1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Module-level logger used by the tests for progress messages (logger.info()
# calls below).  The root logger is requested (no name argument) -- presumably
# so the hwsim runner's own handlers receive the output; confirm before
# changing to getLogger(__name__).
logger = logging.getLogger()
23 from utils
import HwsimSkip
, alloc_fail
, fail_test
, skip_with_fips
, wait_fail_trigger
24 from wpasupplicant
import WpaSupplicant
25 from test_ap_psk
import check_mib
, find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
, set_test_assoc_ie
29 openssl_imported
= True
31 openssl_imported
= False
def check_hlr_auc_gw_support():
    """Skip the calling test when the hlr_auc_gw control socket is absent.

    The EAP-SIM/AKA tests rely on the hlr_auc_gw helper (invoked further
    down in this file for GSM-AUTH-REQ processing), which hostapd reaches
    through a UNIX socket in /tmp.  Only the socket path's existence is
    checked; ownership and permissions are not verified.  That is fine for
    a test-only skip guard, but note that a stale or foreign entry in the
    world-writable /tmp would not be detected here -- it would surface
    later as an authentication failure.

    Raises:
        HwsimSkip: if /tmp/hlr_auc_gw.sock does not exist.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
37 def check_eap_capa(dev
, method
):
38 res
= dev
.get_capability("eap")
40 raise HwsimSkip("EAP method %s not supported in the build" % method
)
def check_subject_match_support(dev):
    """Skip the calling test unless the station's TLS backend is OpenSSL or wolfSSL.

    The subject_match network parameter (server certificate subject
    validation) is only exercised against those two libraries; any other
    "GET tls_library" answer -- e.g. the internal TLS implementation --
    results in HwsimSkip.  Because subject_match is one of the checks that
    keeps a client from handing its EAP credentials to a rogue
    authentication server, a skip here means that coverage is absent on
    that build; worth keeping visible in CI results.

    Args:
        dev: wpa_supplicant control object; only request() is used.

    Raises:
        HwsimSkip: when the TLS library name does not start with
            "OpenSSL" or "wolfSSL".
    """
    lib = dev.request("GET tls_library")
    if lib.startswith(("OpenSSL", "wolfSSL")):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + lib)
def check_altsubject_match_support(dev):
    """Skip the calling test unless the TLS backend is OpenSSL or wolfSSL.

    Mirrors check_subject_match_support() for the altsubject_match
    parameter (subjectAltName based server certificate validation).  Any
    "GET tls_library" answer other than OpenSSL/wolfSSL raises HwsimSkip.

    Args:
        dev: wpa_supplicant control object; only request() is used.

    Raises:
        HwsimSkip: when the library name starts with neither "OpenSSL"
            nor "wolfSSL".
    """
    lib = dev.request("GET tls_library")
    supported = lib.startswith("OpenSSL") or lib.startswith("wolfSSL")
    if not supported:
        raise HwsimSkip("altsubject_match not supported with this TLS library: " + lib)
def check_domain_match(dev):
    """Skip the calling test when the station uses the internal TLS implementation.

    The domain_match parameter (full server-name check of the EAP server
    certificate) is treated as unavailable only for the internal TLS
    library; every other "GET tls_library" answer passes.

    Args:
        dev: wpa_supplicant control object; only request() is used.

    Raises:
        HwsimSkip: when the library name starts with "internal".
    """
    lib = dev.request("GET tls_library")
    if not lib.startswith("internal"):
        return
    raise HwsimSkip("domain_match not supported with this TLS library: " + lib)
def check_domain_suffix_match(dev):
    """Skip the calling test when the station uses the internal TLS implementation.

    Same gate as check_domain_match(), but for the domain_suffix_match
    parameter (suffix-based server-name check).  Only a library name
    starting with "internal" triggers the skip.

    Args:
        dev: wpa_supplicant control object; only request() is used.

    Raises:
        HwsimSkip: when the library name starts with "internal".
    """
    lib = dev.request("GET tls_library")
    uses_internal = lib.startswith("internal")
    if uses_internal:
        raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + lib)
def check_domain_match_full(dev):
    """Skip the calling test unless the TLS backend is OpenSSL or wolfSSL.

