]> git.ipfire.org Git - thirdparty/hostap.git/blob - tests/hwsim/test_ap_eap.py
projects / thirdparty / hostap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
tests: Ignore openssl_cipher_suite_config_hapd failure (OpenSSL 1.1.1)
[thirdparty/hostap.git] / tests / hwsim / test_ap_eap.py
1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
4 #
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
7
8 import base64
9 import binascii
10 import time
11 import subprocess
12 import logging
13 logger = logging.getLogger()
14 import os
15 import signal
16 import socket
17 import SocketServer
18 import struct
19 import tempfile
20
21 import hwsim_utils
22 import hostapd
23 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips, wait_fail_trigger
24 from wpasupplicant import WpaSupplicant
25 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations, set_test_assoc_ie
26
27 try:
28 import OpenSSL
29 openssl_imported = True
30 except ImportError:
31 openssl_imported = False
32
33 def check_hlr_auc_gw_support():
34 if not os.path.exists("/tmp/hlr_auc_gw.sock"):
35 raise HwsimSkip("No hlr_auc_gw available")
36
37 def check_eap_capa(dev, method):
38 res = dev.get_capability("eap")
39 if method not in res:
40 raise HwsimSkip("EAP method %s not supported in the build" % method)
41
42 def check_subject_match_support(dev):
43 tls = dev.request("GET tls_library")
44 if not tls.startswith("OpenSSL") and not tls.startswith("wolfSSL"):
45 raise HwsimSkip("subject_match not supported with this TLS library: " + tls)
46
47 def check_altsubject_match_support(dev):
48 tls = dev.request("GET tls_library")
49 if not tls.startswith("OpenSSL") and not tls.startswith("wolfSSL"):
50 raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls)
51
52 def check_domain_match(dev):
53 tls = dev.request("GET tls_library")
54 if tls.startswith("internal"):
55 raise HwsimSkip("domain_match not supported with this TLS library: " + tls)
56
57 def check_domain_suffix_match(dev):
58 tls = dev.request("GET tls_library")
59 if tls.startswith("internal"):
60 raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + tls)
61
62 def check_domain_match_full(dev):
63 tls = dev.request("GET tls_library")
64 if not tls.startswith("OpenSSL") and not tls.startswith("wolfSSL"):
65 raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls)
66
67 def check_cert_probe_support(dev):
68 tls = dev.request("GET tls_library")
69 if not tls.startswith("OpenSSL") and not tls.startswith("internal"):
70 raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls)
71
72 def check_ext_cert_check_support(dev):
73 tls = dev.request("GET tls_library")
74 if not tls.startswith("OpenSSL"):
75 raise HwsimSkip("ext_cert_check not supported with this TLS library: " + tls)
76
77 def check_ocsp_support(dev):
78 tls = dev.request("GET tls_library")
79 #if tls.startswith("internal"):
80 # raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
81 #if "BoringSSL" in tls:
82 # raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
83
84 def check_pkcs5_v15_support(dev):
85 tls = dev.request("GET tls_library")
86 if "BoringSSL" in tls or "GnuTLS" in tls:
87 raise HwsimSkip("PKCS#5 v1.5 not supported with this TLS library: " + tls)
88
89 def check_ocsp_multi_support(dev):
90 tls = dev.request("GET tls_library")
91 if not tls.startswith("internal"):
92 raise HwsimSkip("OCSP-multi not supported with this TLS library: " + tls)
93 as_hapd = hostapd.Hostapd("as")
94 res = as_hapd.request("GET tls_library")
95 del as_hapd
96 if not res.startswith("internal"):
97 raise HwsimSkip("Authentication server does not support ocsp_multi")
98
99 def check_pkcs12_support(dev):
100 tls = dev.request("GET tls_library")
101 #if tls.startswith("internal"):
102 # raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls)
103 if tls.startswith("wolfSSL"):
104 raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls)
105
106 def check_dh_dsa_support(dev):
107 tls = dev.request("GET tls_library")
108 if tls.startswith("internal"):
109 raise HwsimSkip("DH DSA not supported with this TLS library: " + tls)
110
111 def read_pem(fname):
112 with open(fname, "r") as f:
113 lines = f.readlines()
114 copy = False
115 cert = ""
116 for l in lines:
117 if "-----END" in l:
118 break
119 if copy:
120 cert = cert + l
121 if "-----BEGIN" in l:
122 copy = True
123 return base64.b64decode(cert)
124
125 def eap_connect(dev, hapd, method, identity,
126 sha256=False, expect_failure=False, local_error_report=False,
127 maybe_local_error=False, report_failure=False, **kwargs):
128 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
129 eap=method, identity=identity,
130 wait_connect=False, scan_freq="2412", ieee80211w="1",
131 **kwargs)
132 eap_check_auth(dev, method, True, sha256=sha256,
133 expect_failure=expect_failure,
134 local_error_report=local_error_report,
135 maybe_local_error=maybe_local_error,
136 report_failure=report_failure)
137 if expect_failure:
138 return id
139 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
140 if ev is None:
141 raise Exception("No connection event received from hostapd")
142 return id
143
144 def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
145 expect_failure=False, local_error_report=False,
146 maybe_local_error=False, report_failure=False):
147 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
148 if ev is None:
149 raise Exception("Association and EAP start timed out")
150 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD",
151 "CTRL-EVENT-EAP-FAILURE"], timeout=10)
152 if ev is None:
153 raise Exception("EAP method selection timed out")
154 if "CTRL-EVENT-EAP-FAILURE" in ev:
155 if maybe_local_error:
156 return
157 raise Exception("Could not select EAP method")
158 if method not in ev:
159 raise Exception("Unexpected EAP method")
160 if expect_failure:
161 ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
162 if ev is None:
163 raise Exception("EAP failure timed out")
164 ev = dev.wait_disconnected(timeout=10)
165 if maybe_local_error and "locally_generated=1" in ev:
166 return
167 if not local_error_report:
168 if "reason=23" not in ev:
169 raise Exception("Proper reason code for disconnection not reported")
170 return
171 if report_failure:
172 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
173 "CTRL-EVENT-EAP-FAILURE"], timeout=10)
174 if ev is None:
175 raise Exception("EAP success timed out")
176 if "CTRL-EVENT-EAP-SUCCESS" not in ev:
177 raise Exception("EAP failed")
178 else:
179 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
180 if ev is None:
181 raise Exception("EAP success timed out")
182
183 if initial:
184 ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
185 else:
186 ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
187 if ev is None:
188 raise Exception("Association with the AP timed out")
189 status = dev.get_status()
190 if status["wpa_state"] != "COMPLETED":
191 raise Exception("Connection not completed")
192
193 if status["suppPortStatus"] != "Authorized":
194 raise Exception("Port not authorized")
195 if "selectedMethod" not in status:
196 logger.info("Status: " + str(status))
197 raise Exception("No selectedMethod in status")
198 if method not in status["selectedMethod"]:
199 raise Exception("Incorrect EAP method status")
200 if sha256:
201 e = "WPA2-EAP-SHA256"
202 elif rsn:
203 e = "WPA2/IEEE 802.1X/EAP"
204 else:
205 e = "WPA/IEEE 802.1X/EAP"
206 if status["key_mgmt"] != e:
207 raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
208 return status
209
210 def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
211 dev.request("REAUTHENTICATE")
212 return eap_check_auth(dev, method, False, rsn=rsn, sha256=sha256,
213 expect_failure=expect_failure)
214
215 def test_ap_wpa2_eap_sim(dev, apdev):
216 """WPA2-Enterprise connection using EAP-SIM"""
217 check_hlr_auc_gw_support()
218 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
219 hapd = hostapd.add_ap(apdev[0], params)
220 eap_connect(dev[0], hapd, "SIM", "1232010000000000",
221 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
222 hwsim_utils.test_connectivity(dev[0], hapd)
223 eap_reauth(dev[0], "SIM")
224
225 eap_connect(dev[1], hapd, "SIM", "1232010000000001",
226 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
227 eap_connect(dev[2], hapd, "SIM", "1232010000000002",
228 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
229 expect_failure=True)
230
231 logger.info("Negative test with incorrect key")
232 dev[0].request("REMOVE_NETWORK all")
233 eap_connect(dev[0], hapd, "SIM", "1232010000000000",
234 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
235 expect_failure=True)
236
237 logger.info("Invalid GSM-Milenage key")
238 dev[0].request("REMOVE_NETWORK all")
239 eap_connect(dev[0], hapd, "SIM", "1232010000000000",
240 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
241 expect_failure=True)
242
243 logger.info("Invalid GSM-Milenage key(2)")
244 dev[0].request("REMOVE_NETWORK all")
245 eap_connect(dev[0], hapd, "SIM", "1232010000000000",
246 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
247 expect_failure=True)
248
249 logger.info("Invalid GSM-Milenage key(3)")
250 dev[0].request("REMOVE_NETWORK all")
251 eap_connect(dev[0], hapd, "SIM", "1232010000000000",
252 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
253 expect_failure=True)
254
255 logger.info("Invalid GSM-Milenage key(4)")
256 dev[0].request("REMOVE_NETWORK all")
257 eap_connect(dev[0], hapd, "SIM", "1232010000000000",
258 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
259 expect_failure=True)
260
261 logger.info("Missing key configuration")
262 dev[0].request("REMOVE_NETWORK all")
263 eap_connect(dev[0], hapd, "SIM", "1232010000000000",
264 expect_failure=True)
265
266 def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
267 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
268 check_hlr_auc_gw_support()
269 try:
270 import sqlite3
271 except ImportError:
272 raise HwsimSkip("No sqlite3 module available")
273 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
274 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
275 params['auth_server_port'] = "1814"
276 hapd = hostapd.add_ap(apdev[0], params)
277 eap_connect(dev[0], hapd, "SIM", "1232010000000000",
278 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
279
280 logger.info("SIM fast re-authentication")
281 eap_reauth(dev[0], "SIM")
282
283 logger.info("SIM full auth with pseudonym")
284 with con:
285 cur = con.cursor()
286 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
287 eap_reauth(dev[0], "SIM")
288
289 logger.info("SIM full auth with permanent identity")
290 with con:
291 cur = con.cursor()
292 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
293 cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
294 eap_reauth(dev[0], "SIM")
295
296 logger.info("SIM reauth with mismatching MK")
297 with con:
298 cur = con.cursor()
299 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
300 eap_reauth(dev[0], "SIM", expect_failure=True)
301 dev[0].request("REMOVE_NETWORK all")
302
303 eap_connect(dev[0], hapd, "SIM", "1232010000000000",
304 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
305 with con:
306 cur = con.cursor()
307 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
308 eap_reauth(dev[0], "SIM")
309 with con:
310 cur = con.cursor()
311 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
312 logger.info("SIM reauth with mismatching counter")
313 eap_reauth(dev[0], "SIM")
314 dev[0].request("REMOVE_NETWORK all")
315
316 eap_connect(dev[0], hapd, "SIM", "1232010000000000",
317 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
318 with con:
319 cur = con.cursor()
320 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
321 logger.info("SIM reauth with max reauth count reached")
322 eap_reauth(dev[0], "SIM")
323
324 def test_ap_wpa2_eap_sim_config(dev, apdev):
325 """EAP-SIM configuration options"""
326 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
327 hapd = hostapd.add_ap(apdev[0], params)
328 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
329 identity="1232010000000000",
330 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
331 phase1="sim_min_num_chal=1",
332 wait_connect=False, scan_freq="2412")
333 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
334 if ev is None:
335 raise Exception("No EAP error message seen")
336 dev[0].request("REMOVE_NETWORK all")
337
338 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
339 identity="1232010000000000",
340 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
341 phase1="sim_min_num_chal=4",
342 wait_connect=False, scan_freq="2412")
343 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
344 if ev is None:
345 raise Exception("No EAP error message seen (2)")
346 dev[0].request("REMOVE_NETWORK all")
347
348 eap_connect(dev[0], hapd, "SIM", "1232010000000000",
349 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
350 phase1="sim_min_num_chal=2")
351 eap_connect(dev[1], hapd, "SIM", "1232010000000000",
352 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
353 anonymous_identity="345678")
354
355 def test_ap_wpa2_eap_sim_ext(dev, apdev):
356 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
357 try:
358 _test_ap_wpa2_eap_sim_ext(dev, apdev)
359 finally:
360 dev[0].request("SET external_sim 0")
361
362 def _test_ap_wpa2_eap_sim_ext(dev, apdev):
363 check_hlr_auc_gw_support()
364 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
365 hostapd.add_ap(apdev[0], params)
366 dev[0].request("SET external_sim 1")
367 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
368 identity="1232010000000000",
369 wait_connect=False, scan_freq="2412")
370 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
371 if ev is None:
372 raise Exception("Network connected timed out")
373
374 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
375 if ev is None:
376 raise Exception("Wait for external SIM processing request timed out")
377 p = ev.split(':', 2)
378 if p[1] != "GSM-AUTH":
379 raise Exception("Unexpected CTRL-REQ-SIM type")
380 rid = p[0].split('-')[3]
381
382 # IK:CK:RES
383 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
384 # This will fail during processing, but the ctrl_iface command succeeds
385 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
386 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
387 if ev is None:
388 raise Exception("EAP failure not reported")
389 dev[0].request("DISCONNECT")
390 dev[0].wait_disconnected()
391 time.sleep(0.1)
392
393 dev[0].select_network(id, freq="2412")
394 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
395 if ev is None:
396 raise Exception("Wait for external SIM processing request timed out")
397 p = ev.split(':', 2)
398 if p[1] != "GSM-AUTH":
399 raise Exception("Unexpected CTRL-REQ-SIM type")
400 rid = p[0].split('-')[3]
401 # This will fail during GSM auth validation
402 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
403 raise Exception("CTRL-RSP-SIM failed")
404 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
405 if ev is None:
406 raise Exception("EAP failure not reported")
407 dev[0].request("DISCONNECT")
408 dev[0].wait_disconnected()
409 time.sleep(0.1)
410
411 dev[0].select_network(id, freq="2412")
412 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
413 if ev is None:
414 raise Exception("Wait for external SIM processing request timed out")
415 p = ev.split(':', 2)
416 if p[1] != "GSM-AUTH":
417 raise Exception("Unexpected CTRL-REQ-SIM type")
418 rid = p[0].split('-')[3]
419 # This will fail during GSM auth validation
420 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
421 raise Exception("CTRL-RSP-SIM failed")
422 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
423 if ev is None:
424 raise Exception("EAP failure not reported")
425 dev[0].request("DISCONNECT")
426 dev[0].wait_disconnected()
427 time.sleep(0.1)
428
429 dev[0].select_network(id, freq="2412")
430 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
431 if ev is None:
432 raise Exception("Wait for external SIM processing request timed out")
433 p = ev.split(':', 2)
434 if p[1] != "GSM-AUTH":
435 raise Exception("Unexpected CTRL-REQ-SIM type")
436 rid = p[0].split('-')[3]
437 # This will fail during GSM auth validation
438 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
439 raise Exception("CTRL-RSP-SIM failed")
440 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
441 if ev is None:
442 raise Exception("EAP failure not reported")
443 dev[0].request("DISCONNECT")
444 dev[0].wait_disconnected()
445 time.sleep(0.1)
446
447 dev[0].select_network(id, freq="2412")
448 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
449 if ev is None:
450 raise Exception("Wait for external SIM processing request timed out")
451 p = ev.split(':', 2)
452 if p[1] != "GSM-AUTH":
453 raise Exception("Unexpected CTRL-REQ-SIM type")
454 rid = p[0].split('-')[3]
455 # This will fail during GSM auth validation
456 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
457 raise Exception("CTRL-RSP-SIM failed")
458 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
459 if ev is None:
460 raise Exception("EAP failure not reported")
461 dev[0].request("DISCONNECT")
462 dev[0].wait_disconnected()
463 time.sleep(0.1)
464
465 dev[0].select_network(id, freq="2412")
466 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
467 if ev is None:
468 raise Exception("Wait for external SIM processing request timed out")
469 p = ev.split(':', 2)
470 if p[1] != "GSM-AUTH":
471 raise Exception("Unexpected CTRL-REQ-SIM type")
472 rid = p[0].split('-')[3]
473 # This will fail during GSM auth validation
474 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
475 raise Exception("CTRL-RSP-SIM failed")
476 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
477 if ev is None:
478 raise Exception("EAP failure not reported")
479 dev[0].request("DISCONNECT")
480 dev[0].wait_disconnected()
481 time.sleep(0.1)
482
483 dev[0].select_network(id, freq="2412")
484 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
485 if ev is None:
486 raise Exception("Wait for external SIM processing request timed out")
487 p = ev.split(':', 2)
488 if p[1] != "GSM-AUTH":
489 raise Exception("Unexpected CTRL-REQ-SIM type")
490 rid = p[0].split('-')[3]
491 # This will fail during GSM auth validation
492 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
493 raise Exception("CTRL-RSP-SIM failed")
494 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
495 if ev is None:
496 raise Exception("EAP failure not reported")
497
498 def test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
499 """EAP-SIM with external GSM auth and replacing SIM without clearing pseudonym id"""
500 try:
501 _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev)
502 finally:
503 dev[0].request("SET external_sim 0")
504
505 def _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
506 check_hlr_auc_gw_support()
507 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
508 hostapd.add_ap(apdev[0], params)
509 dev[0].request("SET external_sim 1")
510 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
511 identity="1232010000000000",
512 wait_connect=False, scan_freq="2412")
513
514 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
515 if ev is None:
516 raise Exception("Wait for external SIM processing request timed out")
517 p = ev.split(':', 2)
518 if p[1] != "GSM-AUTH":
519 raise Exception("Unexpected CTRL-REQ-SIM type")
520 rid = p[0].split('-')[3]
521 rand = p[2].split(' ')[0]
522
523 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
524 "-m",
525 "auth_serv/hlr_auc_gw.milenage_db",
526 "GSM-AUTH-REQ 232010000000000 " + rand])
527 if "GSM-AUTH-RESP" not in res:
528 raise Exception("Unexpected hlr_auc_gw response")
529 resp = res.split(' ')[2].rstrip()
530
531 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
532 dev[0].wait_connected(timeout=15)
533 dev[0].request("DISCONNECT")
534 dev[0].wait_disconnected()
535
536 # Replace SIM, but forget to drop the previous pseudonym identity
537 dev[0].set_network_quoted(id, "identity", "1232010000000009")
538 dev[0].select_network(id, freq="2412")
539
540 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
541 if ev is None:
542 raise Exception("Wait for external SIM processing request timed out")
543 p = ev.split(':', 2)
544 if p[1] != "GSM-AUTH":
545 raise Exception("Unexpected CTRL-REQ-SIM type")
546 rid = p[0].split('-')[3]
547 rand = p[2].split(' ')[0]
548
549 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
550 "-m",
551 "auth_serv/hlr_auc_gw.milenage_db",
552 "GSM-AUTH-REQ 232010000000009 " + rand])
553 if "GSM-AUTH-RESP" not in res:
554 raise Exception("Unexpected hlr_auc_gw response")
555 resp = res.split(' ')[2].rstrip()
556
557 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
558 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
559 if ev is None:
560 raise Exception("EAP-Failure not reported")
561 dev[0].request("DISCONNECT")
562 dev[0].wait_disconnected()
563
564 def test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
565 """EAP-SIM with external GSM auth and replacing SIM and clearing pseudonym identity"""
566 try:
567 _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev)
568 finally:
569 dev[0].request("SET external_sim 0")
570
571 def _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
572 check_hlr_auc_gw_support()
573 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
574 hostapd.add_ap(apdev[0], params)
575 dev[0].request("SET external_sim 1")
576 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
577 identity="1232010000000000",
578 wait_connect=False, scan_freq="2412")
579
580 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
581 if ev is None:
582 raise Exception("Wait for external SIM processing request timed out")
583 p = ev.split(':', 2)
584 if p[1] != "GSM-AUTH":
585 raise Exception("Unexpected CTRL-REQ-SIM type")
586 rid = p[0].split('-')[3]
587 rand = p[2].split(' ')[0]
588
589 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
590 "-m",
591 "auth_serv/hlr_auc_gw.milenage_db",
592 "GSM-AUTH-REQ 232010000000000 " + rand])
593 if "GSM-AUTH-RESP" not in res:
594 raise Exception("Unexpected hlr_auc_gw response")
595 resp = res.split(' ')[2].rstrip()
596
597 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
598 dev[0].wait_connected(timeout=15)
599 dev[0].request("DISCONNECT")
600 dev[0].wait_disconnected()
601
602 # Replace SIM and drop the previous pseudonym identity
603 dev[0].set_network_quoted(id, "identity", "1232010000000009")
604 dev[0].set_network(id, "anonymous_identity", "NULL")
605 dev[0].select_network(id, freq="2412")
606
607 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
608 if ev is None:
609 raise Exception("Wait for external SIM processing request timed out")
610 p = ev.split(':', 2)
611 if p[1] != "GSM-AUTH":
612 raise Exception("Unexpected CTRL-REQ-SIM type")
613 rid = p[0].split('-')[3]
614 rand = p[2].split(' ')[0]
615
616 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
617 "-m",
618 "auth_serv/hlr_auc_gw.milenage_db",
619 "GSM-AUTH-REQ 232010000000009 " + rand])
620 if "GSM-AUTH-RESP" not in res:
621 raise Exception("Unexpected hlr_auc_gw response")
622 resp = res.split(' ')[2].rstrip()
623
624 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
625 dev[0].wait_connected()
626 dev[0].request("DISCONNECT")
627 dev[0].wait_disconnected()
628
629 def test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
630 """EAP-SIM with external GSM auth, replacing SIM, and no identity in config"""
631 try:
632 _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev)
633 finally:
634 dev[0].request("SET external_sim 0")
635
636 def _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
637 check_hlr_auc_gw_support()
638 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
639 hostapd.add_ap(apdev[0], params)
640 dev[0].request("SET external_sim 1")
641 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
642 wait_connect=False, scan_freq="2412")
643
644 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
645 if ev is None:
646 raise Exception("Request for identity timed out")
647 rid = ev.split(':')[0].split('-')[-1]
648 dev[0].request("CTRL-RSP-IDENTITY-" + rid + ":1232010000000000")
649
650 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
651 if ev is None:
652 raise Exception("Wait for external SIM processing request timed out")
653 p = ev.split(':', 2)
654 if p[1] != "GSM-AUTH":
655 raise Exception("Unexpected CTRL-REQ-SIM type")
656 rid = p[0].split('-')[3]
657 rand = p[2].split(' ')[0]
658
659 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
660 "-m",
661 "auth_serv/hlr_auc_gw.milenage_db",
662 "GSM-AUTH-REQ 232010000000000 " + rand])
663 if "GSM-AUTH-RESP" not in res:
664 raise Exception("Unexpected hlr_auc_gw response")
665 resp = res.split(' ')[2].rstrip()
666
667 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
668 dev[0].wait_connected(timeout=15)
669 dev[0].request("DISCONNECT")
670 dev[0].wait_disconnected()
671
672 # Replace SIM and drop the previous permanent and pseudonym identities
673 dev[0].set_network(id, "identity", "NULL")
674 dev[0].set_network(id, "anonymous_identity", "NULL")
675 dev[0].select_network(id, freq="2412")
676
677 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
678 if ev is None:
679 raise Exception("Request for identity timed out")
680 rid = ev.split(':')[0].split('-')[-1]
681 dev[0].request("CTRL-RSP-IDENTITY-" + rid + ":1232010000000009")
682
683 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
684 if ev is None:
685 raise Exception("Wait for external SIM processing request timed out")
686 p = ev.split(':', 2)
687 if p[1] != "GSM-AUTH":
688 raise Exception("Unexpected CTRL-REQ-SIM type")
689 rid = p[0].split('-')[3]
690 rand = p[2].split(' ')[0]
691
692 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
693 "-m",
694 "auth_serv/hlr_auc_gw.milenage_db",
695 "GSM-AUTH-REQ 232010000000009 " + rand])
696 if "GSM-AUTH-RESP" not in res:
697 raise Exception("Unexpected hlr_auc_gw response")
698 resp = res.split(' ')[2].rstrip()
699
700 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
701 dev[0].wait_connected()
702 dev[0].request("DISCONNECT")
703 dev[0].wait_disconnected()
704
705 def test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
706 """EAP-SIM with external GSM auth and auth failing"""
707 try:
708 _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev)
709 finally:
710 dev[0].request("SET external_sim 0")
711
712 def _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
713 check_hlr_auc_gw_support()
714 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
715 hostapd.add_ap(apdev[0], params)
716 dev[0].request("SET external_sim 1")
717 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
718 identity="1232010000000000",
719 wait_connect=False, scan_freq="2412")
720
721 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
722 if ev is None:
723 raise Exception("Wait for external SIM processing request timed out")
724 p = ev.split(':', 2)
725 rid = p[0].split('-')[3]
726 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-FAIL")
727 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
728 if ev is None:
729 raise Exception("EAP failure not reported")
730 dev[0].request("REMOVE_NETWORK all")
731 dev[0].wait_disconnected()
732
733 def test_ap_wpa2_eap_sim_change_bssid(dev, apdev):
734 """EAP-SIM and external GSM auth to check fast reauth with bssid change"""
735 try:
736 _test_ap_wpa2_eap_sim_change_bssid(dev, apdev)
737 finally:
738 dev[0].request("SET external_sim 0")
739
740 def _test_ap_wpa2_eap_sim_change_bssid(dev, apdev):
741 check_hlr_auc_gw_support()
742 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
743 hostapd.add_ap(apdev[0], params)
744 dev[0].request("SET external_sim 1")
745 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
746 identity="1232010000000000",
747 wait_connect=False, scan_freq="2412")
748
749 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
750 if ev is None:
751 raise Exception("Wait for external SIM processing request timed out")
752 p = ev.split(':', 2)
753 if p[1] != "GSM-AUTH":
754 raise Exception("Unexpected CTRL-REQ-SIM type")
755 rid = p[0].split('-')[3]
756 rand = p[2].split(' ')[0]
757
758 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
759 "-m",
760 "auth_serv/hlr_auc_gw.milenage_db",
761 "GSM-AUTH-REQ 232010000000000 " + rand])
762 if "GSM-AUTH-RESP" not in res:
763 raise Exception("Unexpected hlr_auc_gw response")
764 resp = res.split(' ')[2].rstrip()
765
766 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
767 dev[0].wait_connected(timeout=15)
768
769 # Verify that EAP-SIM Reauthentication can be used after a profile change
770 # that does not affect EAP parameters.
771 dev[0].set_network(id, "bssid", "any")
772 eap_reauth(dev[0], "SIM")
773
774 def test_ap_wpa2_eap_sim_no_change_set(dev, apdev):
775 """EAP-SIM and external GSM auth to check fast reauth with no-change SET_NETWORK"""
776 try:
777 _test_ap_wpa2_eap_sim_no_change_set(dev, apdev)
778 finally:
779 dev[0].request("SET external_sim 0")
780
781 def _test_ap_wpa2_eap_sim_no_change_set(dev, apdev):
782 check_hlr_auc_gw_support()
783 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
784 hostapd.add_ap(apdev[0], params)
785 dev[0].request("SET external_sim 1")
786 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
787 identity="1232010000000000",
788 wait_connect=False, scan_freq="2412")
789
790 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
791 if ev is None:
792 raise Exception("Wait for external SIM processing request timed out")
793 p = ev.split(':', 2)
794 if p[1] != "GSM-AUTH":
795 raise Exception("Unexpected CTRL-REQ-SIM type")
796 rid = p[0].split('-')[3]
797 rand = p[2].split(' ')[0]
798
799 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
800 "-m",
801 "auth_serv/hlr_auc_gw.milenage_db",
802 "GSM-AUTH-REQ 232010000000000 " + rand])
803 if "GSM-AUTH-RESP" not in res:
804 raise Exception("Unexpected hlr_auc_gw response")
805 resp = res.split(' ')[2].rstrip()
806
807 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
808 dev[0].wait_connected(timeout=15)
809
810 # Verify that EAP-SIM Reauthentication can be used after network profile
811 # SET_NETWORK commands that do not actually change previously set
812 # parameter values.
