_provisioning=2",
3918 pac_file
="blob://fast_pac_prov",
3919 scan_freq
="2412", wait_connect
=False)
3920 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3923 raise Exception("EAP result not reported")
3924 if "parameter='failure'" not in ev
:
3925 raise Exception("Unexpected EAP result: " + ev
)
3926 dev
[0].wait_disconnected()
3927 dev
[0].request("DISCONNECT")
3928 dev
[0].dump_monitor()
3931 logger
.info("Authenticated provisioning")
3932 hapd
.set("eap_fast_prov", "2")
3935 dev
[0].select_network(id, freq
="2412")
3936 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3939 raise Exception("EAP result not reported")
3940 if "parameter='success'" not in ev
:
3941 raise Exception("Unexpected EAP result: " + ev
)
3942 dev
[0].wait_connected()
3943 dev
[0].request("DISCONNECT")
3944 dev
[0].wait_disconnected()
3945 dev
[0].dump_monitor()
3948 logger
.info("Provisioning disabled - using previously provisioned PAC")
3949 hapd
.set("eap_fast_prov", "0")
3952 dev
[0].select_network(id, freq
="2412")
3953 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3956 raise Exception("EAP result not reported")
3957 if "parameter='success'" not in ev
:
3958 raise Exception("Unexpected EAP result: " + ev
)
3959 dev
[0].wait_connected()
3960 dev
[0].request("DISCONNECT")
3961 dev
[0].wait_disconnected()
3962 dev
[0].dump_monitor()
3964 logger
.info("Drop PAC and verify connection failure")
3965 if "OK" not in dev
[0].request("SET blob fast_pac_prov "):
3966 raise Exception("Could not set blob")
3968 dev
[0].select_network(id, freq
="2412")
3969 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3972 raise Exception("EAP result not reported")
3973 if "parameter='failure'" not in ev
:
3974 raise Exception("Unexpected EAP result: " + ev
)
3975 dev
[0].wait_disconnected()
3976 dev
[0].request("DISCONNECT")
3977 dev
[0].dump_monitor()
3980 logger
.info("Anonymous provisioning")
3981 hapd
.set("eap_fast_prov", "1")
3983 dev
[0].set_network_quoted(id, "phase1", "fast_provisioning=1")
3984 dev
[0].select_network(id, freq
="2412")
3985 # Anonymous provisioning results in EAP-Failure first
3986 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3989 raise Exception("EAP result not reported")
3990 if "parameter='failure'" not in ev
:
3991 raise Exception("Unexpected EAP result: " + ev
)
3992 dev
[0].wait_disconnected()
3993 # And then the actual data connection
3994 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3997 raise Exception("EAP result not reported")
3998 if "parameter='success'" not in ev
:
3999 raise Exception("Unexpected EAP result: " + ev
)
4000 dev
[0].wait_connected()
4001 dev
[0].request("DISCONNECT")
4002 dev
[0].wait_disconnected()
4003 dev
[0].dump_monitor()
4006 logger
.info("Provisioning disabled - using previously provisioned PAC")
4007 hapd
.set("eap_fast_prov", "0")
4010 dev
[0].select_network(id, freq
="2412")
4011 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
4014 raise Exception("EAP result not reported")
4015 if "parameter='success'" not in ev
:
4016 raise Exception("Unexpected EAP result: " + ev
)
4017 dev
[0].wait_connected()
4018 dev
[0].request("DISCONNECT")
4019 dev
[0].wait_disconnected()
4020 dev
[0].dump_monitor()
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    # Skip rather than fail when the station's TLS library cannot do OCSP or
    # load a PKCS#12 client credential (presumably via HwsimSkip, like the
    # other check_* helpers in this file).
    sta = dev[0]
    check_ocsp_support(sta)
    check_pkcs12_support(sta)

    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # ocsp=2: the station requires a valid stapled OCSP response for the
    # server certificate; eap_connect is expected to complete successfully.
    client_creds = dict(ca_cert="auth_serv/ca.pem",
                        private_key="auth_serv/user.pkcs12",
                        private_key_passwd="whatever",
                        ocsp=2)
    eap_connect(sta, ap, "TLS", "tls user", **client_creds)
def test_ap_wpa2_eap_tls_ocsp_multi(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP-multi"""
    # Multi-response OCSP stapling (and the PKCS#12 client credential) need
    # TLS library support; the helpers skip the test when it is absent.
    check_ocsp_multi_support(dev[0])
    check_pkcs12_support(dev[0])

    ssid = "test-wpa2-eap"
    ap_params = hostapd.wpa2_eap_params(ssid=ssid)
    ap = hostapd.add_ap(apdev[0], ap_params)

    # Same credentials as test_ap_wpa2_eap_tls_ocsp; ocsp=2 makes a valid
    # stapled status for the server certificate mandatory.
    eap_connect(dev[0], ap, "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever",
                ocsp=2)
def int_eap_server_params():
    """Return hostapd parameters for a WPA2-EAP AP using the integrated EAP server.

    Every call builds a fresh dict, so callers may add or override keys
    (e.g. "ocsp_stapling_response" or an alternate "server_cert"/"private_key"
    pair) without affecting other tests.
    """
    ap_params = dict(
        ssid="test-wpa2-eap",
        wpa="2",
        wpa_key_mgmt="WPA-EAP",
        rsn_pairwise="CCMP",
        ieee8021x="1",
        # hostapd's built-in EAP server with a local user database, so no
        # external RADIUS server is needed for these tests
        eap_server="1",
        eap_user_file="auth_serv/eap_user.conf",
        # trust anchor, server credential and DH parameters from the
        # auth_serv test fixtures
        ca_cert="auth_serv/ca.pem",
        server_cert="auth_serv/server.pem",
        private_key="auth_serv/server.key",
        dh_file="auth_serv/dh.conf",
    )
    return ap_params
4053 def test_ap_wpa2_eap_tls_ocsp_key_id(dev
, apdev
, params
):
4054 """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
4055 check_ocsp_support(dev
[0])
4056 check_pkcs12_support(dev
[0])
4057 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-key-id.der")
4058 if not os
.path
.exists(ocsp
):
4059 raise HwsimSkip("No OCSP response available")
4060 params
= int_eap_server_params()
4061 params
["ocsp_stapling_response"] = ocsp
4062 hostapd
.add_ap(apdev
[0], params
)
4063 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4064 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4065 private_key
="auth_serv/user.pkcs12",
4066 private_key_passwd
="whatever", ocsp
=2,
4069 def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev
, apdev
, params
):
4070 """EAP-TLS and CA signed OCSP response (good)"""
4071 check_ocsp_support(dev
[0])
4072 check_pkcs12_support(dev
[0])
4073 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed.der")
4074 if not os
.path
.exists(ocsp
):
4075 raise HwsimSkip("No OCSP response available")
4076 params
= int_eap_server_params()
4077 params
["ocsp_stapling_response"] = ocsp
4078 hostapd
.add_ap(apdev
[0], params
)
4079 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4080 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4081 private_key
="auth_serv/user.pkcs12",
4082 private_key_passwd
="whatever", ocsp
=2,
4085 def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev
, apdev
, params
):
4086 """EAP-TLS and CA signed OCSP response (revoked)"""
4087 check_ocsp_support(dev
[0])
4088 check_pkcs12_support(dev
[0])
4089 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-revoked.der")
4090 if not os
.path
.exists(ocsp
):
4091 raise HwsimSkip("No OCSP response available")
4092 params
= int_eap_server_params()
4093 params
["ocsp_stapling_response"] = ocsp
4094 hostapd
.add_ap(apdev
[0], params
)
4095 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4096 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4097 private_key
="auth_serv/user.pkcs12",
4098 private_key_passwd
="whatever", ocsp
=2,
4099 wait_connect
=False, scan_freq
="2412")
4102 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4104 raise Exception("Timeout on EAP status")
4105 if 'bad certificate status response' in ev
:
4107 if 'certificate revoked' in ev
:
4111 raise Exception("Unexpected number of EAP status messages")
4113 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4115 raise Exception("Timeout on EAP failure report")
4117 def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev
, apdev
, params
):
4118 """EAP-TLS and CA signed OCSP response (unknown)"""
4119 check_ocsp_support(dev
[0])
4120 check_pkcs12_support(dev
[0])
4121 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-unknown.der")
4122 if not os
.path
.exists(ocsp
):
4123 raise HwsimSkip("No OCSP response available")
4124 params
= int_eap_server_params()
4125 params
["ocsp_stapling_response"] = ocsp
4126 hostapd
.add_ap(apdev
[0], params
)
4127 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4128 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4129 private_key
="auth_serv/user.pkcs12",
4130 private_key_passwd
="whatever", ocsp
=2,
4131 wait_connect
=False, scan_freq
="2412")
4134 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4136 raise Exception("Timeout on EAP status")
4137 if 'bad certificate status response' in ev
:
4141 raise Exception("Unexpected number of EAP status messages")
4143 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4145 raise Exception("Timeout on EAP failure report")
4147 def test_ap_wpa2_eap_tls_ocsp_server_signed(dev
, apdev
, params
):
4148 """EAP-TLS and server signed OCSP response"""
4149 check_ocsp_support(dev
[0])
4150 check_pkcs12_support(dev
[0])
4151 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-server-signed.der")
4152 if not os
.path
.exists(ocsp
):
4153 raise HwsimSkip("No OCSP response available")
4154 params
= int_eap_server_params()
4155 params
["ocsp_stapling_response"] = ocsp
4156 hostapd
.add_ap(apdev
[0], params
)
4157 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4158 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4159 private_key
="auth_serv/user.pkcs12",
4160 private_key_passwd
="whatever", ocsp
=2,
4161 wait_connect
=False, scan_freq
="2412")
4164 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4166 raise Exception("Timeout on EAP status")
4167 if 'bad certificate status response' in ev
:
4171 raise Exception("Unexpected number of EAP status messages")
4173 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4175 raise Exception("Timeout on EAP failure report")
4177 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev
, apdev
):
4178 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
4179 check_ocsp_support(dev
[0])
4180 check_pkcs12_support(dev
[0])
4181 params
= int_eap_server_params()
4182 params
["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
4183 hostapd
.add_ap(apdev
[0], params
)
4184 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4185 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4186 private_key
="auth_serv/user.pkcs12",
4187 private_key_passwd
="whatever", ocsp
=2,
4188 wait_connect
=False, scan_freq
="2412")
4191 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4193 raise Exception("Timeout on EAP status")
4194 if 'bad certificate status response' in ev
:
4198 raise Exception("Unexpected number of EAP status messages")
4200 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4202 raise Exception("Timeout on EAP failure report")
4204 def test_ap_wpa2_eap_tls_ocsp_invalid(dev
, apdev
):
4205 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
4206 check_ocsp_support(dev
[0])
4207 check_pkcs12_support(dev
[0])
4208 params
= int_eap_server_params()
4209 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
4210 hostapd
.add_ap(apdev
[0], params
)
4211 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4212 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4213 private_key
="auth_serv/user.pkcs12",
4214 private_key_passwd
="whatever", ocsp
=2,
4215 wait_connect
=False, scan_freq
="2412")
4218 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4220 raise Exception("Timeout on EAP status")
4221 if 'bad certificate status response' in ev
:
4225 raise Exception("Unexpected number of EAP status messages")
4227 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4229 raise Exception("Timeout on EAP failure report")
4231 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev
, apdev
):
4232 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
4233 check_ocsp_support(dev
[0])
4234 check_pkcs12_support(dev
[0])
4235 params
= int_eap_server_params()
4236 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
4237 hostapd
.add_ap(apdev
[0], params
)
4238 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4239 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4240 private_key
="auth_serv/user.pkcs12",
4241 private_key_passwd
="whatever", ocsp
=2,
4242 wait_connect
=False, scan_freq
="2412")
4245 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4247 raise Exception("Timeout on EAP status")
4248 if 'bad certificate status response' in ev
:
4252 raise Exception("Unexpected number of EAP status messages")
4254 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4256 raise Exception("Timeout on EAP failure report")
4258 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev
, apdev
, params
):
4259 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
4260 check_ocsp_support(dev
[0])
4261 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-revoked.der")
4262 if not os
.path
.exists(ocsp
):
4263 raise HwsimSkip("No OCSP response available")
4264 params
= int_eap_server_params()
4265 params
["ocsp_stapling_response"] = ocsp
4266 hostapd
.add_ap(apdev
[0], params
)
4267 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4268 identity
="pap user", ca_cert
="auth_serv/ca.pem",
4269 anonymous_identity
="ttls", password
="password",
4270 phase2
="auth=PAP", ocsp
=2,
4271 wait_connect
=False, scan_freq
="2412")
4274 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4276 raise Exception("Timeout on EAP status")
4277 if 'bad certificate status response' in ev
:
4279 if 'certificate revoked' in ev
:
4283 raise Exception("Unexpected number of EAP status messages")
4285 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4287 raise Exception("Timeout on EAP failure report")
4289 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev
, apdev
, params
):
4290 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
4291 check_ocsp_support(dev
[0])
4292 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-unknown.der")
4293 if not os
.path
.exists(ocsp
):
4294 raise HwsimSkip("No OCSP response available")
4295 params
= int_eap_server_params()
4296 params
["ocsp_stapling_response"] = ocsp
4297 hostapd
.add_ap(apdev
[0], params
)
4298 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4299 identity
="pap user", ca_cert
="auth_serv/ca.pem",
4300 anonymous_identity
="ttls", password
="password",
4301 phase2
="auth=PAP", ocsp
=2,
4302 wait_connect
=False, scan_freq
="2412")
4305 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4307 raise Exception("Timeout on EAP status")
4308 if 'bad certificate status response' in ev
:
4312 raise Exception("Unexpected number of EAP status messages")
4314 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4316 raise Exception("Timeout on EAP failure report")
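def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown"""
    check_ocsp_support(dev[0])
    # Stapled response with status "unknown", produced by the test setup in
    # the run's log directory; skip when it was not generated.
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # Keep the AP configuration under its own name so the test-run `params`
    # (logdir etc.) is not shadowed.
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    # ocsp=1: OCSP is only attempted, so an "unknown" stapled status must not
    # block the connection. Contrast test_ap_wpa2_eap_ttls_ocsp_unknown,
    # which staples the same response with ocsp=2 and expects EAP failure.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")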
4332 def test_ap_wpa2_eap_tls_intermediate_ca(dev
, apdev
, params
):
4333 """EAP-TLS with intermediate server/user CA"""
4334 params
= int_eap_server_params()
4335 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4336 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4337 params
["private_key"] = "auth_serv/iCA-server/server.key"
4338 hostapd
.add_ap(apdev
[0], params
)
4339 tls
= dev
[0].request("GET tls_library")
4340 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4341 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4342 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4344 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4345 client_cert
= "auth_serv/iCA-user/user.pem"
4346 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4347 identity
="tls user",
4349 client_cert
=client_cert
,
4350 private_key
="auth_serv/iCA-user/user.key",
4353 def root_ocsp(cert
):
4354 ca
= "auth_serv/ca.pem"
4356 fd2
, fn2
= tempfile
.mkstemp()
4359 arg
= ["openssl", "ocsp", "-reqout", fn2
, "-issuer", ca
, "-sha256",
4360 "-cert", cert
, "-no_nonce", "-text"]
4361 logger
.info(' '.join(arg
))
4362 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4363 stderr
=subprocess
.PIPE
)
4364 res
= cmd
.stdout
.read().decode() + "\n" + cmd
.stderr
.read().decode()
4368 if cmd
.returncode
!= 0:
4369 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4370 logger
.info("OCSP request:\n" + res
)
4372 fd
, fn
= tempfile
.mkstemp()
4374 arg
= ["openssl", "ocsp", "-index", "auth_serv/rootCA/index.txt",
4375 "-rsigner", ca
, "-rkey", "auth_serv/ca-key.pem",
4376 "-CA", ca
, "-issuer", ca
, "-verify_other", ca
, "-trust_other",
4377 "-ndays", "7", "-reqin", fn2
, "-resp_no_certs", "-respout", fn
,
4379 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4380 stderr
=subprocess
.PIPE
)
4381 res
= cmd
.stdout
.read().decode() + "\n" + cmd
.stderr
.read().decode()
4385 if cmd
.returncode
!= 0:
4386 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4387 logger
.info("OCSP response:\n" + res
)
4391 def ica_ocsp(cert
, md
="-sha256"):
4392 prefix
= "auth_serv/iCA-server/"
4393 ca
= prefix
+ "cacert.pem"
4394 cert
= prefix
+ cert
4396 fd2
, fn2
= tempfile
.mkstemp()
4399 arg
= ["openssl", "ocsp", "-reqout", fn2
, "-issuer", ca
, md
,
4400 "-cert", cert
, "-no_nonce", "-text"]
4401 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4402 stderr
=subprocess
.PIPE
)
4403 res
= cmd
.stdout
.read().decode() + "\n" + cmd
.stderr
.read().decode()
4407 if cmd
.returncode
!= 0:
4408 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4409 logger
.info("OCSP request:\n" + res
)
4411 fd
, fn
= tempfile
.mkstemp()
4413 arg
= ["openssl", "ocsp", "-index", prefix
+ "index.txt",
4414 "-rsigner", ca
, "-rkey", prefix
+ "private/cakey.pem",
4415 "-CA", ca
, "-issuer", ca
, "-verify_other", ca
, "-trust_other",
4416 "-ndays", "7", "-reqin", fn2
, "-resp_no_certs", "-respout", fn
,
4418 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4419 stderr
=subprocess
.PIPE
)
4420 res
= cmd
.stdout
.read().decode() + "\n" + cmd
.stderr
.read().decode()
4424 if cmd
.returncode
!= 0:
4425 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4426 logger
.info("OCSP response:\n" + res
)
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on server certificate"""
    # Digest option passed through to `openssl ocsp` (via ica_ocsp) when the
    # stapled response for the intermediate-CA server certificate is built;
    # the SHA-1 variant is test_ap_wpa2_eap_tls_intermediate_ca_ocsp_sha1.
    digest_opt = "-sha256"
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, digest_opt)
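def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_sha1(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on server certificate (SHA1)"""
    # "-sha1" is handed to `openssl ocsp` by ica_ocsp and selects the digest
    # used for the certificate ID in the OCSP request/response; this checks
    # the client accepts a SHA-1 CertID, otherwise identical to the -sha256
    # variant above.
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, "-sha1")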
4438 def run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev
, apdev
, params
, md
):
4439 params
= int_eap_server_params()
4440 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4441 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4442 params
["private_key"] = "auth_serv/iCA-server/server.key"
4443 fn
= ica_ocsp("server.pem", md
)
4444 params
["ocsp_stapling_response"] = fn
4446 hostapd
.add_ap(apdev
[0], params
)
4447 tls
= dev
[0].request("GET tls_library")
4448 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4449 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4450 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4452 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4453 client_cert
= "auth_serv/iCA-user/user.pem"
4454 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4455 identity
="tls user",
4457 client_cert
=client_cert
,
4458 private_key
="auth_serv/iCA-user/user.key",
4459 scan_freq
="2412", ocsp
=2)
4463 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
):
4464 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate"""
4465 run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
,
4468 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked_sha1(dev
, apdev
, params
):
4469 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate (SHA1)"""
4470 run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
,
4473 def run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
, md
):
4474 check_ocsp_support(dev
[0])
4475 params
= int_eap_server_params()
4476 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4477 params
["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
4478 params
["private_key"] = "auth_serv/iCA-server/server-revoked.key"
4479 fn
= ica_ocsp("server-revoked.pem", md
)
4480 params
["ocsp_stapling_response"] = fn
4482 hostapd
.add_ap(apdev
[0], params
)
4483 tls
= dev
[0].request("GET tls_library")
4484 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4485 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4486 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4488 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4489 client_cert
= "auth_serv/iCA-user/user.pem"
4490 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4491 identity
="tls user",
4493 client_cert
=client_cert
,
4494 private_key
="auth_serv/iCA-user/user.key",
4495 scan_freq
="2412", ocsp
=1, wait_connect
=False)
4498 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4499 "CTRL-EVENT-EAP-SUCCESS"])
4501 raise Exception("Timeout on EAP status")
4502 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4503 raise Exception("Unexpected EAP-Success")
4504 if 'bad certificate status response' in ev
:
4506 if 'certificate revoked' in ev
:
4510 raise Exception("Unexpected number of EAP status messages")
4512 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4514 raise Exception("Timeout on EAP failure report")
4515 dev
[0].request("REMOVE_NETWORK all")
4516 dev
[0].wait_disconnected()
4520 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev
, apdev
, params
):
4521 """EAP-TLS with intermediate server/user CA and OCSP multi missing response"""
4522 check_ocsp_support(dev
[0])
4523 check_ocsp_multi_support(dev
[0])
4525 params
= int_eap_server_params()
4526 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4527 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4528 params
["private_key"] = "auth_serv/iCA-server/server.key"
4529 fn
= ica_ocsp("server.pem")
4530 params
["ocsp_stapling_response"] = fn
4532 hostapd
.add_ap(apdev
[0], params
)
4533 tls
= dev
[0].request("GET tls_library")
4534 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4535 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4536 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4538 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4539 client_cert
= "auth_serv/iCA-user/user.pem"
4540 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4541 identity
="tls user",
4543 client_cert
=client_cert
,
4544 private_key
="auth_serv/iCA-user/user.key",
4545 scan_freq
="2412", ocsp
=3, wait_connect
=False)
4548 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4549 "CTRL-EVENT-EAP-SUCCESS"])
4551 raise Exception("Timeout on EAP status")
4552 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4553 raise Exception("Unexpected EAP-Success")
4554 if 'bad certificate status response' in ev
:
4556 if 'certificate revoked' in ev
:
4560 raise Exception("Unexpected number of EAP status messages")
4562 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4564 raise Exception("Timeout on EAP failure report")
4565 dev
[0].request("REMOVE_NETWORK all")
4566 dev
[0].wait_disconnected()
4570 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev
, apdev
, params
):
4571 """EAP-TLS with intermediate server/user CA and OCSP multi OK"""
4572 check_ocsp_support(dev
[0])
4573 check_ocsp_multi_support(dev
[0])
4575 params
= int_eap_server_params()
4576 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4577 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4578 params
["private_key"] = "auth_serv/iCA-server/server.key"
4579 fn
= ica_ocsp("server.pem")
4580 fn2
= root_ocsp("auth_serv/iCA-server/cacert.pem")
4581 params
["ocsp_stapling_response"] = fn
4583 with
open(fn
, "rb") as f
:
4584 resp_server
= f
.read()
4585 with
open(fn2
, "rb") as f
:
4588 fd3
, fn3
= tempfile
.mkstemp()
4590 f
= os
.fdopen(fd3
, 'wb')
4591 f
.write(struct
.pack(">L", len(resp_server
))[1:4])
4592 f
.write(resp_server
)
4593 f
.write(struct
.pack(">L", len(resp_ica
))[1:4])
4597 params
["ocsp_stapling_response_multi"] = fn3
4599 hostapd
.add_ap(apdev
[0], params
)
4600 tls
= dev
[0].request("GET tls_library")
4601 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4602 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4603 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4605 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4606 client_cert
= "auth_serv/iCA-user/user.pem"
4607 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4608 identity
="tls user",
4610 client_cert
=client_cert
,
4611 private_key
="auth_serv/iCA-user/user.key",
4612 scan_freq
="2412", ocsp
=3)
4613 dev
[0].request("REMOVE_NETWORK all")
4614 dev
[0].wait_disconnected()
4620 def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev
, apdev
, params
):
4621 """EAP-TLS and CA signed OCSP multi response (revoked)"""
4622 check_ocsp_support(dev
[0])
4623 check_ocsp_multi_support(dev
[0])
4624 check_pkcs12_support(dev
[0])
4626 ocsp_revoked
= os
.path
.join(params
['logdir'],
4627 "ocsp-resp-ca-signed-revoked.der")
4628 if not os
.path
.exists(ocsp_revoked
):
4629 raise HwsimSkip("No OCSP response (revoked) available")
4630 ocsp_unknown
= os
.path
.join(params
['logdir'],
4631 "ocsp-resp-ca-signed-unknown.der")
4632 if not os
.path
.exists(ocsp_unknown
):
4633 raise HwsimSkip("No OCSP response(unknown) available")
4635 with
open(ocsp_revoked
, "rb") as f
:
4636 resp_revoked
= f
.read()
4637 with
open(ocsp_unknown
, "rb") as f
:
4638 resp_unknown
= f
.read()
4640 fd
, fn
= tempfile
.mkstemp()
4642 # This is not really a valid order of the OCSPResponse items in the
4643 # list, but this works for now to verify parsing and processing of
4644 # multiple responses.
4645 f
= os
.fdopen(fd
, 'wb')
4646 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
4647 f
.write(resp_unknown
)
4648 f
.write(struct
.pack(">L", len(resp_revoked
))[1:4])
4649 f
.write(resp_revoked
)
4650 f
.write(struct
.pack(">L", 0)[1:4])
4651 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
4652 f
.write(resp_unknown
)
4655 params
= int_eap_server_params()
4656 params
["ocsp_stapling_response_multi"] = fn
4657 hostapd
.add_ap(apdev
[0], params
)
4658 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4659 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4660 private_key
="auth_serv/user.pkcs12",
4661 private_key_passwd
="whatever", ocsp
=1,
4662 wait_connect
=False, scan_freq
="2412")
4665 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4666 "CTRL-EVENT-EAP-SUCCESS"])
4668 raise Exception("Timeout on EAP status")
4669 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4670 raise Exception("Unexpected EAP-Success")
4671 if 'bad certificate status response' in ev
:
4673 if 'certificate revoked' in ev
:
4677 raise Exception("Unexpected number of EAP status messages")
4681 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev
, apdev
):
4682 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
4683 check_domain_match_full(dev
[0])
4684 check_pkcs12_support(dev
[0])
4685 params
= int_eap_server_params()
4686 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4687 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4688 hostapd
.add_ap(apdev
[0], params
)
4689 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4690 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4691 private_key
="auth_serv/user.pkcs12",
4692 private_key_passwd
="whatever",
4693 domain_suffix_match
="server3.w1.fi",
4696 def test_ap_wpa2_eap_tls_domain_match_cn(dev
, apdev
):
4697 """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
4698 check_domain_match(dev
[0])
4699 check_pkcs12_support(dev
[0])
4700 params
= int_eap_server_params()
4701 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4702 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4703 hostapd
.add_ap(apdev
[0], params
)
4704 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4705 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4706 private_key
="auth_serv/user.pkcs12",
4707 private_key_passwd
="whatever",
4708 domain_match
="server3.w1.fi",
4711 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev
, apdev
):
4712 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
4713 check_domain_match_full(dev
[0])
4714 check_pkcs12_support(dev
[0])
4715 params
= int_eap_server_params()
4716 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4717 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4718 hostapd
.add_ap(apdev
[0], params
)
4719 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4720 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4721 private_key
="auth_serv/user.pkcs12",
4722 private_key_passwd
="whatever",
4723 domain_suffix_match
="w1.fi",
4726 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev
, apdev
):
4727 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
4728 check_domain_suffix_match(dev
[0])
4729 check_pkcs12_support(dev
[0])
4730 params
= int_eap_server_params()
4731 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4732 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4733 hostapd
.add_ap(apdev
[0], params
)
4734 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4735 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4736 private_key
="auth_serv/user.pkcs12",
4737 private_key_passwd
="whatever",
4738 domain_suffix_match
="example.com",
4741 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4742 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4743 private_key
="auth_serv/user.pkcs12",
4744 private_key_passwd
="whatever",
4745 domain_suffix_match
="erver3.w1.fi",
4748 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4750 raise Exception("Timeout on EAP failure report")
4751 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4753 raise Exception("Timeout on EAP failure report (2)")
4755 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev
, apdev
):
4756 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
4757 check_domain_match(dev
[0])
4758 check_pkcs12_support(dev
[0])
4759 params
= int_eap_server_params()
4760 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4761 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4762 hostapd
.add_ap(apdev
[0], params
)
4763 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4764 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4765 private_key
="auth_serv/user.pkcs12",
4766 private_key_passwd
="whatever",
4767 domain_match
="example.com",
4770 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4771 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4772 private_key
="auth_serv/user.pkcs12",
4773 private_key_passwd
="whatever",
4774 domain_match
="w1.fi",
4777 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4779 raise Exception("Timeout on EAP failure report")
4780 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4782 raise Exception("Timeout on EAP failure report (2)")
4784 def test_ap_wpa2_eap_ttls_expired_cert(dev
, apdev
):
4785 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
4786 skip_with_fips(dev
[0])
4787 params
= int_eap_server_params()
4788 params
["server_cert"] = "auth_serv/server-expired.pem"
4789 params
["private_key"] = "auth_serv/server-expired.key"
4790 hostapd
.add_ap(apdev
[0], params
)
4791 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4792 identity
="mschap user", password
="password",
4793 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4796 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
4798 raise Exception("Timeout on EAP certificate error report")
4799 if "reason=4" not in ev
or "certificate has expired" not in ev
:
4800 raise Exception("Unexpected failure reason: " + ev
)
4801 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4803 raise Exception("Timeout on EAP failure report")
4805 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev
, apdev
):
4806 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
4807 skip_with_fips(dev
[0])
4808 params
= int_eap_server_params()
4809 params
["server_cert"] = "auth_serv/server-expired.pem"
4810 params
["private_key"] = "auth_serv/server-expired.key"
4811 hostapd
.add_ap(apdev
[0], params
)
4812 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4813 identity
="mschap user", password
="password",
4814 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4815 phase1
="tls_disable_time_checks=1",
4818 def test_ap_wpa2_eap_ttls_long_duration(dev
, apdev
):
4819 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
4820 skip_with_fips(dev
[0])
4821 params
= int_eap_server_params()
4822 params
["server_cert"] = "auth_serv/server-long-duration.pem"
4823 params
["private_key"] = "auth_serv/server-long-duration.key"
4824 hostapd
.add_ap(apdev
[0], params
)
4825 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4826 identity
="mschap user", password
="password",
4827 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4830 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev
, apdev
):
4831 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
4832 skip_with_fips(dev
[0])
4833 params
= int_eap_server_params()
4834 params
["server_cert"] = "auth_serv/server-eku-client.pem"
4835 params
["private_key"] = "auth_serv/server-eku-client.key"
4836 hostapd
.add_ap(apdev
[0], params
)
4837 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4838 identity
="mschap user", password
="password",
4839 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4842 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4844 raise Exception("Timeout on EAP failure report")
4846 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev
, apdev
):
4847 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
4848 skip_with_fips(dev
[0])
4849 params
= int_eap_server_params()
4850 params
["server_cert"] = "auth_serv/server-eku-client-server.pem"
4851 params
["private_key"] = "auth_serv/server-eku-client-server.key"
4852 hostapd
.add_ap(apdev
[0], params
)
4853 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4854 identity
="mschap user", password
="password",
4855 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4858 def test_ap_wpa2_eap_ttls_server_pkcs12(dev
, apdev
):
4859 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
4860 skip_with_fips(dev
[0])
4861 params
= int_eap_server_params()
4862 del params
["server_cert"]
4863 params
["private_key"] = "auth_serv/server.pkcs12"
4864 hostapd
.add_ap(apdev
[0], params
)
4865 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4866 identity
="mschap user", password
="password",
4867 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4870 def test_ap_wpa2_eap_ttls_server_pkcs12_extra(dev
, apdev
):
4871 """EAP-TTLS and server PKCS#12 file with extra certs"""
4872 skip_with_fips(dev
[0])
4873 params
= int_eap_server_params()
4874 del params
["server_cert"]
4875 params
["private_key"] = "auth_serv/server-extra.pkcs12"
4876 params
["private_key_passwd"] = "whatever"
4877 hostapd
.add_ap(apdev
[0], params
)
4878 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4879 identity
="mschap user", password
="password",
4880 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params"""
    # NOTE(review): the description says CHAP, but phase2 below selects PAP.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    # Station-side dh_file: the supplicant reads its DH parameters from a
    # file under auth_serv/ for this network profile.
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                   dh_file="auth_serv/dh.conf")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **sta_cfg)
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
    # Skips (via check_dh_dsa_support) when the station's TLS build cannot
    # consume DSA-style parameters.
    check_dh_dsa_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    # Same flow as test_ap_wpa2_eap_ttls_dh_params, but the station-side
    # dh_file points at DSA parameters instead of dh.conf.
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                   dh_file="auth_serv/dsaparam.pem")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **sta_cfg)
4902 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev
, apdev
):
4903 """EAP-TTLS and DH params file not found"""
4904 skip_with_fips(dev
[0])
4905 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4906 hostapd
.add_ap(apdev
[0], params
)
4907 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4908 identity
="mschap user", password
="password",
4909 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4910 dh_file
="auth_serv/dh-no-such-file.conf",
4911 scan_freq
="2412", wait_connect
=False)
4912 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4914 raise Exception("EAP failure timed out")
4915 dev
[0].request("REMOVE_NETWORK all")
4916 dev
[0].wait_disconnected()
4918 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev
, apdev
):
4919 """EAP-TTLS and invalid DH params file"""
4920 skip_with_fips(dev
[0])
4921 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4922 hostapd
.add_ap(apdev
[0], params
)
4923 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4924 identity
="mschap user", password
="password",
4925 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4926 dh_file
="auth_serv/ca.pem",
4927 scan_freq
="2412", wait_connect
=False)
4928 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4930 raise Exception("EAP failure timed out")
4931 dev
[0].request("REMOVE_NETWORK all")
4932 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    # Load the DH parameters into a named wpa_supplicant blob so that the
    # network profile can reference them with a blob:// URI instead of a
    # file path. The control interface takes the blob contents as hex.
    dh_pem = read_pem("auth_serv/dh2.conf")
    dh_hex = binascii.hexlify(dh_pem).decode()
    res = dev[0].request("SET blob dhparams " + dh_hex)
    if "OK" not in res:
        raise Exception("Could not set dhparams blob")
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="blob://dhparams")
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
    # Server-side dh_file: hostapd's integrated EAP server is pointed at an
    # alternative parameter file; the station uses its defaults.
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dh2.conf"
    hapd = hostapd.add_ap(apdev[0], ap_params)
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **sta_cfg)
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
    # Same as test_ap_wpa2_eap_ttls_dh_params_server with DSA-style
    # parameters on the hostapd side.
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dsaparam.pem"
    hapd = hostapd.add_ap(apdev[0], ap_params)
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **sta_cfg)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found"""
    # NOTE(review): a function with this exact name is also defined earlier
    # in this file (station-side dh_file not found). Python keeps only the
    # last binding of a module-level name, so this definition shadows the
    # earlier one and that station-side negative test is no longer reachable
    # by name; renaming one of the two would restore it.
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dh-no-such-file.conf"
    # Bring the AP up without enabling it so that the missing-file error is
    # observed as a FAIL from ENABLE rather than inside add_ap().
    hapd = hostapd.add_ap(apdev[0], ap_params, no_enable=True)
    res = hapd.request("ENABLE")
    if "FAIL" not in res:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file"""
    # NOTE(review): a function with this exact name is also defined earlier
    # in this file (station-side invalid dh_file). Only the last binding of
    # the name survives, so the earlier test is shadowed by this one;
    # renaming one of the two would restore it.
    ap_params = int_eap_server_params()
    # A CA certificate is handed in where DH parameters are expected; the
    # server must refuse to enable with this configuration.
    ap_params["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0], ap_params, no_enable=True)
    res = hapd.request("ENABLE")
    if "FAIL" not in res:
        raise Exception("Invalid configuration accepted")
4980 def test_ap_wpa2_eap_reauth(dev
, apdev
):
4981 """WPA2-Enterprise and Authenticator forcing reauthentication"""
4982 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4983 params
['eap_reauth_period'] = '2'
4984 hapd
= hostapd
.add_ap(apdev
[0], params
)
4985 eap_connect(dev
[0], hapd
, "PAX", "pax.user@example.com",
4986 password_hex
="0123456789abcdef0123456789abcdef")
4987 logger
.info("Wait for reauthentication")
4988 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
4990 raise Exception("Timeout on reauthentication")
4991 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
4993 raise Exception("Timeout on reauthentication")
4994 for i
in range(0, 20):
4995 state
= dev
[0].get_status_field("wpa_state")
4996 if state
== "COMPLETED":
4999 if state
!= "COMPLETED":
5000 raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # eap_message carries a displayable string followed by a NUL-separated
    # attribute list; the literal "\\0" in the config value stands for that
    # separator. The test only checks that authentication still completes.
    ap_params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hapd = hostapd.add_ap(apdev[0], ap_params)
    pax_key = "0123456789abcdef0123456789abcdef"
    eap_connect(dev[0], hapd, "PAX", "pax.user@example.com",
                password_hex=pax_key)
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
    check_hlr_auc_gw_support()
    ap_params = int_eap_server_params()
    ap_params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    # Server side: request the protected result indication for SIM/AKA.
    ap_params['eap_sim_aka_result_ind'] = "1"
    hapd = hostapd.add_ap(apdev[0], ap_params)

    # (method, identity, test-vector "password") for each EAP variant.
    # The password strings are the hwsim test credentials used by
    # hlr_auc_gw; they are not real subscriber secrets.
    sim_secret = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    cases = [
        ("SIM", "1232010000000000", sim_secret),
        ("AKA", "0232010000000000", sim_secret + ":000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, identity, secret) in enumerate(cases):
        if idx:
            # Clear the profiles left over from the previous variant.
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        # dev[0] opts in to the result indication (phase1 result_ind=1) and
        # is then reauthenticated; dev[1] connects without opting in.
        eap_connect(dev[0], hapd, method, identity,
                    password=secret, phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], hapd, method, identity, password=secret)
5045 def test_ap_wpa2_eap_sim_zero_db_timeout(dev
, apdev
):
5046 """WPA2-Enterprise using EAP-SIM with zero database timeout"""
5047 check_hlr_auc_gw_support()
5048 params
= int_eap_server_params()
5049 params
['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
5050 params
['eap_sim_db_timeout'] = "0"
5051 params
['disable_pmksa_caching'] = '1'
5052 hapd
= hostapd
.add_ap(apdev
[0], params
)
5054 # Run multiple iterations to make it more likely to hit the case where the
5055 # DB request times out and response is lost.
5057 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
5058 identity
="1232010000000000",
5059 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
5060 wait_connect
=False, scan_freq
="2412")
5061 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
5062 "CTRL-EVENT-DISCONNECTED"],
5065 raise Exception("No connection result")
5066 dev
[0].request("REMOVE_NETWORK all")
5067 if "CTRL-EVENT-DISCONNECTED" in ev
:
5069 dev
[0].wait_disconnected()
5072 def test_ap_wpa2_eap_too_many_roundtrips(dev
, apdev
):
5073 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
5074 skip_with_fips(dev
[0])
5075 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5076 hostapd
.add_ap(apdev
[0], params
)
5077 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
5078 eap
="TTLS", identity
="mschap user",
5079 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
5080 anonymous_identity
="ttls", password
="password",
5081 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
5083 ev
= dev
[0].wait_event(["EAP: more than",
5084 "CTRL-EVENT-EAP-SUCCESS"], timeout
=20)
5085 if ev
is None or "EAP: more than" not in ev
:
5086 raise Exception("EAP roundtrip limit not reached")
5088 def test_ap_wpa2_eap_expanded_nak(dev
, apdev
):
5089 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
5090 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5091 hostapd
.add_ap(apdev
[0], params
)
5092 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
5093 eap
="PSK", identity
="vendor-test",
5094 password_hex
="ff23456789abcdef0123456789abcdef",
5098 for i
in range(0, 5):
5099 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout
=16)
5101 raise Exception("Association and EAP start timed out")
5102 if "refuse proposed method" in ev
:
5106 raise Exception("Unexpected EAP status: " + ev
)
5108 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
5110 raise Exception("EAP failure timed out")
5112 def test_ap_wpa2_eap_sql(dev
, apdev
, params
):
5113 """WPA2-Enterprise connection using SQLite for user DB"""
5114 skip_with_fips(dev
[0])
5118 raise HwsimSkip("No sqlite3 module available")
5119 dbfile
= os
.path
.join(params
['logdir'], "eap-user.db")
5124 con
= sqlite3
.connect(dbfile
)
5127 cur
.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
5128 cur
.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
5129 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
5130 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
5131 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
5132 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
5133 cur
.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
5134 cur
.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
5137 params
= int_eap_server_params()
5138 params
["eap_user_file"] = "sqlite:" + dbfile
5139 hapd
= hostapd
.add_ap(apdev
[0], params
)
5140 eap_connect(dev
[0], hapd
, "TTLS", "user-mschapv2",
5141 anonymous_identity
="ttls", password
="password",
5142 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
5143 dev
[0].request("REMOVE_NETWORK all")
5144 eap_connect(dev
[1], hapd
, "TTLS", "user-mschap",
5145 anonymous_identity
="ttls", password
="password",
5146 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP")
5147 dev
[1].request("REMOVE_NETWORK all")
5148 eap_connect(dev
[0], hapd
, "TTLS", "user-chap",
5149 anonymous_identity
="ttls", password
="password",
5150 ca_cert
="auth_serv/ca.pem", phase2
="auth=CHAP")
5151 eap_connect(dev
[1], hapd
, "TTLS", "user-pap",
5152 anonymous_identity
="ttls", password
="password",
5153 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5157 def test_ap_wpa2_eap_non_ascii_identity(dev
, apdev
):
5158 """WPA2-Enterprise connection attempt using non-ASCII identity"""
5159 params
= int_eap_server_params()
5160 hostapd
.add_ap(apdev
[0], params
)
5161 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
5162 identity
="\x80", password
="password", wait_connect
=False)
5163 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
5164 identity
="a\x80", password
="password", wait_connect
=False)
5165 for i
in range(0, 2):
5166 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
5168 raise Exception("Association and EAP start timed out")
5169 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
5171 raise Exception("EAP method selection timed out")
5173 def test_ap_wpa2_eap_non_ascii_identity2(dev
, apdev
):
5174 """WPA2-Enterprise connection attempt using non-ASCII identity"""
5175 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5176 hostapd
.add_ap(apdev
[0], params
)
5177 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
5178 identity
="\x80", password
="password", wait_connect
=False)
5179 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
5180 identity
="a\x80", password
="password", wait_connect
=False)
5181 for i
in range(0, 2):
5182 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
5184 raise Exception("Association and EAP start timed out")
5185 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
5187 raise Exception("EAP method selection timed out")
5189 def test_openssl_cipher_suite_config_wpas(dev
, apdev
):
5190 """OpenSSL cipher suite configuration on wpa_supplicant"""
5191 tls
= dev
[0].request("GET tls_library")
5192 if not tls
.startswith("OpenSSL"):
5193 raise HwsimSkip("TLS library is not OpenSSL: " + tls
)
5194 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5195 hapd
= hostapd
.add_ap(apdev
[0], params
)
5196 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5197 anonymous_identity
="ttls", password
="password",
5198 openssl_ciphers
="AES128",
5199 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5200 eap_connect(dev
[1], hapd
, "TTLS", "pap user",
5201 anonymous_identity
="ttls", password
="password",
5202 openssl_ciphers
="EXPORT",
5203 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
5204 expect_failure
=True, maybe_local_error
=True)
5205 dev
[2].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
5206 identity
="pap user", anonymous_identity
="ttls",
5207 password
="password",
5208 openssl_ciphers
="FOO",
5209 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
5211 ev
= dev
[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
5213 raise Exception("EAP failure after invalid openssl_ciphers not reported")
5214 dev
[2].request("DISCONNECT")
5216 def test_openssl_cipher_suite_config_hapd(dev
, apdev
):
5217 """OpenSSL cipher suite configuration on hostapd"""
5218 tls
= dev
[0].request("GET tls_library")
5219 if not tls
.startswith("OpenSSL"):
5220 raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls
)
5221 params
= int_eap_server_params()
5222 params
['openssl_ciphers'] = "AES256"
5223 hapd
= hostapd
.add_ap(apdev
[0], params
)
5224 tls
= hapd
.request("GET tls_library")
5225 if not tls
.startswith("OpenSSL"):
5226 raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls
)
5227 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5228 anonymous_identity
="ttls", password
="password",
5229 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5230 eap_connect(dev
[1], hapd
, "TTLS", "pap user",
5231 anonymous_identity
="ttls", password
="password",
5232 openssl_ciphers
="AES128",
5233 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
5234 expect_failure
=True)
5235 eap_connect(dev
[2], hapd
, "TTLS", "pap user",
5236 anonymous_identity
="ttls", password
="password",
5237 openssl_ciphers
="HIGH:!ADH",
5238 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5240 params
['openssl_ciphers'] = "FOO"
5241 hapd2
= hostapd
.add_ap(apdev
[1], params
, no_enable
=True)
5242 if "FAIL" not in hapd2
.request("ENABLE"):
5243 if "run=OpenSSL 1.1.1" in tls
:
5244 logger
.info("Ignore acceptance of an invalid openssl_ciphers value with OpenSSL 1.1.1")
5246 raise Exception("Invalid openssl_ciphers value accepted")
def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_cfg)
    # A long, distinctive password: run_eap_key_lifetime_in_memory() later
    # searches the wpa_supplicant process memory for this exact byte string.
    password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    net_id = eap_connect(dev[0], hapd, "TTLS", "pap-secret",
                         anonymous_identity="ttls", password=password,
                         ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Shared checker: dumps process memory at several points in the
    # connection lifecycle and verifies which secrets are still present.
    run_eap_key_lifetime_in_memory(dev, params, net_id, password)
def test_wpa2_eap_peap_gtc_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using PEAP/GTC"""
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_cfg)
    # Same marker password as the TTLS/PAP variant; it is what the memory
    # checker looks for in the wpa_supplicant process.
    password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    net_id = eap_connect(dev[0], hapd, "PEAP", "user-secret",
                         anonymous_identity="peap", password=password,
                         ca_cert="auth_serv/ca.pem", phase2="auth=GTC")
    run_eap_key_lifetime_in_memory(dev, params, net_id, password)
5268 def run_eap_key_lifetime_in_memory(dev
, params
, id, password
):
5269 pid
= find_wpas_process(dev
[0])
5271 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
5272 # event has been delivered, so verify that wpa_supplicant has returned to
5273 # eloop before reading process memory.
5276 password
= password
.encode()
5277 buf
= read_process_memory(pid
, password
)
5279 dev
[0].request("DISCONNECT")
5280 dev
[0].wait_disconnected()
5288 with
open(os
.path
.join(params
['logdir'], 'log0'), 'r') as f
:
5289 for l
in f
.readlines():
5290 if "EAP-TTLS: Derived key - hexdump" in l
or \
5291 "EAP-PEAP: Derived key - hexdump" in l
:
5292 val
= l
.strip().split(':')[3].replace(' ', '')
5293 msk
= binascii
.unhexlify(val
)
5294 if "EAP-TTLS: Derived EMSK - hexdump" in l
or \
5295 "EAP-PEAP: Derived EMSK - hexdump" in l
:
5296 val
= l
.strip().split(':')[3].replace(' ', '')
5297 emsk
= binascii
.unhexlify(val
)
5298 if "WPA: PMK - hexdump" in l
:
5299 val
= l
.strip().split(':')[3].replace(' ', '')
5300 pmk
= binascii
.unhexlify(val
)
5301 if "WPA: PTK - hexdump" in l
:
5302 val
= l
.strip().split(':')[3].replace(' ', '')
5303 ptk
= binascii
.unhexlify(val
)
5304 if "WPA: Group Key - hexdump" in l
:
5305 val
= l
.strip().split(':')[3].replace(' ', '')
5306 gtk
= binascii
.unhexlify(val
)
5307 if not msk
or not emsk
or not pmk
or not ptk
or not gtk
:
5308 raise Exception("Could not find keys from debug log")
5310 raise Exception("Unexpected GTK length")
5316 fname
= os
.path
.join(params
['logdir'],
5317 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
5319 logger
.info("Checking keys in memory while associated")
5320 get_key_locations(buf
, password
, "Password")
5321 get_key_locations(buf
, pmk
, "PMK")
5322 get_key_locations(buf
, msk
, "MSK")
5323 get_key_locations(buf
, emsk
, "EMSK")
5324 if password
not in buf
:
5325 raise HwsimSkip("Password not found while associated")
5327 raise HwsimSkip("PMK not found while associated")
5329 raise Exception("KCK not found while associated")
5331 raise Exception("KEK not found while associated")
5333 # raise Exception("TK found from memory")
5335 logger
.info("Checking keys in memory after disassociation")
5336 buf
= read_process_memory(pid
, password
)
5338 # Note: Password is still present in network configuration
5339 # Note: PMK is in PMKSA cache and EAP fast re-auth data
5341 get_key_locations(buf
, password
, "Password")
5342 get_key_locations(buf
, pmk
, "PMK")
5343 get_key_locations(buf
, msk
, "MSK")
5344 get_key_locations(buf
, emsk
, "EMSK")
5345 verify_not_present(buf
, kck
, fname
, "KCK")
5346 verify_not_present(buf
, kek
, fname
, "KEK")
5347 verify_not_present(buf
, tk
, fname
, "TK")
5349 get_key_locations(buf
, gtk
, "GTK")
5350 verify_not_present(buf
, gtk
, fname
, "GTK")
5352 dev
[0].request("PMKSA_FLUSH")
5353 dev
[0].set_network_quoted(id, "identity", "foo")
5354 logger
.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
5355 buf
= read_process_memory(pid
, password
)
5356 get_key_locations(buf
, password
, "Password")
5357 get_key_locations(buf
, pmk
, "PMK")
5358 get_key_locations(buf
, msk
, "MSK")
5359 get_key_locations(buf
, emsk
, "EMSK")
5360 verify_not_present(buf
, pmk
, fname
, "PMK")
5362 dev
[0].request("REMOVE_NETWORK all")
5364 logger
.info("Checking keys in memory after network profile removal")
5365 buf
= read_process_memory(pid
, password
)
5367 get_key_locations(buf
, password
, "Password")
5368 get_key_locations(buf
, pmk
, "PMK")
5369 get_key_locations(buf
, msk
, "MSK")
5370 get_key_locations(buf
, emsk
, "EMSK")
5371 verify_not_present(buf
, password
, fname
, "password")
5372 verify_not_present(buf
, pmk
, fname
, "PMK")
5373 verify_not_present(buf
, kck
, fname
, "KCK")
5374 verify_not_present(buf
, kek
, fname
, "KEK")
5375 verify_not_present(buf
, tk
, fname
, "TK")
5376 verify_not_present(buf
, gtk
, fname
, "GTK")
5377 verify_not_present(buf
, msk
, fname
, "MSK")
5378 verify_not_present(buf
, emsk
, fname
, "EMSK")
5380 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev
, apdev
):
5381 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
5382 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5383 hapd
= hostapd
.add_ap(apdev
[0], params
)
5384 bssid
= apdev
[0]['bssid']
5385 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5386 anonymous_identity
="ttls", password
="password",
5387 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5389 # Send unexpected WEP EAPOL-Key; this gets dropped
5390 res
= dev
[0].request("EAPOL_RX " + bssid
+ " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
5392 raise Exception("EAPOL_RX to wpa_supplicant failed")
5394 def test_ap_wpa2_eap_in_bridge(dev
, apdev
):
5395 """WPA2-EAP and wpas interface in a bridge"""
5396 br_ifname
= 'sta-br0'
5399 _test_ap_wpa2_eap_in_bridge(dev
, apdev
)
5401 subprocess
.call(['ip', 'link', 'set', 'dev', br_ifname
, 'down'])
5402 subprocess
.call(['brctl', 'delif', br_ifname
, ifname
])
5403 subprocess
.call(['brctl', 'delbr', br_ifname
])
5404 subprocess
.call(['iw', ifname
, 'set', '4addr', 'off'])
5406 def _test_ap_wpa2_eap_in_bridge(dev
, apdev
):
5407 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5408 hapd
= hostapd
.add_ap(apdev
[0], params
)
5410 br_ifname
= 'sta-br0'
5412 wpas
= WpaSupplicant(global_iface
='/tmp/wpas-wlan5')
5413 subprocess
.call(['brctl', 'addbr', br_ifname
])
5414 subprocess
.call(['brctl', 'setfd', br_ifname
, '0'])
5415 subprocess
.call(['ip', 'link', 'set', 'dev', br_ifname
, 'up'])
5416 subprocess
.call(['iw', ifname
, 'set', '4addr', 'on'])
5417 subprocess
.check_call(['brctl', 'addif', br_ifname
, ifname
])
5418 wpas
.interface_add(ifname
, br_ifname
=br_ifname
)
5421 id = eap_connect(wpas
, hapd
, "PAX", "pax.user@example.com",
5422 password_hex
="0123456789abcdef0123456789abcdef")
5424 eap_reauth(wpas
, "PAX")
5426 # Try again as a regression test for packet socket workaround
5427 eap_reauth(wpas
, "PAX")
5429 wpas
.request("DISCONNECT")
5430 wpas
.wait_disconnected()
5432 wpas
.request("RECONNECT")
5433 wpas
.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    # Sanity check on GET_CONFIG: the first key_mgmt token must be WPA-EAP.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # tls_disable_session_ticket=0 leaves session tickets enabled on the
    # station; the reauth afterwards exercises a second TLS handshake.
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem",
                   phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **sta_cfg)
    eap_reauth(dev[0], "TTLS")
5449 def test_ap_wpa2_eap_no_workaround(dev
, apdev
):
5450 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
5451 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5452 hapd
= hostapd
.add_ap(apdev
[0], params
)
5453 key_mgmt
= hapd
.get_config()['key_mgmt']
5454 if key_mgmt
.split(' ')[0] != "WPA-EAP":
5455 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt
)
5456 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5457 anonymous_identity
="ttls", password
="password",
5458 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5460 eap_reauth(dev
[0], "TTLS")
5462 def test_ap_wpa2_eap_tls_check_crl(dev
, apdev
):
5463 """EAP-TLS and server checking CRL"""
5464 params
= int_eap_server_params()
5465 params
['check_crl'] = '1'
5466 hapd
= hostapd
.add_ap(apdev
[0], params
)
5468 # check_crl=1 and no CRL available --> reject connection
5469 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5470 client_cert
="auth_serv/user.pem",
5471 private_key
="auth_serv/user.key", expect_failure
=True)
5472 dev
[0].request("REMOVE_NETWORK all")
5475 hapd
.set("ca_cert", "auth_serv/ca-and-crl.pem")
5478 # check_crl=1 and valid CRL --> accept
5479 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5480 client_cert
="auth_serv/user.pem",
5481 private_key
="auth_serv/user.key")
5482 dev
[0].request("REMOVE_NETWORK all")
5485 hapd
.set("check_crl", "2")
5488 # check_crl=2 and valid CRL --> accept
5489 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5490 client_cert
="auth_serv/user.pem",
5491 private_key
="auth_serv/user.key")
5492 dev
[0].request("REMOVE_NETWORK all")
5494 def test_ap_wpa2_eap_tls_crl_reload(dev
, apdev
, params
):
5495 """EAP-TLS and server reloading CRL from ca_cert"""
5496 ca_cert
= os
.path
.join(params
['logdir'],
5497 "ap_wpa2_eap_tls_crl_reload.ca_cert")
5498 with
open('auth_serv/ca.pem', 'r') as f
:
5499 only_cert
= f
.read()
5500 with
open('auth_serv/ca-and-crl.pem', 'r') as f
:
5501 cert_and_crl
= f
.read()
5502 with
open(ca_cert
, 'w') as f
:
5504 params
= int_eap_server_params()
5505 params
['ca_cert'] = ca_cert
5506 params
['check_crl'] = '1'
5507 params
['crl_reload_interval'] = '1'
5508 hapd
= hostapd
.add_ap(apdev
[0], params
)
5510 # check_crl=1 and no CRL available --> reject connection
5511 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5512 client_cert
="auth_serv/user.pem",
5513 private_key
="auth_serv/user.key", expect_failure
=True)
5514 dev
[0].request("REMOVE_NETWORK all")
5515 dev
[0].dump_monitor()
5517 with
open(ca_cert
, 'w') as f
:
5518 f
.write(cert_and_crl
)
5521 # check_crl=1 and valid CRL --> accept
5522 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5523 client_cert
="auth_serv/user.pem",
5524 private_key
="auth_serv/user.key")
5525 dev
[0].request("REMOVE_NETWORK all")
5526 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_tls_check_cert_subject(dev, apdev):
    """EAP-TLS and server checking client subject name"""
    ap_params = int_eap_server_params()
    # Subject pattern that matches the test client certificate; the server
    # is expected to accept the handshake.
    ap_params['check_cert_subject'] = 'C=FI/O=w1.fi/CN=Test User'
    hapd = hostapd.add_ap(apdev[0], ap_params)
    # The support check needs the running hostapd instance (it queries its
    # TLS library), so it has to come after add_ap().
    check_check_cert_subject_support(hapd)

    client_cfg = dict(ca_cert="auth_serv/ca.pem",
                      client_cert="auth_serv/user.pem",
                      private_key="auth_serv/user.key")
    eap_connect(dev[0], hapd, "TLS", "tls user", **client_cfg)
def test_ap_wpa2_eap_tls_check_cert_subject_neg(dev, apdev):
    """EAP-TLS and server checking client subject name (negative)"""
    ap_params = int_eap_server_params()
    # Subject pattern that does not match the test client certificate; the
    # server must reject the client even though its certificate chains to
    # the trusted CA.
    ap_params['check_cert_subject'] = 'C=FI/O=example'
    hapd = hostapd.add_ap(apdev[0], ap_params)
    check_check_cert_subject_support(hapd)

    client_cfg = dict(ca_cert="auth_serv/ca.pem",
                      client_cert="auth_serv/user.pem",
                      private_key="auth_serv/user.key",
                      expect_failure=True)
    eap_connect(dev[0], hapd, "TLS", "tls user", **client_cfg)
5550 def test_ap_wpa2_eap_tls_oom(dev
, apdev
):
5551 """EAP-TLS and OOM"""
5552 check_subject_match_support(dev
[0])
5553 check_altsubject_match_support(dev
[0])
5554 check_domain_match(dev
[0])
5555 check_domain_match_full(dev
[0])
5557 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5558 hostapd
.add_ap(apdev
[0], params
)
5560 tests
= [(1, "tls_connection_set_subject_match"),
5561 (2, "tls_connection_set_subject_match"),
5562 (3, "tls_connection_set_subject_match"),
5563 (4, "tls_connection_set_subject_match")]
5564 for count
, func
in tests
:
5565 with
alloc_fail(dev
[0], count
, func
):
5566 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5567 identity
="tls user", ca_cert
="auth_serv/ca.pem",
5568 client_cert
="auth_serv/user.pem",
5569 private_key
="auth_serv/user.key",
5570 subject_match
="/C=FI/O=w1.fi/CN=server.w1.fi",
5571 altsubject_match
="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
5572 domain_suffix_match
="server.w1.fi",
5573 domain_match
="server.w1.fi",
5574 wait_connect
=False, scan_freq
="2412")
5575 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
5576 ev
= dev
[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout
=5)
5578 raise Exception("No passphrase request")
5579 dev
[0].request("REMOVE_NETWORK all")
5580 dev
[0].wait_disconnected()
5582 def test_ap_wpa2_eap_tls_macacl(dev
, apdev
):
5583 """WPA2-Enterprise connection using MAC ACL"""
5584 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5585 params
["macaddr_acl"] = "2"
5586 hapd
= hostapd
.add_ap(apdev
[0], params
)
5587 eap_connect(dev
[1], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5588 client_cert
="auth_serv/user.pem",
5589 private_key
="auth_serv/user.key")
5591 def test_ap_wpa2_eap_oom(dev
, apdev
):
5592 """EAP server and OOM"""
5593 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5594 hapd
= hostapd
.add_ap(apdev
[0], params
)
5595 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
5597 with
alloc_fail(hapd
, 1, "eapol_auth_alloc"):
5598 # The first attempt fails, but STA will send EAPOL-Start to retry and
5600 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5601 identity
="tls user", ca_cert
="auth_serv/ca.pem",
5602 client_cert
="auth_serv/user.pem",
5603 private_key
="auth_serv/user.key",
5606 def check_tls_ver(dev
, hapd
, phase1
, expected
):
5607 eap_connect(dev
, hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5608 client_cert
="auth_serv/user.pem",
5609 private_key
="auth_serv/user.key",
5611 ver
= dev
.get_status_field("eap_tls_version")
5613 raise Exception("Unexpected TLS version (expected %s): %s" % (expected
, ver
))
5615 def test_ap_wpa2_eap_tls_versions(dev
, apdev
):
5616 """EAP-TLS and TLS version configuration"""
5617 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5618 hapd
= hostapd
.add_ap(apdev
[0], params
)
5620 tls
= dev
[0].request("GET tls_library")
5621 if tls
.startswith("OpenSSL"):
5622 if "build=OpenSSL 1.0.1" not in tls
and "run=OpenSSL 1.0.1" not in tls
:
5623 check_tls_ver(dev
[0], hapd
,
5624 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
5626 if tls
.startswith("wolfSSL"):
5627 if ("build=3.10.0" in tls
and "run=3.10.0" in tls
) or \
5628 ("build=3.13.0" in tls
and "run=3.13.0" in tls
):
5629 check_tls_ver(dev
[0], hapd
,
5630 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
5632 elif tls
.startswith("internal"):
5633 check_tls_ver(dev
[0], hapd
,
5634 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
5635 check_tls_ver(dev
[1], hapd
,
5636 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
5637 check_tls_ver(dev
[2], hapd
,
5638 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
5639 if "run=OpenSSL 1.1.1" in tls
:
5640 check_tls_ver(dev
[0], hapd
,
5641 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0", "TLSv1.3")
5643 def test_ap_wpa2_eap_tls_13(dev
, apdev
):
5644 """EAP-TLS and TLS 1.3"""
5645 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5646 hapd
= hostapd
.add_ap(apdev
[0], params
)
5648 tls
= dev
[0].request("GET tls_library")
5649 if "run=OpenSSL 1.1.1" not in tls
:
5650 raise HwsimSkip("TLS v1.3 not supported")
5651 id = eap_connect(dev
[0], hapd
, "TLS", "tls user",
5652 ca_cert
="auth_serv/ca.pem",
5653 client_cert
="auth_serv/user.pem",
5654 private_key
="auth_serv/user.key",
5655 phase1
="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0")
5656 ver
= dev
[0].get_status_field("eap_tls_version")
5657 if ver
!= "TLSv1.3":
5658 raise Exception("Unexpected TLS version")
5660 eap_reauth(dev
[0], "TLS")
5661 dev
[0].request("DISCONNECT")
5662 dev
[0].wait_disconnected()
5663 dev
[0].request("PMKSA_FLUSH")
5664 dev
[0].request("RECONNECT")
5665 dev
[0].wait_connected()
5667 def test_ap_wpa2_eap_tls_13_ec(dev
, apdev
):
5668 """EAP-TLS and TLS 1.3 (EC certificates)"""
5669 params
= {"ssid": "test-wpa2-eap",
5671 "wpa_key_mgmt": "WPA-EAP",
5672 "rsn_pairwise": "CCMP",
5675 "eap_user_file": "auth_serv/eap_user.conf",
5676 "ca_cert": "auth_serv/ec-ca.pem",
5677 "server_cert": "auth_serv/ec-server.pem",
5678 "private_key": "auth_serv/ec-server.key",
5679 "tls_flags": "[ENABLE-TLSv1.3]"}
5680 hapd
= hostapd
.add_ap(apdev
[0], params
)
5681 tls
= hapd
.request("GET tls_library")
5682 if "run=OpenSSL 1.1.1" not in tls
:
5683 raise HwsimSkip("TLS v1.3 not supported")
5685 tls
= dev
[0].request("GET tls_library")
5686 if "run=OpenSSL 1.1.1" not in tls
:
5687 raise HwsimSkip("TLS v1.3 not supported")
5688 id = eap_connect(dev
[0], hapd
, "TLS", "tls user",
5689 ca_cert
="auth_serv/ec-ca.pem",
5690 client_cert
="auth_serv/ec-user.pem",
5691 private_key
="auth_serv/ec-user.key",
5692 phase1
="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0")
5693 ver
= dev
[0].get_status_field("eap_tls_version")
5694 if ver
!= "TLSv1.3":
5695 raise Exception("Unexpected TLS version")
5697 def test_ap_wpa2_eap_tls_rsa_and_ec(dev
, apdev
, params
):
5698 """EAP-TLS and both RSA and EC sertificates certificates"""
5699 ca
= os
.path
.join(params
['logdir'], "ap_wpa2_eap_tls_rsa_and_ec.ca.pem")
5700 with
open(ca
, "w") as f
:
5701 with
open("auth_serv/ca.pem", "r") as f2
:
5703 with
open("auth_serv/ec-ca.pem", "r") as f2
:
5705 params
= {"ssid": "test-wpa2-eap",
5707 "wpa_key_mgmt": "WPA-EAP",
5708 "rsn_pairwise": "CCMP",
5711 "eap_user_file": "auth_serv/eap_user.conf",
5713 "server_cert": "auth_serv/server.pem",
5714 "private_key": "auth_serv/server.key",
5715 "server_cert2": "auth_serv/ec-server.pem",
5716 "private_key2": "auth_serv/ec-server.key"}
5717 hapd
= hostapd
.add_ap(apdev
[0], params
)
5719 eap_connect(dev
[0], hapd
, "TLS", "tls user",
5720 ca_cert
="auth_serv/ec-ca.pem",
5721 client_cert
="auth_serv/ec-user.pem",
5722 private_key
="auth_serv/ec-user.key")
5723 dev
[0].request("REMOVE_NETWORK all")
5724 dev
[0].wait_disconnected()
5726 # TODO: Make wpa_supplicant automatically filter out cipher suites that
5727 # would require ECDH/ECDSA keys when those are not configured in the
5728 # selected client certificate. And for no-client-cert case, deprioritize
5729 # those cipher suites based on configured ca_cert value so that the most
5730 # likely to work cipher suites are selected by the server. Only do these
5731 # when an explicit openssl_ciphers parameter is not set.
5732 eap_connect(dev
[1], hapd
, "TLS", "tls user",
5733 openssl_ciphers
="DEFAULT:-aECDH:-aECDSA",
5734 ca_cert
="auth_serv/ca.pem",
5735 client_cert
="auth_serv/user.pem",
5736 private_key
="auth_serv/user.key")
5737 dev
[1].request("REMOVE_NETWORK all")
5738 dev
[1].wait_disconnected()
5740 def test_rsn_ie_proto_eap_sta(dev
, apdev
):
5741 """RSN element protocol testing for EAP cases on STA side"""
5742 bssid
= apdev
[0]['bssid']
5743 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5744 # This is the RSN element used normally by hostapd
5745 params
['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
5746 hapd
= hostapd
.add_ap(apdev
[0], params
)
5747 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
5748 identity
="gpsk user",
5749 password
="abcdefghijklmnop0123456789abcdef",
5752 tests
= [('No RSN Capabilities field',
5753 '30120100000fac040100000fac040100000fac01'),
5754 ('No AKM Suite fields',
5755 '300c0100000fac040100000fac04'),
5756 ('No Pairwise Cipher Suite fields',
5757 '30060100000fac04'),
5758 ('No Group Data Cipher Suite field',
5760 for txt
, ie
in tests
:
5761 dev
[0].request("DISCONNECT")
5762 dev
[0].wait_disconnected()
5765 hapd
.set('own_ie_override', ie
)
5767 dev
[0].request("BSS_FLUSH 0")
5768 dev
[0].scan_for_bss(bssid
, 2412, force_scan
=True, only_new
=True)
5769 dev
[0].select_network(id, freq
=2412)
5770 dev
[0].wait_connected()
5772 dev
[0].request("DISCONNECT")
5773 dev
[0].wait_disconnected()
5774 dev
[0].flush_scan_cache()
5776 def check_tls_session_resumption_capa(dev
, hapd
):
5777 tls
= hapd
.request("GET tls_library")
5778 if not tls
.startswith("OpenSSL"):
5779 raise HwsimSkip("hostapd TLS library is not OpenSSL or wolfSSL: " + tls
)
5781 tls
= dev
.request("GET tls_library")
5782 if not tls
.startswith("OpenSSL"):
5783 raise HwsimSkip("Session resumption not supported with this TLS library: " + tls
)
5785 def test_eap_ttls_pap_session_resumption(dev
, apdev
):
5786 """EAP-TTLS/PAP session resumption"""
5787 params
= int_eap_server_params()
5788 params
['tls_session_lifetime'] = '60'
5789 hapd
= hostapd
.add_ap(apdev
[0], params
)
5790 check_tls_session_resumption_capa(dev
[0], hapd
)
5791 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5792 anonymous_identity
="ttls", password
="password",
5793 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5795 if dev
[0].get_status_field("tls_session_reused") != '0':
5796 raise Exception("Unexpected session resumption on the first connection")
5798 dev
[0].request("REAUTHENTICATE")
5799 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5801 raise Exception("EAP success timed out")
5802 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5804 raise Exception("Key handshake with the AP timed out")
5805 if dev
[0].get_status_field("tls_session_reused") != '1':
5806 raise Exception("Session resumption not used on the second connection")
5807 hwsim_utils
.test_connectivity(dev
[0], hapd
)
5809 def test_eap_ttls_chap_session_resumption(dev
, apdev
):
5810 """EAP-TTLS/CHAP session resumption"""
5811 params
= int_eap_server_params()
5812 params
['tls_session_lifetime'] = '60'
5813 hapd
= hostapd
.add_ap(apdev
[0], params
)
5814 check_tls_session_resumption_capa(dev
[0], hapd
)
5815 eap_connect(dev
[0], hapd
, "TTLS", "chap user",
5816 anonymous_identity
="ttls", password
="password",
5817 ca_cert
="auth_serv/ca.der", phase2
="auth=CHAP")
5818 if dev
[0].get_status_field("tls_session_reused") != '0':
5819 raise Exception("Unexpected session resumption on the first connection")
5821 dev
[0].request("REAUTHENTICATE")
5822 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5824 raise Exception("EAP success timed out")
5825 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5827 raise Exception("Key handshake with the AP timed out")
5828 if dev
[0].get_status_field("tls_session_reused") != '1':
5829 raise Exception("Session resumption not used on the second connection")
5831 def test_eap_ttls_mschap_session_resumption(dev
, apdev
):
5832 """EAP-TTLS/MSCHAP session resumption"""
5833 check_domain_suffix_match(dev
[0])
5834 params
= int_eap_server_params()
5835 params
['tls_session_lifetime'] = '60'
5836 hapd
= hostapd
.add_ap(apdev
[0], params
)
5837 check_tls_session_resumption_capa(dev
[0], hapd
)
5838 eap_connect(dev
[0], hapd
, "TTLS", "mschap user",
5839 anonymous_identity
="ttls", password
="password",
5840 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
5841 domain_suffix_match
="server.w1.fi")
5842 if dev
[0].get_status_field("tls_session_reused") != '0':
5843 raise Exception("Unexpected session resumption on the first connection")
5845 dev
[0].request("REAUTHENTICATE")
5846 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5848 raise Exception("EAP success timed out")
5849 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5851 raise Exception("Key handshake with the AP timed out")
5852 if dev
[0].get_status_field("tls_session_reused") != '1':
5853 raise Exception("Session resumption not used on the second connection")
5855 def test_eap_ttls_mschapv2_session_resumption(dev
, apdev
):
5856 """EAP-TTLS/MSCHAPv2 session resumption"""
5857 check_domain_suffix_match(dev
[0])
5858 check_eap_capa(dev
[0], "MSCHAPV2")
5859 params
= int_eap_server_params()
5860 params
['tls_session_lifetime'] = '60'
5861 hapd
= hostapd
.add_ap(apdev
[0], params
)
5862 check_tls_session_resumption_capa(dev
[0], hapd
)
5863 eap_connect(dev
[0], hapd
, "TTLS", "DOMAIN\mschapv2 user",
5864 anonymous_identity
="ttls", password
="password",
5865 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
5866 domain_suffix_match
="server.w1.fi")
5867 if dev
[0].get_status_field("tls_session_reused") != '0':
5868 raise Exception("Unexpected session resumption on the first connection")
5870 dev
[0].request("REAUTHENTICATE")
5871 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5873 raise Exception("EAP success timed out")
5874 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5876 raise Exception("Key handshake with the AP timed out")
5877 if dev
[0].get_status_field("tls_session_reused") != '1':
5878 raise Exception("Session resumption not used on the second connection")
5880 def test_eap_ttls_eap_gtc_session_resumption(dev
, apdev
):
5881 """EAP-TTLS/EAP-GTC session resumption"""
5882 params
= int_eap_server_params()
5883 params
['tls_session_lifetime'] = '60'
5884 hapd
= hostapd
.add_ap(apdev
[0], params
)
5885 check_tls_session_resumption_capa(dev
[0], hapd
)
5886 eap_connect(dev
[0], hapd
, "TTLS", "user",
5887 anonymous_identity
="ttls", password
="password",
5888 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC")
5889 if dev
[0].get_status_field("tls_session_reused") != '0':
5890 raise Exception("Unexpected session resumption on the first connection")
5892 dev
[0].request("REAUTHENTICATE")
5893 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5895 raise Exception("EAP success timed out")
5896 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5898 raise Exception("Key handshake with the AP timed out")
5899 if dev
[0].get_status_field("tls_session_reused") != '1':
5900 raise Exception("Session resumption not used on the second connection")
5902 def test_eap_ttls_no_session_resumption(dev
, apdev
):
5903 """EAP-TTLS session resumption disabled on server"""
5904 params
= int_eap_server_params()
5905 params
['tls_session_lifetime'] = '0'
5906 hapd
= hostapd
.add_ap(apdev
[0], params
)
5907 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5908 anonymous_identity
="ttls", password
="password",
5909 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5911 if dev
[0].get_status_field("tls_session_reused") != '0':
5912 raise Exception("Unexpected session resumption on the first connection")
5914 dev
[0].request("REAUTHENTICATE")
5915 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5917 raise Exception("EAP success timed out")
5918 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5920 raise Exception("Key handshake with the AP timed out")
5921 if dev
[0].get_status_field("tls_session_reused") != '0':
5922 raise Exception("Unexpected session resumption on the second connection")
5924 def test_eap_peap_session_resumption(dev
, apdev
):
5925 """EAP-PEAP session resumption"""
5926 check_eap_capa(dev
[0], "MSCHAPV2")
5927 params
= int_eap_server_params()
5928 params
['tls_session_lifetime'] = '60'
5929 hapd
= hostapd
.add_ap(apdev
[0], params
)
5930 check_tls_session_resumption_capa(dev
[0], hapd
)
5931 eap_connect(dev
[0], hapd
, "PEAP", "user",
5932 anonymous_identity
="peap", password
="password",
5933 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
5934 if dev
[0].get_status_field("tls_session_reused") != '0':
5935 raise Exception("Unexpected session resumption on the first connection")
5937 dev
[0].request("REAUTHENTICATE")
5938 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5940 raise Exception("EAP success timed out")
5941 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5943 raise Exception("Key handshake with the AP timed out")
5944 if dev
[0].get_status_field("tls_session_reused") != '1':
5945 raise Exception("Session resumption not used on the second connection")
5947 def test_eap_peap_session_resumption_crypto_binding(dev
, apdev
):
5948 """EAP-PEAP session resumption with crypto binding"""
5949 params
= int_eap_server_params()
5950 params
['tls_session_lifetime'] = '60'
5951 hapd
= hostapd
.add_ap(apdev
[0], params
)
5952 check_tls_session_resumption_capa(dev
[0], hapd
)
5953 eap_connect(dev
[0], hapd
, "PEAP", "user",
5954 anonymous_identity
="peap", password
="password",
5955 phase1
="peapver=0 crypto_binding=2",
5956 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
5957 if dev
[0].get_status_field("tls_session_reused") != '0':
5958 raise Exception("Unexpected session resumption on the first connection")
5960 dev
[0].request("REAUTHENTICATE")
5961 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5963 raise Exception("EAP success timed out")
5964 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5966 raise Exception("Key handshake with the AP timed out")
5967 if dev
[0].get_status_field("tls_session_reused") != '1':
5968 raise Exception("Session resumption not used on the second connection")
5970 def test_eap_peap_no_session_resumption(dev
, apdev
):
5971 """EAP-PEAP session resumption disabled on server"""
5972 params
= int_eap_server_params()
5973 hapd
= hostapd
.add_ap(apdev
[0], params
)
5974 eap_connect(dev
[0], hapd
, "PEAP", "user",
5975 anonymous_identity
="peap", password
="password",
5976 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
5977 if dev
[0].get_status_field("tls_session_reused") != '0':
5978 raise Exception("Unexpected session resumption on the first connection")
5980 dev
[0].request("REAUTHENTICATE")
5981 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5983 raise Exception("EAP success timed out")
5984 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5986 raise Exception("Key handshake with the AP timed out")
5987 if dev
[0].get_status_field("tls_session_reused") != '0':
5988 raise Exception("Unexpected session resumption on the second connection")
5990 def test_eap_tls_session_resumption(dev
, apdev
):
5991 """EAP-TLS session resumption"""
5992 params
= int_eap_server_params()
5993 params
['tls_session_lifetime'] = '60'
5994 hapd
= hostapd
.add_ap(apdev
[0], params
)
5995 check_tls_session_resumption_capa(dev
[0], hapd
)
5996 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5997 client_cert
="auth_serv/user.pem",
5998 private_key
="auth_serv/user.key")
5999 if dev
[0].get_status_field("tls_session_reused") != '0':
6000 raise Exception("Unexpected session resumption on the first connection")
6002 dev
[0].request("REAUTHENTICATE")
6003 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
6005 raise Exception("EAP success timed out")
6006 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
6008 raise Exception("Key handshake with the AP timed out")
6009 if dev
[0].get_status_field("tls_session_reused") != '1':
6010 raise Exception("Session resumption not used on the second connection")
6012 dev
[0].request("REAUTHENTICATE")
6013 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
6015 raise Exception("EAP success timed out")
6016 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
6018 raise Exception("Key handshake with the AP timed out")
6019 if dev
[0].get_status_field("tls_session_reused") != '1':
6020 raise Exception("Session resumption not used on the third connection")
6022 def test_eap_tls_session_resumption_expiration(dev
, apdev
):
6023 """EAP-TLS session resumption"""
6024 params
= int_eap_server_params()
6025 params
['tls_session_lifetime'] = '1'
6026 hapd
= hostapd
.add_ap(apdev
[0], params
)
6027 check_tls_session_resumption_capa(dev
[0], hapd
)
6028 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
6029 client_cert
="auth_serv/user.pem",
6030 private_key
="auth_serv/user.key")
6031 if dev
[0].get_status_field("tls_session_reused") != '0':
6032 raise Exception("Unexpected session resumption on the first connection")
6034 # Allow multiple attempts since OpenSSL may not expire the cached entry
6039 dev
[0].request("REAUTHENTICATE")
6040 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
6042 raise Exception("EAP success timed out")
6043 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
6045 raise Exception("Key handshake with the AP timed out")
6046 if dev
[0].get_status_field("tls_session_reused") == '0':
6048 if dev
[0].get_status_field("tls_session_reused") != '0':
6049 raise Exception("Session resumption used after lifetime expiration")
6051 def test_eap_tls_no_session_resumption(dev
, apdev
):
6052 """EAP-TLS session resumption disabled on server"""
6053 params
= int_eap_server_params()
6054 hapd
= hostapd
.add_ap(apdev
[0], params
)
6055 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
6056 client_cert
="auth_serv/user.pem",
6057 private_key
="auth_serv/user.key")
6058 if dev
[0].get_status_field("tls_session_reused") != '0':
6059 raise Exception("Unexpected session resumption on the first connection")
6061 dev
[0].request("REAUTHENTICATE")
6062 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
6064 raise Exception("EAP success timed out")
6065 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
6067 raise Exception("Key handshake with the AP timed out")
6068 if dev
[0].get_status_field("tls_session_reused") != '0':
6069 raise Exception("Unexpected session resumption on the second connection")
6071 def test_eap_tls_session_resumption_radius(dev
, apdev
):
6072 """EAP-TLS session resumption (RADIUS)"""
6073 params
= {"ssid": "as", "beacon_int": "2000",
6074 "radius_server_clients": "auth_serv/radius_clients.conf",
6075 "radius_server_auth_port": '18128',
6077 "eap_user_file": "auth_serv/eap_user.conf",
6078 "ca_cert": "auth_serv/ca.pem",
6079 "server_cert": "auth_serv/server.pem",
6080 "private_key": "auth_serv/server.key",
6081 "tls_session_lifetime": "60"}
6082 authsrv
= hostapd
.add_ap(apdev
[1], params
)
6083 check_tls_session_resumption_capa(dev
[0], authsrv
)
6085 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6086 params
['auth_server_port'] = "18128"
6087 hapd
= hostapd
.add_ap(apdev
[0], params
)
6088 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
6089 client_cert
="auth_serv/user.pem",
6090 private_key
="auth_serv/user.key")
6091 if dev
[0].get_status_field("tls_session_reused") != '0':
6092 raise Exception("Unexpected session resumption on the first connection")
6094 dev
[0].request("REAUTHENTICATE")
6095 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
6097 raise Exception("EAP success timed out")
6098 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
6100 raise Exception("Key handshake with the AP timed out")
6101 if dev
[0].get_status_field("tls_session_reused") != '1':
6102 raise Exception("Session resumption not used on the second connection")
6104 def test_eap_tls_no_session_resumption_radius(dev
, apdev
):
6105 """EAP-TLS session resumption disabled (RADIUS)"""
6106 params
= {"ssid": "as", "beacon_int": "2000",
6107 "radius_server_clients": "auth_serv/radius_clients.conf",
6108 "radius_server_auth_port": '18128',
6110 "eap_user_file": "auth_serv/eap_user.conf",
6111 "ca_cert": "auth_serv/ca.pem",
6112 "server_cert": "auth_serv/server.pem",
6113 "private_key": "auth_serv/server.key",
6114 "tls_session_lifetime": "0"}
6115 hostapd
.add_ap(apdev
[1], params
)
6117 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6118 params
['auth_server_port'] = "18128"
6119 hapd
= hostapd
.add_ap(apdev
[0], params
)
6120 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
6121 client_cert
="auth_serv/user.pem",
6122 private_key
="auth_serv/user.key")
6123 if dev
[0].get_status_field("tls_session_reused") != '0':
6124 raise Exception("Unexpected session resumption on the first connection")
6126 dev
[0].request("REAUTHENTICATE")
6127 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
6129 raise Exception("EAP success timed out")
6130 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
6132 raise Exception("Key handshake with the AP timed out")
6133 if dev
[0].get_status_field("tls_session_reused") != '0':
6134 raise Exception("Unexpected session resumption on the second connection")
6136 def test_eap_mschapv2_errors(dev
, apdev
):
6137 """EAP-MSCHAPv2 error cases"""
6138 check_eap_capa(dev
[0], "MSCHAPV2")
6139 check_eap_capa(dev
[0], "FAST")
6141 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa-eap")
6142 hapd
= hostapd
.add_ap(apdev
[0], params
)
6143 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
6144 identity
="phase1-user", password
="password",
6146 dev
[0].request("REMOVE_NETWORK all")
6147 dev
[0].wait_disconnected()
6149 tests
= [(1, "hash_nt_password_hash;mschapv2_derive_response"),
6150 (1, "nt_password_hash;mschapv2_derive_response"),
6151 (1, "nt_password_hash;=mschapv2_derive_response"),
6152 (1, "generate_nt_response;mschapv2_derive_response"),
6153 (1, "generate_authenticator_response;mschapv2_derive_response"),
6154 (1, "nt_password_hash;=mschapv2_derive_response"),
6155 (1, "get_master_key;mschapv2_derive_response"),
6156 (1, "os_get_random;eap_mschapv2_challenge_reply")]
6157 for count
, func
in tests
:
6158 with
fail_test(dev
[0], count
, func
):
6159 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
6160 identity
="phase1-user", password
="password",
6161 wait_connect
=False, scan_freq
="2412")
6162 wait_fail_trigger(dev
[0], "GET_FAIL")
6163 dev
[0].request("REMOVE_NETWORK all")
6164 dev
[0].wait_disconnected()
6166 tests
= [(1, "hash_nt_password_hash;mschapv2_derive_response"),
6167 (1, "hash_nt_password_hash;=mschapv2_derive_response"),
6168 (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
6169 (1, "generate_authenticator_response_pwhash;mschapv2_derive_response")]
6170 for count
, func
in tests
:
6171 with
fail_test(dev
[0], count
, func
):
6172 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
6173 identity
="phase1-user",
6174 password_hex
="hash:8846f7eaee8fb117ad06bdd830b7586c",
6175 wait_connect
=False, scan_freq
="2412")
6176 wait_fail_trigger(dev
[0], "GET_FAIL")
6177 dev
[0].request("REMOVE_NETWORK all")
6178 dev
[0].wait_disconnected()
6180 tests
= [(1, "eap_mschapv2_init"),
6181 (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
6182 (1, "eap_msg_alloc;eap_mschapv2_success"),
6183 (1, "eap_mschapv2_getKey")]
6184 for count
, func
in tests
:
6185 with
alloc_fail(dev
[0], count
, func
):
6186 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
6187 identity
="phase1-user", password
="password",
6188 wait_connect
=False, scan_freq
="2412")
6189 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6190 dev
[0].request("REMOVE_NETWORK all")
6191 dev
[0].wait_disconnected()
6193 tests
= [(1, "eap_msg_alloc;eap_mschapv2_failure")]
6194 for count
, func
in tests
:
6195 with
alloc_fail(dev
[0], count
, func
):
6196 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
6197 identity
="phase1-user", password
="wrong password",
6198 wait_connect
=False, scan_freq
="2412")
6199 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6200 dev
[0].request("REMOVE_NETWORK all")
6201 dev
[0].wait_disconnected()
6203 tests
= [(2, "eap_mschapv2_init"),
6204 (3, "eap_mschapv2_init")]
6205 for count
, func
in tests
:
6206 with
alloc_fail(dev
[0], count
, func
):
6207 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="FAST",
6208 anonymous_identity
="FAST", identity
="user",
6209 password
="password",
6210 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
6211 phase1
="fast_provisioning=1",
6212 pac_file
="blob://fast_pac",
6213 wait_connect
=False, scan_freq
="2412")
6214 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6215 dev
[0].request("REMOVE_NETWORK all")
6216 dev
[0].wait_disconnected()
6218 def test_eap_gpsk_errors(dev
, apdev
):
6219 """EAP-GPSK error cases"""
6220 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa-eap")
6221 hapd
= hostapd
.add_ap(apdev
[0], params
)
6222 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
6223 identity
="gpsk user",
6224 password
="abcdefghijklmnop0123456789abcdef",
6226 dev
[0].request("REMOVE_NETWORK all")
6227 dev
[0].wait_disconnected()
6229 tests
= [(1, "os_get_random;eap_gpsk_send_gpsk_2", None),
6230 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
6232 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
6234 (1, "eap_gpsk_derive_keys_helper", None),
6235 (2, "eap_gpsk_derive_keys_helper", None),
6236 (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
6238 (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
6240 (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
6241 (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
6242 (1, "eap_gpsk_derive_mid_helper", None)]
6243 for count
, func
, phase1
in tests
:
6244 with
fail_test(dev
[0], count
, func
):
6245 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
6246 identity
="gpsk user",
6247 password
="abcdefghijklmnop0123456789abcdef",
6249 wait_connect
=False, scan_freq
="2412")
6250 wait_fail_trigger(dev
[0], "GET_FAIL")
6251 dev
[0].request("REMOVE_NETWORK all")
6252 dev
[0].wait_disconnected()
6254 tests
= [(1, "eap_gpsk_init"),
6255 (2, "eap_gpsk_init"),
6256 (3, "eap_gpsk_init"),
6257 (1, "eap_gpsk_process_id_server"),
6258 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
6259 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
6260 (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
6261 (1, "eap_gpsk_derive_keys"),
6262 (1, "eap_gpsk_derive_keys_helper"),
6263 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
6264 (1, "eap_gpsk_getKey"),
6265 (1, "eap_gpsk_get_emsk"),
6266 (1, "eap_gpsk_get_session_id")]
6267 for count
, func
in tests
:
6268 with
alloc_fail(dev
[0], count
, func
):
6269 dev
[0].request("ERP_FLUSH")
6270 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
6271 identity
="gpsk user@domain", erp
="1",
6272 password
="abcdefghijklmnop0123456789abcdef",
6273 wait_connect
=False, scan_freq
="2412")
6274 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6275 dev
[0].request("REMOVE_NETWORK all")
6276 dev
[0].wait_disconnected()
6278 def test_ap_wpa2_eap_sim_db(dev
, apdev
, params
):
6279 """EAP-SIM DB error cases"""
6280 sockpath
= '/tmp/hlr_auc_gw.sock-test'
6285 hparams
= int_eap_server_params()
6286 hparams
['eap_sim_db'] = 'unix:' + sockpath
6287 hapd
= hostapd
.add_ap(apdev
[0], hparams
)
6289 # Initial test with hlr_auc_gw socket not available
6290 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
6291 eap
="SIM", identity
="1232010000000000",
6292 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
6293 scan_freq
="2412", wait_connect
=False)
6294 ev
= dev
[0].wait_event(["EAP-ERROR-CODE"], timeout
=10)
6296 raise Exception("EAP method specific error code not reported")
6297 if int(ev
.split()[1]) != 16384:
6298 raise Exception("Unexpected EAP method specific error code: " + ev
)
6299 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
6301 raise Exception("EAP-Failure not reported")
6302 dev
[0].wait_disconnected()
6303 dev
[0].request("DISCONNECT")
6305 # Test with invalid responses and response timeout
6307 class test_handler(SocketServer
.DatagramRequestHandler
):
6309 data
= self
.request
[0].decode().strip()
6310 socket
= self
.request
[1]
6311 logger
.debug("Received hlr_auc_gw request: " + data
)
6312 # EAP-SIM DB: Failed to parse response string
6313 socket
.sendto(b
"FOO", self
.client_address
)
6314 # EAP-SIM DB: Failed to parse response string
6315 socket
.sendto(b
"FOO 1", self
.client_address
)
6316 # EAP-SIM DB: Unknown external response
6317 socket
.sendto(b
"FOO 1 2", self
.client_address
)
6318 logger
.info("No proper response - wait for pending eap_sim_db request timeout")
6320 server
= SocketServer
.UnixDatagramServer(sockpath
, test_handler
)
6323 dev
[0].select_network(id)
6324 server
.handle_request()
6325 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
6327 raise Exception("EAP-Failure not reported")
6328 dev
[0].wait_disconnected()
6329 dev
[0].request("DISCONNECT")
6331 # Test with a valid response
6333 class test_handler2(SocketServer
.DatagramRequestHandler
):
6335 data
= self
.request
[0].decode().strip()
6336 socket
= self
.request
[1]
6337 logger
.debug("Received hlr_auc_gw request: " + data
)
6338 fname
= os
.path
.join(params
['logdir'],
6339 'hlr_auc_gw.milenage_db')
6340 cmd
= subprocess
.Popen(['../../hostapd/hlr_auc_gw',
6342 stdout
=subprocess
.PIPE
)
6343 res
= cmd
.stdout
.read().decode().strip()
6345 logger
.debug("hlr_auc_gw response: " + res
)
6346 socket
.sendto(res
.encode(), self
.client_address
)
6348 server
.RequestHandlerClass
= test_handler2
6350 dev
[0].select_network(id)
6351 server
.handle_request()
6352 dev
[0].wait_connected()
6353 dev
[0].request("DISCONNECT")
6354 dev
[0].wait_disconnected()
6356 def test_eap_tls_sha512(dev
, apdev
, params
):
6357 """EAP-TLS with SHA512 signature"""
6358 params
= int_eap_server_params()
6359 params
["ca_cert"] = "auth_serv/sha512-ca.pem"
6360 params
["server_cert"] = "auth_serv/sha512-server.pem"
6361 params
["private_key"] = "auth_serv/sha512-server.key"
6362 hostapd
.add_ap(apdev
[0], params
)
6364 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6365 identity
="tls user sha512",
6366 ca_cert
="auth_serv/sha512-ca.pem",
6367 client_cert
="auth_serv/sha512-user.pem",
6368 private_key
="auth_serv/sha512-user.key",
6370 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6371 identity
="tls user sha512",
6372 ca_cert
="auth_serv/sha512-ca.pem",
6373 client_cert
="auth_serv/sha384-user.pem",
6374 private_key
="auth_serv/sha384-user.key",
6377 def test_eap_tls_sha384(dev
, apdev
, params
):
6378 """EAP-TLS with SHA384 signature"""
6379 params
= int_eap_server_params()
6380 params
["ca_cert"] = "auth_serv/sha512-ca.pem"
6381 params
["server_cert"] = "auth_serv/sha384-server.pem"
6382 params
["private_key"] = "auth_serv/sha384-server.key"
6383 hostapd
.add_ap(apdev
[0], params
)
6385 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6386 identity
="tls user sha512",
6387 ca_cert
="auth_serv/sha512-ca.pem",
6388 client_cert
="auth_serv/sha512-user.pem",
6389 private_key
="auth_serv/sha512-user.key",
6391 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6392 identity
="tls user sha512",
6393 ca_cert
="auth_serv/sha512-ca.pem",
6394 client_cert
="auth_serv/sha384-user.pem",
6395 private_key
="auth_serv/sha384-user.key",
6398 def test_ap_wpa2_eap_assoc_rsn(dev
, apdev
):
6399 """WPA2-Enterprise AP and association request RSN IE differences"""
6400 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6401 hostapd
.add_ap(apdev
[0], params
)
6403 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap-11w")
6404 params
["ieee80211w"] = "2"
6405 hostapd
.add_ap(apdev
[1], params
)
6407 # Success cases with optional RSN IE fields removed one by one
6408 tests
= [("Normal wpa_supplicant assoc req RSN IE",
6409 "30140100000fac040100000fac040100000fac010000"),
6410 ("Extra PMKIDCount field in RSN IE",
6411 "30160100000fac040100000fac040100000fac0100000000"),
6412 ("Extra Group Management Cipher Suite in RSN IE",
6413 "301a0100000fac040100000fac040100000fac0100000000000fac06"),
6414 ("Extra undefined extension field in RSN IE",
6415 "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
6416 ("RSN IE without RSN Capabilities",
6417 "30120100000fac040100000fac040100000fac01"),
6418 ("RSN IE without AKM", "300c0100000fac040100000fac04"),
6419 ("RSN IE without pairwise", "30060100000fac04"),
6420 ("RSN IE without group", "30020100")]
6421 for title
, ie
in tests
:
6423 set_test_assoc_ie(dev
[0], ie
)
6424 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
6425 identity
="gpsk user",
6426 password
="abcdefghijklmnop0123456789abcdef",
6428 dev
[0].request("REMOVE_NETWORK all")
6429 dev
[0].wait_disconnected()
6431 tests
= [("Normal wpa_supplicant assoc req RSN IE",
6432 "30140100000fac040100000fac040100000fac01cc00"),
6433 ("Group management cipher included in assoc req RSN IE",
6434 "301a0100000fac040100000fac040100000fac01cc000000000fac06")]
6435 for title
, ie
in tests
:
6437 set_test_assoc_ie(dev
[0], ie
)
6438 dev
[0].connect("test-wpa2-eap-11w", key_mgmt
="WPA-EAP", ieee80211w
="1",
6439 eap
="GPSK", identity
="gpsk user",
6440 password
="abcdefghijklmnop0123456789abcdef",
6442 dev
[0].request("REMOVE_NETWORK all")
6443 dev
[0].wait_disconnected()
6445 tests
= [("Invalid group cipher", "30060100000fac02", 41),
6446 ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42)]
6447 for title
, ie
, status
in tests
:
6449 set_test_assoc_ie(dev
[0], ie
)
6450 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
6451 identity
="gpsk user",
6452 password
="abcdefghijklmnop0123456789abcdef",
6453 scan_freq
="2412", wait_connect
=False)
6454 ev
= dev
[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
6456 raise Exception("Association rejection not reported")
6457 if "status_code=" + str(status
) not in ev
:
6458 raise Exception("Unexpected status code: " + ev
)
6459 dev
[0].request("REMOVE_NETWORK all")
6460 dev
[0].dump_monitor()
6462 tests
= [("Management frame protection not enabled",
6463 "30140100000fac040100000fac040100000fac010000", 31),
6464 ("Unsupported management group cipher",
6465 "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 46)]
6466 for title
, ie
, status
in tests
:
6468 set_test_assoc_ie(dev
[0], ie
)
6469 dev
[0].connect("test-wpa2-eap-11w", key_mgmt
="WPA-EAP", ieee80211w
="1",
6470 eap
="GPSK", identity
="gpsk user",
6471 password
="abcdefghijklmnop0123456789abcdef",
6472 scan_freq
="2412", wait_connect
=False)
6473 ev
= dev
[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
6475 raise Exception("Association rejection not reported")
6476 if "status_code=" + str(status
) not in ev
:
6477 raise Exception("Unexpected status code: " + ev
)
6478 dev
[0].request("REMOVE_NETWORK all")
6479 dev
[0].dump_monitor()
def test_eap_tls_ext_cert_check(dev, apdev):
    """EAP-TLS and external server certification validation"""
    # With internal server certificate chain validation: ca_cert is
    # configured, so wpa_supplicant's own chain check against that CA still
    # applies. phase1 tls_ext_cert_check=1 additionally exposes the server
    # certificate over the control interface and holds EAP until a
    # CTRL-RSP-EXT_CERT_CHECK answer arrives; run_ext_cert_check drives that
    # exchange for both the "good" and the "bad" verdict.
    network = {
        'key_mgmt': "WPA-EAP",
        'eap': "TLS",
        'identity': "tls user",
        'ca_cert': "auth_serv/ca.pem",
        'client_cert': "auth_serv/user.pem",
        'private_key': "auth_serv/user.key",
        'phase1': "tls_ext_cert_check=1",
        'scan_freq': "2412",
        # Only create the network profile here; selection happens in the
        # shared helper once the AP is up.
        'only_add_network': True,
    }
    net_id = dev[0].connect("test-wpa2-eap", **network)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_ttls_ext_cert_check(dev, apdev):
    """EAP-TTLS and external server certification validation"""
    # Without internal server certificate chain validation: no ca_cert is
    # set, so the CTRL-RSP-EXT_CERT_CHECK verdict supplied over the control
    # interface is the only check applied to the server certificate.
    # Security note: the inner method is PAP, and the password is released
    # to whichever server the external checker accepts. A deployment whose
    # external checker answers "good" without genuinely validating the
    # certificate would therefore hand the credential to a rogue server;
    # this test only verifies that the supplicant honours the verdict.
    network = {
        'key_mgmt': "WPA-EAP",
        'eap': "TTLS",
        'identity': "pap user",
        'anonymous_identity': "ttls",
        'password': "password",
        'phase2': "auth=PAP",
        'phase1': "tls_ext_cert_check=1",
        'scan_freq': "2412",
        'only_add_network': True,
    }
    net_id = dev[0].connect("test-wpa2-eap", **network)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_peap_ext_cert_check(dev, apdev):
    """EAP-PEAP and external server certification validation"""
    # With internal server certificate chain validation: ca_cert is set, so
    # the built-in chain check runs in addition to the external
    # CTRL-RSP-EXT_CERT_CHECK gate enabled by phase1 tls_ext_cert_check=1.
    # Inner method is MSCHAPv2 over the PEAP tunnel; the outer (anonymous)
    # identity "peap" is what the server sees before the tunnel is up.
    network = {
        'key_mgmt': "WPA-EAP",
        'eap': "PEAP",
        'identity': "user",
        'anonymous_identity': "peap",
        'ca_cert': "auth_serv/ca.pem",
        'password': "password",
        'phase2': "auth=MSCHAPV2",
        'phase1': "tls_ext_cert_check=1",
        'scan_freq': "2412",
        'only_add_network': True,
    }
    net_id = dev[0].connect("test-wpa2-eap", **network)
    run_ext_cert_check(dev, apdev, net_id)
6514 def test_eap_fast_ext_cert_check(dev
, apdev
):
6515 """EAP-FAST and external server certification validation"""
6516 check_eap_capa(dev
[0], "FAST")
6517 # With internal server certificate chain validation
6518 dev
[0].request("SET blob fast_pac_auth_ext ")
6519 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
6520 identity
="user", anonymous_identity
="FAST",
6521 ca_cert
="auth_serv/ca.pem",
6522 password
="password", phase2
="auth=GTC",
6523 phase1
="tls_ext_cert_check=1 fast_provisioning=2",
6524 pac_file
="blob://fast_pac_auth_ext",
6526 only_add_network
=True)
6527 run_ext_cert_check(dev
, apdev
, id)
6529 def run_ext_cert_check(dev
, apdev
, net_id
):
6530 check_ext_cert_check_support(dev
[0])
6531 if not openssl_imported
:
6532 raise HwsimSkip("OpenSSL python method not available")
6534 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6535 hapd
= hostapd
.add_ap(apdev
[0], params
)
6537 dev
[0].select_network(net_id
)
6540 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
6541 "CTRL-REQ-EXT_CERT_CHECK",
6542 "CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
6544 raise Exception("No peer server certificate event seen")
6545 if "CTRL-EVENT-EAP-PEER-CERT" in ev
:
6548 vals
= ev
.split(' ')
6550 if v
.startswith("depth="):
6551 depth
= int(v
.split('=')[1])
6552 elif v
.startswith("cert="):
6553 cert
= v
.split('=')[1]
6554 if depth
is not None and cert
:
6555 certs
[depth
] = binascii
.unhexlify(cert
)
6556 elif "CTRL-EVENT-EAP-SUCCESS" in ev
:
6557 raise Exception("Unexpected EAP-Success")
6558 elif "CTRL-REQ-EXT_CERT_CHECK" in ev
:
6559 id = ev
.split(':')[0].split('-')[-1]
6562 raise Exception("Server certificate not received")
6564 raise Exception("Server certificate issuer not received")
6566 cert
= OpenSSL
.crypto
.load_certificate(OpenSSL
.crypto
.FILETYPE_ASN1
,
6568 cn
= cert
.get_subject().commonName
6569 logger
.info("Server certificate CN=" + cn
)
6571 issuer
= OpenSSL
.crypto
.load_certificate(OpenSSL
.crypto
.FILETYPE_ASN1
,
6573 icn
= issuer
.get_subject().commonName
6574 logger
.info("Issuer certificate CN=" + icn
)
6576 if cn
!= "server.w1.fi":
6577 raise Exception("Unexpected server certificate CN: " + cn
)
6578 if icn
!= "Root CA":
6579 raise Exception("Unexpected server certificate issuer CN: " + icn
)
6581 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=0.1)
6583 raise Exception("Unexpected EAP-Success before external check result indication")
6585 dev
[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
6586 dev
[0].wait_connected()
6588 dev
[0].request("DISCONNECT")
6589 dev
[0].wait_disconnected()
6590 if "FAIL" in dev
[0].request("PMKSA_FLUSH"):
6591 raise Exception("PMKSA_FLUSH failed")
6592 dev
[0].request("SET blob fast_pac_auth_ext ")
6593 dev
[0].request("RECONNECT")
6595 ev
= dev
[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout
=10)
6597 raise Exception("No peer server certificate event seen (2)")
6598 id = ev
.split(':')[0].split('-')[-1]
6599 dev
[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
6600 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
6602 raise Exception("EAP-Failure not reported")
6603 dev
[0].request("REMOVE_NETWORK all")
6604 dev
[0].wait_disconnected()
6606 def test_eap_tls_errors(dev
, apdev
):
6607 """EAP-TLS error cases"""
6608 params
= int_eap_server_params()
6609 params
['fragment_size'] = '100'
6610 hostapd
.add_ap(apdev
[0], params
)
6611 with
alloc_fail(dev
[0], 1,
6612 "eap_peer_tls_reassemble_fragment"):
6613 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6614 identity
="tls user", ca_cert
="auth_serv/ca.pem",
6615 client_cert
="auth_serv/user.pem",
6616 private_key
="auth_serv/user.key",
6617 wait_connect
=False, scan_freq
="2412")
6618 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6619 dev
[0].request("REMOVE_NETWORK all")
6620 dev
[0].wait_disconnected()
6622 with
alloc_fail(dev
[0], 1, "eap_tls_init"):
6623 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6624 identity
="tls user", ca_cert
="auth_serv/ca.pem",
6625 client_cert
="auth_serv/user.pem",
6626 private_key
="auth_serv/user.key",
6627 wait_connect
=False, scan_freq
="2412")
6628 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6629 dev
[0].request("REMOVE_NETWORK all")
6630 dev
[0].wait_disconnected()
6632 with
alloc_fail(dev
[0], 1, "eap_peer_tls_ssl_init"):
6633 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6634 identity
="tls user", ca_cert
="auth_serv/ca.pem",
6635 client_cert
="auth_serv/user.pem",
6636 private_key
="auth_serv/user.key",
6638 wait_connect
=False, scan_freq
="2412")
6639 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6640 ev
= dev
[0].wait_event(["CTRL-REQ-PIN"], timeout
=5)
6642 raise Exception("No CTRL-REQ-PIN seen")
6643 dev
[0].request("REMOVE_NETWORK all")
6644 dev
[0].wait_disconnected()
6646 tests
= ["eap_peer_tls_derive_key;eap_tls_success",
6647 "eap_peer_tls_derive_session_id;eap_tls_success",
6650 "eap_tls_get_session_id"]
6652 with
alloc_fail(dev
[0], 1, func
):
6653 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6654 identity
="tls user@domain",
6655 ca_cert
="auth_serv/ca.pem",
6656 client_cert
="auth_serv/user.pem",
6657 private_key
="auth_serv/user.key",
6659 wait_connect
=False, scan_freq
="2412")
6660 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6661 dev
[0].request("REMOVE_NETWORK all")
6662 dev
[0].wait_disconnected()
6664 with
alloc_fail(dev
[0], 1, "eap_unauth_tls_init"):
6665 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="UNAUTH-TLS",
6666 identity
="unauth-tls", ca_cert
="auth_serv/ca.pem",
6667 wait_connect
=False, scan_freq
="2412")
6668 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6669 dev
[0].request("REMOVE_NETWORK all")
6670 dev
[0].wait_disconnected()
6672 with
alloc_fail(dev
[0], 1, "eap_peer_tls_ssl_init;eap_unauth_tls_init"):
6673 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="UNAUTH-TLS",
6674 identity
="unauth-tls", ca_cert
="auth_serv/ca.pem",
6675 wait_connect
=False, scan_freq
="2412")
6676 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6677 dev
[0].request("REMOVE_NETWORK all")
6678 dev
[0].wait_disconnected()
6680 with
alloc_fail(dev
[0], 1, "eap_wfa_unauth_tls_init"):
6681 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
6682 eap
="WFA-UNAUTH-TLS",
6683 identity
="osen@example.com", ca_cert
="auth_serv/ca.pem",
6684 wait_connect
=False, scan_freq
="2412")
6685 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6686 dev
[0].request("REMOVE_NETWORK all")
6687 dev
[0].wait_disconnected()
6689 with
alloc_fail(dev
[0], 1, "eap_peer_tls_ssl_init;eap_wfa_unauth_tls_init"):
6690 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
6691 eap
="WFA-UNAUTH-TLS",
6692 identity
="osen@example.com", ca_cert
="auth_serv/ca.pem",
6693 wait_connect
=False, scan_freq
="2412")
6694 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6695 dev
[0].request("REMOVE_NETWORK all")
6696 dev
[0].wait_disconnected()
6698 def test_ap_wpa2_eap_status(dev
, apdev
):
6699 """EAP state machine status information"""
6700 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6701 hostapd
.add_ap(apdev
[0], params
)
6702 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
6703 identity
="cert user",
6704 ca_cert
="auth_serv/ca.pem", phase2
="auth=TLS",
6705 ca_cert2
="auth_serv/ca.pem",
6706 client_cert2
="auth_serv/user.pem",
6707 private_key2
="auth_serv/user.key",
6708 scan_freq
="2412", wait_connect
=False)
6714 selected_methods
= []
6716 for i
in range(100000):
6717 if not connected
and i
% 10 == 9:
6718 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=0.0001)
6721 s
= dev
[0].get_status(extra
="VERBOSE")
6722 if 'EAP state' in s
:
6723 state
= s
['EAP state']
6725 if state
not in states
:
6726 states
.append(state
)
6727 if state
== "SUCCESS":
6730 if 'methodState' in s
:
6731 val
= s
['methodState']
6732 if val
not in method_states
:
6733 method_states
.append(val
)
6736 if val
not in decisions
:
6737 decisions
.append(val
)
6738 if 'reqMethod' in s
:
6739 val
= s
['reqMethod']
6740 if val
not in req_methods
:
6741 req_methods
.append(val
)
6742 if 'selectedMethod' in s
:
6743 val
= s
['selectedMethod']
6744 if val
not in selected_methods
:
6745 selected_methods
.append(val
)
6746 logger
.info("Iterations: %d" % i
)
6747 logger
.info("EAP states: " + str(states
))
6748 logger
.info("methodStates: " + str(method_states
))
6749 logger
.info("decisions: " + str(decisions
))
6750 logger
.info("reqMethods: " + str(req_methods
))
6751 logger
.info("selectedMethods: " + str(selected_methods
))
6753 raise Exception("EAP did not succeed")
6755 dev
[0].wait_connected()
6756 dev
[0].request("REMOVE_NETWORK all")
6757 dev
[0].wait_disconnected()
6759 def test_ap_wpa2_eap_gpsk_ptk_rekey_ap(dev
, apdev
):
6760 """WPA2-Enterprise with EAP-GPSK and PTK rekey enforced by AP"""
6761 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6762 params
['wpa_ptk_rekey'] = '2'
6763 hapd
= hostapd
.add_ap(apdev
[0], params
)
6764 id = eap_connect(dev
[0], hapd
, "GPSK", "gpsk user",
6765 password
="abcdefghijklmnop0123456789abcdef")
6766 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"])
6768 raise Exception("PTK rekey timed out")
6769 hwsim_utils
.test_connectivity(dev
[0], hapd
)
6771 def test_ap_wpa2_eap_wildcard_ssid(dev
, apdev
):
6772 """WPA2-Enterprise connection using EAP-GPSK and wildcard SSID"""
6773 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6774 hapd
= hostapd
.add_ap(apdev
[0], params
)
6775 dev
[0].connect(bssid
=apdev
[0]['bssid'], key_mgmt
="WPA-EAP", eap
="GPSK",
6776 identity
="gpsk user",
6777 password
="abcdefghijklmnop0123456789abcdef",
6780 def test_ap_wpa2_eap_psk_mac_addr_change(dev
, apdev
):
6781 """WPA2-Enterprise connection using EAP-PSK after MAC address change"""
6782 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6783 hapd
= hostapd
.add_ap(apdev
[0], params
)
6785 cmd
= subprocess
.Popen(['ps', '-eo', 'pid,command'], stdout
=subprocess
.PIPE
)
6786 res
= cmd
.stdout
.read().decode()
6789 for p
in res
.splitlines():
6790 if "wpa_supplicant" not in p
:
6792 if dev
[0].ifname
not in p
:
6794 pid
= int(p
.strip().split(' ')[0])
6796 logger
.info("Could not find wpa_supplicant PID")
6798 logger
.info("wpa_supplicant PID %d" % pid
)
6800 addr
= dev
[0].get_status_field("address")
6801 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'down'])
6802 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'address',
6803 '02:11:22:33:44:55'])
6804 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'up'])
6805 addr1
= dev
[0].get_status_field("address")
6806 if addr1
!= '02:11:22:33:44:55':
6807 raise Exception("Failed to change MAC address")
6809 # Scan using the externally set MAC address, stop the wpa_supplicant
6810 # process to avoid it from processing the ifdown event before the interface
6811 # is already UP, change the MAC address back, allow the wpa_supplicant
6812 # process to continue. This will result in the ifdown + ifup sequence of
6813 # RTM_NEWLINK events to be processed while the interface is already UP.
6815 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
6816 os
.kill(pid
, signal
.SIGSTOP
)
6819 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'down'])
6820 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'address',
6822 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'up'])
6824 os
.kill(pid
, signal
.SIGCONT
)
6826 eap_connect(dev
[0], hapd
, "PSK", "psk.user@example.com",
6827 password_hex
="0123456789abcdef0123456789abcdef")
6829 addr2
= dev
[0].get_status_field("address")
6831 raise Exception("Failed to restore MAC address")
def test_ap_wpa2_eap_server_get_id(dev, apdev):
    """Internal EAP server and dot1xAuthSessionUserName"""
    # hostapd's built-in EAP server authenticates the EAP-TLS client. The
    # identity recorded for the 802.1X session (dot1xAuthSessionUserName in
    # the STA MIB) must be the EAP identity used for the exchange,
    # "tls user" - this is the name that ends up in accounting/audit data.
    hapd = hostapd.add_ap(apdev[0], int_eap_server_params())
    eap_connect(dev[0], hapd, "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")

    sta = hapd.get_sta(dev[0].own_addr())
    try:
        user = sta['dot1xAuthSessionUserName']
    except KeyError:
        raise Exception("No dot1xAuthSessionUserName included") from None
    if user != "tls user":
        raise Exception("Unexpected dot1xAuthSessionUserName value: " + user)
def test_ap_wpa2_radius_server_get_id(dev, apdev):
    """External RADIUS server and dot1xAuthSessionUserName"""
    # Authentication is delegated to the external RADIUS server configured by
    # wpa2_eap_params(). The expected session user name, "real-user", matches
    # neither the outer (anonymous) identity "ttls" nor the inner identity
    # "test-user" the station sends, so it has to be supplied by the RADIUS
    # server - presumably via a User-Name attribute in the Access-Accept
    # (confirm against the test RADIUS server configuration). Security-wise
    # this is the desired property: the name logged for the session comes
    # from the AAA server, not from a client-chosen identity string.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "TTLS", "test-user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    sta = hapd.get_sta(dev[0].own_addr())
    try:
        user = sta['dot1xAuthSessionUserName']
    except KeyError:
        raise Exception("No dot1xAuthSessionUserName included") from None
    if user != "real-user":
        raise Exception("Unexpected dot1xAuthSessionUserName value: " + user)
6861 def test_openssl_systemwide_policy(dev
, apdev
, test_params
):
6862 """OpenSSL systemwide policy and overrides"""
6863 prefix
= "openssl_systemwide_policy"
6864 pidfile
= os
.path
.join(test_params
['logdir'], prefix
+ '.pid-wpas')
6866 with
HWSimRadio() as (radio
, iface
):
6867 run_openssl_systemwide_policy(iface
, apdev
, test_params
)
6869 if os
.path
.exists(pidfile
):
6870 with
open(pidfile
, 'r') as f
:
6871 pid
= int(f
.read().strip())
6872 os
.kill(pid
, signal
.SIGTERM
)
6874 def write_openssl_cnf(cnf
, MinProtocol
=None, CipherString
=None):
6875 with
open(cnf
, "w") as f
:
6876 f
.write("""openssl_conf = default_conf
6880 system_default = system_default_sect
6881 [system_default_sect]
6884 f
.write("MinProtocol = %s\n" % MinProtocol
)
6886 f
.write("CipherString = %s\n" % CipherString
)
6888 def run_openssl_systemwide_policy(iface
, apdev
, test_params
):
6889 prefix
= "openssl_systemwide_policy"
6890 logfile
= os
.path
.join(test_params
['logdir'], prefix
+ '.log-wpas')
6891 pidfile
= os
.path
.join(test_params
['logdir'], prefix
+ '.pid-wpas')
6892 conffile
= os
.path
.join(test_params
['logdir'], prefix
+ '.conf')
6893 openssl_cnf
= os
.path
.join(test_params
['logdir'], prefix
+ '.openssl.cnf')
6895 write_openssl_cnf(openssl_cnf
, "TLSv1.2", "DEFAULT@SECLEVEL=2")
6897 with
open(conffile
, 'w') as f
:
6898 f
.write("ctrl_interface=DIR=/var/run/wpa_supplicant\n")
6900 params
= int_eap_server_params()
6901 params
['tls_flags'] = "[DISABLE-TLSv1.1][DISABLE-TLSv1.2][DISABLE-TLSv1.3]"
6903 hapd
= hostapd
.add_ap(apdev
[0], params
)
6905 prg
= os
.path
.join(test_params
['logdir'],
6906 'alt-wpa_supplicant/wpa_supplicant/wpa_supplicant')
6907 if not os
.path
.exists(prg
):
6908 prg
= '../../wpa_supplicant/wpa_supplicant'
6909 arg
= [prg
, '-BddtK', '-P', pidfile
, '-f', logfile
,
6910 '-Dnl80211', '-c', conffile
, '-i', iface
]
6911 logger
.info("Start wpa_supplicant: " + str(arg
))
6912 subprocess
.call(arg
, env
={'OPENSSL_CONF': openssl_cnf
})
6913 wpas
= WpaSupplicant(ifname
=iface
)
6914 if "PONG" not in wpas
.request("PING"):
6915 raise Exception("Could not PING wpa_supplicant")
6916 tls
= wpas
.request("GET tls_library")
6917 if not tls
.startswith("OpenSSL"):
6918 raise HwsimSkip("Not using OpenSSL")
6920 # Use default configuration without any TLS version overrides. This should
6921 # end up using OpenSSL systemwide policy and result in failure to find a
6922 # compatible protocol version.
6923 ca_file
= os
.path
.join(os
.getcwd(), "auth_serv/ca.pem")
6924 id = wpas
.connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
6925 identity
="pap user", anonymous_identity
="ttls",
6926 password
="password", phase2
="auth=PAP",
6928 scan_freq
="2412", wait_connect
=False)
6929 ev
= wpas
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
6931 raise Exception("EAP not started")
6932 ev
= wpas
.wait_event(["CTRL-EVENT-EAP-STATUS status='local TLS alert'"],
6935 raise HwsimSkip("OpenSSL systemwide policy not supported")
6936 wpas
.request("DISCONNECT")
6937 wpas
.wait_disconnected()
6940 # Explicitly allow TLSv1.0 to be used to override OpenSSL systemwide policy
6941 wpas
.set_network_quoted(id, "openssl_ciphers", "DEFAULT@SECLEVEL=1")
6942 wpas
.set_network_quoted(id, "phase1", "tls_disable_tlsv1_0=0")
6943 wpas
.select_network(id, freq
="2412")
6944 wpas
.wait_connected()
6946 wpas
.request("TERMINATE")
6948 def test_ap_wpa2_eap_tls_tod(dev
, apdev
):
6949 """EAP-TLS server certificate validation and TOD"""
6950 params
= int_eap_server_params()
6951 params
["server_cert"] = "auth_serv/server-certpol.pem"
6952 params
["private_key"] = "auth_serv/server-certpol.key"
6953 hapd
= hostapd
.add_ap(apdev
[0], params
)
6955 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
6956 eap
="TLS", identity
="tls user",
6957 wait_connect
=False, scan_freq
="2412",
6958 ca_cert
="auth_serv/ca.pem",
6959 client_cert
="auth_serv/user.pem",
6960 private_key
="auth_serv/user.key")
6963 while tod0
is None or tod1
is None:
6964 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT"], timeout
=10)
6966 raise Exception("Peer certificate not reported")
6967 if "depth=1 " in ev
and "hash=" in ev
:
6968 tod1
= " tod=1" in ev
6969 if "depth=0 " in ev
and "hash=" in ev
:
6970 tod0
= " tod=1" in ev
6971 dev
[0].wait_connected()
6973 raise Exception("TOD policy not reported for server certificate")
6975 raise Exception("TOD policy unexpectedly reported for CA certificate")