    Used by tests that depend on domain_suffix_match accepting a suffix
    rather than requiring a full match; per the skip message, other
    backends require a full match, so such tests are skipped there.

    Args:
        dev: wpa_supplicant control object; only request() is used.

    Raises:
        HwsimSkip: when the library name starts with neither "OpenSSL"
            nor "wolfSSL".
    """
    lib = dev.request("GET tls_library")
    if lib.startswith(("OpenSSL", "wolfSSL")):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + lib)
def check_cert_probe_support(dev):
    """Skip the calling test unless the TLS backend is OpenSSL or the internal one.

    Certificate probing (connecting to learn the server certificate
    without a configured trust anchor) is only tested with those two
    backends; other "GET tls_library" answers raise HwsimSkip.

    Args:
        dev: wpa_supplicant control object; only request() is used.

    Raises:
        HwsimSkip: when the library name starts with neither "OpenSSL"
            nor "internal".
    """
    lib = dev.request("GET tls_library")
    for prefix in ("OpenSSL", "internal"):
        if lib.startswith(prefix):
            return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + lib)
def check_ext_cert_check_support(dev):
    """Skip the calling test unless the station's TLS backend is OpenSSL.

    The ext_cert_check option (delegating server certificate validation to
    an external entity over the control interface) is only exercised with
    OpenSSL; every other "GET tls_library" answer raises HwsimSkip.

    Args:
        dev: wpa_supplicant control object; only request() is used.

    Raises:
        HwsimSkip: when the library name does not start with "OpenSSL".
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("ext_cert_check not supported with this TLS library: " + lib)
def check_ocsp_support(dev):
    """Placeholder OCSP capability gate; currently never skips.

    The library name is still queried for parity with the other
    check_*_support() helpers, but the earlier skip conditions for the
    internal TLS implementation and BoringSSL have been disabled (kept
    below, commented out, so they can be re-enabled if a backend
    regresses).  OCSP stapling is the revocation check for the EAP
    server certificate, so tests gated by this helper run on every
    backend.

    Args:
        dev: wpa_supplicant control object; only request() is used.
    """
    lib = dev.request("GET tls_library")
    del lib
    #if tls.startswith("internal"):
    #    raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
    #if "BoringSSL" in tls:
    #    raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
def check_pkcs5_v15_support(dev):
    """Skip the calling test when the TLS backend is BoringSSL or GnuTLS.

    Tests that load private keys encrypted with the legacy PKCS#5 v1.5
    scheme are skipped on those two backends.  Unlike the other helpers,
    this is a substring match anywhere in the "GET tls_library" answer,
    not a prefix check.

    Args:
        dev: wpa_supplicant control object; only request() is used.

    Raises:
        HwsimSkip: when "BoringSSL" or "GnuTLS" occurs in the library name.
    """
    lib = dev.request("GET tls_library")
    if any(marker in lib for marker in ("BoringSSL", "GnuTLS")):
        raise HwsimSkip("PKCS#5 v1.5 not supported with this TLS library: " + lib)
89 def check_ocsp_multi_support(dev
):
90 tls
= dev
.request("GET tls_library")
91 if not tls
.startswith("internal"):
92 raise HwsimSkip("OCSP-multi not supported with this TLS library: " + tls
)
93 as_hapd
= hostapd
.Hostapd("as")
94 res
= as_hapd
.request("GET tls_library")
96 if not res
.startswith("internal"):
97 raise HwsimSkip("Authentication server does not support ocsp_multi")
def check_pkcs12_support(dev):
    """Skip the calling test when the station's TLS backend is wolfSSL.

    PKCS#12 client certificate/key bundles are not exercised with wolfSSL.
    A former skip for the internal TLS implementation is retained below,
    commented out, so PKCS#12 tests currently run there.

    Args:
        dev: wpa_supplicant control object; only request() is used.