813 dev[0].set_network(id, "key_mgmt", "WPA-EAP")
814 dev[0].set_network(id, "eap", "SIM")
815 dev[0].set_network_quoted(id, "identity", "1232010000000000")
816 dev[0].set_network_quoted(id, "ssid", "test-wpa2-eap")
817 eap_reauth(dev[0], "SIM")
818
819 def test_ap_wpa2_eap_sim_oom(dev, apdev):
820 """EAP-SIM and OOM"""
821 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
822 hostapd.add_ap(apdev[0], params)
823 tests = [ (1, "milenage_f2345"),
824 (2, "milenage_f2345"),
825 (3, "milenage_f2345"),
826 (4, "milenage_f2345"),
827 (5, "milenage_f2345"),
828 (6, "milenage_f2345"),
829 (7, "milenage_f2345"),
830 (8, "milenage_f2345"),
831 (9, "milenage_f2345"),
832 (10, "milenage_f2345"),
833 (11, "milenage_f2345"),
834 (12, "milenage_f2345") ]
835 for count, func in tests:
836 with fail_test(dev[0], count, func):
837 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
838 identity="1232010000000000",
839 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
840 wait_connect=False, scan_freq="2412")
841 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
842 if ev is None:
843 raise Exception("EAP method not selected")
844 dev[0].wait_disconnected()
845 dev[0].request("REMOVE_NETWORK all")
846
847 def test_ap_wpa2_eap_aka(dev, apdev):
848 """WPA2-Enterprise connection using EAP-AKA"""
849 check_hlr_auc_gw_support()
850 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
851 hapd = hostapd.add_ap(apdev[0], params)
852 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
853 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
854 hwsim_utils.test_connectivity(dev[0], hapd)
855 eap_reauth(dev[0], "AKA")
856
857 logger.info("Negative test with incorrect key")
858 dev[0].request("REMOVE_NETWORK all")
859 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
860 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
861 expect_failure=True)
862
863 logger.info("Invalid Milenage key")
864 dev[0].request("REMOVE_NETWORK all")
865 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
866 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
867 expect_failure=True)
868
869 logger.info("Invalid Milenage key(2)")
870 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
871 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
872 expect_failure=True)
873
874 logger.info("Invalid Milenage key(3)")
875 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
876 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
877 expect_failure=True)
878
879 logger.info("Invalid Milenage key(4)")
880 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
881 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
882 expect_failure=True)
883
884 logger.info("Invalid Milenage key(5)")
885 dev[0].request("REMOVE_NETWORK all")
886 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
887 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
888 expect_failure=True)
889
890 logger.info("Invalid Milenage key(6)")
891 dev[0].request("REMOVE_NETWORK all")
892 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
893 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
894 expect_failure=True)
895
896 logger.info("Missing key configuration")
897 dev[0].request("REMOVE_NETWORK all")
898 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
899 expect_failure=True)
900
901 def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
902 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
903 check_hlr_auc_gw_support()
904 try:
905 import sqlite3
906 except ImportError:
907 raise HwsimSkip("No sqlite3 module available")
908 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
909 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
910 params['auth_server_port'] = "1814"
911 hapd = hostapd.add_ap(apdev[0], params)
912 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
913 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
914
915 logger.info("AKA fast re-authentication")
916 eap_reauth(dev[0], "AKA")
917
918 logger.info("AKA full auth with pseudonym")
919 with con:
920 cur = con.cursor()
921 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
922 eap_reauth(dev[0], "AKA")
923
924 logger.info("AKA full auth with permanent identity")
925 with con:
926 cur = con.cursor()
927 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
928 cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
929 eap_reauth(dev[0], "AKA")
930
931 logger.info("AKA reauth with mismatching MK")
932 with con:
933 cur = con.cursor()
934 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
935 eap_reauth(dev[0], "AKA", expect_failure=True)
936 dev[0].request("REMOVE_NETWORK all")
937
938 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
939 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
940 with con:
941 cur = con.cursor()
942 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
943 eap_reauth(dev[0], "AKA")
944 with con:
945 cur = con.cursor()
946 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
947 logger.info("AKA reauth with mismatching counter")
948 eap_reauth(dev[0], "AKA")
949 dev[0].request("REMOVE_NETWORK all")
950
951 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
952 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
953 with con:
954 cur = con.cursor()
955 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
956 logger.info("AKA reauth with max reauth count reached")
957 eap_reauth(dev[0], "AKA")
958
959 def test_ap_wpa2_eap_aka_config(dev, apdev):
960 """EAP-AKA configuration options"""
961 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
962 hapd = hostapd.add_ap(apdev[0], params)
963 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
964 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
965 anonymous_identity="2345678")
966
967 def test_ap_wpa2_eap_aka_ext(dev, apdev):
968 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
969 try:
970 _test_ap_wpa2_eap_aka_ext(dev, apdev)
971 finally:
972 dev[0].request("SET external_sim 0")
973
974 def _test_ap_wpa2_eap_aka_ext(dev, apdev):
975 check_hlr_auc_gw_support()
976 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
977 hostapd.add_ap(apdev[0], params)
978 dev[0].request("SET external_sim 1")
979 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
980 identity="0232010000000000",
981 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
982 wait_connect=False, scan_freq="2412")
983 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
984 if ev is None:
985 raise Exception("Network connected timed out")
986
987 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
988 if ev is None:
989 raise Exception("Wait for external SIM processing request timed out")
990 p = ev.split(':', 2)
991 if p[1] != "UMTS-AUTH":
992 raise Exception("Unexpected CTRL-REQ-SIM type")
993 rid = p[0].split('-')[3]
994
995 # IK:CK:RES
996 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
997 # This will fail during processing, but the ctrl_iface command succeeds
998 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
999 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
1000 if ev is None:
1001 raise Exception("EAP failure not reported")
1002 dev[0].request("DISCONNECT")
1003 dev[0].wait_disconnected()
1004 time.sleep(0.1)
1005 dev[0].dump_monitor()
1006
1007 dev[0].select_network(id, freq="2412")
1008 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
1009 if ev is None:
1010 raise Exception("Wait for external SIM processing request timed out")
1011 p = ev.split(':', 2)
1012 if p[1] != "UMTS-AUTH":
1013 raise Exception("Unexpected CTRL-REQ-SIM type")
1014 rid = p[0].split('-')[3]
1015 # This will fail during UMTS auth validation
1016 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
1017 raise Exception("CTRL-RSP-SIM failed")
1018 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
1019 if ev is None:
1020 raise Exception("Wait for external SIM processing request timed out")
1021 p = ev.split(':', 2)
1022 if p[1] != "UMTS-AUTH":
1023 raise Exception("Unexpected CTRL-REQ-SIM type")
1024 rid = p[0].split('-')[3]
1025 # This will fail during UMTS auth validation
1026 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
1027 raise Exception("CTRL-RSP-SIM failed")
1028 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
1029 if ev is None:
1030 raise Exception("EAP failure not reported")
1031 dev[0].request("DISCONNECT")
1032 dev[0].wait_disconnected()
1033 time.sleep(0.1)
1034 dev[0].dump_monitor()
1035
1036 tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
1037 ":UMTS-AUTH:34",
1038 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
1039 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
1040 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
1041 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
1042 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
1043 for t in tests:
1044 dev[0].select_network(id, freq="2412")
1045 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
1046 if ev is None:
1047 raise Exception("Wait for external SIM processing request timed out")
1048 p = ev.split(':', 2)
1049 if p[1] != "UMTS-AUTH":
1050 raise Exception("Unexpected CTRL-REQ-SIM type")
1051 rid = p[0].split('-')[3]
1052 # This will fail during UMTS auth validation
1053 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
1054 raise Exception("CTRL-RSP-SIM failed")
1055 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
1056 if ev is None:
1057 raise Exception("EAP failure not reported")
1058 dev[0].request("DISCONNECT")
1059 dev[0].wait_disconnected()
1060 time.sleep(0.1)
1061 dev[0].dump_monitor()
1062
1063 def test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
1064 """EAP-AKA with external UMTS auth and auth failing"""
1065 try:
1066 _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev)
1067 finally:
1068 dev[0].request("SET external_sim 0")
1069
1070 def _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
1071 check_hlr_auc_gw_support()
1072 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1073 hostapd.add_ap(apdev[0], params)
1074 dev[0].request("SET external_sim 1")
1075 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
1076 identity="0232010000000000",
1077 wait_connect=False, scan_freq="2412")
1078
1079 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
1080 if ev is None:
1081 raise Exception("Wait for external SIM processing request timed out")
1082 p = ev.split(':', 2)
1083 rid = p[0].split('-')[3]
1084 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
1085 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
1086 if ev is None:
1087 raise Exception("EAP failure not reported")
1088 dev[0].request("REMOVE_NETWORK all")
1089 dev[0].wait_disconnected()
1090
1091 def test_ap_wpa2_eap_aka_prime(dev, apdev):
1092 """WPA2-Enterprise connection using EAP-AKA'"""
1093 check_hlr_auc_gw_support()
1094 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1095 hapd = hostapd.add_ap(apdev[0], params)
1096 eap_connect(dev[0], hapd, "AKA'", "6555444333222111",
1097 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1098 hwsim_utils.test_connectivity(dev[0], hapd)
1099 eap_reauth(dev[0], "AKA'")
1100
1101 logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
1102 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
1103 identity="6555444333222111@both",
1104 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
1105 wait_connect=False, scan_freq="2412")
1106 dev[1].wait_connected(timeout=15)
1107
1108 logger.info("Negative test with incorrect key")
1109 dev[0].request("REMOVE_NETWORK all")
1110 eap_connect(dev[0], hapd, "AKA'", "6555444333222111",
1111 password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
1112 expect_failure=True)
1113
1114 def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
1115 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
1116 check_hlr_auc_gw_support()
1117 try:
1118 import sqlite3
1119 except ImportError:
1120 raise HwsimSkip("No sqlite3 module available")
1121 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
1122 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1123 params['auth_server_port'] = "1814"
1124 hapd = hostapd.add_ap(apdev[0], params)
1125 eap_connect(dev[0], hapd, "AKA'", "6555444333222111",
1126 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1127
1128 logger.info("AKA' fast re-authentication")
1129 eap_reauth(dev[0], "AKA'")
1130
1131 logger.info("AKA' full auth with pseudonym")
1132 with con:
1133 cur = con.cursor()
1134 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
1135 eap_reauth(dev[0], "AKA'")
1136
1137 logger.info("AKA' full auth with permanent identity")
1138 with con:
1139 cur = con.cursor()
1140 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
1141 cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
1142 eap_reauth(dev[0], "AKA'")
1143
1144 logger.info("AKA' reauth with mismatching k_aut")
1145 with con:
1146 cur = con.cursor()
1147 cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
1148 eap_reauth(dev[0], "AKA'", expect_failure=True)
1149 dev[0].request("REMOVE_NETWORK all")
1150
1151 eap_connect(dev[0], hapd, "AKA'", "6555444333222111",
1152 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1153 with con:
1154 cur = con.cursor()
1155 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
1156 eap_reauth(dev[0], "AKA'")
1157 with con:
1158 cur = con.cursor()
1159 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
1160 logger.info("AKA' reauth with mismatching counter")
1161 eap_reauth(dev[0], "AKA'")
1162 dev[0].request("REMOVE_NETWORK all")
1163
1164 eap_connect(dev[0], hapd, "AKA'", "6555444333222111",
1165 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1166 with con:
1167 cur = con.cursor()
1168 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
1169 logger.info("AKA' reauth with max reauth count reached")
1170 eap_reauth(dev[0], "AKA'")
1171
1172 def test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
1173 """EAP-AKA' with external UMTS auth and auth failing"""
1174 try:
1175 _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev)
1176 finally:
1177 dev[0].request("SET external_sim 0")
1178
1179 def _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
1180 check_hlr_auc_gw_support()
1181 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1182 hostapd.add_ap(apdev[0], params)
1183 dev[0].request("SET external_sim 1")
1184 id = dev[0].connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
1185 identity="6555444333222111",
1186 wait_connect=False, scan_freq="2412")
1187
1188 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
1189 if ev is None:
1190 raise Exception("Wait for external SIM processing request timed out")
1191 p = ev.split(':', 2)
1192 rid = p[0].split('-')[3]
1193 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
1194 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
1195 if ev is None:
1196 raise Exception("EAP failure not reported")
1197 dev[0].request("REMOVE_NETWORK all")
1198 dev[0].wait_disconnected()
1199
1200 def test_ap_wpa2_eap_aka_prime_ext(dev, apdev):
1201 """EAP-AKA' with external UMTS auth to hit Synchronization-Failure"""
1202 try:
1203 _test_ap_wpa2_eap_aka_prime_ext(dev, apdev)
1204 finally:
1205 dev[0].request("SET external_sim 0")
1206
1207 def _test_ap_wpa2_eap_aka_prime_ext(dev, apdev):
1208 check_hlr_auc_gw_support()
1209 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1210 hostapd.add_ap(apdev[0], params)
1211 dev[0].request("SET external_sim 1")
1212 id = dev[0].connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
1213 identity="6555444333222111",
1214 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1215 wait_connect=False, scan_freq="2412")
1216 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
1217 if ev is None:
1218 raise Exception("Network connected timed out")
1219
1220 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
1221 if ev is None:
1222 raise Exception("Wait for external SIM processing request timed out")
1223 p = ev.split(':', 2)
1224 if p[1] != "UMTS-AUTH":
1225 raise Exception("Unexpected CTRL-REQ-SIM type")
1226 rid = p[0].split('-')[3]
1227 # This will fail during UMTS auth validation
1228 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
1229 raise Exception("CTRL-RSP-SIM failed")
1230 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
1231 if ev is None:
1232 raise Exception("Wait for external SIM processing request timed out")
1233
1234 def test_ap_wpa2_eap_ttls_pap(dev, apdev):
1235 """WPA2-Enterprise connection using EAP-TTLS/PAP"""
1236 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1237 hapd = hostapd.add_ap(apdev[0], params)
1238 key_mgmt = hapd.get_config()['key_mgmt']
1239 if key_mgmt.split(' ')[0] != "WPA-EAP":
1240 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
1241 eap_connect(dev[0], hapd, "TTLS", "pap user",
1242 anonymous_identity="ttls", password="password",
1243 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
1244 hwsim_utils.test_connectivity(dev[0], hapd)
1245 eap_reauth(dev[0], "TTLS")
1246 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
1247 ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1") ])
1248
1249 def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
1250 """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
1251 check_subject_match_support(dev[0])
1252 check_altsubject_match_support(dev[0])
1253 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1254 hapd = hostapd.add_ap(apdev[0], params)
1255 eap_connect(dev[0], hapd, "TTLS", "pap user",
1256 anonymous_identity="ttls", password="password",
1257 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
1258 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
1259 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
1260 eap_reauth(dev[0], "TTLS")
1261
1262 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
1263 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
1264 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1265 hapd = hostapd.add_ap(apdev[0], params)
1266 eap_connect(dev[0], hapd, "TTLS", "pap user",
1267 anonymous_identity="ttls", password="wrong",
1268 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
1269 expect_failure=True)
1270 eap_connect(dev[1], hapd, "TTLS", "user",
1271 anonymous_identity="ttls", password="password",
1272 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
1273 expect_failure=True)
1274
1275 def test_ap_wpa2_eap_ttls_chap(dev, apdev):
1276 """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
1277 skip_with_fips(dev[0])
1278 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1279 hapd = hostapd.add_ap(apdev[0], params)
1280 eap_connect(dev[0], hapd, "TTLS", "chap user",
1281 anonymous_identity="ttls", password="password",
1282 ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
1283 hwsim_utils.test_connectivity(dev[0], hapd)
1284 eap_reauth(dev[0], "TTLS")
1285
1286 def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
1287 """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
1288 skip_with_fips(dev[0])
1289 check_altsubject_match_support(dev[0])
1290 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1291 hapd = hostapd.add_ap(apdev[0], params)
1292 eap_connect(dev[0], hapd, "TTLS", "chap user",
1293 anonymous_identity="ttls", password="password",
1294 ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
1295 altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
1296 eap_reauth(dev[0], "TTLS")
1297
1298 def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
1299 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
1300 skip_with_fips(dev[0])
1301 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1302 hapd = hostapd.add_ap(apdev[0], params)
1303 eap_connect(dev[0], hapd, "TTLS", "chap user",
1304 anonymous_identity="ttls", password="wrong",
1305 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
1306 expect_failure=True)
1307 eap_connect(dev[1], hapd, "TTLS", "user",
1308 anonymous_identity="ttls", password="password",
1309 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
1310 expect_failure=True)
1311
1312 def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
1313 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
1314 skip_with_fips(dev[0])
1315 check_domain_suffix_match(dev[0])
1316 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1317 hapd = hostapd.add_ap(apdev[0], params)
1318 eap_connect(dev[0], hapd, "TTLS", "mschap user",
1319 anonymous_identity="ttls", password="password",
1320 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
1321 domain_suffix_match="server.w1.fi")
1322 hwsim_utils.test_connectivity(dev[0], hapd)
1323 eap_reauth(dev[0], "TTLS")
1324 dev[0].request("REMOVE_NETWORK all")
1325 eap_connect(dev[0], hapd, "TTLS", "mschap user",
1326 anonymous_identity="ttls", password="password",
1327 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
1328 fragment_size="200")
1329 dev[0].request("REMOVE_NETWORK all")
1330 dev[0].wait_disconnected()
1331 eap_connect(dev[0], hapd, "TTLS", "mschap user",
1332 anonymous_identity="ttls",
1333 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
1334 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
1335
1336 def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
1337 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
1338 skip_with_fips(dev[0])
1339 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1340 hapd = hostapd.add_ap(apdev[0], params)
1341 eap_connect(dev[0], hapd, "TTLS", "mschap user",
1342 anonymous_identity="ttls", password="wrong",
1343 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
1344 expect_failure=True)
1345 eap_connect(dev[1], hapd, "TTLS", "user",
1346 anonymous_identity="ttls", password="password",
1347 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
1348 expect_failure=True)
1349 eap_connect(dev[2], hapd, "TTLS", "no such user",
1350 anonymous_identity="ttls", password="password",
1351 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
1352 expect_failure=True)
1353
1354 def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
1355 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
1356 check_domain_suffix_match(dev[0])
1357 check_eap_capa(dev[0], "MSCHAPV2")
1358 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1359 hapd = hostapd.add_ap(apdev[0], params)
1360 eap_connect(dev[0], hapd, "TTLS", "DOMAIN\mschapv2 user",
1361 anonymous_identity="ttls", password="password",
1362 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1363 domain_suffix_match="server.w1.fi")
1364 hwsim_utils.test_connectivity(dev[0], hapd)
1365 sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
1366 eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
1367 eap_reauth(dev[0], "TTLS")
1368 sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
1369 eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
1370 if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
1371 raise Exception("dot1xAuthEapolFramesRx did not increase")
1372 if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
1373 raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
1374 if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
1375 raise Exception("backendAuthSuccesses did not increase")
1376
1377 logger.info("Password as hash value")
1378 dev[0].request("REMOVE_NETWORK all")
1379 eap_connect(dev[0], hapd, "TTLS", "DOMAIN\mschapv2 user",
1380 anonymous_identity="ttls",
1381 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
1382 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
1383
1384 def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
1385 """EAP-TTLS with invalid phase2 parameter values"""
1386 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1387 hostapd.add_ap(apdev[0], params)
1388 tests = [ "auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
1389 "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
1390 "autheap=MD5 autheap=FOO autheap=MSCHAPV2" ]
1391 for t in tests:
1392 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1393 identity="DOMAIN\mschapv2 user",
1394 anonymous_identity="ttls", password="password",
1395 ca_cert="auth_serv/ca.pem", phase2=t,
1396 wait_connect=False, scan_freq="2412")
1397 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
1398 if ev is None or "method=21" not in ev:
1399 raise Exception("EAP-TTLS not started")
1400 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method",
1401 "CTRL-EVENT-CONNECTED"], timeout=5)
1402 if ev is None or "CTRL-EVENT-CONNECTED" in ev:
1403 raise Exception("No EAP-TTLS failure reported for phase2=" + t)
1404 dev[0].request("REMOVE_NETWORK all")
1405 dev[0].wait_disconnected()
1406 dev[0].dump_monitor()
1407
1408 def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
1409 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
1410 check_domain_match_full(dev[0])
1411 skip_with_fips(dev[0])
1412 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1413 hapd = hostapd.add_ap(apdev[0], params)
1414 eap_connect(dev[0], hapd, "TTLS", "DOMAIN\mschapv2 user",
1415 anonymous_identity="ttls", password="password",
1416 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1417 domain_suffix_match="w1.fi")
1418 hwsim_utils.test_connectivity(dev[0], hapd)
1419 eap_reauth(dev[0], "TTLS")
1420
1421 def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
1422 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
1423 check_domain_match(dev[0])
1424 skip_with_fips(dev[0])
1425 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1426 hapd = hostapd.add_ap(apdev[0], params)
1427 eap_connect(dev[0], hapd, "TTLS", "DOMAIN\mschapv2 user",
1428 anonymous_identity="ttls", password="password",
1429 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1430 domain_match="Server.w1.fi")
1431 hwsim_utils.test_connectivity(dev[0], hapd)
1432 eap_reauth(dev[0], "TTLS")
1433
1434 def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
1435 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
1436 skip_with_fips(dev[0])
1437 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1438 hapd = hostapd.add_ap(apdev[0], params)
1439 eap_connect(dev[0], hapd, "TTLS", "DOMAIN\mschapv2 user",
1440 anonymous_identity="ttls", password="password1",
1441 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1442 expect_failure=True)
1443 eap_connect(dev[1], hapd, "TTLS", "user",
1444 anonymous_identity="ttls", password="password",
1445 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1446 expect_failure=True)
1447
1448 def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
1449 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
1450 skip_with_fips(dev[0])
1451 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1452 hapd = hostapd.add_ap(apdev[0], params)
1453 eap_connect(dev[0], hapd, "TTLS", "utf8-user-hash",
1454 anonymous_identity="ttls", password="secret-åäö-€-password",
1455 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
1456 eap_connect(dev[1], hapd, "TTLS", "utf8-user",
1457 anonymous_identity="ttls",
1458 password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
1459 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
1460 for p in [ "80", "41c041e04141e041", 257*"41" ]:
1461 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
1462 eap="TTLS", identity="utf8-user-hash",
1463 anonymous_identity="ttls", password_hex=p,
1464 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1465 wait_connect=False, scan_freq="2412")
1466 ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1)
1467 if ev is None:
1468 raise Exception("No failure reported")
1469 dev[2].request("REMOVE_NETWORK all")
1470 dev[2].wait_disconnected()
1471
1472 def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
1473 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
1474 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1475 hapd = hostapd.add_ap(apdev[0], params)
1476 eap_connect(dev[0], hapd, "TTLS", "user",
1477 anonymous_identity="ttls", password="password",
1478 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
1479 hwsim_utils.test_connectivity(dev[0], hapd)
1480 eap_reauth(dev[0], "TTLS")
1481
1482 def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
1483 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
1484 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1485 hapd = hostapd.add_ap(apdev[0], params)
1486 eap_connect(dev[0], hapd, "TTLS", "user",
1487 anonymous_identity="ttls", password="wrong",
1488 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
1489 expect_failure=True)
1490
1491 def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
1492 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
1493 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1494 hapd = hostapd.add_ap(apdev[0], params)
1495 eap_connect(dev[0], hapd, "TTLS", "user-no-passwd",
1496 anonymous_identity="ttls", password="password",
1497 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
1498 expect_failure=True)
1499
1500 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
1501 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
1502 params = int_eap_server_params()
1503 hapd = hostapd.add_ap(apdev[0], params)
1504 with alloc_fail(hapd, 1, "eap_gtc_init"):
1505 eap_connect(dev[0], hapd, "TTLS", "user",
1506 anonymous_identity="ttls", password="password",
1507 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
1508 expect_failure=True)
1509 dev[0].request("REMOVE_NETWORK all")
1510
1511 with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
1512 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1513 eap="TTLS", identity="user",
1514 anonymous_identity="ttls", password="password",
1515 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
1516 wait_connect=False, scan_freq="2412")
1517 # This would eventually time out, but we can stop after having reached
1518 # the allocation failure.
1519 for i in range(20):
1520 time.sleep(0.1)
1521 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1522 break
1523
1524 def test_ap_wpa2_eap_ttls_eap_gtc_oom(dev, apdev):
1525 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC (OOM)"""
1526 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1527 hapd = hostapd.add_ap(apdev[0], params)
1528
1529 tests = [ "eap_gtc_init",
1530 "eap_msg_alloc;eap_gtc_process" ]
1531 for func in tests:
1532 with alloc_fail(dev[0], 1, func):
1533 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
1534 scan_freq="2412",
1535 eap="TTLS", identity="user",
1536 anonymous_identity="ttls", password="password",
1537 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
1538 wait_connect=False)
1539 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
1540 dev[0].request("REMOVE_NETWORK all")
1541 dev[0].wait_disconnected()
1542
1543 def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
1544 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
1545 check_eap_capa(dev[0], "MD5")
1546 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1547 hapd = hostapd.add_ap(apdev[0], params)
1548 eap_connect(dev[0], hapd, "TTLS", "user",
1549 anonymous_identity="ttls", password="password",
1550 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
1551 hwsim_utils.test_connectivity(dev[0], hapd)
1552 eap_reauth(dev[0], "TTLS")
1553
1554 def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
1555 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
1556 check_eap_capa(dev[0], "MD5")
1557 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1558 hapd = hostapd.add_ap(apdev[0], params)
1559 eap_connect(dev[0], hapd, "TTLS", "user",
1560 anonymous_identity="ttls", password="wrong",
1561 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1562 expect_failure=True)
1563
1564 def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
1565 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
1566 check_eap_capa(dev[0], "MD5")
1567 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1568 hapd = hostapd.add_ap(apdev[0], params)
1569 eap_connect(dev[0], hapd, "TTLS", "user-no-passwd",
1570 anonymous_identity="ttls", password="password",
1571 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1572 expect_failure=True)
1573
1574 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
1575 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1576 check_eap_capa(dev[0], "MD5")
1577 params = int_eap_server_params()
1578 hapd = hostapd.add_ap(apdev[0], params)
1579 with alloc_fail(hapd, 1, "eap_md5_init"):
1580 eap_connect(dev[0], hapd, "TTLS", "user",
1581 anonymous_identity="ttls", password="password",
1582 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1583 expect_failure=True)
1584 dev[0].request("REMOVE_NETWORK all")
1585
1586 with alloc_fail(hapd, 1, "eap_md5_buildReq"):
1587 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1588 eap="TTLS", identity="user",
1589 anonymous_identity="ttls", password="password",
1590 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1591 wait_connect=False, scan_freq="2412")
1592 # This would eventually time out, but we can stop after having reached
1593 # the allocation failure.
1594 for i in range(20):
1595 time.sleep(0.1)
1596 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1597 break
1598
1599 def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
1600 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
1601 check_eap_capa(dev[0], "MSCHAPV2")
1602 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1603 hapd = hostapd.add_ap(apdev[0], params)
1604 eap_connect(dev[0], hapd, "TTLS", "user",
1605 anonymous_identity="ttls", password="password",
1606 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
1607 hwsim_utils.test_connectivity(dev[0], hapd)
1608 eap_reauth(dev[0], "TTLS")
1609
1610 logger.info("Negative test with incorrect password")
1611 dev[0].request("REMOVE_NETWORK all")
1612 eap_connect(dev[0], hapd, "TTLS", "user",
1613 anonymous_identity="ttls", password="password1",
1614 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1615 expect_failure=True)
1616
1617 def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
1618 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
1619 check_eap_capa(dev[0], "MSCHAPV2")
1620 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1621 hapd = hostapd.add_ap(apdev[0], params)
1622 eap_connect(dev[0], hapd, "TTLS", "user-no-passwd",
1623 anonymous_identity="ttls", password="password",
1624 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1625 expect_failure=True)
1626
1627 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
1628 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
1629 check_eap_capa(dev[0], "MSCHAPV2")
1630 params = int_eap_server_params()
1631 hapd = hostapd.add_ap(apdev[0], params)
1632 with alloc_fail(hapd, 1, "eap_mschapv2_init"):
1633 eap_connect(dev[0], hapd, "TTLS", "user",
1634 anonymous_identity="ttls", password="password",
1635 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1636 expect_failure=True)
1637 dev[0].request("REMOVE_NETWORK all")
1638
1639 with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
1640 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1641 eap="TTLS", identity="user",
1642 anonymous_identity="ttls", password="password",
1643 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1644 wait_connect=False, scan_freq="2412")
1645 # This would eventually time out, but we can stop after having reached
1646 # the allocation failure.
1647 for i in range(20):
1648 time.sleep(0.1)
1649 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1650 break
1651 dev[0].request("REMOVE_NETWORK all")
1652
1653 with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
1654 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1655 eap="TTLS", identity="user",
1656 anonymous_identity="ttls", password="password",
1657 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1658 wait_connect=False, scan_freq="2412")
1659 # This would eventually time out, but we can stop after having reached
1660 # the allocation failure.
1661 for i in range(20):
1662 time.sleep(0.1)
1663 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1664 break
1665 dev[0].request("REMOVE_NETWORK all")
1666
1667 with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
1668 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1669 eap="TTLS", identity="user",
1670 anonymous_identity="ttls", password="wrong",
1671 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1672 wait_connect=False, scan_freq="2412")
1673 # This would eventually time out, but we can stop after having reached
1674 # the allocation failure.