    Raises:
        HwsimSkip: when the library name starts with "wolfSSL".
    """
    lib = dev.request("GET tls_library")
    #if tls.startswith("internal"):
    #    raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls)
    if not lib.startswith("wolfSSL"):
        return
    raise HwsimSkip("PKCS#12 not supported with this TLS library: " + lib)
def check_dh_dsa_support(dev):
    """Skip the calling test when the station uses the internal TLS implementation.

    DH/DSA based cipher suites are only tested with external TLS
    libraries; a "GET tls_library" answer starting with "internal" raises
    HwsimSkip.

    Args:
        dev: wpa_supplicant control object; only request() is used.

    Raises:
        HwsimSkip: when the library name starts with "internal".
    """
    lib = dev.request("GET tls_library")
    internal_tls = lib.startswith("internal")
    if internal_tls:
        raise HwsimSkip("DH DSA not supported with this TLS library: " + lib)
112 with
open(fname
, "r") as f
:
113 lines
= f
.readlines()
121 if "-----BEGIN" in l
:
123 return base64
.b64decode(cert
)
125 def eap_connect(dev
, hapd
, method
, identity
,
126 sha256
=False, expect_failure
=False, local_error_report
=False,
127 maybe_local_error
=False, report_failure
=False, **kwargs
):
128 id = dev
.connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
129 eap
=method
, identity
=identity
,
130 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
132 eap_check_auth(dev
, method
, True, sha256
=sha256
,
133 expect_failure
=expect_failure
,
134 local_error_report
=local_error_report
,
135 maybe_local_error
=maybe_local_error
,
136 report_failure
=report_failure
)
139 ev
= hapd
.wait_event([ "AP-STA-CONNECTED" ], timeout
=5)
141 raise Exception("No connection event received from hostapd")
144 def eap_check_auth(dev
, method
, initial
, rsn
=True, sha256
=False,
145 expect_failure
=False, local_error_report
=False,
146 maybe_local_error
=False, report_failure
=False):
147 ev
= dev
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
149 raise Exception("Association and EAP start timed out")
150 ev
= dev
.wait_event(["CTRL-EVENT-EAP-METHOD",
151 "CTRL-EVENT-EAP-FAILURE"], timeout
=10)
153 raise Exception("EAP method selection timed out")
154 if "CTRL-EVENT-EAP-FAILURE" in ev
:
155 if maybe_local_error
:
157 raise Exception("Could not select EAP method")
159 raise Exception("Unexpected EAP method")
161 ev
= dev
.wait_event(["CTRL-EVENT-EAP-FAILURE"])
163 raise Exception("EAP failure timed out")
164 ev
= dev
.wait_disconnected(timeout
=10)
165 if maybe_local_error
and "locally_generated=1" in ev
:
167 if not local_error_report
:
168 if "reason=23" not in ev
:
169 raise Exception("Proper reason code for disconnection not reported")
172 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS",
173 "CTRL-EVENT-EAP-FAILURE"], timeout
=10)
175 raise Exception("EAP success timed out")
176 if "CTRL-EVENT-EAP-SUCCESS" not in ev
:
177 raise Exception("EAP failed")
179 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
181 raise Exception("EAP success timed out")
184 ev
= dev
.wait_event(["CTRL-EVENT-CONNECTED"], timeout
=10)
186 ev
= dev
.wait_event(["WPA: Key negotiation completed"], timeout
=10)
188 raise Exception("Association with the AP timed out")
189 status
= dev
.get_status()
190 if status
["wpa_state"] != "COMPLETED":
191 raise Exception("Connection not completed")
193 if status
["suppPortStatus"] != "Authorized":
194 raise Exception("Port not authorized")
195 if "selectedMethod" not in status
:
196 logger
.info("Status: " + str(status
))
197 raise Exception("No selectedMethod in status")
198 if method
not in status
["selectedMethod"]:
199 raise Exception("Incorrect EAP method status")
201 e
= "WPA2-EAP-SHA256"
203 e
= "WPA2/IEEE 802.1X/EAP"
205 e
= "WPA/IEEE 802.1X/EAP"
206 if status
["key_mgmt"] != e
:
207 raise Exception("Unexpected key_mgmt status: " + status
["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Force an EAP re-authentication on dev and verify its outcome.