1675 for i in range(20):
1676 time.sleep(0.1)
1677 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1678 break
1679 dev[0].request("REMOVE_NETWORK all")
1680
1681 def test_ap_wpa2_eap_ttls_eap_sim(dev, apdev):
1682 """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM"""
1683 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1684 hapd = hostapd.add_ap(apdev[0], params)
1685 eap_connect(dev[0], hapd, "TTLS", "1232010000000000",
1686 anonymous_identity="1232010000000000@ttls",
1687 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
1688 ca_cert="auth_serv/ca.pem", phase2="autheap=SIM")
1689 eap_reauth(dev[0], "TTLS")
1690
1691 def run_ext_sim_auth(dev):
1692 ev = dev.wait_event(["CTRL-REQ-SIM"], timeout=15)
1693 if ev is None:
1694 raise Exception("Wait for external SIM processing request timed out")
1695 p = ev.split(':', 2)
1696 if p[1] != "GSM-AUTH":
1697 raise Exception("Unexpected CTRL-REQ-SIM type")
1698 rid = p[0].split('-')[3]
1699 rand = p[2].split(' ')[0]
1700
1701 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
1702 "-m",
1703 "auth_serv/hlr_auc_gw.milenage_db",
1704 "GSM-AUTH-REQ 232010000000000 " + rand])
1705 if "GSM-AUTH-RESP" not in res:
1706 raise Exception("Unexpected hlr_auc_gw response")
1707 resp = res.split(' ')[2].rstrip()
1708
1709 dev.request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
1710 dev.wait_connected(timeout=15)
1711
1712 dev.dump_monitor()
1713 dev.request("REAUTHENTICATE")
1714 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=5)
1715 if ev is None:
1716 raise Exception("EAP reauthentication did not succeed")
1717 ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=5)
1718 if ev is None:
1719 raise Exception("Key negotiation did not complete")
1720 dev.dump_monitor()
1721
1722 def test_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev):
1723 """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM and external GSM auth"""
1724 check_hlr_auc_gw_support()
1725 try:
1726 run_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev)
1727 finally:
1728 dev[0].request("SET external_sim 0")
1729
1730 def run_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev):
1731 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1732 hapd = hostapd.add_ap(apdev[0], params)
1733 dev[0].request("SET external_sim 1")
1734 dev[0].connect("test-wpa2-eap", eap="TTLS", key_mgmt="WPA-EAP",
1735 identity="1232010000000000",
1736 anonymous_identity="1232010000000000@ttls",
1737 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
1738 ca_cert="auth_serv/ca.pem", phase2="autheap=SIM",
1739 wait_connect=False, scan_freq="2412")
1740 run_ext_sim_auth(dev[0])
1741
1742 def test_ap_wpa2_eap_peap_eap_sim(dev, apdev):
1743 """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM"""
1744 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1745 hapd = hostapd.add_ap(apdev[0], params)
1746 eap_connect(dev[0], hapd, "PEAP", "1232010000000000",
1747 anonymous_identity="1232010000000000@peap",
1748 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
1749 ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
1750 eap_reauth(dev[0], "PEAP")
1751
1752 def test_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev):
1753 """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM and external GSM auth"""
1754 check_hlr_auc_gw_support()
1755 try:
1756 run_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev)
1757 finally:
1758 dev[0].request("SET external_sim 0")
1759
1760 def run_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev):
1761 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1762 hapd = hostapd.add_ap(apdev[0], params)
1763 dev[0].request("SET external_sim 1")
1764 dev[0].connect("test-wpa2-eap", eap="PEAP", key_mgmt="WPA-EAP",
1765 identity="1232010000000000",
1766 anonymous_identity="1232010000000000@peap",
1767 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
1768 ca_cert="auth_serv/ca.pem", phase2="auth=SIM",
1769 wait_connect=False, scan_freq="2412")
1770 run_ext_sim_auth(dev[0])
1771
1772 def test_ap_wpa2_eap_fast_eap_sim(dev, apdev):
1773 """WPA2-Enterprise connection using EAP-FAST/EAP-SIM"""
1774 check_eap_capa(dev[0], "FAST")
1775 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1776 hapd = hostapd.add_ap(apdev[0], params)
1777 eap_connect(dev[0], hapd, "FAST", "1232010000000000",
1778 anonymous_identity="1232010000000000@fast",
1779 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
1780 phase1="fast_provisioning=2",
1781 pac_file="blob://fast_pac_auth_sim",
1782 ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
1783 eap_reauth(dev[0], "FAST")
1784
1785 def test_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev):
1786 """WPA2-Enterprise connection using EAP-FAST/EAP-SIM and external GSM auth"""
1787 check_hlr_auc_gw_support()
1788 try:
1789 run_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev)
1790 finally:
1791 dev[0].request("SET external_sim 0")
1792
1793 def run_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev):
1794 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1795 hapd = hostapd.add_ap(apdev[0], params)
1796 dev[0].request("SET external_sim 1")
1797 dev[0].connect("test-wpa2-eap", eap="PEAP", key_mgmt="WPA-EAP",
1798 identity="1232010000000000",
1799 anonymous_identity="1232010000000000@peap",
1800 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
1801 phase1="fast_provisioning=2",
1802 pac_file="blob://fast_pac_auth_sim",
1803 ca_cert="auth_serv/ca.pem", phase2="auth=SIM",
1804 wait_connect=False, scan_freq="2412")
1805 run_ext_sim_auth(dev[0])
1806
1807 def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
1808 """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
1809 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1810 hapd = hostapd.add_ap(apdev[0], params)
1811 eap_connect(dev[0], hapd, "TTLS", "0232010000000000",
1812 anonymous_identity="0232010000000000@ttls",
1813 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1814 ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
1815 eap_reauth(dev[0], "TTLS")
1816
1817 def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
1818 """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
1819 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1820 hapd = hostapd.add_ap(apdev[0], params)
1821 eap_connect(dev[0], hapd, "PEAP", "0232010000000000",
1822 anonymous_identity="0232010000000000@peap",
1823 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1824 ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
1825 eap_reauth(dev[0], "PEAP")
1826
1827 def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
1828 """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
1829 check_eap_capa(dev[0], "FAST")
1830 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1831 hapd = hostapd.add_ap(apdev[0], params)
1832 eap_connect(dev[0], hapd, "FAST", "0232010000000000",
1833 anonymous_identity="0232010000000000@fast",
1834 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1835 phase1="fast_provisioning=2",
1836 pac_file="blob://fast_pac_auth_aka",
1837 ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
1838 eap_reauth(dev[0], "FAST")
1839
1840 def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
1841 """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
1842 check_eap_capa(dev[0], "MSCHAPV2")
1843 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1844 hapd = hostapd.add_ap(apdev[0], params)
1845 eap_connect(dev[0], hapd, "PEAP", "user",
1846 anonymous_identity="peap", password="password",
1847 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
1848 hwsim_utils.test_connectivity(dev[0], hapd)
1849 eap_reauth(dev[0], "PEAP")
1850 dev[0].request("REMOVE_NETWORK all")
1851 eap_connect(dev[0], hapd, "PEAP", "user",
1852 anonymous_identity="peap", password="password",
1853 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1854 fragment_size="200")
1855
1856 logger.info("Password as hash value")
1857 dev[0].request("REMOVE_NETWORK all")
1858 eap_connect(dev[0], hapd, "PEAP", "user",
1859 anonymous_identity="peap",
1860 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
1861 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
1862
1863 logger.info("Negative test with incorrect password")
1864 dev[0].request("REMOVE_NETWORK all")
1865 eap_connect(dev[0], hapd, "PEAP", "user",
1866 anonymous_identity="peap", password="password1",
1867 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1868 expect_failure=True)
1869
1870 def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
1871 """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
1872 check_eap_capa(dev[0], "MSCHAPV2")
1873 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1874 hapd = hostapd.add_ap(apdev[0], params)
1875 eap_connect(dev[0], hapd, "PEAP", "DOMAIN\user3",
1876 anonymous_identity="peap", password="password",
1877 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
1878 hwsim_utils.test_connectivity(dev[0], hapd)
1879 eap_reauth(dev[0], "PEAP")
1880
1881 def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
1882 """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
1883 check_eap_capa(dev[0], "MSCHAPV2")
1884 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1885 hapd = hostapd.add_ap(apdev[0], params)
1886 eap_connect(dev[0], hapd, "PEAP", "user",
1887 anonymous_identity="peap", password="wrong",
1888 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1889 expect_failure=True)
1890
1891 def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
1892 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
1893 check_eap_capa(dev[0], "MSCHAPV2")
1894 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1895 hapd = hostapd.add_ap(apdev[0], params)
1896 eap_connect(dev[0], hapd, "PEAP", "user", password="password",
1897 ca_cert="auth_serv/ca.pem",
1898 phase1="peapver=0 crypto_binding=2",
1899 phase2="auth=MSCHAPV2")
1900 hwsim_utils.test_connectivity(dev[0], hapd)
1901 eap_reauth(dev[0], "PEAP")
1902
1903 eap_connect(dev[1], hapd, "PEAP", "user", password="password",
1904 ca_cert="auth_serv/ca.pem",
1905 phase1="peapver=0 crypto_binding=1",
1906 phase2="auth=MSCHAPV2")
1907 eap_connect(dev[2], hapd, "PEAP", "user", password="password",
1908 ca_cert="auth_serv/ca.pem",
1909 phase1="peapver=0 crypto_binding=0",
1910 phase2="auth=MSCHAPV2")
1911
1912 def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
1913 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
1914 check_eap_capa(dev[0], "MSCHAPV2")
1915 params = int_eap_server_params()
1916 hapd = hostapd.add_ap(apdev[0], params)
1917 with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
1918 eap_connect(dev[0], hapd, "PEAP", "user", password="password",
1919 ca_cert="auth_serv/ca.pem",
1920 phase1="peapver=0 crypto_binding=2",
1921 phase2="auth=MSCHAPV2",
1922 expect_failure=True, local_error_report=True)
1923
1924 def test_ap_wpa2_eap_peap_params(dev, apdev):
1925 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
1926 check_eap_capa(dev[0], "MSCHAPV2")
1927 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1928 hapd = hostapd.add_ap(apdev[0], params)
1929 eap_connect(dev[0], hapd, "PEAP", "user",
1930 anonymous_identity="peap", password="password",
1931 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1932 phase1="peapver=0 peaplabel=1",
1933 expect_failure=True)
1934 dev[0].request("REMOVE_NETWORK all")
1935 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1936 identity="user",
1937 anonymous_identity="peap", password="password",
1938 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1939 phase1="peap_outer_success=0",
1940 wait_connect=False, scan_freq="2412")
1941 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1942 if ev is None:
1943 raise Exception("No EAP success seen")
1944 # This won't succeed to connect with peap_outer_success=0, so stop here.
1945 dev[0].request("REMOVE_NETWORK all")
1946 dev[0].wait_disconnected()
1947 eap_connect(dev[1], hapd, "PEAP", "user", password="password",
1948 ca_cert="auth_serv/ca.pem",
1949 phase1="peap_outer_success=1",
1950 phase2="auth=MSCHAPV2")
1951 eap_connect(dev[2], hapd, "PEAP", "user", password="password",
1952 ca_cert="auth_serv/ca.pem",
1953 phase1="peap_outer_success=2",
1954 phase2="auth=MSCHAPV2")
1955 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1956 identity="user",
1957 anonymous_identity="peap", password="password",
1958 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1959 phase1="peapver=1 peaplabel=1",
1960 wait_connect=False, scan_freq="2412")
1961 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1962 if ev is None:
1963 raise Exception("No EAP success seen")
1964 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
1965 if ev is not None:
1966 raise Exception("Unexpected connection")
1967
1968 tests = [ ("peap-ver0", ""),
1969 ("peap-ver1", ""),
1970 ("peap-ver0", "peapver=0"),
1971 ("peap-ver1", "peapver=1") ]
1972 for anon,phase1 in tests:
1973 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1974 identity="user", anonymous_identity=anon,
1975 password="password", phase1=phase1,
1976 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1977 scan_freq="2412")
1978 dev[0].request("REMOVE_NETWORK all")
1979 dev[0].wait_disconnected()
1980
1981 tests = [ ("peap-ver0", "peapver=1"),
1982 ("peap-ver1", "peapver=0") ]
1983 for anon,phase1 in tests:
1984 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1985 identity="user", anonymous_identity=anon,
1986 password="password", phase1=phase1,
1987 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1988 wait_connect=False, scan_freq="2412")
1989 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
1990 if ev is None:
1991 raise Exception("No EAP-Failure seen")
1992 dev[0].request("REMOVE_NETWORK all")
1993 dev[0].wait_disconnected()
1994
1995 eap_connect(dev[0], hapd, "PEAP", "user", password="password",
1996 ca_cert="auth_serv/ca.pem",
1997 phase1="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
1998 phase2="auth=MSCHAPV2")
1999
2000 def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
2001 """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
2002 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2003 hapd = hostapd.add_ap(apdev[0], params)
2004 eap_connect(dev[0], hapd, "PEAP", "cert user",
2005 ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
2006 ca_cert2="auth_serv/ca.pem",
2007 client_cert2="auth_serv/user.pem",
2008 private_key2="auth_serv/user.key")
2009 eap_reauth(dev[0], "PEAP")
2010
2011 def test_ap_wpa2_eap_tls(dev, apdev):
2012 """WPA2-Enterprise connection using EAP-TLS"""
2013 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2014 hapd = hostapd.add_ap(apdev[0], params)
2015 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
2016 client_cert="auth_serv/user.pem",
2017 private_key="auth_serv/user.key")
2018 eap_reauth(dev[0], "TLS")
2019
2020 def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
2021 """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
2022 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2023 hapd = hostapd.add_ap(apdev[0], params)
2024 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
2025 client_cert="auth_serv/user.pem",
2026 private_key="auth_serv/user.key.pkcs8",
2027 private_key_passwd="whatever")
2028
2029 def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
2030 """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
2031 check_pkcs5_v15_support(dev[0])
2032 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2033 hapd = hostapd.add_ap(apdev[0], params)
2034 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
2035 client_cert="auth_serv/user.pem",
2036 private_key="auth_serv/user.key.pkcs8.pkcs5v15",
2037 private_key_passwd="whatever")
2038
2039 def test_ap_wpa2_eap_tls_blob(dev, apdev):
2040 """WPA2-Enterprise connection using EAP-TLS and config blobs"""
2041 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2042 hapd = hostapd.add_ap(apdev[0], params)
2043 cert = read_pem("auth_serv/ca.pem")
2044 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
2045 raise Exception("Could not set cacert blob")
2046 cert = read_pem("auth_serv/user.pem")
2047 if "OK" not in dev[0].request("SET blob usercert " + cert.encode("hex")):
2048 raise Exception("Could not set usercert blob")
2049 key = read_pem("auth_serv/user.rsa-key")
2050 if "OK" not in dev[0].request("SET blob userkey " + key.encode("hex")):
2051 raise Exception("Could not set cacert blob")
2052 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="blob://cacert",
2053 client_cert="blob://usercert",
2054 private_key="blob://userkey")
2055
2056 def test_ap_wpa2_eap_tls_blob_missing(dev, apdev):
2057 """EAP-TLS and config blob missing"""
2058 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2059 hostapd.add_ap(apdev[0], params)
2060 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2061 identity="tls user",
2062 ca_cert="blob://testing-blob-does-not-exist",
2063 client_cert="blob://testing-blob-does-not-exist",
2064 private_key="blob://testing-blob-does-not-exist",
2065 wait_connect=False, scan_freq="2412")
2066 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=10)
2067 if ev is None:
2068 raise Exception("EAP failure not reported")
2069 dev[0].request("REMOVE_NETWORK all")
2070 dev[0].wait_disconnected()
2071
2072 def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
2073 """EAP-TLS and TLS Message Length in unfragmented packets"""
2074 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2075 hapd = hostapd.add_ap(apdev[0], params)
2076 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
2077 phase1="include_tls_length=1",
2078 client_cert="auth_serv/user.pem",
2079 private_key="auth_serv/user.key")
2080
2081 def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
2082 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
2083 check_pkcs12_support(dev[0])
2084 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2085 hapd = hostapd.add_ap(apdev[0], params)
2086 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
2087 private_key="auth_serv/user.pkcs12",
2088 private_key_passwd="whatever")
2089 dev[0].request("REMOVE_NETWORK all")
2090 dev[0].wait_disconnected()
2091
2092 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2093 identity="tls user",
2094 ca_cert="auth_serv/ca.pem",
2095 private_key="auth_serv/user.pkcs12",
2096 wait_connect=False, scan_freq="2412")
2097 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
2098 if ev is None:
2099 raise Exception("Request for private key passphrase timed out")
2100 id = ev.split(':')[0].split('-')[-1]
2101 dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
2102 dev[0].wait_connected(timeout=10)
2103 dev[0].request("REMOVE_NETWORK all")
2104 dev[0].wait_disconnected()
2105
2106 # Run this twice to verify certificate chain handling with OpenSSL. Use two
2107 # different files to cover both cases of the extra certificate being the
2108 # one that signed the client certificate and it being unrelated to the
2109 # client certificate.
2110 for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
2111 for i in range(2):
2112 eap_connect(dev[0], hapd, "TLS", "tls user",
2113 ca_cert="auth_serv/ca.pem",
2114 private_key=pkcs12,
2115 private_key_passwd="whatever")
2116 dev[0].request("REMOVE_NETWORK all")
2117 dev[0].wait_disconnected()
2118
2119 def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
2120 """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
2121 check_pkcs12_support(dev[0])
2122 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2123 hapd = hostapd.add_ap(apdev[0], params)
2124 cert = read_pem("auth_serv/ca.pem")
2125 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
2126 raise Exception("Could not set cacert blob")
2127 with open("auth_serv/user.pkcs12", "rb") as f:
2128 if "OK" not in dev[0].request("SET blob pkcs12 " + f.read().encode("hex")):
2129 raise Exception("Could not set pkcs12 blob")
2130 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="blob://cacert",
2131 private_key="blob://pkcs12",
2132 private_key_passwd="whatever")
2133
2134 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
2135 """WPA2-Enterprise negative test - incorrect trust root"""
2136 check_eap_capa(dev[0], "MSCHAPV2")
2137 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2138 hostapd.add_ap(apdev[0], params)
2139 cert = read_pem("auth_serv/ca-incorrect.pem")
2140 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
2141 raise Exception("Could not set cacert blob")
2142 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2143 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2144 password="password", phase2="auth=MSCHAPV2",
2145 ca_cert="blob://cacert",
2146 wait_connect=False, scan_freq="2412")
2147 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2148 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2149 password="password", phase2="auth=MSCHAPV2",
2150 ca_cert="auth_serv/ca-incorrect.pem",
2151 wait_connect=False, scan_freq="2412")
2152
2153 for dev in (dev[0], dev[1]):
2154 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
2155 if ev is None:
2156 raise Exception("Association and EAP start timed out")
2157
2158 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
2159 if ev is None:
2160 raise Exception("EAP method selection timed out")
2161 if "TTLS" not in ev:
2162 raise Exception("Unexpected EAP method")
2163
2164 ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2165 "CTRL-EVENT-EAP-SUCCESS",
2166 "CTRL-EVENT-EAP-FAILURE",
2167 "CTRL-EVENT-CONNECTED",
2168 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2169 if ev is None:
2170 raise Exception("EAP result timed out")
2171 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
2172 raise Exception("TLS certificate error not reported")
2173
2174 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
2175 "CTRL-EVENT-EAP-FAILURE",
2176 "CTRL-EVENT-CONNECTED",
2177 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2178 if ev is None:
2179 raise Exception("EAP result(2) timed out")
2180 if "CTRL-EVENT-EAP-FAILURE" not in ev:
2181 raise Exception("EAP failure not reported")
2182
2183 ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
2184 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2185 if ev is None:
2186 raise Exception("EAP result(3) timed out")
2187 if "CTRL-EVENT-DISCONNECTED" not in ev:
2188 raise Exception("Disconnection not reported")
2189
2190 ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
2191 if ev is None:
2192 raise Exception("Network block disabling not reported")
2193
2194 def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
2195 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
2196 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2197 hapd = hostapd.add_ap(apdev[0], params)
2198 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2199 identity="pap user", anonymous_identity="ttls",
2200 password="password", phase2="auth=PAP",
2201 ca_cert="auth_serv/ca.pem",
2202 wait_connect=True, scan_freq="2412")
2203 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2204 identity="pap user", anonymous_identity="ttls",
2205 password="password", phase2="auth=PAP",
2206 ca_cert="auth_serv/ca-incorrect.pem",
2207 only_add_network=True, scan_freq="2412")
2208
2209 dev[0].request("DISCONNECT")
2210 dev[0].wait_disconnected()
2211 dev[0].dump_monitor()
2212 dev[0].select_network(id, freq="2412")
2213
2214 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
2215 if ev is None:
2216 raise Exception("EAP-TTLS not re-started")
2217
2218 ev = dev[0].wait_disconnected(timeout=15)
2219 if "reason=23" not in ev:
2220 raise Exception("Proper reason code for disconnection not reported")
2221
2222 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
2223 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
2224 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2225 hapd = hostapd.add_ap(apdev[0], params)
2226 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2227 identity="pap user", anonymous_identity="ttls",
2228 password="password", phase2="auth=PAP",
2229 wait_connect=True, scan_freq="2412")
2230 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2231 identity="pap user", anonymous_identity="ttls",
2232 password="password", phase2="auth=PAP",
2233 ca_cert="auth_serv/ca-incorrect.pem",
2234 only_add_network=True, scan_freq="2412")
2235
2236 dev[0].request("DISCONNECT")
2237 dev[0].wait_disconnected()
2238 dev[0].dump_monitor()
2239 dev[0].select_network(id, freq="2412")
2240
2241 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
2242 if ev is None:
2243 raise Exception("EAP-TTLS not re-started")
2244
2245 ev = dev[0].wait_disconnected(timeout=15)
2246 if "reason=23" not in ev:
2247 raise Exception("Proper reason code for disconnection not reported")
2248
2249 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
2250 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
2251 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2252 hapd = hostapd.add_ap(apdev[0], params)
2253 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2254 identity="pap user", anonymous_identity="ttls",
2255 password="password", phase2="auth=PAP",
2256 ca_cert="auth_serv/ca.pem",
2257 wait_connect=True, scan_freq="2412")
2258 dev[0].request("DISCONNECT")
2259 dev[0].wait_disconnected()
2260 dev[0].dump_monitor()
2261 dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
2262 dev[0].select_network(id, freq="2412")
2263
2264 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
2265 if ev is None:
2266 raise Exception("EAP-TTLS not re-started")
2267
2268 ev = dev[0].wait_disconnected(timeout=15)
2269 if "reason=23" not in ev:
2270 raise Exception("Proper reason code for disconnection not reported")
2271
2272 def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
2273 """WPA2-Enterprise negative test - domain suffix mismatch"""
2274 check_domain_suffix_match(dev[0])
2275 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2276 hostapd.add_ap(apdev[0], params)
2277 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2278 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2279 password="password", phase2="auth=MSCHAPV2",
2280 ca_cert="auth_serv/ca.pem",
2281 domain_suffix_match="incorrect.example.com",
2282 wait_connect=False, scan_freq="2412")
2283
2284 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
2285 if ev is None:
2286 raise Exception("Association and EAP start timed out")
2287
2288 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
2289 if ev is None:
2290 raise Exception("EAP method selection timed out")
2291 if "TTLS" not in ev:
2292 raise Exception("Unexpected EAP method")
2293
2294 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2295 "CTRL-EVENT-EAP-SUCCESS",
2296 "CTRL-EVENT-EAP-FAILURE",
2297 "CTRL-EVENT-CONNECTED",
2298 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2299 if ev is None:
2300 raise Exception("EAP result timed out")
2301 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
2302 raise Exception("TLS certificate error not reported")
2303 if "Domain suffix mismatch" not in ev:
2304 raise Exception("Domain suffix mismatch not reported")
2305
2306 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2307 "CTRL-EVENT-EAP-FAILURE",
2308 "CTRL-EVENT-CONNECTED",
2309 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2310 if ev is None:
2311 raise Exception("EAP result(2) timed out")
2312 if "CTRL-EVENT-EAP-FAILURE" not in ev:
2313 raise Exception("EAP failure not reported")
2314
2315 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
2316 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2317 if ev is None:
2318 raise Exception("EAP result(3) timed out")
2319 if "CTRL-EVENT-DISCONNECTED" not in ev:
2320 raise Exception("Disconnection not reported")
2321
2322 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
2323 if ev is None:
2324 raise Exception("Network block disabling not reported")
2325
2326 def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
2327 """WPA2-Enterprise negative test - domain mismatch"""
2328 check_domain_match(dev[0])
2329 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2330 hostapd.add_ap(apdev[0], params)
2331 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2332 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2333 password="password", phase2="auth=MSCHAPV2",
2334 ca_cert="auth_serv/ca.pem",
2335 domain_match="w1.fi",
2336 wait_connect=False, scan_freq="2412")
2337
2338 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
2339 if ev is None:
2340 raise Exception("Association and EAP start timed out")
2341
2342 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
2343 if ev is None:
2344 raise Exception("EAP method selection timed out")
2345 if "TTLS" not in ev:
2346 raise Exception("Unexpected EAP method")
2347
2348 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2349 "CTRL-EVENT-EAP-SUCCESS",
2350 "CTRL-EVENT-EAP-FAILURE",
2351 "CTRL-EVENT-CONNECTED",
2352 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2353 if ev is None:
2354 raise Exception("EAP result timed out")
2355 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
2356 raise Exception("TLS certificate error not reported")
2357 if "Domain mismatch" not in ev:
2358 raise Exception("Domain mismatch not reported")
2359
2360 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2361 "CTRL-EVENT-EAP-FAILURE",
2362 "CTRL-EVENT-CONNECTED",
2363 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2364 if ev is None:
2365 raise Exception("EAP result(2) timed out")
2366 if "CTRL-EVENT-EAP-FAILURE" not in ev:
2367 raise Exception("EAP failure not reported")
2368
2369 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
2370 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2371 if ev is None:
2372 raise Exception("EAP result(3) timed out")
2373 if "CTRL-EVENT-DISCONNECTED" not in ev:
2374 raise Exception("Disconnection not reported")
2375
2376 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
2377 if ev is None:
2378 raise Exception("Network block disabling not reported")
2379
2380 def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
2381 """WPA2-Enterprise negative test - subject mismatch"""
2382 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2383 hostapd.add_ap(apdev[0], params)
2384 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2385 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2386 password="password", phase2="auth=MSCHAPV2",
2387 ca_cert="auth_serv/ca.pem",
2388 subject_match="/C=FI/O=w1.fi/CN=example.com",
2389 wait_connect=False, scan_freq="2412")
2390
2391 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
2392 if ev is None:
2393 raise Exception("Association and EAP start timed out")
2394
2395 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
2396 "EAP: Failed to initialize EAP method"], timeout=10)
2397 if ev is None:
2398 raise Exception("EAP method selection timed out")
2399 if "EAP: Failed to initialize EAP method" in ev:
2400 tls = dev[0].request("GET tls_library")
2401 if tls.startswith("OpenSSL"):
2402 raise Exception("Failed to select EAP method")
2403 logger.info("subject_match not supported - connection failed, so test succeeded")
2404 return
2405 if "TTLS" not in ev:
2406 raise Exception("Unexpected EAP method")
2407
2408 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2409 "CTRL-EVENT-EAP-SUCCESS",
2410 "CTRL-EVENT-EAP-FAILURE",
2411 "CTRL-EVENT-CONNECTED",
2412 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2413 if ev is None:
2414 raise Exception("EAP result timed out")
2415 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
2416 raise Exception("TLS certificate error not reported")
2417 if "Subject mismatch" not in ev:
2418 raise Exception("Subject mismatch not reported")
2419
2420 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2421 "CTRL-EVENT-EAP-FAILURE",
2422 "CTRL-EVENT-CONNECTED",
2423 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2424 if ev is None:
2425 raise Exception("EAP result(2) timed out")
2426 if "CTRL-EVENT-EAP-FAILURE" not in ev:
2427 raise Exception("EAP failure not reported")
2428
2429 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
2430 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2431 if ev is None:
2432 raise Exception("EAP result(3) timed out")
2433 if "CTRL-EVENT-DISCONNECTED" not in ev:
2434 raise Exception("Disconnection not reported")
2435
2436 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
2437 if ev is None:
2438 raise Exception("Network block disabling not reported")
2439
2440 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
2441 """WPA2-Enterprise negative test - altsubject mismatch"""
2442 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2443 hostapd.add_ap(apdev[0], params)
2444
2445 tests = [ "incorrect.example.com",
2446 "DNS:incorrect.example.com",
2447 "DNS:w1.fi",
2448 "DNS:erver.w1.fi" ]
2449 for match in tests:
2450 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
2451
2452 def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
2453 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2454 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2455 password="password", phase2="auth=MSCHAPV2",
2456 ca_cert="auth_serv/ca.pem",
2457 altsubject_match=match,
2458 wait_connect=False, scan_freq="2412")
2459
2460 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
2461 if ev is None:
2462 raise Exception("Association and EAP start timed out")
2463
2464 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
2465 "EAP: Failed to initialize EAP method"], timeout=10)
2466 if ev is None:
2467 raise Exception("EAP method selection timed out")
2468 if "EAP: Failed to initialize EAP method" in ev:
2469 tls = dev[0].request("GET tls_library")
2470 if tls.startswith("OpenSSL"):
2471 raise Exception("Failed to select EAP method")
2472 logger.info("altsubject_match not supported - connection failed, so test succeeded")
2473 return
2474 if "TTLS" not in ev:
2475 raise Exception("Unexpected EAP method")
2476
2477 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2478 "CTRL-EVENT-EAP-SUCCESS",
2479 "CTRL-EVENT-EAP-FAILURE",
2480 "CTRL-EVENT-CONNECTED",
2481 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2482 if ev is None:
2483 raise Exception("EAP result timed out")
2484 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
2485 raise Exception("TLS certificate error not reported")
2486 if "AltSubject mismatch" not in ev:
2487 raise Exception("altsubject mismatch not reported")
2488
2489 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2490 "CTRL-EVENT-EAP-FAILURE",
2491 "CTRL-EVENT-CONNECTED",
2492 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2493 if ev is None:
2494 raise Exception("EAP result(2) timed out")
2495 if "CTRL-EVENT-EAP-FAILURE" not in ev:
2496 raise Exception("EAP failure not reported")
2497
2498 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
2499 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2500 if ev is None:
2501 raise Exception("EAP result(3) timed out")
2502 if "CTRL-EVENT-DISCONNECTED" not in ev:
2503 raise Exception("Disconnection not reported")
2504
2505 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
2506 if ev is None:
2507 raise Exception("Network block disabling not reported")
2508
2509 dev[0].request("REMOVE_NETWORK all")
2510
2511 def test_ap_wpa2_eap_unauth_tls(dev, apdev):
2512 """WPA2-Enterprise connection using UNAUTH-TLS"""
2513 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2514 hapd = hostapd.add_ap(apdev[0], params)
2515 eap_connect(dev[0], hapd, "UNAUTH-TLS", "unauth-tls",
2516 ca_cert="auth_serv/ca.pem")
2517 eap_reauth(dev[0], "UNAUTH-TLS")
2518
2519 def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
2520 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
2521 check_cert_probe_support(dev[0])
2522 skip_with_fips(dev[0])
2523 srv_cert_hash = "53728dde442d4adc27cb10a847234a4315590f0b36786353023c3b0f2e9fdf49"
2524 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2525 hapd = hostapd.add_ap(apdev[0], params)
2526 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2527 identity="probe", ca_cert="probe://",
2528 wait_connect=False, scan_freq="2412")
2529 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
2530 if ev is None:
2531 raise Exception("Association and EAP start timed out")
2532 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
2533 if ev is None:
2534 raise Exception("No peer server certificate event seen")
2535 if "hash=" + srv_cert_hash not in ev:
2536 raise Exception("Expected server certificate hash not reported")
2537 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
2538 if ev is None:
2539 raise Exception("EAP result timed out")
2540 if "Server certificate chain probe" not in ev:
2541 raise Exception("Server certificate probe not reported")
2542 dev[0].wait_disconnected(timeout=10)
2543 dev[0].request("REMOVE_NETWORK all")
2544
2545 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2546 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2547 password="password", phase2="auth=MSCHAPV2",
2548 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
2549 wait_connect=False, scan_freq="2412")
2550 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
2551 if ev is None:
2552 raise Exception("Association and EAP start timed out")
2553 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
2554 if ev is None:
2555 raise Exception("EAP result timed out")
2556 if "Server certificate mismatch" not in ev:
2557 raise Exception("Server certificate mismatch not reported")
2558 dev[0].wait_disconnected(timeout=10)
2559 dev[0].request("REMOVE_NETWORK all")
2560
2561 eap_connect(dev[0], hapd, "TTLS", "DOMAIN\mschapv2 user",
2562 anonymous_identity="ttls", password="password",
2563 ca_cert="hash://server/sha256/" + srv_cert_hash,
2564 phase2="auth=MSCHAPV2")
2565
2566 def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
2567 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
2568 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2569 hostapd.add_ap(apdev[0], params)
2570 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2571 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2572 password="password", phase2="auth=MSCHAPV2",
2573 ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
2574 wait_connect=False, scan_freq="2412")
2575 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2576 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2577 password="password", phase2="auth=MSCHAPV2",
2578 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
2579 wait_connect=False, scan_freq="2412")
2580 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2581 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2582 password="password", phase2="auth=MSCHAPV2",
2583 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
2584 wait_connect=False, scan_freq="2412")
2585 for i in range(0, 3):
2586 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
2587 if ev is None:
2588 raise Exception("Association and EAP start timed out")
2589 ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
2590 if ev is None:
2591 raise Exception("Did not report EAP method initialization failure")
2592
2593 def test_ap_wpa2_eap_pwd(dev, apdev):
2594 """WPA2-Enterprise connection using EAP-pwd"""
2595 check_eap_capa(dev[0], "PWD")
2596 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2597 hapd = hostapd.add_ap(apdev[0], params)
2598 eap_connect(dev[0], hapd, "PWD", "pwd user", password="secret password")
2599 eap_reauth(dev[0], "PWD")
2600 dev[0].request("REMOVE_NETWORK all")
2601
2602 eap_connect(dev[1], hapd, "PWD",
2603 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2604 password="secret password",
2605 fragment_size="90")
2606
2607 logger.info("Negative test with incorrect password")
2608 eap_connect(dev[2], hapd, "PWD", "pwd user", password="secret-password",
2609 expect_failure=True, local_error_report=True)
2610
2611 eap_connect(dev[0], hapd, "PWD",
2612 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2613 password="secret password",
2614 fragment_size="31")
2615
2616 def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
2617 """WPA2-Enterprise connection using EAP-pwd and NTHash"""
2618 check_eap_capa(dev[0], "PWD")
2619 skip_with_fips(dev[0])
2620 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2621 hapd = hostapd.add_ap(apdev[0], params)
2622 eap_connect(dev[0], hapd, "PWD", "pwd-hash", password="secret password")
2623 eap_connect(dev[1], hapd, "PWD", "pwd-hash",
2624 password_hex="hash:e3718ece8ab74792cbbfffd316d2d19a")
2625 eap_connect(dev[2], hapd, "PWD", "pwd user",
2626 password_hex="hash:e3718ece8ab74792cbbfffd316d2d19a",
2627 expect_failure=True, local_error_report=True)
2628
2629 def test_ap_wpa2_eap_pwd_groups(dev, apdev):
2630 """WPA2-Enterprise connection using various EAP-pwd groups"""
2631 check_eap_capa(dev[0], "PWD")
2632 tls = dev[0].request("GET tls_library")
2633 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2634 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2635 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
2636 groups = [ 19, 20, 21, 25, 26 ]
2637 if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
2638 logger.info("Add Brainpool EC groups since OpenSSL is new enough")
2639 groups += [ 27, 28, 29, 30 ]
2640 for i in groups:
2641 logger.info("Group %d" % i)
2642 params['pwd_group'] = str(i)
2643 hapd = hostapd.add_ap(apdev[0], params)
2644 try:
2645 eap_connect(dev[0], hapd, "PWD", "pwd user",
2646 password="secret password")
2647 dev[0].request("REMOVE_NETWORK all")
2648 dev[0].wait_disconnected()
2649 dev[0].dump_monitor()
2650 except:
2651 if "BoringSSL" in tls and i in [ 25 ]:
2652 logger.info("Ignore connection failure with group %d with BoringSSL" % i)
2653 dev[0].request("DISCONNECT")
2654 time.sleep(0.1)
2655 dev[0].request("REMOVE_NETWORK all")
2656 dev[0].dump_monitor()
2657 continue
2658 raise
2659
2660 def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
2661 """WPA2-Enterprise connection using invalid EAP-pwd group"""
2662 check_eap_capa(dev[0], "PWD")
2663 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2664 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2665 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
2666 params['pwd_group'] = "0"
2667 hostapd.add_ap(apdev[0], params)
2668 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
2669 identity="pwd user", password="secret password",
2670 scan_freq="2412", wait_connect=False)
2671 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2672 if ev is None:
2673 raise Exception("Timeout on EAP failure report")
2674
2675 def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
2676 """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
2677 check_eap_capa(dev[0], "PWD")
2678 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2679 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2680 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2681 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
2682 "pwd_group": "19", "fragment_size": "40" }
2683 hapd = hostapd.add_ap(apdev[0], params)
2684 eap_connect(dev[0], hapd, "PWD", "pwd user", password="secret password")
2685
2686 def test_ap_wpa2_eap_gpsk(dev, apdev):
2687 """WPA2-Enterprise connection using EAP-GPSK"""
2688 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2689 hapd = hostapd.add_ap(apdev[0], params)
2690 id = eap_connect(dev[0], hapd, "GPSK", "gpsk user",
2691 password="abcdefghijklmnop0123456789abcdef")
2692 eap_reauth(dev[0], "GPSK")
2693
2694 logger.info("Test forced algorithm selection")
2695 for phase1 in [ "cipher=1", "cipher=2" ]:
2696 dev[0].set_network_quoted(id, "phase1", phase1)
2697 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2698 if ev is None:
2699 raise Exception("EAP success timed out")
2700 dev[0].wait_connected(timeout=10)
2701
2702 logger.info("Test failed algorithm negotiation")
2703 dev[0].set_network_quoted(id, "phase1", "cipher=9")
2704 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2705 if ev is None:
2706 raise Exception("EAP failure timed out")
2707
2708 logger.info("Negative test with incorrect password")
2709 dev[0].request("REMOVE_NETWORK all")
2710 eap_connect(dev[0], hapd, "GPSK", "gpsk user",
2711 password="ffcdefghijklmnop0123456789abcdef",
2712 expect_failure=True)
2713
2714 def test_ap_wpa2_eap_sake(dev, apdev):
2715 """WPA2-Enterprise connection using EAP-SAKE"""
2716 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2717 hapd = hostapd.add_ap(apdev[0], params)
2718 eap_connect(dev[0], hapd, "SAKE", "sake user",
2719 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
2720 eap_reauth(dev[0], "SAKE")
2721
2722 logger.info("Negative test with incorrect password")
2723 dev[0].request("REMOVE_NETWORK all")
2724 eap_connect(dev[0], hapd, "SAKE", "sake user",
2725 password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
2726 expect_failure=True)
2727
2728 def test_ap_wpa2_eap_eke(dev, apdev):
2729 """WPA2-Enterprise connection using EAP-EKE"""
2730 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2731 hapd = hostapd.add_ap(apdev[0], params)
2732 id = eap_connect(dev[0], hapd, "EKE", "eke user", password="hello")
2733 eap_reauth(dev[0], "EKE")
2734
2735 logger.info("Test forced algorithm selection")
2736 for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
2737 "dhgroup=4 encr=1 prf=2 mac=2",
2738 "dhgroup=3 encr=1 prf=2 mac=2",
2739 "dhgroup=3 encr=1 prf=1 mac=1" ]:
2740 dev[0].set_network_quoted(id, "phase1", phase1)
2741 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2742 if ev is None:
2743 raise Exception("EAP success timed out")
2744 dev[0].wait_connected(timeout=10)
2745
2746 logger.info("Test failed algorithm negotiation")
2747 dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
2748 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2749 if ev is None:
2750 raise Exception("EAP failure timed out")
2751
2752 logger.info("Negative test with incorrect password")
2753 dev[0].request("REMOVE_NETWORK all")
2754 eap_connect(dev[0], hapd, "EKE", "eke user", password="hello1",
2755 expect_failure=True)
2756
2757 def test_ap_wpa2_eap_eke_many(dev, apdev, params):
2758 """WPA2-Enterprise connection using EAP-EKE (many connections) [long]"""
2759 if not params['long']:
2760 raise HwsimSkip("Skip test case with long duration due to --long not specified")
2761 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2762 hostapd.add_ap(apdev[0], params)
2763 success = 0
2764 fail = 0
2765 for i in range(100):
2766 for j in range(3):
2767 dev[j].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="EKE",
2768 identity="eke user", password="hello",
2769 phase1="dhgroup=3 encr=1 prf=1 mac=1",
2770 scan_freq="2412", wait_connect=False)
2771 for j in range(3):
2772 ev = dev[j].wait_event(["CTRL-EVENT-CONNECTED",
2773 "CTRL-EVENT-DISCONNECTED"], timeout=15)
2774 if ev is None:
2775 raise Exception("No connected/disconnected event")
2776 if "CTRL-EVENT-DISCONNECTED" in ev:
2777 fail += 1
2778 # The RADIUS server limits on active sessions can be hit when
2779 # going through this test case, so try to give some more time
2780 # for the server to remove sessions.
2781 logger.info("Failed to connect i=%d j=%d" % (i, j))
2782 dev[j].request("REMOVE_NETWORK all")
2783 time.sleep(1)
2784 else:
2785 success += 1
2786 dev[j].request("REMOVE_NETWORK all")
2787 dev[j].wait_disconnected()
2788 dev[j].dump_monitor()
2789 logger.info("Total success=%d failure=%d" % (success, fail))
2790
2791 def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
2792 """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
2793 params = int_eap_server_params()
2794 params['server_id'] = 'example.server@w1.fi'
2795 hapd = hostapd.add_ap(apdev[0], params)
2796 eap_connect(dev[0], hapd, "EKE", "eke user", password="hello")
2797
2798 def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
2799 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
2800 params = int_eap_server_params()
2801 hapd = hostapd.add_ap(apdev[0], params)
2802 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
2803
2804 for count,func in [ (1, "eap_eke_build_commit"),
2805 (2, "eap_eke_build_commit"),
2806 (3, "eap_eke_build_commit"),
2807 (1, "eap_eke_build_confirm"),
2808 (2, "eap_eke_build_confirm"),
2809 (1, "eap_eke_process_commit"),
2810 (2, "eap_eke_process_commit"),
2811 (1, "eap_eke_process_confirm"),
2812 (1, "eap_eke_process_identity"),
2813 (2, "eap_eke_process_identity"),
2814 (3, "eap_eke_process_identity"),
2815 (4, "eap_eke_process_identity") ]:
2816 with alloc_fail(hapd, count, func):
2817 eap_connect(dev[0], hapd, "EKE", "eke user", password="hello",
2818 expect_failure=True)
2819 dev[0].request("REMOVE_NETWORK all")
2820
2821 for count,func,pw in [ (1, "eap_eke_init", "hello"),
2822 (1, "eap_eke_get_session_id", "hello"),
2823 (1, "eap_eke_getKey", "hello"),
2824 (1, "eap_eke_build_msg", "hello"),
2825 (1, "eap_eke_build_failure", "wrong"),
2826 (1, "eap_eke_build_identity", "hello"),
2827 (2, "eap_eke_build_identity", "hello") ]:
2828 with alloc_fail(hapd, count, func):
2829 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2830 eap="EKE", identity="eke user", password=pw,
2831 wait_connect=False, scan_freq="2412")
2832 # This would eventually time out, but we can stop after having
2833 # reached the allocation failure.
2834 for i in range(20):
2835 time.sleep(0.1)
2836 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2837 break
2838 dev[0].request("REMOVE_NETWORK all")
2839
2840 for count in range(1, 1000):
2841 try:
2842 with alloc_fail(hapd, count, "eap_server_sm_step"):
2843 dev[0].connect("test-wpa2-eap",
2844 key_mgmt="WPA-EAP WPA-EAP-SHA256",
2845 eap="EKE", identity="eke user", password=pw,
2846 wait_connect=False, scan_freq="2412")
2847 # This would eventually time out, but we can stop after having
2848 # reached the allocation failure.
2849 for i in range(10):
2850 time.sleep(0.1)
2851 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2852 break
2853 dev[0].request("REMOVE_NETWORK all")
2854 except Exception, e:
2855 if str(e) == "Allocation failure did not trigger":
2856 if count < 30:
2857 raise Exception("Too few allocation failures")
2858 logger.info("%d allocation failures tested" % (count - 1))
2859 break
2860 raise e
2861
2862 def test_ap_wpa2_eap_ikev2(dev, apdev):
2863 """WPA2-Enterprise connection using EAP-IKEv2"""
2864 check_eap_capa(dev[0], "IKEV2")
2865 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2866 hapd = hostapd.add_ap(apdev[0], params)
2867 eap_connect(dev[0], hapd, "IKEV2", "ikev2 user",
2868 password="ike password")
2869 eap_reauth(dev[0], "IKEV2")
2870 dev[0].request("REMOVE_NETWORK all")
2871 eap_connect(dev[0], hapd, "IKEV2", "ikev2 user",
2872 password="ike password", fragment_size="50")
2873
2874 logger.info("Negative test with incorrect password")
2875 dev[0].request("REMOVE_NETWORK all")
2876 eap_connect(dev[0], hapd, "IKEV2", "ikev2 user",
2877 password="ike-password", expect_failure=True)
2878 dev[0].request("REMOVE_NETWORK all")
2879
2880 eap_connect(dev[0], hapd, "IKEV2", "ikev2 user",
2881 password="ike password", fragment_size="0")
2882 dev[0].request("REMOVE_NETWORK all")
2883 dev[0].wait_disconnected()
2884
2885 def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
2886 """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
2887 check_eap_capa(dev[0], "IKEV2")
2888 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2889 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2890 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2891 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
2892 "fragment_size": "50" }
2893 hapd = hostapd.add_ap(apdev[0], params)
2894 eap_connect(dev[0], hapd, "IKEV2", "ikev2 user",
2895 password="ike password")
2896 eap_reauth(dev[0], "IKEV2")
2897
2898 def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
2899 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
2900 check_eap_capa(dev[0], "IKEV2")
2901 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2902 hostapd.add_ap(apdev[0], params)
2903
2904 tests = [ (1, "dh_init"),
2905 (2, "dh_init"),
2906 (1, "dh_derive_shared") ]
2907 for count, func in tests:
2908 with alloc_fail(dev[0], count, func):
2909 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2910 identity="ikev2 user", password="ike password",
2911 wait_connect=False, scan_freq="2412")
2912 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2913 if ev is None:
2914 raise Exception("EAP method not selected")
2915 for i in range(10):
2916 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2917 break
2918 time.sleep(0.02)
2919 dev[0].request("REMOVE_NETWORK all")
2920
2921 tls = dev[0].request("GET tls_library")
2922 if not tls.startswith("wolfSSL"):
2923 tests = [ (1, "os_get_random;dh_init") ]
2924 else:
2925 tests = [ (1, "crypto_dh_init;dh_init") ]
2926 for count, func in tests:
2927 with fail_test(dev[0], count, func):
2928 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2929 identity="ikev2 user", password="ike password",
2930 wait_connect=False, scan_freq="2412")
2931 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2932 if ev is None:
2933 raise Exception("EAP method not selected")
2934 for i in range(10):
2935 if "0:" in dev[0].request("GET_FAIL"):
2936 break
2937 time.sleep(0.02)
2938 dev[0].request("REMOVE_NETWORK all")
2939
2940 def test_ap_wpa2_eap_pax(dev, apdev):
2941 """WPA2-Enterprise connection using EAP-PAX"""
2942 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2943 hapd = hostapd.add_ap(apdev[0], params)
2944 eap_connect(dev[0], hapd, "PAX", "pax.user@example.com",
2945 password_hex="0123456789abcdef0123456789abcdef")
2946 eap_reauth(dev[0], "PAX")
2947
2948 logger.info("Negative test with incorrect password")
2949 dev[0].request("REMOVE_NETWORK all")
2950 eap_connect(dev[0], hapd, "PAX", "pax.user@example.com",
2951 password_hex="ff23456789abcdef0123456789abcdef",
2952 expect_failure=True)
2953
2954 def test_ap_wpa2_eap_psk(dev, apdev):
2955 """WPA2-Enterprise connection using EAP-PSK"""
2956 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2957 params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
2958 params["ieee80211w"] = "2"
2959 hapd = hostapd.add_ap(apdev[0], params)
2960 eap_connect(dev[0], hapd, "PSK", "psk.user@example.com",
2961 password_hex="0123456789abcdef0123456789abcdef", sha256=True)
2962 eap_reauth(dev[0], "PSK", sha256=True)
2963 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
2964 ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ])
2965
2966 bss = dev[0].get_bss(apdev[0]['bssid'])
2967 if 'flags' not in bss:
2968 raise Exception("Could not get BSS flags from BSS table")
2969 if "[WPA2-EAP-SHA256-CCMP]" not in bss['flags']:
2970 raise Exception("Unexpected BSS flags: " + bss['flags'])
2971
2972 logger.info("Negative test with incorrect password")
2973 dev[0].request("REMOVE_NETWORK all")
2974 eap_connect(dev[0], hapd, "PSK", "psk.user@example.com",
2975 password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
2976 expect_failure=True)
2977
2978 def test_ap_wpa2_eap_psk_oom(dev, apdev):
2979 """WPA2-Enterprise connection using EAP-PSK and OOM"""
2980 skip_with_fips(dev[0])
2981 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2982 hostapd.add_ap(apdev[0], params)
2983 tests = [ (1, "=aes_128_eax_encrypt"),
2984 (1, "=aes_128_eax_decrypt") ]
2985 for count, func in tests:
2986 with alloc_fail(dev[0], count, func):
2987 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2988 identity="psk.user@example.com",
2989 password_hex="0123456789abcdef0123456789abcdef",
2990 wait_connect=False, scan_freq="2412")
2991 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2992 if ev is None:
2993 raise Exception("EAP method not selected")
2994 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL",
2995 note="Failure not triggered: %d:%s" % (count, func))
2996 dev[0].request("REMOVE_NETWORK all")
2997 dev[0].wait_disconnected()
2998
2999 tests = [ (1, "aes_ctr_encrypt;aes_128_eax_encrypt"),
3000 (1, "omac1_aes_128;aes_128_eax_encrypt"),
3001 (2, "omac1_aes_128;aes_128_eax_encrypt"),
3002 (3, "omac1_aes_128;aes_128_eax_encrypt"),
3003 (1, "omac1_aes_vector"),
3004 (1, "omac1_aes_128;aes_128_eax_decrypt"),
3005 (2, "omac1_aes_128;aes_128_eax_decrypt"),
3006 (3, "omac1_aes_128;aes_128_eax_decrypt"),
3007 (1, "aes_ctr_encrypt;aes_128_eax_decrypt") ]
3008 for count, func in tests:
3009 with fail_test(dev[0], count, func):
3010 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
3011 identity="psk.user@example.com",
3012 password_hex="0123456789abcdef0123456789abcdef",
3013 wait_connect=False, scan_freq="2412")
3014 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
3015 if ev is None:
3016 raise Exception("EAP method not selected")
3017 wait_fail_trigger(dev[0], "GET_FAIL",
3018 note="Failure not triggered: %d:%s" % (count, func))
3019 dev[0].request("REMOVE_NETWORK all")
3020 dev[0].wait_disconnected()
3021
3022 with fail_test(dev[0], 1, "aes_128_encrypt_block"):
3023 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
3024 identity="psk.user@example.com",
3025 password_hex="0123456789abcdef0123456789abcdef",
3026 wait_connect=False, scan_freq="2412")
3027 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
3028 if ev is None:
3029 raise Exception("EAP method failure not reported")
3030 dev[0].request("REMOVE_NETWORK all")
3031 dev[0].wait_disconnected()
3032
3033 def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
3034 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
3035 check_eap_capa(dev[0], "MSCHAPV2")
3036 params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
3037 hapd = hostapd.add_ap(apdev[0], params)
3038 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
3039 identity="user", password="password", phase2="auth=MSCHAPV2",
3040 ca_cert="auth_serv/ca.pem", wait_connect=False,
3041 scan_freq="2412")
3042 eap_check_auth(dev[0], "PEAP", True, rsn=False)
3043 hwsim_utils.test_connectivity(dev[0], hapd)
3044 eap_reauth(dev[0], "PEAP", rsn=False)
3045 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
3046 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
3047 status = dev[0].get_status(extra="VERBOSE")
3048 if 'portControl' not in status:
3049 raise Exception("portControl missing from STATUS-VERBOSE")
3050 if status['portControl'] != 'Auto':
3051 raise Exception("Unexpected portControl value: " + status['portControl'])
3052 if 'eap_session_id' not in status:
3053 raise Exception("eap_session_id missing from STATUS-VERBOSE")
3054 if not status['eap_session_id'].startswith("19"):
3055 raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
3056
3057 def test_ap_wpa2_eap_interactive(dev, apdev):
3058 """WPA2-Enterprise connection using interactive identity/password entry"""
3059 check_eap_capa(dev[0], "MSCHAPV2")
3060 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3061 hapd = hostapd.add_ap(apdev[0], params)
3062
3063 tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
3064 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
3065 None, "password"),
3066 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
3067 "TTLS", "ttls", None, "auth=MSCHAPV2",
3068 "DOMAIN\mschapv2 user", "password"),
3069 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
3070 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
3071 ("Connection with dynamic TTLS/EAP-MD5 password entry",
3072 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
3073 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
3074 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
3075 ("Connection with dynamic PEAP/EAP-GTC password entry",
3076 "PEAP", None, "user", "auth=GTC", None, "password") ]
3077 for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
3078 logger.info(desc)
3079 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
3080 anonymous_identity=anon, identity=identity,
3081 ca_cert="auth_serv/ca.pem", phase2=phase2,
3082 wait_connect=False, scan_freq="2412")
3083 if req_id:
3084 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
3085 if ev is None:
3086 raise Exception("Request for identity timed out")
3087 id = ev.split(':')[0].split('-')[-1]
3088 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
3089 ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
3090 if ev is None:
3091 raise Exception("Request for password timed out")
3092 id = ev.split(':')[0].split('-')[-1]
3093 type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
3094 dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
3095 dev[0].wait_connected(timeout=10)
3096 dev[0].request("REMOVE_NETWORK all")
3097
3098 def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
3099 """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
3100 check_eap_capa(dev[0], "MSCHAPV2")
3101 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3102 hapd = hostapd.add_ap(apdev[0], params)
3103
3104 id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
3105 only_add_network=True)
3106
3107 req_id = "DOMAIN\mschapv2 user"
3108 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3109 anonymous_identity="ttls", identity=None,
3110 password="password",
3111 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3112 wait_connect=False, scan_freq="2412")
3113 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
3114 if ev is None:
3115 raise Exception("Request for identity timed out")
3116 id = ev.split(':')[0].split('-')[-1]
3117 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
3118 dev[0].wait_connected(timeout=10)
3119
3120 if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
3121 raise Exception("Failed to enable network")
3122 ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
3123 if ev is not None:
3124 raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
3125 dev[0].request("REMOVE_NETWORK all")
3126
3127 def test_ap_wpa2_eap_vendor_test(dev, apdev):
3128 """WPA2-Enterprise connection using EAP vendor test"""
3129 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3130 hapd = hostapd.add_ap(apdev[0], params)
3131 eap_connect(dev[0], hapd, "VENDOR-TEST", "vendor-test")
3132 eap_reauth(dev[0], "VENDOR-TEST")
3133 eap_connect(dev[1], hapd, "VENDOR-TEST", "vendor-test",
3134 password="pending")
3135
3136 def test_ap_wpa2_eap_vendor_test_oom(dev, apdev):
3137 """WPA2-Enterprise connection using EAP vendor test (OOM)"""
3138 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3139 hostapd.add_ap(apdev[0], params)
3140
3141 tests = [ "eap_vendor_test_init",
3142 "eap_msg_alloc;eap_vendor_test_process",
3143 "eap_vendor_test_getKey" ]
3144 for func in tests:
3145 with alloc_fail(dev[0], 1, func):
3146 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
3147 scan_freq="2412",
3148 eap="VENDOR-TEST", identity="vendor-test",
3149 wait_connect=False)
3150 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
3151 dev[0].request("REMOVE_NETWORK all")
3152 dev[0].wait_disconnected()
3153
3154 def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
3155 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
3156 check_eap_capa(dev[0], "FAST")
3157 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3158 hapd = hostapd.add_ap(apdev[0], params)
3159 eap_connect(dev[0], hapd, "FAST", "user",
3160 anonymous_identity="FAST", password="password",
3161 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3162 phase1="fast_provisioning=1", pac_file="blob://fast_pac")
3163 hwsim_utils.test_connectivity(dev[0], hapd)
3164 res = eap_reauth(dev[0], "FAST")
3165 if res['tls_session_reused'] != '1':
3166 raise Exception("EAP-FAST could not use PAC session ticket")
3167
3168 def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
3169 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
3170 check_eap_capa(dev[0], "FAST")
3171 pac_file = os.path.join(params['logdir'], "fast.pac")
3172 pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
3173 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3174 hapd = hostapd.add_ap(apdev[0], params)
3175
3176 try:
3177 eap_connect(dev[0], hapd, "FAST", "user",
3178 anonymous_identity="FAST", password="password",
3179 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3180 phase1="fast_provisioning=1", pac_file=pac_file)
3181 with open(pac_file, "r") as f:
3182 data = f.read()
3183 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
3184 raise Exception("PAC file header missing")
3185 if "PAC-Key=" not in data:
3186 raise Exception("PAC-Key missing from PAC file")
3187 dev[0].request("REMOVE_NETWORK all")
3188 eap_connect(dev[0], hapd, "FAST", "user",
3189 anonymous_identity="FAST", password="password",
3190 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3191 pac_file=pac_file)
3192
3193 eap_connect(dev[1], hapd, "FAST", "user",
3194 anonymous_identity="FAST", password="password",
3195 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3196 phase1="fast_provisioning=1 fast_pac_format=binary",
3197 pac_file=pac_file2)
3198 dev[1].request("REMOVE_NETWORK all")
3199 eap_connect(dev[1], hapd, "FAST", "user",
3200 anonymous_identity="FAST", password="password",
3201 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3202 phase1="fast_pac_format=binary",
3203 pac_file=pac_file2)
3204 finally:
3205 try:
3206 os.remove(pac_file)
3207 except:
3208 pass
3209 try:
3210 os.remove(pac_file2)
3211 except:
3212 pass
3213
3214 def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
3215 """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
3216 check_eap_capa(dev[0], "FAST")
3217 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3218 hapd = hostapd.add_ap(apdev[0], params)
3219 eap_connect(dev[0], hapd, "FAST", "user",
3220 anonymous_identity="FAST", password="password",
3221 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3222 phase1="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
3223 pac_file="blob://fast_pac_bin")
3224 res = eap_reauth(dev[0], "FAST")
3225 if res['tls_session_reused'] != '1':
3226 raise Exception("EAP-FAST could not use PAC session ticket")
3227
3228 # Verify fast_max_pac_list_len=0 special case
3229 dev[0].request("REMOVE_NETWORK all")
3230 dev[0].wait_disconnected()
3231 eap_connect(dev[0], hapd, "FAST", "user",
3232 anonymous_identity="FAST", password="password",
3233 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3234 phase1="fast_provisioning=1 fast_max_pac_list_len=0 fast_pac_format=binary",
3235 pac_file="blob://fast_pac_bin")
3236
3237 def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
3238 """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
3239 check_eap_capa(dev[0], "FAST")
3240 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3241 hostapd.add_ap(apdev[0], params)
3242
3243 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3244 identity="user", anonymous_identity="FAST",
3245 password="password",
3246 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3247 pac_file="blob://fast_pac_not_in_use",
3248 wait_connect=False, scan_freq="2412")
3249 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3250 if ev is None:
3251 raise Exception("Timeout on EAP failure report")
3252 dev[0].request("REMOVE_NETWORK all")
3253
3254 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3255 identity="user", anonymous_identity="FAST",
3256 password="password",
3257 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3258 wait_connect=False, scan_freq="2412")
3259 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3260 if ev is None:
3261 raise Exception("Timeout on EAP failure report")
3262
3263 def test_ap_wpa2_eap_fast_binary_pac_errors(dev, apdev):
3264 """EAP-FAST and binary PAC errors"""
3265 check_eap_capa(dev[0], "FAST")
3266 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3267 hapd = hostapd.add_ap(apdev[0], params)
3268
3269 tests = [ (1, "=eap_fast_save_pac_bin"),
3270 (1, "eap_fast_write_pac"),
3271 (2, "eap_fast_write_pac"), ]
3272 for count, func in tests:
3273 if "OK" not in dev[0].request("SET blob fast_pac_bin_errors "):
3274 raise Exception("Could not set blob")
3275
3276 with alloc_fail(dev[0], count, func):
3277 eap_connect(dev[0], hapd, "FAST", "user",
3278 anonymous_identity="FAST", password="password",
3279 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3280 phase1="fast_provisioning=1 fast_pac_format=binary",
3281 pac_file="blob://fast_pac_bin_errors")
3282 dev[0].request("REMOVE_NETWORK all")
3283 dev[0].wait_disconnected()
3284
3285 tests = [ "00", "000000000000", "6ae4920c0001",
3286 "6ae4920c000000",
3287 "6ae4920c0000" + "0000" + 32*"00" + "ffff" + "0000",
3288 "6ae4920c0000" + "0000" + 32*"00" + "0001" + "0000",
3289 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0001",
3290 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0008" + "00040000" + "0007000100"]
3291 for t in tests:
3292 if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + t):
3293 raise Exception("Could not set blob")
3294
3295 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3296 identity="user", anonymous_identity="FAST",
3297 password="password",
3298 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3299 phase1="fast_provisioning=1 fast_pac_format=binary",
3300 pac_file="blob://fast_pac_bin_errors",
3301 scan_freq="2412", wait_connect=False)
3302 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
3303 timeout=5)
3304 if ev is None:
3305 raise Exception("Failure not reported")
3306 dev[0].request("REMOVE_NETWORK all")
3307 dev[0].wait_disconnected()
3308
3309 pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0000"
3310 tests = [ (1, "eap_fast_load_pac_bin"),
3311 (2, "eap_fast_load_pac_bin"),
3312 (3, "eap_fast_load_pac_bin") ]
3313 for count, func in tests:
3314 if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
3315 raise Exception("Could not set blob")
3316
3317 with alloc_fail(dev[0], count, func):
3318 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3319 identity="user", anonymous_identity="FAST",
3320 password="password",
3321 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3322 phase1="fast_provisioning=1 fast_pac_format=binary",
3323 pac_file="blob://fast_pac_bin_errors",
3324 scan_freq="2412", wait_connect=False)
3325 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
3326 timeout=5)
3327 if ev is None:
3328 raise Exception("Failure not reported")
3329 dev[0].request("REMOVE_NETWORK all")
3330 dev[0].wait_disconnected()
3331
3332 pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0005" + "0011223344"
3333 if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
3334 raise Exception("Could not set blob")
3335
3336 eap_connect(dev[0], hapd, "FAST", "user",
3337 anonymous_identity="FAST", password="password",
3338 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3339 phase1="fast_provisioning=1 fast_pac_format=binary",
3340 pac_file="blob://fast_pac_bin_errors")
3341 dev[0].request("REMOVE_NETWORK all")
3342 dev[0].wait_disconnected()
3343
3344 pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0009" + "00040000" + "0007000100"
3345 tests = [ (1, "eap_fast_pac_get_a_id"),
3346 (2, "eap_fast_pac_get_a_id") ]
3347 for count, func in tests:
3348 if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
3349 raise Exception("Could not set blob")
3350 with alloc_fail(dev[0], count, func):
3351 eap_connect(dev[0], hapd, "FAST", "user",
3352 anonymous_identity="FAST", password="password",
3353 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3354 phase1="fast_provisioning=1 fast_pac_format=binary",
3355 pac_file="blob://fast_pac_bin_errors")
3356 dev[0].request("REMOVE_NETWORK all")
3357 dev[0].wait_disconnected()
3358
3359 def test_ap_wpa2_eap_fast_text_pac_errors(dev, apdev):
3360 """EAP-FAST and text PAC errors"""
3361 check_eap_capa(dev[0], "FAST")
3362 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3363 hostapd.add_ap(apdev[0], params)
3364
3365 tests = [ (1, "eap_fast_parse_hex;eap_fast_parse_pac_key"),
3366 (1, "eap_fast_parse_hex;eap_fast_parse_pac_opaque"),
3367 (1, "eap_fast_parse_hex;eap_fast_parse_a_id"),
3368 (1, "eap_fast_parse_start"),
3369 (1, "eap_fast_save_pac") ]
3370 for count, func in tests:
3371 dev[0].request("FLUSH")
3372 if "OK" not in dev[0].request("SET blob fast_pac_text_errors "):
3373 raise Exception("Could not set blob")
3374
3375 with alloc_fail(dev[0], count, func):
3376 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3377 identity="user", anonymous_identity="FAST",
3378 password="password",
3379 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3380 phase1="fast_provisioning=1",
3381 pac_file="blob://fast_pac_text_errors",
3382 scan_freq="2412", wait_connect=False)
3383 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
3384 dev[0].request("REMOVE_NETWORK all")
3385 dev[0].wait_disconnected()
3386
3387 pac = "wpa_supplicant EAP-FAST PAC file - version 1\n"
3388 pac += "START\n"
3389 pac += "PAC-Type\n"
3390 pac += "END\n"
3391 if "OK" not in dev[0].request("SET blob fast_pac_text_errors " + pac.encode("hex")):
3392 raise Exception("Could not set blob")
3393
3394 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3395 identity="user", anonymous_identity="FAST",
3396 password="password",
3397 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3398 phase1="fast_provisioning=1",
3399 pac_file="blob://fast_pac_text_errors",
3400 scan_freq="2412", wait_connect=False)
3401 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=5)
3402 if ev is None:
3403 raise Exception("Failure not reported")
3404 dev[0].request("REMOVE_NETWORK all")
3405 dev[0].wait_disconnected()
3406
3407 dev[0].request("FLUSH")
3408 if "OK" not in dev[0].request("SET blob fast_pac_text_errors "):
3409 raise Exception("Could not set blob")
3410
3411 with alloc_fail(dev[0], 1, "eap_fast_add_pac_data"):
3412 for i in range(3):
3413 params = int_eap_server_params()
3414 params['ssid'] = "test-wpa2-eap-2"
3415 params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3416 params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3417 params['eap_fast_a_id_info'] = "test server %d" % i
3418
3419 hapd2 = hostapd.add_ap(apdev[1], params)
3420
3421 dev[0].connect("test-wpa2-eap-2", key_mgmt="WPA-EAP", eap="FAST",
3422 identity="user", anonymous_identity="FAST",
3423 password="password",
3424 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3425 phase1="fast_provisioning=1",
3426 pac_file="blob://fast_pac_text_errors",
3427 scan_freq="2412", wait_connect=False)
3428 dev[0].wait_connected()
3429 dev[0].request("REMOVE_NETWORK all")
3430 dev[0].wait_disconnected()
3431
3432 hapd2.disable()
3433
3434 def test_ap_wpa2_eap_fast_pac_truncate(dev, apdev):
3435 """EAP-FAST and PAC list truncation"""
3436 check_eap_capa(dev[0], "FAST")
3437 if "OK" not in dev[0].request("SET blob fast_pac_truncate "):
3438 raise Exception("Could not set blob")
3439 for i in range(5):
3440 params = int_eap_server_params()
3441 params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3442 params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3443 params['eap_fast_a_id_info'] = "test server %d" % i
3444 hapd = hostapd.add_ap(apdev[0], params)
3445
3446 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3447 identity="user", anonymous_identity="FAST",
3448 password="password",
3449 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3450 phase1="fast_provisioning=1 fast_max_pac_list_len=2",
3451 pac_file="blob://fast_pac_truncate",
3452 scan_freq="2412", wait_connect=False)
3453 dev[0].wait_connected()
3454 dev[0].request("REMOVE_NETWORK all")
3455 dev[0].wait_disconnected()
3456
3457 hapd.disable()
3458
3459 def test_ap_wpa2_eap_fast_pac_refresh(dev, apdev):
3460 """EAP-FAST and PAC refresh"""
3461 check_eap_capa(dev[0], "FAST")
3462 if "OK" not in dev[0].request("SET blob fast_pac_refresh "):
3463 raise Exception("Could not set blob")
3464 for i in range(2):
3465 params = int_eap_server_params()
3466 params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3467 params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3468 params['eap_fast_a_id_info'] = "test server %d" % i
3469 params['pac_key_refresh_time'] = "1"
3470 params['pac_key_lifetime'] = "10"
3471 hapd = hostapd.add_ap(apdev[0], params)
3472
3473 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3474 identity="user", anonymous_identity="FAST",
3475 password="password",
3476 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3477 phase1="fast_provisioning=1",
3478 pac_file="blob://fast_pac_refresh",
3479 scan_freq="2412", wait_connect=False)
3480 dev[0].wait_connected()
3481 dev[0].request("REMOVE_NETWORK all")
3482 dev[0].wait_disconnected()
3483
3484 hapd.disable()
3485
3486 for i in range(2):
3487 params = int_eap_server_params()
3488 params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3489 params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3490 params['eap_fast_a_id_info'] = "test server %d" % i
3491 params['pac_key_refresh_time'] = "10"
3492 params['pac_key_lifetime'] = "10"
3493 hapd = hostapd.add_ap(apdev[0], params)
3494
3495 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3496 identity="user", anonymous_identity="FAST",
3497 password="password",
3498 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3499 phase1="fast_provisioning=1",
3500 pac_file="blob://fast_pac_refresh",
3501 scan_freq="2412", wait_connect=False)
3502 dev[0].wait_connected()
3503 dev[0].request("REMOVE_NETWORK all")
3504 dev[0].wait_disconnected()
3505
3506 hapd.disable()
3507
3508 def test_ap_wpa2_eap_fast_pac_lifetime(dev, apdev):
3509 """EAP-FAST and PAC lifetime"""
3510 check_eap_capa(dev[0], "FAST")
3511 if "OK" not in dev[0].request("SET blob fast_pac_refresh "):
3512 raise Exception("Could not set blob")
3513
3514 i = 0
3515 params = int_eap_server_params()
3516 params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3517 params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3518 params['eap_fast_a_id_info'] = "test server %d" % i
3519 params['pac_key_refresh_time'] = "0"
3520 params['pac_key_lifetime'] = "2"