    Issues the REAUTHENTICATE control command and then runs
    eap_check_auth() with initial=False, so the checker treats the
    exchange as a re-authentication of an already associated station
    rather than a first connection.  Tests use this to cover fast
    re-authentication paths (EAP-SIM/AKA reauth identities, session
    resumption) and, with expect_failure=True, to confirm that a
    tampered server-side state (e.g. a mismatching MK) is rejected.

    Args:
        dev: wpa_supplicant control object.
        method: EAP method name expected in the status output.
        rsn: passed through to eap_check_auth().
        sha256: passed through to eap_check_auth().
        expect_failure: passed through to eap_check_auth().

    Returns:
        Whatever eap_check_auth() returns.
    """
    dev.request("REAUTHENTICATE")
    checks = dict(rsn=rsn, sha256=sha256, expect_failure=expect_failure)
    return eap_check_auth(dev, method, False, **checks)
215 def test_ap_wpa2_eap_sim(dev
, apdev
):
216 """WPA2-Enterprise connection using EAP-SIM"""
217 check_hlr_auc_gw_support()
218 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
219 hapd
= hostapd
.add_ap(apdev
[0], params
)
220 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
221 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
222 hwsim_utils
.test_connectivity(dev
[0], hapd
)
223 eap_reauth(dev
[0], "SIM")
225 eap_connect(dev
[1], hapd
, "SIM", "1232010000000001",
226 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
227 eap_connect(dev
[2], hapd
, "SIM", "1232010000000002",
228 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
231 logger
.info("Negative test with incorrect key")
232 dev
[0].request("REMOVE_NETWORK all")
233 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
234 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
237 logger
.info("Invalid GSM-Milenage key")
238 dev
[0].request("REMOVE_NETWORK all")
239 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
240 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
243 logger
.info("Invalid GSM-Milenage key(2)")
244 dev
[0].request("REMOVE_NETWORK all")
245 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
246 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
249 logger
.info("Invalid GSM-Milenage key(3)")
250 dev
[0].request("REMOVE_NETWORK all")
251 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
252 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
255 logger
.info("Invalid GSM-Milenage key(4)")
256 dev
[0].request("REMOVE_NETWORK all")
257 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
258 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
261 logger
.info("Missing key configuration")
262 dev
[0].request("REMOVE_NETWORK all")
263 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
266 def test_ap_wpa2_eap_sim_sql(dev
, apdev
, params
):
267 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
268 check_hlr_auc_gw_support()
272 raise HwsimSkip("No sqlite3 module available")
273 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
274 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
275 params
['auth_server_port'] = "1814"
276 hapd
= hostapd
.add_ap(apdev
[0], params
)
277 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
278 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
280 logger
.info("SIM fast re-authentication")
281 eap_reauth(dev
[0], "SIM")
283 logger
.info("SIM full auth with pseudonym")
286 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
287 eap_reauth(dev
[0], "SIM")
289 logger
.info("SIM full auth with permanent identity")
292 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
293 cur
.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
294 eap_reauth(dev
[0], "SIM")
296 logger
.info("SIM reauth with mismatching MK")
299 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
300 eap_reauth(dev
[0], "SIM", expect_failure
=True)
301 dev
[0].request("REMOVE_NETWORK all")
303 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
304 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
307 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
308 eap_reauth(dev
[0], "SIM")
311 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
312 logger
.info("SIM reauth with mismatching counter")
313 eap_reauth(dev
[0], "SIM")
314 dev
[0].request("REMOVE_NETWORK all")
316 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
317 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
320 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
321 logger
.info("SIM reauth with max reauth count reached")
322 eap_reauth(dev
[0], "SIM")
324 def test_ap_wpa2_eap_sim_config(dev
, apdev
):
325 """EAP-SIM configuration options"""
326 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
327 hapd
= hostapd
.add_ap(apdev
[0], params
)
328 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
329 identity
="1232010000000000",
330 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
331 phase1
="sim_min_num_chal=1",
332 wait_connect
=False, scan_freq
="2412")
333 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
335 raise Exception("No EAP error message seen")
336 dev
[0].request("REMOVE_NETWORK all")
338 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
339 identity
="1232010000000000",
340 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
341 phase1
="sim_min_num_chal=4",
342 wait_connect
=False, scan_freq
="2412")
343 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
345 raise Exception("No EAP error message seen (2)")
346 dev
[0].request("REMOVE_NETWORK all")
348 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
349 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
350 phase1
="sim_min_num_chal=2")
351 eap_connect(dev
[1], hapd
, "SIM", "1232010000000000",
352 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
353 anonymous_identity
="345678")
355 def test_ap_wpa2_eap_sim_ext(dev
, apdev
):
356 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
358 _test_ap_wpa2_eap_sim_ext(dev
, apdev
)
360 dev
[0].request("SET external_sim 0")
362 def _test_ap_wpa2_eap_sim_ext(dev
, apdev
):
363 check_hlr_auc_gw_support()
364 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
365 hostapd
.add_ap(apdev
[0], params
)
366 dev
[0].request("SET external_sim 1")
367 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
368 identity
="1232010000000000",
369 wait_connect
=False, scan_freq
="2412")
370 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
372 raise Exception("Network connected timed out")
374 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
376 raise Exception("Wait for external SIM processing request timed out")
378 if p
[1] != "GSM-AUTH":
379 raise Exception("Unexpected CTRL-REQ-SIM type")
380 rid
= p
[0].split('-')[3]
383 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
384 # This will fail during processing, but the ctrl_iface command succeeds
385 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTH:" + resp
)
386 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
388 raise Exception("EAP failure not reported")
389 dev
[0].request("DISCONNECT")
390 dev
[0].wait_disconnected()
393 dev
[0].select_network(id, freq
="2412")
394 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
396 raise Exception("Wait for external SIM processing request timed out")
398 if p
[1] != "GSM-AUTH":
399 raise Exception("Unexpected CTRL-REQ-SIM type")
400 rid
= p
[0].split('-')[3]
401 # This will fail during GSM auth validation
402 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:q"):
403 raise Exception("CTRL-RSP-SIM failed")
404 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
406 raise Exception("EAP failure not reported")
407 dev
[0].request("DISCONNECT")
408 dev
[0].wait_disconnected()
411 dev
[0].select_network(id, freq
="2412")
412 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
414 raise Exception("Wait for external SIM processing request timed out")
416 if p
[1] != "GSM-AUTH":
417 raise Exception("Unexpected CTRL-REQ-SIM type")
418 rid
= p
[0].split('-')[3]
419 # This will fail during GSM auth validation
420 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:34"):
421 raise Exception("CTRL-RSP-SIM failed")
422 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
424 raise Exception("EAP failure not reported")
425 dev
[0].request("DISCONNECT")
426 dev
[0].wait_disconnected()
429 dev
[0].select_network(id, freq
="2412")
430 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
432 raise Exception("Wait for external SIM processing request timed out")
434 if p
[1] != "GSM-AUTH":
435 raise Exception("Unexpected CTRL-REQ-SIM type")
436 rid
= p
[0].split('-')[3]
437 # This will fail during GSM auth validation
438 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677"):
439 raise Exception("CTRL-RSP-SIM failed")
440 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
442 raise Exception("EAP failure not reported")
443 dev
[0].request("DISCONNECT")
444 dev