3521 hapd = hostapd.add_ap(apdev[0], params)
3522
3523 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3524 identity="user", anonymous_identity="FAST",
3525 password="password",
3526 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3527 phase1="fast_provisioning=2",
3528 pac_file="blob://fast_pac_refresh",
3529 scan_freq="2412", wait_connect=False)
3530 dev[0].wait_connected()
3531 dev[0].request("DISCONNECT")
3532 dev[0].wait_disconnected()
3533
3534 time.sleep(3)
3535 dev[0].request("PMKSA_FLUSH")
3536 dev[0].request("RECONNECT")
3537 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
3538 if ev is None:
3539 raise Exception("No EAP-Failure seen after expired PAC")
3540 dev[0].request("DISCONNECT")
3541 dev[0].wait_disconnected()
3542
3543 dev[0].select_network(id)
3544 dev[0].wait_connected()
3545 dev[0].request("REMOVE_NETWORK all")
3546 dev[0].wait_disconnected()
3547
3548 def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
3549 """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
3550 check_eap_capa(dev[0], "FAST")
3551 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3552 hapd = hostapd.add_ap(apdev[0], params)
3553 eap_connect(dev[0], hapd, "FAST", "user",
3554 anonymous_identity="FAST", password="password",
3555 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
3556 phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
3557 hwsim_utils.test_connectivity(dev[0], hapd)
3558 res = eap_reauth(dev[0], "FAST")
3559 if res['tls_session_reused'] != '1':
3560 raise Exception("EAP-FAST could not use PAC session ticket")
3561
3562 def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
3563 """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
3564 check_eap_capa(dev[0], "FAST")
3565 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3566 hapd = hostapd.add_ap(apdev[0], params)
3567 id = eap_connect(dev[0], hapd, "FAST", "user",
3568 anonymous_identity="FAST", password="password",
3569 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
3570 phase1="fast_provisioning=2",
3571 pac_file="blob://fast_pac_auth")
3572 dev[0].set_network_quoted(id, "identity", "user2")
3573 dev[0].wait_disconnected()
3574 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
3575 if ev is None:
3576 raise Exception("EAP-FAST not started")
3577 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
3578 if ev is None:
3579 raise Exception("EAP failure not reported")
3580 dev[0].wait_disconnected()
3581
3582 def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
3583 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
3584 check_eap_capa(dev[0], "FAST")
3585 tls = dev[0].request("GET tls_library")
3586 if tls.startswith("OpenSSL"):
3587 func = "tls_connection_get_eap_fast_key"
3588 count = 2
3589 elif tls.startswith("internal"):
3590 func = "tls_connection_prf"
3591 count = 1
3592 else:
3593 raise HwsimSkip("Unsupported TLS library")
3594 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3595 hapd = hostapd.add_ap(apdev[0], params)
3596 with alloc_fail(dev[0], count, func):
3597 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3598 identity="user", anonymous_identity="FAST",
3599 password="password", ca_cert="auth_serv/ca.pem",
3600 phase2="auth=GTC",
3601 phase1="fast_provisioning=2",
3602 pac_file="blob://fast_pac_auth",
3603 wait_connect=False, scan_freq="2412")
3604 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
3605 if ev is None:
3606 raise Exception("EAP failure not reported")
3607 dev[0].request("DISCONNECT")
3608
3609 def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
3610 """EAP-FAST/MSCHAPv2 and server OOM"""
3611 check_eap_capa(dev[0], "FAST")
3612
3613 params = int_eap_server_params()
3614 params['dh_file'] = 'auth_serv/dh.conf'
3615 params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
3616 params['eap_fast_a_id'] = '1011'
3617 params['eap_fast_a_id_info'] = 'another test server'
3618 hapd = hostapd.add_ap(apdev[0], params)
3619
3620 with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
3621 id = eap_connect(dev[0], hapd, "FAST", "user",
3622 anonymous_identity="FAST", password="password",
3623 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3624 phase1="fast_provisioning=1",
3625 pac_file="blob://fast_pac",
3626 expect_failure=True)
3627 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
3628 if ev is None:
3629 raise Exception("No EAP failure reported")
3630 dev[0].wait_disconnected()
3631 dev[0].request("DISCONNECT")
3632
3633 dev[0].select_network(id, freq="2412")
3634
3635 def test_ap_wpa2_eap_fast_cipher_suites(dev, apdev):
3636 """EAP-FAST and different TLS cipher suites"""
3637 check_eap_capa(dev[0], "FAST")
3638 tls = dev[0].request("GET tls_library")
3639 if not tls.startswith("OpenSSL") and not tls.startswith("wolfSSL"):
3640 raise HwsimSkip("TLS library is not OpenSSL or wolfSSL: " + tls)
3641
3642 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3643 hapd = hostapd.add_ap(apdev[0], params)
3644
3645 dev[0].request("SET blob fast_pac_ciphers ")
3646 eap_connect(dev[0], hapd, "FAST", "user",
3647 anonymous_identity="FAST", password="password",
3648 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
3649 phase1="fast_provisioning=2",
3650 pac_file="blob://fast_pac_ciphers")
3651 res = dev[0].get_status_field('EAP TLS cipher')
3652 dev[0].request("REMOVE_NETWORK all")
3653 dev[0].wait_disconnected()
3654 if res != "DHE-RSA-AES256-SHA":
3655 raise Exception("Unexpected cipher suite for provisioning: " + res)
3656
3657 tests = [ "DHE-RSA-AES128-SHA",
3658 "RC4-SHA",
3659 "AES128-SHA",
3660 "AES256-SHA",
3661 "DHE-RSA-AES256-SHA" ]
3662 for cipher in tests:
3663 dev[0].dump_monitor()
3664 logger.info("Testing " + cipher)
3665 try:
3666 eap_connect(dev[0], hapd, "FAST", "user",
3667 openssl_ciphers=cipher,
3668 anonymous_identity="FAST", password="password",
3669 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
3670 pac_file="blob://fast_pac_ciphers",
3671 report_failure=True)
3672 except Exception, e:
3673 if cipher == "RC4-SHA" and \
3674 ("Could not select EAP method" in str(e) or \
3675 "EAP failed" in str(e)):
3676 if "run=OpenSSL 1.1" in tls:
3677 logger.info("Allow failure due to missing TLS library support")
3678 dev[0].request("REMOVE_NETWORK all")
3679 dev[0].wait_disconnected()
3680 continue
3681 raise
3682 res = dev[0].get_status_field('EAP TLS cipher')
3683 dev[0].request("REMOVE_NETWORK all")
3684 dev[0].wait_disconnected()
3685 if res != cipher:
3686 raise Exception("Unexpected TLS cipher info (configured %s): %s" % (cipher, res))
3687
3688 def test_ap_wpa2_eap_fast_prov(dev, apdev):
3689 """EAP-FAST and provisioning options"""
3690 check_eap_capa(dev[0], "FAST")
3691 if "OK" not in dev[0].request("SET blob fast_pac_prov "):
3692 raise Exception("Could not set blob")
3693
3694 i = 100
3695 params = int_eap_server_params()
3696 params['disable_pmksa_caching'] = '1'
3697 params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3698 params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3699 params['eap_fast_a_id_info'] = "test server %d" % i
3700 params['eap_fast_prov'] = "0"
3701 hapd = hostapd.add_ap(apdev[0], params)
3702
3703 logger.info("Provisioning attempt while server has provisioning disabled")
3704 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3705 identity="user", anonymous_identity="FAST",
3706 password="password",
3707 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3708 phase1="fast_provisioning=2",
3709 pac_file="blob://fast_pac_prov",
3710 scan_freq="2412", wait_connect=False)
3711 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3712 timeout=15)
3713 if ev is None:
3714 raise Exception("EAP result not reported")
3715 if "parameter='failure'" not in ev:
3716 raise Exception("Unexpected EAP result: " + ev)
3717 dev[0].wait_disconnected()
3718 dev[0].request("DISCONNECT")
3719 dev[0].dump_monitor()
3720
3721 hapd.disable()
3722 logger.info("Authenticated provisioning")
3723 hapd.set("eap_fast_prov", "2")
3724 hapd.enable()
3725
3726 dev[0].select_network(id, freq="2412")
3727 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3728 timeout=15)
3729 if ev is None:
3730 raise Exception("EAP result not reported")
3731 if "parameter='success'" not in ev:
3732 raise Exception("Unexpected EAP result: " + ev)
3733 dev[0].wait_connected()
3734 dev[0].request("DISCONNECT")
3735 dev[0].wait_disconnected()
3736 dev[0].dump_monitor()
3737
3738 hapd.disable()
3739 logger.info("Provisioning disabled - using previously provisioned PAC")
3740 hapd.set("eap_fast_prov", "0")
3741 hapd.enable()
3742
3743 dev[0].select_network(id, freq="2412")
3744 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3745 timeout=15)
3746 if ev is None:
3747 raise Exception("EAP result not reported")
3748 if "parameter='success'" not in ev:
3749 raise Exception("Unexpected EAP result: " + ev)
3750 dev[0].wait_connected()
3751 dev[0].request("DISCONNECT")
3752 dev[0].wait_disconnected()
3753 dev[0].dump_monitor()
3754
3755 logger.info("Drop PAC and verify connection failure")
3756 if "OK" not in dev[0].request("SET blob fast_pac_prov "):
3757 raise Exception("Could not set blob")
3758
3759 dev[0].select_network(id, freq="2412")
3760 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3761 timeout=15)
3762 if ev is None:
3763 raise Exception("EAP result not reported")
3764 if "parameter='failure'" not in ev:
3765 raise Exception("Unexpected EAP result: " + ev)
3766 dev[0].wait_disconnected()
3767 dev[0].request("DISCONNECT")
3768 dev[0].dump_monitor()
3769
3770 hapd.disable()
3771 logger.info("Anonymous provisioning")
3772 hapd.set("eap_fast_prov", "1")
3773 hapd.enable()
3774 dev[0].set_network_quoted(id, "phase1", "fast_provisioning=1")
3775 dev[0].select_network(id, freq="2412")
3776 # Anonymous provisioning results in EAP-Failure first
3777 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3778 timeout=15)
3779 if ev is None:
3780 raise Exception("EAP result not reported")
3781 if "parameter='failure'" not in ev:
3782 raise Exception("Unexpected EAP result: " + ev)
3783 dev[0].wait_disconnected()
3784 # And then the actual data connection
3785 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3786 timeout=15)
3787 if ev is None:
3788 raise Exception("EAP result not reported")
3789 if "parameter='success'" not in ev:
3790 raise Exception("Unexpected EAP result: " + ev)
3791 dev[0].wait_connected()
3792 dev[0].request("DISCONNECT")
3793 dev[0].wait_disconnected()
3794 dev[0].dump_monitor()
3795
3796 hapd.disable()
3797 logger.info("Provisioning disabled - using previously provisioned PAC")
3798 hapd.set("eap_fast_prov", "0")
3799 hapd.enable()
3800
3801 dev[0].select_network(id, freq="2412")
3802 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3803 timeout=15)
3804 if ev is None:
3805 raise Exception("EAP result not reported")
3806 if "parameter='success'" not in ev:
3807 raise Exception("Unexpected EAP result: " + ev)
3808 dev[0].wait_connected()
3809 dev[0].request("DISCONNECT")
3810 dev[0].wait_disconnected()
3811 dev[0].dump_monitor()
3812
3813 def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
3814 """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
3815 check_ocsp_support(dev[0])
3816 check_pkcs12_support(dev[0])
3817 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3818 hapd = hostapd.add_ap(apdev[0], params)
3819 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3820 private_key="auth_serv/user.pkcs12",
3821 private_key_passwd="whatever", ocsp=2)
3822
3823 def test_ap_wpa2_eap_tls_ocsp_multi(dev, apdev):
3824 """WPA2-Enterprise connection using EAP-TLS and verifying OCSP-multi"""
3825 check_ocsp_multi_support(dev[0])
3826 check_pkcs12_support(dev[0])
3827
3828 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3829 hapd = hostapd.add_ap(apdev[0], params)
3830 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3831 private_key="auth_serv/user.pkcs12",
3832 private_key_passwd="whatever", ocsp=2)
3833
3834 def int_eap_server_params():
3835 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
3836 "rsn_pairwise": "CCMP", "ieee8021x": "1",
3837 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
3838 "ca_cert": "auth_serv/ca.pem",
3839 "server_cert": "auth_serv/server.pem",
3840 "private_key": "auth_serv/server.key",
3841 "dh_file": "auth_serv/dh.conf" }
3842 return params
3843
3844 def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
3845 """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
3846 check_ocsp_support(dev[0])
3847 check_pkcs12_support(dev[0])
3848 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-key-id.der")
3849 if not os.path.exists(ocsp):
3850 raise HwsimSkip("No OCSP response available")
3851 params = int_eap_server_params()
3852 params["ocsp_stapling_response"] = ocsp
3853 hostapd.add_ap(apdev[0], params)
3854 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3855 identity="tls user", ca_cert="auth_serv/ca.pem",
3856 private_key="auth_serv/user.pkcs12",
3857 private_key_passwd="whatever", ocsp=2,
3858 scan_freq="2412")
3859
3860 def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
3861 """EAP-TLS and CA signed OCSP response (good)"""
3862 check_ocsp_support(dev[0])
3863 check_pkcs12_support(dev[0])
3864 ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
3865 if not os.path.exists(ocsp):
3866 raise HwsimSkip("No OCSP response available")
3867 params = int_eap_server_params()
3868 params["ocsp_stapling_response"] = ocsp
3869 hostapd.add_ap(apdev[0], params)
3870 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3871 identity="tls user", ca_cert="auth_serv/ca.pem",
3872 private_key="auth_serv/user.pkcs12",
3873 private_key_passwd="whatever", ocsp=2,
3874 scan_freq="2412")
3875
3876 def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
3877 """EAP-TLS and CA signed OCSP response (revoked)"""
3878 check_ocsp_support(dev[0])
3879 check_pkcs12_support(dev[0])
3880 ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
3881 if not os.path.exists(ocsp):
3882 raise HwsimSkip("No OCSP response available")
3883 params = int_eap_server_params()
3884 params["ocsp_stapling_response"] = ocsp
3885 hostapd.add_ap(apdev[0], params)
3886 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3887 identity="tls user", ca_cert="auth_serv/ca.pem",
3888 private_key="auth_serv/user.pkcs12",
3889 private_key_passwd="whatever", ocsp=2,
3890 wait_connect=False, scan_freq="2412")
3891 count = 0
3892 while True:
3893 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3894 if ev is None:
3895 raise Exception("Timeout on EAP status")
3896 if 'bad certificate status response' in ev:
3897 break
3898 if 'certificate revoked' in ev:
3899 break
3900 count = count + 1
3901 if count > 10:
3902 raise Exception("Unexpected number of EAP status messages")
3903
3904 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3905 if ev is None:
3906 raise Exception("Timeout on EAP failure report")
3907
3908 def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
3909 """EAP-TLS and CA signed OCSP response (unknown)"""
3910 check_ocsp_support(dev[0])
3911 check_pkcs12_support(dev[0])
3912 ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
3913 if not os.path.exists(ocsp):
3914 raise HwsimSkip("No OCSP response available")
3915 params = int_eap_server_params()
3916 params["ocsp_stapling_response"] = ocsp
3917 hostapd.add_ap(apdev[0], params)
3918 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3919 identity="tls user", ca_cert="auth_serv/ca.pem",
3920 private_key="auth_serv/user.pkcs12",
3921 private_key_passwd="whatever", ocsp=2,
3922 wait_connect=False, scan_freq="2412")
3923 count = 0
3924 while True:
3925 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3926 if ev is None:
3927 raise Exception("Timeout on EAP status")
3928 if 'bad certificate status response' in ev:
3929 break
3930 count = count + 1
3931 if count > 10:
3932 raise Exception("Unexpected number of EAP status messages")
3933
3934 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3935 if ev is None:
3936 raise Exception("Timeout on EAP failure report")
3937
3938 def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
3939 """EAP-TLS and server signed OCSP response"""
3940 check_ocsp_support(dev[0])
3941 check_pkcs12_support(dev[0])
3942 ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
3943 if not os.path.exists(ocsp):
3944 raise HwsimSkip("No OCSP response available")
3945 params = int_eap_server_params()
3946 params["ocsp_stapling_response"] = ocsp
3947 hostapd.add_ap(apdev[0], params)
3948 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3949 identity="tls user", ca_cert="auth_serv/ca.pem",
3950 private_key="auth_serv/user.pkcs12",
3951 private_key_passwd="whatever", ocsp=2,
3952 wait_connect=False, scan_freq="2412")
3953 count = 0
3954 while True:
3955 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3956 if ev is None:
3957 raise Exception("Timeout on EAP status")
3958 if 'bad certificate status response' in ev:
3959 break
3960 count = count + 1
3961 if count > 10:
3962 raise Exception("Unexpected number of EAP status messages")
3963
3964 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3965 if ev is None:
3966 raise Exception("Timeout on EAP failure report")
3967
3968 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
3969 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
3970 check_ocsp_support(dev[0])
3971 check_pkcs12_support(dev[0])
3972 params = int_eap_server_params()
3973 params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
3974 hostapd.add_ap(apdev[0], params)
3975 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3976 identity="tls user", ca_cert="auth_serv/ca.pem",
3977 private_key="auth_serv/user.pkcs12",
3978 private_key_passwd="whatever", ocsp=2,
3979 wait_connect=False, scan_freq="2412")
3980 count = 0
3981 while True:
3982 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3983 if ev is None:
3984 raise Exception("Timeout on EAP status")
3985 if 'bad certificate status response' in ev:
3986 break
3987 count = count + 1
3988 if count > 10:
3989 raise Exception("Unexpected number of EAP status messages")
3990
3991 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3992 if ev is None:
3993 raise Exception("Timeout on EAP failure report")
3994
3995 def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
3996 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
3997 check_ocsp_support(dev[0])
3998 check_pkcs12_support(dev[0])
3999 params = int_eap_server_params()
4000 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
4001 hostapd.add_ap(apdev[0], params)
4002 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4003 identity="tls user", ca_cert="auth_serv/ca.pem",
4004 private_key="auth_serv/user.pkcs12",
4005 private_key_passwd="whatever", ocsp=2,
4006 wait_connect=False, scan_freq="2412")
4007 count = 0
4008 while True:
4009 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4010 if ev is None:
4011 raise Exception("Timeout on EAP status")
4012 if 'bad certificate status response' in ev:
4013 break
4014 count = count + 1
4015 if count > 10:
4016 raise Exception("Unexpected number of EAP status messages")
4017
4018 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4019 if ev is None:
4020 raise Exception("Timeout on EAP failure report")
4021
4022 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
4023 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
4024 check_ocsp_support(dev[0])
4025 check_pkcs12_support(dev[0])
4026 params = int_eap_server_params()
4027 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
4028 hostapd.add_ap(apdev[0], params)
4029 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4030 identity="tls user", ca_cert="auth_serv/ca.pem",
4031 private_key="auth_serv/user.pkcs12",
4032 private_key_passwd="whatever", ocsp=2,
4033 wait_connect=False, scan_freq="2412")
4034 count = 0
4035 while True:
4036 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4037 if ev is None:
4038 raise Exception("Timeout on EAP status")
4039 if 'bad certificate status response' in ev:
4040 break
4041 count = count + 1
4042 if count > 10:
4043 raise Exception("Unexpected number of EAP status messages")
4044
4045 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4046 if ev is None:
4047 raise Exception("Timeout on EAP failure report")
4048
4049 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
4050 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
4051 check_ocsp_support(dev[0])
4052 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
4053 if not os.path.exists(ocsp):
4054 raise HwsimSkip("No OCSP response available")
4055 params = int_eap_server_params()
4056 params["ocsp_stapling_response"] = ocsp
4057 hostapd.add_ap(apdev[0], params)
4058 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4059 identity="pap user", ca_cert="auth_serv/ca.pem",
4060 anonymous_identity="ttls", password="password",
4061 phase2="auth=PAP", ocsp=2,
4062 wait_connect=False, scan_freq="2412")
4063 count = 0
4064 while True:
4065 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4066 if ev is None:
4067 raise Exception("Timeout on EAP status")
4068 if 'bad certificate status response' in ev:
4069 break
4070 if 'certificate revoked' in ev:
4071 break
4072 count = count + 1
4073 if count > 10:
4074 raise Exception("Unexpected number of EAP status messages")
4075
4076 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4077 if ev is None:
4078 raise Exception("Timeout on EAP failure report")
4079
4080 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
4081 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
4082 check_ocsp_support(dev[0])
4083 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
4084 if not os.path.exists(ocsp):
4085 raise HwsimSkip("No OCSP response available")
4086 params = int_eap_server_params()
4087 params["ocsp_stapling_response"] = ocsp
4088 hostapd.add_ap(apdev[0], params)
4089 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4090 identity="pap user", ca_cert="auth_serv/ca.pem",
4091 anonymous_identity="ttls", password="password",
4092 phase2="auth=PAP", ocsp=2,
4093 wait_connect=False, scan_freq="2412")
4094 count = 0
4095 while True:
4096 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4097 if ev is None:
4098 raise Exception("Timeout on EAP status")
4099 if 'bad certificate status response' in ev:
4100 break
4101 count = count + 1
4102 if count > 10:
4103 raise Exception("Unexpected number of EAP status messages")
4104
4105 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4106 if ev is None:
4107 raise Exception("Timeout on EAP failure report")
4108
4109 def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
4110 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
4111 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
4112 if not os.path.exists(ocsp):
4113 raise HwsimSkip("No OCSP response available")
4114 params = int_eap_server_params()
4115 params["ocsp_stapling_response"] = ocsp
4116 hostapd.add_ap(apdev[0], params)
4117 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4118 identity="pap user", ca_cert="auth_serv/ca.pem",
4119 anonymous_identity="ttls", password="password",
4120 phase2="auth=PAP", ocsp=1, scan_freq="2412")
4121
4122 def test_ap_wpa2_eap_tls_intermediate_ca(dev, apdev, params):
4123 """EAP-TLS with intermediate server/user CA"""
4124 params = int_eap_server_params()
4125 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4126 params["server_cert"] = "auth_serv/iCA-server/server.pem"
4127 params["private_key"] = "auth_serv/iCA-server/server.key"
4128 hostapd.add_ap(apdev[0], params)
4129 tls = dev[0].request("GET tls_library")
4130 if "GnuTLS" in tls:
4131 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
4132 client_cert = "auth_serv/iCA-user/user_and_ica.pem"
4133 else:
4134 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
4135 client_cert = "auth_serv/iCA-user/user.pem"
4136 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4137 identity="tls user",
4138 ca_cert=ca_cert,
4139 client_cert=client_cert,
4140 private_key="auth_serv/iCA-user/user.key",
4141 scan_freq="2412")
4142
4143 def root_ocsp(cert):
4144 ca = "auth_serv/ca.pem"
4145
4146 fd2, fn2 = tempfile.mkstemp()
4147 os.close(fd2)
4148
4149 arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-sha256",
4150 "-cert", cert, "-no_nonce", "-text" ]
4151 logger.info(' '.join(arg))
4152 cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
4153 stderr=subprocess.PIPE)
4154 res = cmd.stdout.read() + "\n" + cmd.stderr.read()
4155 cmd.stdout.close()
4156 cmd.stderr.close()
4157 cmd.wait()
4158 if cmd.returncode != 0:
4159 raise Exception("bad return code from openssl ocsp\n\n" + res)
4160 logger.info("OCSP request:\n" + res)
4161
4162 fd, fn = tempfile.mkstemp()
4163 os.close(fd)
4164 arg = [ "openssl", "ocsp", "-index", "auth_serv/rootCA/index.txt",
4165 "-rsigner", ca, "-rkey", "auth_serv/ca-key.pem",
4166 "-CA", ca, "-issuer", ca, "-verify_other", ca, "-trust_other",
4167 "-ndays", "7", "-reqin", fn2, "-resp_no_certs", "-respout", fn,
4168 "-text" ]
4169 cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
4170 stderr=subprocess.PIPE)
4171 res = cmd.stdout.read() + "\n" + cmd.stderr.read()
4172 cmd.stdout.close()
4173 cmd.stderr.close()
4174 cmd.wait()
4175 if cmd.returncode != 0:
4176 raise Exception("bad return code from openssl ocsp\n\n" + res)
4177 logger.info("OCSP response:\n" + res)
4178 os.unlink(fn2)
4179 return fn
4180
4181 def ica_ocsp(cert, md="-sha256"):
4182 prefix = "auth_serv/iCA-server/"
4183 ca = prefix + "cacert.pem"
4184 cert = prefix + cert
4185
4186 fd2, fn2 = tempfile.mkstemp()
4187 os.close(fd2)
4188
4189 arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, md,
4190 "-cert", cert, "-no_nonce", "-text" ]
4191 cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
4192 stderr=subprocess.PIPE)
4193 res = cmd.stdout.read() + "\n" + cmd.stderr.read()
4194 cmd.stdout.close()
4195 cmd.stderr.close()
4196 cmd.wait()
4197 if cmd.returncode != 0:
4198 raise Exception("bad return code from openssl ocsp\n\n" + res)
4199 logger.info("OCSP request:\n" + res)
4200
4201 fd, fn = tempfile.mkstemp()
4202 os.close(fd)
4203 arg = [ "openssl", "ocsp", "-index", prefix + "index.txt",
4204 "-rsigner", ca, "-rkey", prefix + "private/cakey.pem",
4205 "-CA", ca, "-issuer", ca, "-verify_other", ca, "-trust_other",
4206 "-ndays", "7", "-reqin", fn2, "-resp_no_certs", "-respout", fn,
4207 "-text" ]
4208 cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
4209 stderr=subprocess.PIPE)
4210 res = cmd.stdout.read() + "\n" + cmd.stderr.read()
4211 cmd.stdout.close()
4212 cmd.stderr.close()
4213 cmd.wait()
4214 if cmd.returncode != 0:
4215 raise Exception("bad return code from openssl ocsp\n\n" + res)
4216 logger.info("OCSP response:\n" + res)
4217 os.unlink(fn2)
4218 return fn
4219
4220 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params):
4221 """EAP-TLS with intermediate server/user CA and OCSP on server certificate"""
4222 run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, "-sha256")
4223
4224 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_sha1(dev, apdev, params):
4225 """EAP-TLS with intermediate server/user CA and OCSP on server certificate )SHA1)"""
4226 run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, "-sha1")
4227
4228 def run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, md):
4229 params = int_eap_server_params()
4230 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4231 params["server_cert"] = "auth_serv/iCA-server/server.pem"
4232 params["private_key"] = "auth_serv/iCA-server/server.key"
4233 fn = ica_ocsp("server.pem", md)
4234 params["ocsp_stapling_response"] = fn
4235 try:
4236 hostapd.add_ap(apdev[0], params)
4237 tls = dev[0].request("GET tls_library")
4238 if "GnuTLS" in tls:
4239 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
4240 client_cert = "auth_serv/iCA-user/user_and_ica.pem"
4241 else:
4242 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
4243 client_cert = "auth_serv/iCA-user/user.pem"
4244 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4245 identity="tls user",
4246 ca_cert=ca_cert,
4247 client_cert=client_cert,
4248 private_key="auth_serv/iCA-user/user.key",
4249 scan_freq="2412", ocsp=2)
4250 finally:
4251 os.unlink(fn)
4252
4253 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params):
4254 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate"""
4255 run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params,
4256 "-sha256")
4257
4258 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked_sha1(dev, apdev, params):
4259 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate (SHA1)"""
4260 run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params,
4261 "-sha1")
4262
4263 def run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params, md):
4264 params = int_eap_server_params()
4265 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4266 params["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
4267 params["private_key"] = "auth_serv/iCA-server/server-revoked.key"
4268 fn = ica_ocsp("server-revoked.pem", md)
4269 params["ocsp_stapling_response"] = fn
4270 try:
4271 hostapd.add_ap(apdev[0], params)
4272 tls = dev[0].request("GET tls_library")
4273 if "GnuTLS" in tls:
4274 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
4275 client_cert = "auth_serv/iCA-user/user_and_ica.pem"
4276 else:
4277 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
4278 client_cert = "auth_serv/iCA-user/user.pem"
4279 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4280 identity="tls user",
4281 ca_cert=ca_cert,
4282 client_cert=client_cert,
4283 private_key="auth_serv/iCA-user/user.key",
4284 scan_freq="2412", ocsp=1, wait_connect=False)
4285 count = 0
4286 while True:
4287 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4288 "CTRL-EVENT-EAP-SUCCESS"])
4289 if ev is None:
4290 raise Exception("Timeout on EAP status")
4291 if "CTRL-EVENT-EAP-SUCCESS" in ev:
4292 raise Exception("Unexpected EAP-Success")
4293 if 'bad certificate status response' in ev:
4294 break
4295 if 'certificate revoked' in ev:
4296 break
4297 count = count + 1
4298 if count > 10:
4299 raise Exception("Unexpected number of EAP status messages")
4300
4301 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4302 if ev is None:
4303 raise Exception("Timeout on EAP failure report")
4304 dev[0].request("REMOVE_NETWORK all")
4305 dev[0].wait_disconnected()
4306 finally:
4307 os.unlink(fn)
4308
4309 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev, apdev, params):
4310 """EAP-TLS with intermediate server/user CA and OCSP multi missing response"""
4311 check_ocsp_support(dev[0])
4312 check_ocsp_multi_support(dev[0])
4313
4314 params = int_eap_server_params()
4315 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4316 params["server_cert"] = "auth_serv/iCA-server/server.pem"
4317 params["private_key"] = "auth_serv/iCA-server/server.key"
4318 fn = ica_ocsp("server.pem")
4319 params["ocsp_stapling_response"] = fn
4320 try:
4321 hostapd.add_ap(apdev[0], params)
4322 tls = dev[0].request("GET tls_library")
4323 if "GnuTLS" in tls:
4324 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
4325 client_cert = "auth_serv/iCA-user/user_and_ica.pem"
4326 else:
4327 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
4328 client_cert = "auth_serv/iCA-user/user.pem"
4329 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4330 identity="tls user",
4331 ca_cert=ca_cert,
4332 client_cert=client_cert,
4333 private_key="auth_serv/iCA-user/user.key",
4334 scan_freq="2412", ocsp=3, wait_connect=False)
4335 count = 0
4336 while True:
4337 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4338 "CTRL-EVENT-EAP-SUCCESS"])
4339 if ev is None:
4340 raise Exception("Timeout on EAP status")
4341 if "CTRL-EVENT-EAP-SUCCESS" in ev:
4342 raise Exception("Unexpected EAP-Success")
4343 if 'bad certificate status response' in ev:
4344 break
4345 if 'certificate revoked' in ev:
4346 break
4347 count = count + 1
4348 if count > 10:
4349 raise Exception("Unexpected number of EAP status messages")
4350
4351 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4352 if ev is None:
4353 raise Exception("Timeout on EAP failure report")
4354 dev[0].request("REMOVE_NETWORK all")
4355 dev[0].wait_disconnected()
4356 finally:
4357 os.unlink(fn)
4358
4359 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev, apdev, params):
4360 """EAP-TLS with intermediate server/user CA and OCSP multi OK"""
4361 check_ocsp_support(dev[0])
4362 check_ocsp_multi_support(dev[0])
4363
4364 params = int_eap_server_params()
4365 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4366 params["server_cert"] = "auth_serv/iCA-server/server.pem"
4367 params["private_key"] = "auth_serv/iCA-server/server.key"
4368 fn = ica_ocsp("server.pem")
4369 fn2 = root_ocsp("auth_serv/iCA-server/cacert.pem")
4370 params["ocsp_stapling_response"] = fn
4371
4372 with open(fn, "r") as f:
4373 resp_server = f.read()
4374 with open(fn2, "r") as f:
4375 resp_ica = f.read()
4376
4377 fd3, fn3 = tempfile.mkstemp()
4378 try:
4379 f = os.fdopen(fd3, 'w')
4380 f.write(struct.pack(">L", len(resp_server))[1:4])
4381 f.write(resp_server)
4382 f.write(struct.pack(">L", len(resp_ica))[1:4])
4383 f.write(resp_ica)
4384 f.close()
4385
4386 params["ocsp_stapling_response_multi"] = fn3
4387
4388 hostapd.add_ap(apdev[0], params)
4389 tls = dev[0].request("GET tls_library")
4390 if "GnuTLS" in tls:
4391 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
4392 client_cert = "auth_serv/iCA-user/user_and_ica.pem"
4393 else:
4394 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
4395 client_cert = "auth_serv/iCA-user/user.pem"
4396 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4397 identity="tls user",
4398 ca_cert=ca_cert,
4399 client_cert=client_cert,
4400 private_key="auth_serv/iCA-user/user.key",
4401 scan_freq="2412", ocsp=3)
4402 dev[0].request("REMOVE_NETWORK all")
4403 dev[0].wait_disconnected()
4404 finally:
4405 os.unlink(fn)
4406 os.unlink(fn2)
4407 os.unlink(fn3)
4408
4409 def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev, apdev, params):
4410 """EAP-TLS and CA signed OCSP multi response (revoked)"""
4411 check_ocsp_support(dev[0])
4412 check_ocsp_multi_support(dev[0])
4413 check_pkcs12_support(dev[0])
4414
4415 ocsp_revoked = os.path.join(params['logdir'],
4416 "ocsp-resp-ca-signed-revoked.der")
4417 if not os.path.exists(ocsp_revoked):
4418 raise HwsimSkip("No OCSP response (revoked) available")
4419 ocsp_unknown = os.path.join(params['logdir'],
4420 "ocsp-resp-ca-signed-unknown.der")
4421 if not os.path.exists(ocsp_unknown):
4422 raise HwsimSkip("No OCSP response(unknown) available")
4423
4424 with open(ocsp_revoked, "r") as f:
4425 resp_revoked = f.read()
4426 with open(ocsp_unknown, "r") as f:
4427 resp_unknown = f.read()
4428
4429 fd, fn = tempfile.mkstemp()
4430 try:
4431 # This is not really a valid order of the OCSPResponse items in the
4432 # list, but this works for now to verify parsing and processing of
4433 # multiple responses.
4434 f = os.fdopen(fd, 'w')
4435 f.write(struct.pack(">L", len(resp_unknown))[1:4])
4436 f.write(resp_unknown)
4437 f.write(struct.pack(">L", len(resp_revoked))[1:4])
4438 f.write(resp_revoked)
4439 f.write(struct.pack(">L", 0)[1:4])
4440 f.write(struct.pack(">L", len(resp_unknown))[1:4])
4441 f.write(resp_unknown)
4442 f.close()
4443
4444 params = int_eap_server_params()
4445 params["ocsp_stapling_response_multi"] = fn
4446 hostapd.add_ap(apdev[0], params)
4447 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4448 identity="tls user", ca_cert="auth_serv/ca.pem",
4449 private_key="auth_serv/user.pkcs12",
4450 private_key_passwd="whatever", ocsp=1,
4451 wait_connect=False, scan_freq="2412")
4452 count = 0
4453 while True:
4454 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4455 "CTRL-EVENT-EAP-SUCCESS"])
4456 if ev is None:
4457 raise Exception("Timeout on EAP status")
4458 if "CTRL-EVENT-EAP-SUCCESS" in ev:
4459 raise Exception("Unexpected EAP-Success")
4460 if 'bad certificate status response' in ev:
4461 break
4462 if 'certificate revoked' in ev:
4463 break
4464 count = count + 1
4465 if count > 10:
4466 raise Exception("Unexpected number of EAP status messages")
4467 finally:
4468 os.unlink(fn)
4469
4470 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
4471 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
4472 check_domain_match_full(dev[0])
4473 check_pkcs12_support(dev[0])
4474 params = int_eap_server_params()
4475 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4476 params["private_key"] = "auth_serv/server-no-dnsname.key"
4477 hostapd.add_ap(apdev[0], params)
4478 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4479 identity="tls user", ca_cert="auth_serv/ca.pem",
4480 private_key="auth_serv/user.pkcs12",
4481 private_key_passwd="whatever",
4482 domain_suffix_match="server3.w1.fi",
4483 scan_freq="2412")
4484
4485 def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
4486 """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
4487 check_domain_match(dev[0])
4488 check_pkcs12_support(dev[0])
4489 params = int_eap_server_params()
4490 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4491 params["private_key"] = "auth_serv/server-no-dnsname.key"
4492 hostapd.add_ap(apdev[0], params)
4493 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4494 identity="tls user", ca_cert="auth_serv/ca.pem",
4495 private_key="auth_serv/user.pkcs12",
4496 private_key_passwd="whatever",
4497 domain_match="server3.w1.fi",
4498 scan_freq="2412")
4499
4500 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
4501 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
4502 check_domain_match_full(dev[0])
4503 check_pkcs12_support(dev[0])
4504 params = int_eap_server_params()
4505 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4506 params["private_key"] = "auth_serv/server-no-dnsname.key"
4507 hostapd.add_ap(apdev[0], params)
4508 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4509 identity="tls user", ca_cert="auth_serv/ca.pem",
4510 private_key="auth_serv/user.pkcs12",
4511 private_key_passwd="whatever",
4512 domain_suffix_match="w1.fi",
4513 scan_freq="2412")
4514
4515 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
4516 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
4517 check_domain_suffix_match(dev[0])
4518 check_pkcs12_support(dev[0])
4519 params = int_eap_server_params()
4520 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4521 params["private_key"] = "auth_serv/server-no-dnsname.key"
4522 hostapd.add_ap(apdev[0], params)
4523 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4524 identity="tls user", ca_cert="auth_serv/ca.pem",
4525 private_key="auth_serv/user.pkcs12",
4526 private_key_passwd="whatever",
4527 domain_suffix_match="example.com",
4528 wait_connect=False,
4529 scan_freq="2412")
4530 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4531 identity="tls user", ca_cert="auth_serv/ca.pem",
4532 private_key="auth_serv/user.pkcs12",
4533 private_key_passwd="whatever",
4534 domain_suffix_match="erver3.w1.fi",
4535 wait_connect=False,
4536 scan_freq="2412")
4537 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4538 if ev is None:
4539 raise Exception("Timeout on EAP failure report")
4540 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4541 if ev is None:
4542 raise Exception("Timeout on EAP failure report (2)")
4543
4544 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
4545 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
4546 check_domain_match(dev[0])
4547 check_pkcs12_support(dev[0])
4548 params = int_eap_server_params()
4549 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4550 params["private_key"] = "auth_serv/server-no-dnsname.key"
4551 hostapd.add_ap(apdev[0], params)
4552 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4553 identity="tls user", ca_cert="auth_serv/ca.pem",
4554 private_key="auth_serv/user.pkcs12",
4555 private_key_passwd="whatever",
4556 domain_match="example.com",
4557 wait_connect=False,
4558 scan_freq="2412")
4559 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4560 identity="tls user", ca_cert="auth_serv/ca.pem",
4561 private_key="auth_serv/user.pkcs12",
4562 private_key_passwd="whatever",
4563 domain_match="w1.fi",
4564 wait_connect=False,
4565 scan_freq="2412")
4566 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4567 if ev is None:
4568 raise Exception("Timeout on EAP failure report")
4569 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4570 if ev is None:
4571 raise Exception("Timeout on EAP failure report (2)")
4572
4573 def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
4574 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
4575 skip_with_fips(dev[0])
4576 params = int_eap_server_params()
4577 params["server_cert"] = "auth_serv/server-expired.pem"
4578 params["private_key"] = "auth_serv/server-expired.key"
4579 hostapd.add_ap(apdev[0], params)
4580 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4581 identity="mschap user", password="password",
4582 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4583 wait_connect=False,
4584 scan_freq="2412")
4585 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
4586 if ev is None:
4587 raise Exception("Timeout on EAP certificate error report")
4588 if "reason=4" not in ev or "certificate has expired" not in ev:
4589 raise Exception("Unexpected failure reason: " + ev)
4590 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4591 if ev is None:
4592 raise Exception("Timeout on EAP failure report")
4593
4594 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
4595 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
4596 skip_with_fips(dev[0])
4597 params = int_eap_server_params()
4598 params["server_cert"] = "auth_serv/server-expired.pem"
4599 params["private_key"] = "auth_serv/server-expired.key"
4600 hostapd.add_ap(apdev[0], params)
4601 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4602 identity="mschap user", password="password",
4603 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4604 phase1="tls_disable_time_checks=1",
4605 scan_freq="2412")
4606
4607 def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
4608 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
4609 skip_with_fips(dev[0])
4610 params = int_eap_server_params()
4611 params["server_cert"] = "auth_serv/server-long-duration.pem"
4612 params["private_key"] = "auth_serv/server-long-duration.key"
4613 hostapd.add_ap(apdev[0], params)
4614 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4615 identity="mschap user", password="password",
4616 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4617 scan_freq="2412")
4618
4619 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
4620 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
4621 skip_with_fips(dev[0])
4622 params = int_eap_server_params()
4623 params["server_cert"] = "auth_serv/server-eku-client.pem"
4624 params["private_key"] = "auth_serv/server-eku-client.key"
4625 hostapd.add_ap(apdev[0], params)
4626 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4627 identity="mschap user", password="password",
4628 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4629 wait_connect=False,
4630 scan_freq="2412")
4631 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4632 if ev is None:
4633 raise Exception("Timeout on EAP failure report")
4634
4635 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
4636 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
4637 skip_with_fips(dev[0])
4638 params = int_eap_server_params()
4639 params["server_cert"] = "auth_serv/server-eku-client-server.pem"
4640 params["private_key"] = "auth_serv/server-eku-client-server.key"
4641 hostapd.add_ap(apdev[0], params)
4642 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4643 identity="mschap user", password="password",
4644 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4645 scan_freq="2412")
4646
4647 def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
4648 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
4649 skip_with_fips(dev[0])
4650 params = int_eap_server_params()
4651 del params["server_cert"]
4652 params["private_key"] = "auth_serv/server.pkcs12"
4653 hostapd.add_ap(apdev[0], params)
4654 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4655 identity="mschap user", password="password",
4656 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4657 scan_freq="2412")
4658
4659 def test_ap_wpa2_eap_ttls_server_pkcs12_extra(dev, apdev):
4660 """EAP-TTLS and server PKCS#12 file with extra certs"""
4661 skip_with_fips(dev[0])
4662 params = int_eap_server_params()
4663 del params["server_cert"]
4664 params["private_key"] = "auth_serv/server-extra.pkcs12"
4665 params["private_key_passwd"] = "whatever"
4666 hostapd.add_ap(apdev[0], params)
4667 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4668 identity="mschap user", password="password",
4669 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4670 scan_freq="2412")
4671
4672 def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
4673 """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params"""
4674 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4675 hapd = hostapd.add_ap(apdev[0], params)
4676 eap_connect(dev[0], hapd, "TTLS", "pap user",
4677 anonymous_identity="ttls", password="password",
4678 ca_cert="auth_serv/ca.der", phase2="auth=PAP",
4679 dh_file="auth_serv/dh.conf")
4680
4681 def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
4682 """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
4683 check_dh_dsa_support(dev[0])
4684 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4685 hapd = hostapd.add_ap(apdev[0], params)
4686 eap_connect(dev[0], hapd, "TTLS", "pap user",
4687 anonymous_identity="ttls", password="password",
4688 ca_cert="auth_serv/ca.der", phase2="auth=PAP",
4689 dh_file="auth_serv/dsaparam.pem")
4690
4691 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
4692 """EAP-TTLS and DH params file not found"""
4693 skip_with_fips(dev[0])
4694 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4695 hostapd.add_ap(apdev[0], params)
4696 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4697 identity="mschap user", password="password",
4698 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4699 dh_file="auth_serv/dh-no-such-file.conf",
4700 scan_freq="2412", wait_connect=False)
4701 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4702 if ev is None:
4703 raise Exception("EAP failure timed out")
4704 dev[0].request("REMOVE_NETWORK all")
4705 dev[0].wait_disconnected()
4706
4707 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
4708 """EAP-TTLS and invalid DH params file"""
4709 skip_with_fips(dev[0])
4710 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4711 hostapd.add_ap(apdev[0], params)
4712 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4713 identity="mschap user", password="password",
4714 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4715 dh_file="auth_serv/ca.pem",
4716 scan_freq="2412", wait_connect=False)
4717 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4718 if ev is None:
4719 raise Exception("EAP failure timed out")
4720 dev[0].request("REMOVE_NETWORK all")
4721 dev[0].wait_disconnected()
4722
4723 def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
4724 """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob"""
4725 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4726 hapd = hostapd.add_ap(apdev[0], params)
4727 dh = read_pem("auth_serv/dh2.conf")
4728 if "OK" not in dev[0].request("SET blob dhparams " + dh.encode("hex")):
4729 raise Exception("Could not set dhparams blob")
4730 eap_connect(dev[0], hapd, "TTLS", "pap user",
4731 anonymous_identity="ttls", password="password",
4732 ca_cert="auth_serv/ca.der", phase2="auth=PAP",
4733 dh_file="blob://dhparams")
4734
4735 def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
4736 """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
4737 params = int_eap_server_params()
4738 params["dh_file"] = "auth_serv/dh2.conf"
4739 hapd = hostapd.add_ap(apdev[0], params)
4740 eap_connect(dev[0], hapd, "TTLS", "pap user",
4741 anonymous_identity="ttls", password="password",
4742 ca_cert="auth_serv/ca.der", phase2="auth=PAP")
4743
4744 def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
4745 """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
4746 params = int_eap_server_params()
4747 params["dh_file"] = "auth_serv/dsaparam.pem"
4748 hapd = hostapd.add_ap(apdev[0], params)
4749 eap_connect(dev[0], hapd, "TTLS", "pap user",
4750 anonymous_identity="ttls", password="password",
4751 ca_cert="auth_serv/ca.der", phase2="auth=PAP")
4752
4753 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
4754 """EAP-TLS server and dhparams file not found"""
4755 params = int_eap_server_params()
4756 params["dh_file"] = "auth_serv/dh-no-such-file.conf"
4757 hapd = hostapd.add_ap(apdev[0], params, no_enable=True)
4758 if "FAIL" not in hapd.request("ENABLE"):
4759 raise Exception("Invalid configuration accepted")
4760
4761 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
4762 """EAP-TLS server and invalid dhparams file"""
4763 params = int_eap_server_params()
4764 params["dh_file"] = "auth_serv/ca.pem"
4765 hapd = hostapd.add_ap(apdev[0], params, no_enable=True)
4766 if "FAIL" not in hapd.request("ENABLE"):
4767 raise Exception("Invalid configuration accepted")
4768
4769 def test_ap_wpa2_eap_reauth(dev, apdev):
4770 """WPA2-Enterprise and Authenticator forcing reauthentication"""
4771 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4772 params['eap_reauth_period'] = '2'
4773 hapd = hostapd.add_ap(apdev[0], params)
4774 eap_connect(dev[0], hapd, "PAX", "pax.user@example.com",
4775 password_hex="0123456789abcdef0123456789abcdef")
4776 logger.info("Wait for reauthentication")
4777 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
4778 if ev is None:
4779 raise Exception("Timeout on reauthentication")
4780 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4781 if ev is None:
4782 raise Exception("Timeout on reauthentication")
4783 for i in range(0, 20):
4784 state = dev[0].get_status_field("wpa_state")
4785 if state == "COMPLETED":
4786 break
4787 time.sleep(0.1)
4788 if state != "COMPLETED":
4789 raise Exception("Reauthentication did not complete")
4790
4791 def test_ap_wpa2_eap_request_identity_message(dev, apdev):
4792 """Optional displayable message in EAP Request-Identity"""
4793 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4794 params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
4795 hapd = hostapd.add_ap(apdev[0], params)
4796 eap_connect(dev[0], hapd, "PAX", "pax.user@example.com",
4797 password_hex="0123456789abcdef0123456789abcdef")
4798
4799 def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
4800 """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
4801 check_hlr_auc_gw_support()
4802 params = int_eap_server_params()
4803 params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
4804 params['eap_sim_aka_result_ind'] = "1"
4805 hapd = hostapd.add_ap(apdev[0], params)
4806
4807 eap_connect(dev[0], hapd, "SIM", "1232010000000000",
4808 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4809 phase1="result_ind=1")
4810 eap_reauth(dev[0], "SIM")
4811 eap_connect(dev[1], hapd, "SIM", "1232010000000000",
4812 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
4813
4814 dev[0].request("REMOVE_NETWORK all")
4815 dev[1].request("REMOVE_NETWORK all")
4816
4817 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
4818 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
4819 phase1="result_ind=1")
4820 eap_reauth(dev[0], "AKA")
4821 eap_connect(dev[1], hapd, "AKA", "0232010000000000",
4822 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
4823
4824 dev[0].request("REMOVE_NETWORK all")
4825 dev[1].request("REMOVE_NETWORK all")
4826
4827 eap_connect(dev[0], hapd, "AKA'", "6555444333222111",
4828 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
4829 phase1="result_ind=1")
4830 eap_reauth(dev[0], "AKA'")
4831 eap_connect(dev[1], hapd, "AKA'", "6555444333222111",
4832 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
4833
4834 def test_ap_wpa2_eap_sim_zero_db_timeout(dev, apdev):
4835 """WPA2-Enterprise using EAP-SIM with zero database timeout"""
4836 check_hlr_auc_gw_support()
4837 params = int_eap_server_params()
4838 params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
4839 params['eap_sim_db_timeout'] = "0"
4840 params['disable_pmksa_caching'] = '1'
4841 hapd = hostapd.add_ap(apdev[0], params)
4842
4843 # Run multiple iterations to make it more likely to hit the case where the
4844 # DB request times out and response is lost.
4845 for i in range(20):
4846 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
4847 identity="1232010000000000",
4848 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4849 wait_connect=False, scan_freq="2412")
4850 ev = dev[0].wait_event([ "CTRL-EVENT-CONNECTED",
4851 "CTRL-EVENT-DISCONNECTED" ],
4852 timeout=15)
4853 if ev is None:
4854 raise Exception("No connection result")
4855 dev[0].request("REMOVE_NETWORK all")
4856 if "CTRL-EVENT-DISCONNECTED" in ev:
4857 break
4858 dev[0].wait_disconnected()
4859 hapd.ping()
4860
4861 def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
4862 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
4863 skip_with_fips(dev[0])
4864 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4865 hostapd.add_ap(apdev[0], params)
4866 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
4867 eap="TTLS", identity="mschap user",
4868 wait_connect=False, scan_freq="2412", ieee80211w="1",
4869 anonymous_identity="ttls", password="password",
4870 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4871 fragment_size="8")
4872 ev = dev[0].wait_event(["EAP: more than",
4873 "CTRL-EVENT-EAP-SUCCESS"], timeout=20)
4874 if ev is None or "EAP: more than" not in ev:
4875 raise Exception("EAP roundtrip limit not reached")
4876
4877 def test_ap_wpa2_eap_expanded_nak(dev, apdev):
4878 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
4879 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4880 hostapd.add_ap(apdev[0], params)
4881 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
4882 eap="PSK", identity="vendor-test",
4883 password_hex="ff23456789abcdef0123456789abcdef",
4884 wait_connect=False)
4885
4886 found = False
4887 for i in range(0, 5):
4888 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=16)
4889 if ev is None:
4890 raise Exception("Association and EAP start timed out")
4891 if "refuse proposed method" in ev:
4892 found = True
4893 break
4894 if not found:
4895 raise Exception("Unexpected EAP status: " + ev)
4896
4897 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4898 if ev is None:
4899 raise Exception("EAP failure timed out")
4900
4901 def test_ap_wpa2_eap_sql(dev, apdev, params):
4902 """WPA2-Enterprise connection using SQLite for user DB"""
4903 skip_with_fips(dev[0])
4904 try:
4905 import sqlite3
4906 except ImportError:
4907 raise HwsimSkip("No sqlite3 module available")
4908 dbfile = os.path.join(params['logdir'], "eap-user.db")
4909 try:
4910 os.remove(dbfile)
4911 except:
4912 pass
4913 con = sqlite3.connect(dbfile)
4914 with con:
4915 cur = con.cursor()
4916 cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
4917 cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
4918 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
4919 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
4920 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
4921 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
4922 cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
4923 cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
4924
4925 try:
4926 params = int_eap_server_params()
4927 params["eap_user_file"] = "sqlite:" + dbfile
4928 hapd = hostapd.add_ap(apdev[0], params)
4929 eap_connect(dev[0], hapd, "TTLS", "user-mschapv2",
4930 anonymous_identity="ttls", password="password",
4931 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
4932 dev[0].request("REMOVE_NETWORK all")
4933 eap_connect(dev[1], hapd, "TTLS", "user-mschap",
4934 anonymous_identity="ttls", password="password",
4935 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
4936 dev[1].request("REMOVE_NETWORK all")
4937 eap_connect(dev[0], hapd, "TTLS", "user-chap",
4938 anonymous_identity="ttls", password="password",
4939 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
4940 eap_connect(dev[1], hapd, "TTLS", "user-pap",
4941 anonymous_identity="ttls", password="password",
4942 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
4943 finally:
4944 os.remove(dbfile)
4945
4946 def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
4947 """WPA2-Enterprise connection attempt using non-ASCII identity"""
4948 params = int_eap_server_params()
4949 hostapd.add_ap(apdev[0], params)
4950 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4951 identity="\x80", password="password", wait_connect=False)
4952 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4953 identity="a\x80", password="password", wait_connect=False)
4954 for i in range(0, 2):
4955 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
4956 if ev is None:
4957 raise Exception("Association and EAP start timed out")
4958 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
4959 if ev is None:
4960 raise Exception("EAP method selection timed out")
4961
4962 def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
4963 """WPA2-Enterprise connection attempt using non-ASCII identity"""
4964 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4965 hostapd.add_ap(apdev[0], params)
4966 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4967 identity="\x80", password="password", wait_connect=False)
4968 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4969 identity="a\x80", password="password", wait_connect=False)
4970 for i in range(0, 2):
4971 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
4972 if ev is None:
4973 raise Exception("Association and EAP start timed out")
4974 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
4975 if ev is None:
4976 raise Exception("EAP method selection timed out")
4977
4978 def test_openssl_cipher_suite_config_wpas(dev, apdev):
4979 """OpenSSL cipher suite configuration on wpa_supplicant"""
4980 tls = dev[0].request("GET tls_library")
4981 if not tls.startswith("OpenSSL"):
4982 raise HwsimSkip("TLS library is not OpenSSL: " + tls)
4983 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4984 hapd = hostapd.add_ap(apdev[0], params)
4985 eap_connect(dev[0], hapd, "TTLS", "pap user",
4986 anonymous_identity="ttls", password="password",
4987 openssl_ciphers="AES128",
4988 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
4989 eap_connect(dev[1], hapd, "TTLS", "pap user",
4990 anonymous_identity="ttls", password="password",
4991 openssl_ciphers="EXPORT",
4992 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
4993 expect_failure=True, maybe_local_error=True)
4994 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4995 identity="pap user", anonymous_identity="ttls",
4996 password="password",
4997 openssl_ciphers="FOO",
4998 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
4999 wait_connect=False)
5000 ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
5001 if ev is None:
5002 raise Exception("EAP failure after invalid openssl_ciphers not reported")
5003 dev[2].request("DISCONNECT")
5004
5005 def test_openssl_cipher_suite_config_hapd(dev, apdev):
5006 """OpenSSL cipher suite configuration on hostapd"""
5007 tls = dev[0].request("GET tls_library")
5008 if not tls.startswith("OpenSSL"):
5009 raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls)
5010 params = int_eap_server_params()
5011 params['openssl_ciphers'] = "AES256"
5012 hapd = hostapd.add_ap(apdev[0], params)
5013 tls = hapd.request("GET tls_library")
5014 if not tls.startswith("OpenSSL"):
5015 raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)
5016 eap_connect(dev[0], hapd, "TTLS", "pap user",
5017 anonymous_identity="ttls", password="password",
5018 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
5019 eap_connect(dev[1], hapd, "TTLS", "pap user",
5020 anonymous_identity="ttls", password="password",
5021 openssl_ciphers="AES128",
5022 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
5023 expect_failure=True)
5024 eap_connect(dev[2], hapd, "TTLS", "pap user",
5025 anonymous_identity="ttls", password="password",
5026 openssl_ciphers="HIGH:!ADH",
5027 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
5028
5029 params['openssl_ciphers'] = "FOO"
5030 hapd2 = hostapd.add_ap(apdev[1], params, no_enable=True)
5031 if "FAIL" not in hapd2.request("ENABLE"):
5032 if "run=OpenSSL 1.1.1" in tls:
5033 logger.info("Ignore acceptance of an invalid openssl_ciphers value with OpenSSL 1.1.1")
5034 else:
5035 raise Exception("Invalid openssl_ciphers value accepted")
5036
5037 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
5038 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
5039 p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5040 hapd = hostapd.add_ap(apdev[0], p)
5041 password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
5042 pid = find_wpas_process(dev[0])
5043 id = eap_connect(dev[0], hapd, "TTLS", "pap-secret",
5044 anonymous_identity="ttls", password=password,
5045 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
5046 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
5047 # event has been delivered, so verify that wpa_supplicant has returned to
5048 # eloop before reading process memory.