[0].wait_disconnected()
447 dev
[0].select_network(id, freq
="2412")
448 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
450 raise Exception("Wait for external SIM processing request timed out")
452 if p
[1] != "GSM-AUTH":
453 raise Exception("Unexpected CTRL-REQ-SIM type")
454 rid
= p
[0].split('-')[3]
455 # This will fail during GSM auth validation
456 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:q"):
457 raise Exception("CTRL-RSP-SIM failed")
458 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
460 raise Exception("EAP failure not reported")
461 dev
[0].request("DISCONNECT")
462 dev
[0].wait_disconnected()
465 dev
[0].select_network(id, freq
="2412")
466 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
468 raise Exception("Wait for external SIM processing request timed out")
470 if p
[1] != "GSM-AUTH":
471 raise Exception("Unexpected CTRL-REQ-SIM type")
472 rid
= p
[0].split('-')[3]
473 # This will fail during GSM auth validation
474 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233"):
475 raise Exception("CTRL-RSP-SIM failed")
476 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
478 raise Exception("EAP failure not reported")
479 dev
[0].request("DISCONNECT")
480 dev
[0].wait_disconnected()
483 dev
[0].select_network(id, freq
="2412")
484 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
486 raise Exception("Wait for external SIM processing request timed out")
488 if p
[1] != "GSM-AUTH":
489 raise Exception("Unexpected CTRL-REQ-SIM type")
490 rid
= p
[0].split('-')[3]
491 # This will fail during GSM auth validation
492 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233:q"):
493 raise Exception("CTRL-RSP-SIM failed")
494 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
496 raise Exception("EAP failure not reported")
498 def test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
):
499 """EAP-SIM with external GSM auth and replacing SIM without clearing pseudonym id"""
501 _test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
)
503 dev
[0].request("SET external_sim 0")
505 def _test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
):
506 check_hlr_auc_gw_support()
507 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
508 hostapd
.add_ap(apdev
[0], params
)
509 dev
[0].request("SET external_sim 1")
510 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
511 identity
="1232010000000000",
512 wait_connect
=False, scan_freq
="2412")
514 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
516 raise Exception("Wait for external SIM processing request timed out")
518 if p
[1] != "GSM-AUTH":
519 raise Exception("Unexpected CTRL-REQ-SIM type")
520 rid
= p
[0].split('-')[3]
521 rand
= p
[2].split(' ')[0]
523 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
525 "auth_serv/hlr_auc_gw.milenage_db",
526 "GSM-AUTH-REQ 232010000000000 " + rand
])
527 if "GSM-AUTH-RESP" not in res
:
528 raise Exception("Unexpected hlr_auc_gw response")
529 resp
= res
.split(' ')[2].rstrip()
531 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
532 dev
[0].wait_connected(timeout
=15)
533 dev
[0].request("DISCONNECT")
534 dev
[0].wait_disconnected()
536 # Replace SIM, but forget to drop the previous pseudonym identity
537 dev
[0].set_network_quoted(id, "identity", "1232010000000009")
538 dev
[0].select_network(id, freq
="2412")
540 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
542 raise Exception("Wait for external SIM processing request timed out")
544 if p
[1] != "GSM-AUTH":
545 raise Exception("Unexpected CTRL-REQ-SIM type")
546 rid
= p
[0].split('-')[3]
547 rand
= p
[2].split(' ')[0]
549 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
551 "auth_serv/hlr_auc_gw.milenage_db",
552 "GSM-AUTH-REQ 232010000000009 " + rand
])
553 if "GSM-AUTH-RESP" not in res
:
554 raise Exception("Unexpected hlr_auc_gw response")
555 resp
= res
.split(' ')[2].rstrip()
557 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
558 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
560 raise Exception("EAP-Failure not reported")
561 dev
[0].request("DISCONNECT")
562 dev
[0].wait_disconnected()
564 def test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
):
565 """EAP-SIM with external GSM auth and replacing SIM and clearing pseudonym identity"""
567 _test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
)
569 dev
[0].request("SET external_sim 0")
571 def _test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
):
572 check_hlr_auc_gw_support()