5049 time.sleep(1)
5050 dev[0].ping()
5051 buf = read_process_memory(pid, password)
5052
5053 dev[0].request("DISCONNECT")
5054 dev[0].wait_disconnected()
5055
5056 dev[0].relog()
5057 msk = None
5058 emsk = None
5059 pmk = None
5060 ptk = None
5061 gtk = None
5062 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
5063 for l in f.readlines():
5064 if "EAP-TTLS: Derived key - hexdump" in l:
5065 val = l.strip().split(':')[3].replace(' ', '')
5066 msk = binascii.unhexlify(val)
5067 if "EAP-TTLS: Derived EMSK - hexdump" in l:
5068 val = l.strip().split(':')[3].replace(' ', '')
5069 emsk = binascii.unhexlify(val)
5070 if "WPA: PMK - hexdump" in l:
5071 val = l.strip().split(':')[3].replace(' ', '')
5072 pmk = binascii.unhexlify(val)
5073 if "WPA: PTK - hexdump" in l:
5074 val = l.strip().split(':')[3].replace(' ', '')
5075 ptk = binascii.unhexlify(val)
5076 if "WPA: Group Key - hexdump" in l:
5077 val = l.strip().split(':')[3].replace(' ', '')
5078 gtk = binascii.unhexlify(val)
5079 if not msk or not emsk or not pmk or not ptk or not gtk:
5080 raise Exception("Could not find keys from debug log")
5081 if len(gtk) != 16:
5082 raise Exception("Unexpected GTK length")
5083
5084 kck = ptk[0:16]
5085 kek = ptk[16:32]
5086 tk = ptk[32:48]
5087
5088 fname = os.path.join(params['logdir'],
5089 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
5090
5091 logger.info("Checking keys in memory while associated")
5092 get_key_locations(buf, password, "Password")
5093 get_key_locations(buf, pmk, "PMK")
5094 get_key_locations(buf, msk, "MSK")
5095 get_key_locations(buf, emsk, "EMSK")
5096 if password not in buf:
5097 raise HwsimSkip("Password not found while associated")
5098 if pmk not in buf:
5099 raise HwsimSkip("PMK not found while associated")
5100 if kck not in buf:
5101 raise Exception("KCK not found while associated")
5102 if kek not in buf:
5103 raise Exception("KEK not found while associated")
5104 #if tk in buf:
5105 # raise Exception("TK found from memory")
5106
5107 logger.info("Checking keys in memory after disassociation")
5108 buf = read_process_memory(pid, password)
5109
5110 # Note: Password is still present in network configuration
5111 # Note: PMK is in PMKSA cache and EAP fast re-auth data
5112
5113 get_key_locations(buf, password, "Password")
5114 get_key_locations(buf, pmk, "PMK")
5115 get_key_locations(buf, msk, "MSK")
5116 get_key_locations(buf, emsk, "EMSK")
5117 verify_not_present(buf, kck, fname, "KCK")
5118 verify_not_present(buf, kek, fname, "KEK")
5119 verify_not_present(buf, tk, fname, "TK")
5120 if gtk in buf:
5121 get_key_locations(buf, gtk, "GTK")
5122 verify_not_present(buf, gtk, fname, "GTK")
5123
5124 dev[0].request("PMKSA_FLUSH")
5125 dev[0].set_network_quoted(id, "identity", "foo")
5126 logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
5127 buf = read_process_memory(pid, password)
5128 get_key_locations(buf, password, "Password")
5129 get_key_locations(buf, pmk, "PMK")
5130 get_key_locations(buf, msk, "MSK")
5131 get_key_locations(buf, emsk, "EMSK")
5132 verify_not_present(buf, pmk, fname, "PMK")
5133
5134 dev[0].request("REMOVE_NETWORK all")
5135
5136 logger.info("Checking keys in memory after network profile removal")
5137 buf = read_process_memory(pid, password)
5138
5139 get_key_locations(buf, password, "Password")
5140 get_key_locations(buf, pmk, "PMK")
5141 get_key_locations(buf, msk, "MSK")
5142 get_key_locations(buf, emsk, "EMSK")
5143 verify_not_present(buf, password, fname, "password")
5144 verify_not_present(buf, pmk, fname, "PMK")
5145 verify_not_present(buf, kck, fname, "KCK")
5146 verify_not_present(buf, kek, fname, "KEK")
5147 verify_not_present(buf, tk, fname, "TK")
5148 verify_not_present(buf, gtk, fname, "GTK")
5149 verify_not_present(buf, msk, fname, "MSK")
5150 verify_not_present(buf, emsk, fname, "EMSK")
5151
5152 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
5153 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
5154 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5155 hapd = hostapd.add_ap(apdev[0], params)
5156 bssid = apdev[0]['bssid']
5157 eap_connect(dev[0], hapd, "TTLS", "pap user",
5158 anonymous_identity="ttls", password="password",
5159 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
5160
5161 # Send unexpected WEP EAPOL-Key; this gets dropped
5162 res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
5163 if "OK" not in res:
5164 raise Exception("EAPOL_RX to wpa_supplicant failed")
5165
5166 def test_ap_wpa2_eap_in_bridge(dev, apdev):
5167 """WPA2-EAP and wpas interface in a bridge"""
5168 br_ifname='sta-br0'
5169 ifname='wlan5'
5170 try:
5171 _test_ap_wpa2_eap_in_bridge(dev, apdev)
5172 finally:
5173 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
5174 subprocess.call(['brctl', 'delif', br_ifname, ifname])
5175 subprocess.call(['brctl', 'delbr', br_ifname])
5176 subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
5177
5178 def _test_ap_wpa2_eap_in_bridge(dev, apdev):
5179 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5180 hapd = hostapd.add_ap(apdev[0], params)
5181
5182 br_ifname='sta-br0'
5183 ifname='wlan5'
5184 wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
5185 subprocess.call(['brctl', 'addbr', br_ifname])
5186 subprocess.call(['brctl', 'setfd', br_ifname, '0'])
5187 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
5188 subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
5189 subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
5190 wpas.interface_add(ifname, br_ifname=br_ifname)
5191 wpas.dump_monitor()
5192
5193 id = eap_connect(wpas, hapd, "PAX", "pax.user@example.com",
5194 password_hex="0123456789abcdef0123456789abcdef")
5195 wpas.dump_monitor()
5196 eap_reauth(wpas, "PAX")
5197 wpas.dump_monitor()
5198 # Try again as a regression test for packet socket workaround
5199 eap_reauth(wpas, "PAX")
5200 wpas.dump_monitor()
5201 wpas.request("DISCONNECT")
5202 wpas.wait_disconnected()
5203 wpas.dump_monitor()
5204 wpas.request("RECONNECT")
5205 wpas.wait_connected()
5206 wpas.dump_monitor()
5207
5208 def test_ap_wpa2_eap_session_ticket(dev, apdev):
5209 """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
5210 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5211 hapd = hostapd.add_ap(apdev[0], params)
5212 key_mgmt = hapd.get_config()['key_mgmt']
5213 if key_mgmt.split(' ')[0] != "WPA-EAP":
5214 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
5215 eap_connect(dev[0], hapd, "TTLS", "pap user",
5216 anonymous_identity="ttls", password="password",
5217 ca_cert="auth_serv/ca.pem",
5218 phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
5219 eap_reauth(dev[0], "TTLS")
5220
5221 def test_ap_wpa2_eap_no_workaround(dev, apdev):
5222 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
5223 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5224 hapd = hostapd.add_ap(apdev[0], params)
5225 key_mgmt = hapd.get_config()['key_mgmt']
5226 if key_mgmt.split(' ')[0] != "WPA-EAP":
5227 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
5228 eap_connect(dev[0], hapd, "TTLS", "pap user",
5229 anonymous_identity="ttls", password="password",
5230 ca_cert="auth_serv/ca.pem", eap_workaround='0',
5231 phase2="auth=PAP")
5232 eap_reauth(dev[0], "TTLS")
5233
5234 def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
5235 """EAP-TLS and server checking CRL"""
5236 params = int_eap_server_params()
5237 params['check_crl'] = '1'
5238 hapd = hostapd.add_ap(apdev[0], params)
5239
5240 # check_crl=1 and no CRL available --> reject connection
5241 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
5242 client_cert="auth_serv/user.pem",
5243 private_key="auth_serv/user.key", expect_failure=True)
5244 dev[0].request("REMOVE_NETWORK all")
5245
5246 hapd.disable()
5247 hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
5248 hapd.enable()
5249
5250 # check_crl=1 and valid CRL --> accept
5251 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
5252 client_cert="auth_serv/user.pem",
5253 private_key="auth_serv/user.key")
5254 dev[0].request("REMOVE_NETWORK all")
5255
5256 hapd.disable()
5257 hapd.set("check_crl", "2")
5258 hapd.enable()
5259
5260 # check_crl=2 and valid CRL --> accept
5261 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
5262 client_cert="auth_serv/user.pem",
5263 private_key="auth_serv/user.key")
5264 dev[0].request("REMOVE_NETWORK all")
5265
5266 def test_ap_wpa2_eap_tls_oom(dev, apdev):
5267 """EAP-TLS and OOM"""
5268 check_subject_match_support(dev[0])
5269 check_altsubject_match_support(dev[0])
5270 check_domain_match(dev[0])
5271 check_domain_match_full(dev[0])
5272
5273 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5274 hostapd.add_ap(apdev[0], params)
5275
5276 tests = [ (1, "tls_connection_set_subject_match"),
5277 (2, "tls_connection_set_subject_match"),
5278 (3, "tls_connection_set_subject_match"),
5279 (4, "tls_connection_set_subject_match") ]
5280 for count, func in tests:
5281 with alloc_fail(dev[0], count, func):
5282 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5283 identity="tls user", ca_cert="auth_serv/ca.pem",
5284 client_cert="auth_serv/user.pem",
5285 private_key="auth_serv/user.key",
5286 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
5287 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
5288 domain_suffix_match="server.w1.fi",
5289 domain_match="server.w1.fi",
5290 wait_connect=False, scan_freq="2412")
5291 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
5292 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
5293 if ev is None:
5294 raise Exception("No passphrase request")
5295 dev[0].request("REMOVE_NETWORK all")
5296 dev[0].wait_disconnected()
5297
5298 def test_ap_wpa2_eap_tls_macacl(dev, apdev):
5299 """WPA2-Enterprise connection using MAC ACL"""
5300 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5301 params["macaddr_acl"] = "2"
5302 hapd = hostapd.add_ap(apdev[0], params)
5303 eap_connect(dev[1], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
5304 client_cert="auth_serv/user.pem",
5305 private_key="auth_serv/user.key")
5306
5307 def test_ap_wpa2_eap_oom(dev, apdev):
5308 """EAP server and OOM"""
5309 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5310 hapd = hostapd.add_ap(apdev[0], params)
5311 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
5312
5313 with alloc_fail(hapd, 1, "eapol_auth_alloc"):
5314 # The first attempt fails, but STA will send EAPOL-Start to retry and
5315 # that succeeds.
5316 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5317 identity="tls user", ca_cert="auth_serv/ca.pem",
5318 client_cert="auth_serv/user.pem",
5319 private_key="auth_serv/user.key",
5320 scan_freq="2412")
5321
5322 def check_tls_ver(dev, hapd, phase1, expected):
5323 eap_connect(dev, hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
5324 client_cert="auth_serv/user.pem",
5325 private_key="auth_serv/user.key",
5326 phase1=phase1)
5327 ver = dev.get_status_field("eap_tls_version")
5328 if ver != expected:
5329 raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
5330
5331 def test_ap_wpa2_eap_tls_versions(dev, apdev):
5332 """EAP-TLS and TLS version configuration"""
5333 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5334 hapd = hostapd.add_ap(apdev[0], params)
5335
5336 tls = dev[0].request("GET tls_library")
5337 if tls.startswith("OpenSSL"):
5338 if "build=OpenSSL 1.0.1" not in tls and "run=OpenSSL 1.0.1" not in tls:
5339 check_tls_ver(dev[0], hapd,
5340 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
5341 "TLSv1.2")
5342 if tls.startswith("wolfSSL"):
5343 if ("build=3.10.0" in tls and "run=3.10.0" in tls) or \
5344 ("build=3.13.0" in tls and "run=3.13.0" in tls):
5345 check_tls_ver(dev[0], hapd,
5346 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
5347 "TLSv1.2")
5348 elif tls.startswith("internal"):
5349 check_tls_ver(dev[0], hapd,
5350 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
5351 check_tls_ver(dev[1], hapd,
5352 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
5353 check_tls_ver(dev[2], hapd,
5354 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
5355
5356 def test_rsn_ie_proto_eap_sta(dev, apdev):
5357 """RSN element protocol testing for EAP cases on STA side"""
5358 bssid = apdev[0]['bssid']
5359 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5360 # This is the RSN element used normally by hostapd
5361 params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
5362 hapd = hostapd.add_ap(apdev[0], params)
5363 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
5364 identity="gpsk user",
5365 password="abcdefghijklmnop0123456789abcdef",
5366 scan_freq="2412")
5367
5368 tests = [ ('No RSN Capabilities field',
5369 '30120100000fac040100000fac040100000fac01'),
5370 ('No AKM Suite fields',
5371 '300c0100000fac040100000fac04'),
5372 ('No Pairwise Cipher Suite fields',
5373 '30060100000fac04'),
5374 ('No Group Data Cipher Suite field',
5375 '30020100') ]
5376 for txt,ie in tests:
5377 dev[0].request("DISCONNECT")
5378 dev[0].wait_disconnected()
5379 logger.info(txt)
5380 hapd.disable()
5381 hapd.set('own_ie_override', ie)
5382 hapd.enable()
5383 dev[0].request("BSS_FLUSH 0")
5384 dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
5385 dev[0].select_network(id, freq=2412)
5386 dev[0].wait_connected()
5387
5388 dev[0].request("DISCONNECT")
5389 dev[0].wait_disconnected()
5390 dev[0].flush_scan_cache()
5391
5392 def check_tls_session_resumption_capa(dev, hapd):
5393 tls = hapd.request("GET tls_library")
5394 if not tls.startswith("OpenSSL"):
5395 raise HwsimSkip("hostapd TLS library is not OpenSSL or wolfSSL: " + tls)
5396
5397 tls = dev.request("GET tls_library")
5398 if not tls.startswith("OpenSSL"):
5399 raise HwsimSkip("Session resumption not supported with this TLS library: " + tls)
5400
5401 def test_eap_ttls_pap_session_resumption(dev, apdev):
5402 """EAP-TTLS/PAP session resumption"""
5403 params = int_eap_server_params()
5404 params['tls_session_lifetime'] = '60'
5405 hapd = hostapd.add_ap(apdev[0], params)
5406 check_tls_session_resumption_capa(dev[0], hapd)
5407 eap_connect(dev[0], hapd, "TTLS", "pap user",
5408 anonymous_identity="ttls", password="password",
5409 ca_cert="auth_serv/ca.pem", eap_workaround='0',
5410 phase2="auth=PAP")
5411 if dev[0].get_status_field("tls_session_reused") != '0':
5412 raise Exception("Unexpected session resumption on the first connection")
5413
5414 dev[0].request("REAUTHENTICATE")
5415 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5416 if ev is None:
5417 raise Exception("EAP success timed out")
5418 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5419 if ev is None:
5420 raise Exception("Key handshake with the AP timed out")
5421 if dev[0].get_status_field("tls_session_reused") != '1':
5422 raise Exception("Session resumption not used on the second connection")
5423
5424 def test_eap_ttls_chap_session_resumption(dev, apdev):
5425 """EAP-TTLS/CHAP session resumption"""
5426 params = int_eap_server_params()
5427 params['tls_session_lifetime'] = '60'
5428 hapd = hostapd.add_ap(apdev[0], params)
5429 check_tls_session_resumption_capa(dev[0], hapd)
5430 eap_connect(dev[0], hapd, "TTLS", "chap user",
5431 anonymous_identity="ttls", password="password",
5432 ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
5433 if dev[0].get_status_field("tls_session_reused") != '0':
5434 raise Exception("Unexpected session resumption on the first connection")
5435
5436 dev[0].request("REAUTHENTICATE")
5437 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5438 if ev is None:
5439 raise Exception("EAP success timed out")
5440 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5441 if ev is None:
5442 raise Exception("Key handshake with the AP timed out")
5443 if dev[0].get_status_field("tls_session_reused") != '1':
5444 raise Exception("Session resumption not used on the second connection")
5445
5446 def test_eap_ttls_mschap_session_resumption(dev, apdev):
5447 """EAP-TTLS/MSCHAP session resumption"""
5448 check_domain_suffix_match(dev[0])
5449 params = int_eap_server_params()
5450 params['tls_session_lifetime'] = '60'
5451 hapd = hostapd.add_ap(apdev[0], params)
5452 check_tls_session_resumption_capa(dev[0], hapd)
5453 eap_connect(dev[0], hapd, "TTLS", "mschap user",
5454 anonymous_identity="ttls", password="password",
5455 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
5456 domain_suffix_match="server.w1.fi")
5457 if dev[0].get_status_field("tls_session_reused") != '0':
5458 raise Exception("Unexpected session resumption on the first connection")
5459
5460 dev[0].request("REAUTHENTICATE")
5461 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5462 if ev is None:
5463 raise Exception("EAP success timed out")
5464 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5465 if ev is None:
5466 raise Exception("Key handshake with the AP timed out")
5467 if dev[0].get_status_field("tls_session_reused") != '1':
5468 raise Exception("Session resumption not used on the second connection")
5469
5470 def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
5471 """EAP-TTLS/MSCHAPv2 session resumption"""
5472 check_domain_suffix_match(dev[0])
5473 check_eap_capa(dev[0], "MSCHAPV2")
5474 params = int_eap_server_params()
5475 params['tls_session_lifetime'] = '60'
5476 hapd = hostapd.add_ap(apdev[0], params)
5477 check_tls_session_resumption_capa(dev[0], hapd)
5478 eap_connect(dev[0], hapd, "TTLS", "DOMAIN\mschapv2 user",
5479 anonymous_identity="ttls", password="password",
5480 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
5481 domain_suffix_match="server.w1.fi")
5482 if dev[0].get_status_field("tls_session_reused") != '0':
5483 raise Exception("Unexpected session resumption on the first connection")
5484
5485 dev[0].request("REAUTHENTICATE")
5486 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5487 if ev is None:
5488 raise Exception("EAP success timed out")
5489 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5490 if ev is None:
5491 raise Exception("Key handshake with the AP timed out")
5492 if dev[0].get_status_field("tls_session_reused") != '1':
5493 raise Exception("Session resumption not used on the second connection")
5494
5495 def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
5496 """EAP-TTLS/EAP-GTC session resumption"""
5497 params = int_eap_server_params()
5498 params['tls_session_lifetime'] = '60'
5499 hapd = hostapd.add_ap(apdev[0], params)
5500 check_tls_session_resumption_capa(dev[0], hapd)
5501 eap_connect(dev[0], hapd, "TTLS", "user",
5502 anonymous_identity="ttls", password="password",
5503 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
5504 if dev[0].get_status_field("tls_session_reused") != '0':
5505 raise Exception("Unexpected session resumption on the first connection")
5506
5507 dev[0].request("REAUTHENTICATE")
5508 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5509 if ev is None:
5510 raise Exception("EAP success timed out")
5511 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5512 if ev is None:
5513 raise Exception("Key handshake with the AP timed out")
5514 if dev[0].get_status_field("tls_session_reused") != '1':
5515 raise Exception("Session resumption not used on the second connection")
5516
5517 def test_eap_ttls_no_session_resumption(dev, apdev):
5518 """EAP-TTLS session resumption disabled on server"""
5519 params = int_eap_server_params()
5520 params['tls_session_lifetime'] = '0'
5521 hapd = hostapd.add_ap(apdev[0], params)
5522 eap_connect(dev[0], hapd, "TTLS", "pap user",
5523 anonymous_identity="ttls", password="password",
5524 ca_cert="auth_serv/ca.pem", eap_workaround='0',
5525 phase2="auth=PAP")
5526 if dev[0].get_status_field("tls_session_reused") != '0':
5527 raise Exception("Unexpected session resumption on the first connection")
5528
5529 dev[0].request("REAUTHENTICATE")
5530 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5531 if ev is None:
5532 raise Exception("EAP success timed out")
5533 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5534 if ev is None:
5535 raise Exception("Key handshake with the AP timed out")
5536 if dev[0].get_status_field("tls_session_reused") != '0':
5537 raise Exception("Unexpected session resumption on the second connection")
5538
5539 def test_eap_peap_session_resumption(dev, apdev):
5540 """EAP-PEAP session resumption"""
5541 check_eap_capa(dev[0], "MSCHAPV2")
5542 params = int_eap_server_params()
5543 params['tls_session_lifetime'] = '60'
5544 hapd = hostapd.add_ap(apdev[0], params)
5545 check_tls_session_resumption_capa(dev[0], hapd)
5546 eap_connect(dev[0], hapd, "PEAP", "user",
5547 anonymous_identity="peap", password="password",
5548 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
5549 if dev[0].get_status_field("tls_session_reused") != '0':
5550 raise Exception("Unexpected session resumption on the first connection")
5551
5552 dev[0].request("REAUTHENTICATE")
5553 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5554 if ev is None:
5555 raise Exception("EAP success timed out")
5556 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5557 if ev is None:
5558 raise Exception("Key handshake with the AP timed out")
5559 if dev[0].get_status_field("tls_session_reused") != '1':
5560 raise Exception("Session resumption not used on the second connection")
5561
5562 def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
5563 """EAP-PEAP session resumption with crypto binding"""
5564 params = int_eap_server_params()
5565 params['tls_session_lifetime'] = '60'
5566 hapd = hostapd.add_ap(apdev[0], params)
5567 check_tls_session_resumption_capa(dev[0], hapd)
5568 eap_connect(dev[0], hapd, "PEAP", "user",
5569 anonymous_identity="peap", password="password",
5570 phase1="peapver=0 crypto_binding=2",
5571 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
5572 if dev[0].get_status_field("tls_session_reused") != '0':
5573 raise Exception("Unexpected session resumption on the first connection")
5574
5575 dev[0].request("REAUTHENTICATE")
5576 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5577 if ev is None:
5578 raise Exception("EAP success timed out")
5579 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5580 if ev is None:
5581 raise Exception("Key handshake with the AP timed out")
5582 if dev[0].get_status_field("tls_session_reused") != '1':
5583 raise Exception("Session resumption not used on the second connection")
5584
5585 def test_eap_peap_no_session_resumption(dev, apdev):
5586 """EAP-PEAP session resumption disabled on server"""
5587 params = int_eap_server_params()
5588 hapd = hostapd.add_ap(apdev[0], params)
5589 eap_connect(dev[0], hapd, "PEAP", "user",
5590 anonymous_identity="peap", password="password",
5591 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
5592 if dev[0].get_status_field("tls_session_reused") != '0':
5593 raise Exception("Unexpected session resumption on the first connection")
5594
5595 dev[0].request("REAUTHENTICATE")
5596 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5597 if ev is None:
5598 raise Exception("EAP success timed out")
5599 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5600 if ev is None:
5601 raise Exception("Key handshake with the AP timed out")
5602 if dev[0].get_status_field("tls_session_reused") != '0':
5603 raise Exception("Unexpected session resumption on the second connection")
5604
5605 def test_eap_tls_session_resumption(dev, apdev):
5606 """EAP-TLS session resumption"""
5607 params = int_eap_server_params()
5608 params['tls_session_lifetime'] = '60'
5609 hapd = hostapd.add_ap(apdev[0], params)
5610 check_tls_session_resumption_capa(dev[0], hapd)
5611 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
5612 client_cert="auth_serv/user.pem",
5613 private_key="auth_serv/user.key")
5614 if dev[0].get_status_field("tls_session_reused") != '0':
5615 raise Exception("Unexpected session resumption on the first connection")
5616
5617 dev[0].request("REAUTHENTICATE")
5618 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5619 if ev is None:
5620 raise Exception("EAP success timed out")
5621 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5622 if ev is None:
5623 raise Exception("Key handshake with the AP timed out")
5624 if dev[0].get_status_field("tls_session_reused") != '1':
5625 raise Exception("Session resumption not used on the second connection")
5626
5627 dev[0].request("REAUTHENTICATE")
5628 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5629 if ev is None:
5630 raise Exception("EAP success timed out")
5631 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5632 if ev is None:
5633 raise Exception("Key handshake with the AP timed out")
5634 if dev[0].get_status_field("tls_session_reused") != '1':
5635 raise Exception("Session resumption not used on the third connection")
5636
5637 def test_eap_tls_session_resumption_expiration(dev, apdev):
5638 """EAP-TLS session resumption"""
5639 params = int_eap_server_params()
5640 params['tls_session_lifetime'] = '1'
5641 hapd = hostapd.add_ap(apdev[0], params)
5642 check_tls_session_resumption_capa(dev[0], hapd)
5643 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
5644 client_cert="auth_serv/user.pem",
5645 private_key="auth_serv/user.key")
5646 if dev[0].get_status_field("tls_session_reused") != '0':
5647 raise Exception("Unexpected session resumption on the first connection")
5648
5649 # Allow multiple attempts since OpenSSL may not expire the cached entry
5650 # immediately.