573 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
574 hostapd
.add_ap(apdev
[0], params
)
575 dev
[0].request("SET external_sim 1")
576 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
577 identity
="1232010000000000",
578 wait_connect
=False, scan_freq
="2412")
580 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
582 raise Exception("Wait for external SIM processing request timed out")
584 if p
[1] != "GSM-AUTH":
585 raise Exception("Unexpected CTRL-REQ-SIM type")
586 rid
= p
[0].split('-')[3]
587 rand
= p
[2].split(' ')[0]
589 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
591 "auth_serv/hlr_auc_gw.milenage_db",
592 "GSM-AUTH-REQ 232010000000000 " + rand
])
593 if "GSM-AUTH-RESP" not in res
:
594 raise Exception("Unexpected hlr_auc_gw response")
595 resp
= res
.split(' ')[2].rstrip()
597 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
598 dev
[0].wait_connected(timeout
=15)
599 dev
[0].request("DISCONNECT")
600 dev
[0].wait_disconnected()
602 # Replace SIM and drop the previous pseudonym identity
603 dev
[0].set_network_quoted(id, "identity", "1232010000000009")
604 dev
[0].set_network(id, "anonymous_identity", "NULL")
605 dev
[0].select_network(id, freq
="2412")
607 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
609 raise Exception("Wait for external SIM processing request timed out")
611 if p
[1] != "GSM-AUTH":
612 raise Exception("Unexpected CTRL-REQ-SIM type")
613 rid
= p
[0].split('-')[3]
614 rand
= p
[2].split(' ')[0]
616 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
618 "auth_serv/hlr_auc_gw.milenage_db",
619 "GSM-AUTH-REQ 232010000000009 " + rand
])
620 if "GSM-AUTH-RESP" not in res
:
621 raise Exception("Unexpected hlr_auc_gw response")
622 resp
= res
.split(' ')[2].rstrip()
624 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
625 dev
[0].wait_connected()
626 dev
[0].request("DISCONNECT")
627 dev
[0].wait_disconnected()
629 def test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
):
630 """EAP-SIM with external GSM auth, replacing SIM, and no identity in config"""
632 _test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
)
634 dev
[0].request("SET external_sim 0")
636 def _test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
):
637 check_hlr_auc_gw_support()
638 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
639 hostapd
.add_ap(apdev
[0], params
)
640 dev
[0].request("SET external_sim 1")
641 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
642 wait_connect
=False, scan_freq
="2412")
644 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
646 raise Exception("Request for identity timed out")
647 rid
= ev
.split(':')[0].split('-')[-1]
648 dev
[0].request("CTRL-RSP-IDENTITY-" + rid
+ ":1232010000000000")
650 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
652 raise Exception("Wait for external SIM processing request timed out")
654 if p
[1] != "GSM-AUTH":
655 raise Exception("Unexpected CTRL-REQ-SIM type")
656 rid
= p
[0].split('-')[3]
657 rand
= p
[2].split(' ')[0]
659 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
661 "auth_serv/hlr_auc_gw.milenage_db",
662 "GSM-AUTH-REQ 232010000000000 " + rand
])
663 if "GSM-AUTH-RESP" not in res
:
664 raise Exception("Unexpected hlr_auc_gw response")
665 resp
= res
.split(' ')[2].rstrip()
667 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
668 dev
[0].wait_connected(timeout
=15)
669 dev
[0].request("DISCONNECT")
670 dev
[0].wait_disconnected()
672 # Replace SIM and drop the previous permanent and pseudonym identities
673 dev
[0].set_network(id, "identity", "NULL")
674 dev
[0].set_network(id, "anonymous_identity", "NULL")
675 dev
[0].select_network(id, freq
="2412")
677 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
679 raise Exception("Request for identity timed out")
680 rid
= ev
.split(':')[0].split('-')[-1]
681 dev
[0].request("CTRL-RSP-IDENTITY-" + rid
+ ":1232010000000009")
683 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
685 raise Exception("Wait for external SIM processing request timed out")
687 if p
[1] != "GSM-AUTH":
688 raise Exception("Unexpected CTRL-REQ-SIM type")
689 rid
= p
[0].split('-')[3]
690 rand
= p
[2].split(' ')[0]
692 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
694 "auth_serv/hlr_auc_gw.milenage_db",
695 "GSM-AUTH-REQ 232010000000009 " + rand
])
696 if "GSM-AUTH-RESP" not in res
:
697 raise Exception("Unexpected hlr_auc_gw response")
698 resp
= res
.split(' ')[2].rstrip()
700 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