5651 for i in range(10):
5652 time.sleep(1.2)
5653
5654 dev[0].request("REAUTHENTICATE")
5655 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5656 if ev is None:
5657 raise Exception("EAP success timed out")
5658 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5659 if ev is None:
5660 raise Exception("Key handshake with the AP timed out")
5661 if dev[0].get_status_field("tls_session_reused") == '0':
5662 break
5663 if dev[0].get_status_field("tls_session_reused") != '0':
5664 raise Exception("Session resumption used after lifetime expiration")
5665
5666 def test_eap_tls_no_session_resumption(dev, apdev):
5667 """EAP-TLS session resumption disabled on server"""
5668 params = int_eap_server_params()
5669 hapd = hostapd.add_ap(apdev[0], params)
5670 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
5671 client_cert="auth_serv/user.pem",
5672 private_key="auth_serv/user.key")
5673 if dev[0].get_status_field("tls_session_reused") != '0':
5674 raise Exception("Unexpected session resumption on the first connection")
5675
5676 dev[0].request("REAUTHENTICATE")
5677 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5678 if ev is None:
5679 raise Exception("EAP success timed out")
5680 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5681 if ev is None:
5682 raise Exception("Key handshake with the AP timed out")
5683 if dev[0].get_status_field("tls_session_reused") != '0':
5684 raise Exception("Unexpected session resumption on the second connection")
5685
5686 def test_eap_tls_session_resumption_radius(dev, apdev):
5687 """EAP-TLS session resumption (RADIUS)"""
5688 params = { "ssid": "as", "beacon_int": "2000",
5689 "radius_server_clients": "auth_serv/radius_clients.conf",
5690 "radius_server_auth_port": '18128',
5691 "eap_server": "1",
5692 "eap_user_file": "auth_serv/eap_user.conf",
5693 "ca_cert": "auth_serv/ca.pem",
5694 "server_cert": "auth_serv/server.pem",
5695 "private_key": "auth_serv/server.key",
5696 "tls_session_lifetime": "60" }
5697 authsrv = hostapd.add_ap(apdev[1], params)
5698 check_tls_session_resumption_capa(dev[0], authsrv)
5699
5700 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5701 params['auth_server_port'] = "18128"
5702 hapd = hostapd.add_ap(apdev[0], params)
5703 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
5704 client_cert="auth_serv/user.pem",
5705 private_key="auth_serv/user.key")
5706 if dev[0].get_status_field("tls_session_reused") != '0':
5707 raise Exception("Unexpected session resumption on the first connection")
5708
5709 dev[0].request("REAUTHENTICATE")
5710 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5711 if ev is None:
5712 raise Exception("EAP success timed out")
5713 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5714 if ev is None:
5715 raise Exception("Key handshake with the AP timed out")
5716 if dev[0].get_status_field("tls_session_reused") != '1':
5717 raise Exception("Session resumption not used on the second connection")
5718
5719 def test_eap_tls_no_session_resumption_radius(dev, apdev):
5720 """EAP-TLS session resumption disabled (RADIUS)"""
5721 params = { "ssid": "as", "beacon_int": "2000",
5722 "radius_server_clients": "auth_serv/radius_clients.conf",
5723 "radius_server_auth_port": '18128',
5724 "eap_server": "1",
5725 "eap_user_file": "auth_serv/eap_user.conf",
5726 "ca_cert": "auth_serv/ca.pem",
5727 "server_cert": "auth_serv/server.pem",
5728 "private_key": "auth_serv/server.key",
5729 "tls_session_lifetime": "0" }
5730 hostapd.add_ap(apdev[1], params)
5731
5732 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5733 params['auth_server_port'] = "18128"
5734 hapd = hostapd.add_ap(apdev[0], params)
5735 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
5736 client_cert="auth_serv/user.pem",
5737 private_key="auth_serv/user.key")
5738 if dev[0].get_status_field("tls_session_reused") != '0':
5739 raise Exception("Unexpected session resumption on the first connection")
5740
5741 dev[0].request("REAUTHENTICATE")
5742 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5743 if ev is None:
5744 raise Exception("EAP success timed out")
5745 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5746 if ev is None:
5747 raise Exception("Key handshake with the AP timed out")
5748 if dev[0].get_status_field("tls_session_reused") != '0':
5749 raise Exception("Unexpected session resumption on the second connection")
5750
5751 def test_eap_mschapv2_errors(dev, apdev):
5752 """EAP-MSCHAPv2 error cases"""
5753 check_eap_capa(dev[0], "MSCHAPV2")
5754 check_eap_capa(dev[0], "FAST")
5755
5756 params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
5757 hapd = hostapd.add_ap(apdev[0], params)
5758 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
5759 identity="phase1-user", password="password",
5760 scan_freq="2412")
5761 dev[0].request("REMOVE_NETWORK all")
5762 dev[0].wait_disconnected()
5763
5764 tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
5765 (1, "nt_password_hash;mschapv2_derive_response"),
5766 (1, "nt_password_hash;=mschapv2_derive_response"),
5767 (1, "generate_nt_response;mschapv2_derive_response"),
5768 (1, "generate_authenticator_response;mschapv2_derive_response"),
5769 (1, "nt_password_hash;=mschapv2_derive_response"),
5770 (1, "get_master_key;mschapv2_derive_response"),
5771 (1, "os_get_random;eap_mschapv2_challenge_reply") ]
5772 for count, func in tests:
5773 with fail_test(dev[0], count, func):
5774 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
5775 identity="phase1-user", password="password",
5776 wait_connect=False, scan_freq="2412")
5777 wait_fail_trigger(dev[0], "GET_FAIL")
5778 dev[0].request("REMOVE_NETWORK all")
5779 dev[0].wait_disconnected()
5780
5781 tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
5782 (1, "hash_nt_password_hash;=mschapv2_derive_response"),
5783 (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
5784 (1, "generate_authenticator_response_pwhash;mschapv2_derive_response") ]
5785 for count, func in tests:
5786 with fail_test(dev[0], count, func):
5787 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
5788 identity="phase1-user",
5789 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
5790 wait_connect=False, scan_freq="2412")
5791 wait_fail_trigger(dev[0], "GET_FAIL")
5792 dev[0].request("REMOVE_NETWORK all")
5793 dev[0].wait_disconnected()
5794
5795 tests = [ (1, "eap_mschapv2_init"),
5796 (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
5797 (1, "eap_msg_alloc;eap_mschapv2_success"),
5798 (1, "eap_mschapv2_getKey") ]
5799 for count, func in tests:
5800 with alloc_fail(dev[0], count, func):
5801 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
5802 identity="phase1-user", password="password",
5803 wait_connect=False, scan_freq="2412")
5804 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5805 dev[0].request("REMOVE_NETWORK all")
5806 dev[0].wait_disconnected()
5807
5808 tests = [ (1, "eap_msg_alloc;eap_mschapv2_failure") ]
5809 for count, func in tests:
5810 with alloc_fail(dev[0], count, func):
5811 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
5812 identity="phase1-user", password="wrong password",
5813 wait_connect=False, scan_freq="2412")
5814 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5815 dev[0].request("REMOVE_NETWORK all")
5816 dev[0].wait_disconnected()
5817
5818 tests = [ (2, "eap_mschapv2_init"),
5819 (3, "eap_mschapv2_init") ]
5820 for count, func in tests:
5821 with alloc_fail(dev[0], count, func):
5822 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="FAST",
5823 anonymous_identity="FAST", identity="user",
5824 password="password",
5825 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
5826 phase1="fast_provisioning=1",
5827 pac_file="blob://fast_pac",
5828 wait_connect=False, scan_freq="2412")
5829 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5830 dev[0].request("REMOVE_NETWORK all")
5831 dev[0].wait_disconnected()
5832
5833 def test_eap_gpsk_errors(dev, apdev):
5834 """EAP-GPSK error cases"""
5835 params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
5836 hapd = hostapd.add_ap(apdev[0], params)
5837 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
5838 identity="gpsk user",
5839 password="abcdefghijklmnop0123456789abcdef",
5840 scan_freq="2412")
5841 dev[0].request("REMOVE_NETWORK all")
5842 dev[0].wait_disconnected()
5843
5844 tests = [ (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
5845 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
5846 "cipher=1"),
5847 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
5848 "cipher=2"),
5849 (1, "eap_gpsk_derive_keys_helper", None),
5850 (2, "eap_gpsk_derive_keys_helper", None),
5851 (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
5852 "cipher=1"),
5853 (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
5854 "cipher=2"),
5855 (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
5856 (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
5857 (1, "eap_gpsk_derive_mid_helper", None) ]
5858 for count, func, phase1 in tests:
5859 with fail_test(dev[0], count, func):
5860 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
5861 identity="gpsk user",
5862 password="abcdefghijklmnop0123456789abcdef",
5863 phase1=phase1,
5864 wait_connect=False, scan_freq="2412")
5865 wait_fail_trigger(dev[0], "GET_FAIL")
5866 dev[0].request("REMOVE_NETWORK all")
5867 dev[0].wait_disconnected()
5868
5869 tests = [ (1, "eap_gpsk_init"),
5870 (2, "eap_gpsk_init"),
5871 (3, "eap_gpsk_init"),
5872 (1, "eap_gpsk_process_id_server"),
5873 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
5874 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
5875 (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
5876 (1, "eap_gpsk_derive_keys"),
5877 (1, "eap_gpsk_derive_keys_helper"),
5878 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
5879 (1, "eap_gpsk_getKey"),
5880 (1, "eap_gpsk_get_emsk"),
5881 (1, "eap_gpsk_get_session_id") ]
5882 for count, func in tests:
5883 with alloc_fail(dev[0], count, func):
5884 dev[0].request("ERP_FLUSH")
5885 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
5886 identity="gpsk user@domain", erp="1",
5887 password="abcdefghijklmnop0123456789abcdef",
5888 wait_connect=False, scan_freq="2412")
5889 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5890 dev[0].request("REMOVE_NETWORK all")
5891 dev[0].wait_disconnected()
5892
5893 def test_ap_wpa2_eap_sim_db(dev, apdev, params):
5894 """EAP-SIM DB error cases"""
5895 sockpath = '/tmp/hlr_auc_gw.sock-test'
5896 try:
5897 os.remove(sockpath)
5898 except:
5899 pass
5900 hparams = int_eap_server_params()
5901 hparams['eap_sim_db'] = 'unix:' + sockpath
5902 hapd = hostapd.add_ap(apdev[0], hparams)
5903
5904 # Initial test with hlr_auc_gw socket not available
5905 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
5906 eap="SIM", identity="1232010000000000",
5907 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
5908 scan_freq="2412", wait_connect=False)
5909 ev = dev[0].wait_event(["EAP-ERROR-CODE"], timeout=10)
5910 if ev is None:
5911 raise Exception("EAP method specific error code not reported")
5912 if int(ev.split()[1]) != 16384:
5913 raise Exception("Unexpected EAP method specific error code: " + ev)
5914 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
5915 if ev is None:
5916 raise Exception("EAP-Failure not reported")
5917 dev[0].wait_disconnected()
5918 dev[0].request("DISCONNECT")
5919
5920 # Test with invalid responses and response timeout
5921
5922 class test_handler(SocketServer.DatagramRequestHandler):
5923 def handle(self):
5924 data = self.request[0].strip()
5925 socket = self.request[1]
5926 logger.debug("Received hlr_auc_gw request: " + data)
5927 # EAP-SIM DB: Failed to parse response string
5928 socket.sendto("FOO", self.client_address)
5929 # EAP-SIM DB: Failed to parse response string
5930 socket.sendto("FOO 1", self.client_address)
5931 # EAP-SIM DB: Unknown external response
5932 socket.sendto("FOO 1 2", self.client_address)
5933 logger.info("No proper response - wait for pending eap_sim_db request timeout")
5934
5935 server = SocketServer.UnixDatagramServer(sockpath, test_handler)
5936 server.timeout = 1
5937
5938 dev[0].select_network(id)
5939 server.handle_request()
5940 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
5941 if ev is None:
5942 raise Exception("EAP-Failure not reported")
5943 dev[0].wait_disconnected()
5944 dev[0].request("DISCONNECT")
5945
5946 # Test with a valid response
5947
5948 class test_handler2(SocketServer.DatagramRequestHandler):
5949 def handle(self):
5950 data = self.request[0].strip()
5951 socket = self.request[1]
5952 logger.debug("Received hlr_auc_gw request: " + data)
5953 fname = os.path.join(params['logdir'],
5954 'hlr_auc_gw.milenage_db')
5955 cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
5956 '-m', fname, data],
5957 stdout=subprocess.PIPE)
5958 res = cmd.stdout.read().strip()
5959 cmd.stdout.close()
5960 logger.debug("hlr_auc_gw response: " + res)
5961 socket.sendto(res, self.client_address)
5962
5963 server.RequestHandlerClass = test_handler2
5964
5965 dev[0].select_network(id)
5966 server.handle_request()
5967 dev[0].wait_connected()
5968 dev[0].request("DISCONNECT")
5969 dev[0].wait_disconnected()
5970
5971 def test_eap_tls_sha512(dev, apdev, params):
5972 """EAP-TLS with SHA512 signature"""
5973 params = int_eap_server_params()
5974 params["ca_cert"] = "auth_serv/sha512-ca.pem"
5975 params["server_cert"] = "auth_serv/sha512-server.pem"
5976 params["private_key"] = "auth_serv/sha512-server.key"
5977 hostapd.add_ap(apdev[0], params)
5978
5979 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5980 identity="tls user sha512",
5981 ca_cert="auth_serv/sha512-ca.pem",
5982 client_cert="auth_serv/sha512-user.pem",
5983 private_key="auth_serv/sha512-user.key",
5984 scan_freq="2412")
5985 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5986 identity="tls user sha512",
5987 ca_cert="auth_serv/sha512-ca.pem",
5988 client_cert="auth_serv/sha384-user.pem",
5989 private_key="auth_serv/sha384-user.key",
5990 scan_freq="2412")
5991
5992 def test_eap_tls_sha384(dev, apdev, params):
5993 """EAP-TLS with SHA384 signature"""
5994 params = int_eap_server_params()
5995 params["ca_cert"] = "auth_serv/sha512-ca.pem"
5996 params["server_cert"] = "auth_serv/sha384-server.pem"
5997 params["private_key"] = "auth_serv/sha384-server.key"
5998 hostapd.add_ap(apdev[0], params)
5999
6000 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
6001 identity="tls user sha512",
6002 ca_cert="auth_serv/sha512-ca.pem",
6003 client_cert="auth_serv/sha512-user.pem",
6004 private_key="auth_serv/sha512-user.key",
6005 scan_freq="2412")
6006 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
6007 identity="tls user sha512",
6008 ca_cert="auth_serv/sha512-ca.pem",
6009 client_cert="auth_serv/sha384-user.pem",
6010 private_key="auth_serv/sha384-user.key",
6011 scan_freq="2412")
6012
6013 def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
6014 """WPA2-Enterprise AP and association request RSN IE differences"""
6015 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
6016 hostapd.add_ap(apdev[0], params)
6017
6018 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
6019 params["ieee80211w"] = "2"
6020 hostapd.add_ap(apdev[1], params)
6021
6022 # Success cases with optional RSN IE fields removed one by one
6023 tests = [ ("Normal wpa_supplicant assoc req RSN IE",
6024 "30140100000fac040100000fac040100000fac010000"),
6025 ("Extra PMKIDCount field in RSN IE",
6026 "30160100000fac040100000fac040100000fac0100000000"),
6027 ("Extra Group Management Cipher Suite in RSN IE",
6028 "301a0100000fac040100000fac040100000fac0100000000000fac06"),
6029 ("Extra undefined extension field in RSN IE",
6030 "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
6031 ("RSN IE without RSN Capabilities",
6032 "30120100000fac040100000fac040100000fac01"),
6033 ("RSN IE without AKM", "300c0100000fac040100000fac04"),
6034 ("RSN IE without pairwise", "30060100000fac04"),
6035 ("RSN IE without group", "30020100") ]
6036 for title, ie in tests:
6037 logger.info(title)
6038 set_test_assoc_ie(dev[0], ie)
6039 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
6040 identity="gpsk user",
6041 password="abcdefghijklmnop0123456789abcdef",
6042 scan_freq="2412")
6043 dev[0].request("REMOVE_NETWORK all")
6044 dev[0].wait_disconnected()
6045
6046 tests = [ ("Normal wpa_supplicant assoc req RSN IE",
6047 "30140100000fac040100000fac040100000fac01cc00"),
6048 ("Group management cipher included in assoc req RSN IE",
6049 "301a0100000fac040100000fac040100000fac01cc000000000fac06") ]
6050 for title, ie in tests:
6051 logger.info(title)
6052 set_test_assoc_ie(dev[0], ie)
6053 dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
6054 eap="GPSK", identity="gpsk user",
6055 password="abcdefghijklmnop0123456789abcdef",
6056 scan_freq="2412")
6057 dev[0].request("REMOVE_NETWORK all")
6058 dev[0].wait_disconnected()
6059
6060 tests = [ ("Invalid group cipher", "30060100000fac02", 41),
6061 ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42) ]
6062 for title, ie, status in tests:
6063 logger.info(title)
6064 set_test_assoc_ie(dev[0], ie)
6065 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
6066 identity="gpsk user",
6067 password="abcdefghijklmnop0123456789abcdef",
6068 scan_freq="2412", wait_connect=False)
6069 ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
6070 if ev is None:
6071 raise Exception("Association rejection not reported")
6072 if "status_code=" + str(status) not in ev:
6073 raise Exception("Unexpected status code: " + ev)
6074 dev[0].request("REMOVE_NETWORK all")
6075 dev[0].dump_monitor()
6076
6077 tests = [ ("Management frame protection not enabled",
6078 "30140100000fac040100000fac040100000fac010000", 31),
6079 ("Unsupported management group cipher",
6080 "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 46) ]
6081 for title, ie, status in tests:
6082 logger.info(title)
6083 set_test_assoc_ie(dev[0], ie)
6084 dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
6085 eap="GPSK", identity="gpsk user",
6086 password="abcdefghijklmnop0123456789abcdef",
6087 scan_freq="2412", wait_connect=False)
6088 ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
6089 if ev is None:
6090 raise Exception("Association rejection not reported")
6091 if "status_code=" + str(status) not in ev:
6092 raise Exception("Unexpected status code: " + ev)
6093 dev[0].request("REMOVE_NETWORK all")
6094 dev[0].dump_monitor()
6095
6096 def test_eap_tls_ext_cert_check(dev, apdev):
6097 """EAP-TLS and external server certification validation"""
6098 # With internal server certificate chain validation
6099 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
6100 identity="tls user",
6101 ca_cert="auth_serv/ca.pem",
6102 client_cert="auth_serv/user.pem",
6103 private_key="auth_serv/user.key",
6104 phase1="tls_ext_cert_check=1", scan_freq="2412",
6105 only_add_network=True)
6106 run_ext_cert_check(dev, apdev, id)
6107
6108 def test_eap_ttls_ext_cert_check(dev, apdev):
6109 """EAP-TTLS and external server certification validation"""
6110 # Without internal server certificate chain validation
6111 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
6112 identity="pap user", anonymous_identity="ttls",
6113 password="password", phase2="auth=PAP",
6114 phase1="tls_ext_cert_check=1", scan_freq="2412",
6115 only_add_network=True)
6116 run_ext_cert_check(dev, apdev, id)
6117
6118 def test_eap_peap_ext_cert_check(dev, apdev):
6119 """EAP-PEAP and external server certification validation"""
6120 # With internal server certificate chain validation
6121 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
6122 identity="user", anonymous_identity="peap",
6123 ca_cert="auth_serv/ca.pem",
6124 password="password", phase2="auth=MSCHAPV2",
6125 phase1="tls_ext_cert_check=1", scan_freq="2412",
6126 only_add_network=True)
6127 run_ext_cert_check(dev, apdev, id)
6128
6129 def test_eap_fast_ext_cert_check(dev, apdev):
6130 """EAP-FAST and external server certification validation"""
6131 check_eap_capa(dev[0], "FAST")
6132 # With internal server certificate chain validation
6133 dev[0].request("SET blob fast_pac_auth_ext ")
6134 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
6135 identity="user", anonymous_identity="FAST",
6136 ca_cert="auth_serv/ca.pem",
6137 password="password", phase2="auth=GTC",
6138 phase1="tls_ext_cert_check=1 fast_provisioning=2",
6139 pac_file="blob://fast_pac_auth_ext",
6140 scan_freq="2412",
6141 only_add_network=True)
6142 run_ext_cert_check(dev, apdev, id)
6143
6144 def run_ext_cert_check(dev, apdev, net_id):
6145 check_ext_cert_check_support(dev[0])
6146 if not openssl_imported:
6147 raise HwsimSkip("OpenSSL python method not available")
6148
6149 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
6150 hapd = hostapd.add_ap(apdev[0], params)
6151
6152 dev[0].select_network(net_id)
6153 certs = {}
6154 while True:
6155 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
6156 "CTRL-REQ-EXT_CERT_CHECK",
6157 "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
6158 if ev is None:
6159 raise Exception("No peer server certificate event seen")
6160 if "CTRL-EVENT-EAP-PEER-CERT" in ev:
6161 depth = None
6162 cert = None
6163 vals = ev.split(' ')
6164 for v in vals:
6165 if v.startswith("depth="):
6166 depth = int(v.split('=')[1])
6167 elif v.startswith("cert="):
6168 cert = v.split('=')[1]
6169 if depth is not None and cert:
6170 certs[depth] = binascii.unhexlify(cert)
6171 elif "CTRL-EVENT-EAP-SUCCESS" in ev:
6172 raise Exception("Unexpected EAP-Success")
6173 elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
6174 id = ev.split(':')[0].split('-')[-1]
6175 break
6176 if 0 not in certs:
6177 raise Exception("Server certificate not received")
6178 if 1 not in certs:
6179 raise Exception("Server certificate issuer not received")
6180
6181 cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
6182 certs[0])
6183 cn = cert.get_subject().commonName
6184 logger.info("Server certificate CN=" + cn)
6185
6186 issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
6187 certs[1])
6188 icn = issuer.get_subject().commonName
6189 logger.info("Issuer certificate CN=" + icn)
6190
6191 if cn != "server.w1.fi":
6192 raise Exception("Unexpected server certificate CN: " + cn)
6193 if icn != "Root CA":
6194 raise Exception("Unexpected server certificate issuer CN: " + icn)
6195
6196 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
6197 if ev:
6198 raise Exception("Unexpected EAP-Success before external check result indication")
6199
6200 dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
6201 dev[0].wait_connected()
6202
6203 dev[0].request("DISCONNECT")
6204 dev[0].wait_disconnected()
6205 if "FAIL" in dev[0].request("PMKSA_FLUSH"):
6206 raise Exception("PMKSA_FLUSH failed")
6207 dev[0].request("SET blob fast_pac_auth_ext ")
6208 dev[0].request("RECONNECT")
6209
6210 ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
6211 if ev is None:
6212 raise Exception("No peer server certificate event seen (2)")
6213 id = ev.split(':')[0].split('-')[-1]
6214 dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
6215 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
6216 if ev is None:
6217 raise Exception("EAP-Failure not reported")
6218 dev[0].request("REMOVE_NETWORK all")
6219 dev[0].wait_disconnected()
6220
6221 def test_eap_tls_errors(dev, apdev):
6222 """EAP-TLS error cases"""
6223 params = int_eap_server_params()
6224 params['fragment_size'] = '100'
6225 hostapd.add_ap(apdev[0], params)
6226 with alloc_fail(dev[0], 1,
6227 "eap_peer_tls_reassemble_fragment"):
6228 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
6229 identity="tls user", ca_cert="auth_serv/ca.pem",
6230 client_cert="auth_serv/user.pem",
6231 private_key="auth_serv/user.key",
6232 wait_connect=False, scan_freq="2412")
6233 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6234 dev[0].request("REMOVE_NETWORK all")
6235 dev[0].wait_disconnected()
6236
6237 with alloc_fail(dev[0], 1, "eap_tls_init"):
6238 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
6239 identity="tls user", ca_cert="auth_serv/ca.pem",
6240 client_cert="auth_serv/user.pem",
6241 private_key="auth_serv/user.key",
6242 wait_connect=False, scan_freq="2412")
6243 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6244 dev[0].request("REMOVE_NETWORK all")
6245 dev[0].wait_disconnected()
6246
6247 with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init"):
6248 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
6249 identity="tls user", ca_cert="auth_serv/ca.pem",
6250 client_cert="auth_serv/user.pem",
6251 private_key="auth_serv/user.key",
6252 engine="1",
6253 wait_connect=False, scan_freq="2412")
6254 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6255 ev = dev[0].wait_event(["CTRL-REQ-PIN"], timeout=5)
6256 if ev is None:
6257 raise Exception("No CTRL-REQ-PIN seen")
6258 dev[0].request("REMOVE_NETWORK all")
6259 dev[0].wait_disconnected()
6260
6261 tests = [ "eap_peer_tls_derive_key;eap_tls_success",
6262 "eap_peer_tls_derive_session_id;eap_tls_success",
6263 "eap_tls_getKey",
6264 "eap_tls_get_emsk",
6265 "eap_tls_get_session_id" ]
6266 for func in tests:
6267 with alloc_fail(dev[0], 1, func):
6268 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
6269 identity="tls user@domain",
6270 ca_cert="auth_serv/ca.pem",
6271 client_cert="auth_serv/user.pem",
6272 private_key="auth_serv/user.key",
6273 erp="1",
6274 wait_connect=False, scan_freq="2412")
6275 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6276 dev[0].request("REMOVE_NETWORK all")
6277 dev[0].wait_disconnected()
6278
6279 with alloc_fail(dev[0], 1, "eap_unauth_tls_init"):
6280 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
6281 identity="unauth-tls", ca_cert="auth_serv/ca.pem",
6282 wait_connect=False, scan_freq="2412")
6283 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6284 dev[0].request("REMOVE_NETWORK all")
6285 dev[0].wait_disconnected()
6286
6287 with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init;eap_unauth_tls_init"):
6288 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
6289 identity="unauth-tls", ca_cert="auth_serv/ca.pem",
6290 wait_connect=False, scan_freq="2412")
6291 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6292 dev[0].request("REMOVE_NETWORK all")
6293 dev[0].wait_disconnected()
6294
6295 with alloc_fail(dev[0], 1, "eap_wfa_unauth_tls_init"):
6296 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
6297 eap="WFA-UNAUTH-TLS",
6298 identity="osen@example.com", ca_cert="auth_serv/ca.pem",
6299 wait_connect=False, scan_freq="2412")
6300 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6301 dev[0].request("REMOVE_NETWORK all")
6302 dev[0].wait_disconnected()
6303
6304 with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init;eap_wfa_unauth_tls_init"):
6305 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
6306 eap="WFA-UNAUTH-TLS",
6307 identity="osen@example.com", ca_cert="auth_serv/ca.pem",
6308 wait_connect=False, scan_freq="2412")
6309 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6310 dev[0].request("REMOVE_NETWORK all")
6311 dev[0].wait_disconnected()
6312
6313 def test_ap_wpa2_eap_status(dev, apdev):
6314 """EAP state machine status information"""
6315 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
6316 hostapd.add_ap(apdev[0], params)
6317 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
6318 identity="cert user",
6319 ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
6320 ca_cert2="auth_serv/ca.pem",
6321 client_cert2="auth_serv/user.pem",
6322 private_key2="auth_serv/user.key",
6323 scan_freq="2412", wait_connect=False)
6324 success = False
6325 states = []
6326 method_states = []
6327 decisions = []
6328 req_methods = []
6329 selected_methods = []
6330 for i in range(100000):
6331 s = dev[0].get_status(extra="VERBOSE")
6332 if 'EAP state' in s:
6333 state = s['EAP state']
6334 if state:
6335 if state not in states:
6336 states.append(state)
6337 if state == "SUCCESS":
6338 success = True
6339 break
6340 if 'methodState' in s:
6341 val = s['methodState']
6342 if val not in method_states:
6343 method_states.append(val)
6344 if 'decision' in s:
6345 val = s['decision']
6346 if val not in decisions:
6347 decisions.append(val)
6348 if 'reqMethod' in s:
6349 val = s['reqMethod']
6350 if val not in req_methods:
6351 req_methods.append(val)
6352 if 'selectedMethod' in s:
6353 val = s['selectedMethod']
6354 if val not in selected_methods:
6355 selected_methods.append(val)
6356 logger.info("Iterations: %d" % i)
6357 logger.info("EAP states: " + str(states))
6358 logger.info("methodStates: " + str(method_states))
6359 logger.info("decisions: " + str(decisions))
6360 logger.info("reqMethods: " + str(req_methods))
6361 logger.info("selectedMethods: " + str(selected_methods))
6362 if not success:
6363 raise Exception("EAP did not succeed")
6364 dev[0].wait_connected()
6365 dev[0].request("REMOVE_NETWORK all")
6366 dev[0].wait_disconnected()
6367
6368 def test_ap_wpa2_eap_gpsk_ptk_rekey_ap(dev, apdev):
6369 """WPA2-Enterprise with EAP-GPSK and PTK rekey enforced by AP"""
6370 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
6371 params['wpa_ptk_rekey'] = '2'
6372 hapd = hostapd.add_ap(apdev[0], params)
6373 id = eap_connect(dev[0], hapd, "GPSK", "gpsk user",
6374 password="abcdefghijklmnop0123456789abcdef")
6375 ev = dev[0].wait_event(["WPA: Key negotiation completed"])
6376 if ev is None:
6377 raise Exception("PTK rekey timed out")
6378 hwsim_utils.test_connectivity(dev[0], hapd)
6379
6380 def test_ap_wpa2_eap_wildcard_ssid(dev, apdev):
6381 """WPA2-Enterprise connection using EAP-GPSK and wildcard SSID"""
6382 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
6383 hapd = hostapd.add_ap(apdev[0], params)
6384 dev[0].connect(bssid=apdev[0]['bssid'], key_mgmt="WPA-EAP", eap="GPSK",
6385 identity="gpsk user",
6386 password="abcdefghijklmnop0123456789abcdef",
6387 scan_freq="2412")
6388
6389 def test_ap_wpa2_eap_psk_mac_addr_change(dev, apdev):
6390 """WPA2-Enterprise connection using EAP-PSK after MAC address change"""
6391 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
6392 hapd = hostapd.add_ap(apdev[0], params)
6393
6394 cmd = subprocess.Popen(['ps', '-eo', 'pid,command'], stdout=subprocess.PIPE)
6395 res = cmd.stdout.read()
6396 cmd.stdout.close()
6397 pid = 0
6398 for p in res.splitlines():
6399 if "wpa_supplicant" not in p:
6400 continue
6401 if dev[0].ifname not in p:
6402 continue
6403 pid = int(p.strip().split(' ')[0])
6404 if pid == 0:
6405 logger.info("Could not find wpa_supplicant PID")
6406 else:
6407 logger.info("wpa_supplicant PID %d" % pid)
6408
6409 addr = dev[0].get_status_field("address")
6410 subprocess.call(['ip', 'link', 'set', 'dev', dev[0].ifname, 'down'])
6411 subprocess.call(['ip', 'link', 'set', 'dev', dev[0].ifname, 'address',
6412 '02:11:22:33:44:55'])
6413 subprocess.call(['ip', 'link', 'set', 'dev', dev[0].ifname, 'up'])
6414 addr1 = dev[0].get_status_field("address")
6415 if addr1 != '02:11:22:33:44:55':
6416 raise Exception("Failed to change MAC address")
6417
6418 # Scan using the externally set MAC address, stop the wpa_supplicant
6419 # process to avoid it from processing the ifdown event before the interface
6420 # is already UP, change the MAC address back, allow the wpa_supplicant
6421 # process to continue. This will result in the ifdown + ifup sequence of
6422 # RTM_NEWLINK events to be processed while the interface is already UP.
6423 try:
6424 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
6425 os.kill(pid, signal.SIGSTOP)
6426 time.sleep(0.1)
6427 finally:
6428 subprocess.call(['ip', 'link', 'set', 'dev', dev[0].ifname, 'down'])
6429 subprocess.call(['ip', 'link', 'set', 'dev', dev[0].ifname, 'address',
6430 addr])
6431 subprocess.call(['ip', 'link', 'set', 'dev', dev[0].ifname, 'up'])
6432 time.sleep(0.1)
6433 os.kill(pid, signal.SIGCONT)
6434
6435 eap_connect(dev[0], hapd, "PSK", "psk.user@example.com",
6436 password_hex="0123456789abcdef0123456789abcdef")
6437
6438 addr2 = dev[0].get_status_field("address")
6439 if addr != addr2:
6440 raise Exception("Failed to restore MAC address")
Unnamed repository; edit this file 'description' to name the repository.