701 dev
[0].wait_connected()
702 dev
[0].request("DISCONNECT")
703 dev
[0].wait_disconnected()
705 def test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
):
706 """EAP-SIM with external GSM auth and auth failing"""
708 _test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
)
710 dev
[0].request("SET external_sim 0")
712 def _test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
):
713 check_hlr_auc_gw_support()
714 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
715 hostapd
.add_ap(apdev
[0], params
)
716 dev
[0].request("SET external_sim 1")
717 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
718 identity
="1232010000000000",
719 wait_connect
=False, scan_freq
="2412")
721 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
723 raise Exception("Wait for external SIM processing request timed out")
725 rid
= p
[0].split('-')[3]
726 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-FAIL")
727 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
729 raise Exception("EAP failure not reported")
730 dev
[0].request("REMOVE_NETWORK all")
731 dev
[0].wait_disconnected()
733 def test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
):
734 """EAP-SIM and external GSM auth to check fast reauth with bssid change"""
736 _test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
)
738 dev
[0].request("SET external_sim 0")
740 def _test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
):
741 check_hlr_auc_gw_support()
742 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
743 hostapd
.add_ap(apdev
[0], params
)
744 dev
[0].request("SET external_sim 1")
745 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
746 identity
="1232010000000000",
747 wait_connect
=False, scan_freq
="2412")
749 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
751 raise Exception("Wait for external SIM processing request timed out")
753 if p
[1] != "GSM-AUTH":
754 raise Exception("Unexpected CTRL-REQ-SIM type")
755 rid
= p
[0].split('-')[3]
756 rand
= p
[2].split(' ')[0]
758 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
760 "auth_serv/hlr_auc_gw.milenage_db",
761 "GSM-AUTH-REQ 232010000000000 " + rand
])
762 if "GSM-AUTH-RESP" not in res
:
763 raise Exception("Unexpected hlr_auc_gw response")
764 resp
= res
.split(' ')[2].rstrip()
766 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
767 dev
[0].wait_connected(timeout
=15)
769 # Verify that EAP-SIM Reauthentication can be used after a profile change
770 # that does not affect EAP parameters.
771 dev
[0].set_network(id, "bssid", "any")
772 eap_reauth(dev
[0], "SIM")
774 def test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
):
775 """EAP-SIM and external GSM auth to check fast reauth with no-change SET_NETWORK"""
777 _test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
)
779 dev
[0].request("SET external_sim 0")
781 def _test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
):
782 check_hlr_auc_gw_support()
783 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
784 hostapd
.add_ap(apdev
[0], params
)
785 dev
[0].request("SET external_sim 1")
786 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
787 identity
="1232010000000000",
788 wait_connect
=False, scan_freq
="2412")
790 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
792 raise Exception("Wait for external SIM processing request timed out")
794 if p
[1] != "GSM-AUTH":
795 raise Exception("Unexpected CTRL-REQ-SIM type")
796 rid
= p
[0].split('-')[3]
797 rand
= p
[2].split(' ')[0]
799 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
801 "auth_serv/hlr_auc_gw.milenage_db",
802 "GSM-AUTH-REQ 232010000000000 " + rand
])
803 if "GSM-AUTH-RESP" not in res
:
804 raise Exception("Unexpected hlr_auc_gw response")
805 resp
= res
.split(' ')[2].rstrip()
807 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
808 dev
[0].wait_connected(timeout
=15)
810 # Verify that EAP-SIM Reauthentication can be used after network profile
811 # SET_NETWORK commands that do not actually change previously set
813 dev
[0].set_network(id, "key_mgmt", "WPA-EAP")
814 dev
[0].set_network(id, "eap", "SIM")
815 dev
[0].set_network_quoted(id, "identity", "1232010000000000")
816 dev
[0].set_network_quoted(id, "ssid", "test-wpa2-eap")
817 eap_reauth(dev
[0], "SIM")
819 def test_ap_wpa2_eap_sim_oom(dev
, apdev
):
820 """EAP-SIM and OOM"""
821 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
822 hostapd
.add_ap(apdev
[0], params
)
823 tests
= [ (1, "milenage_f2345"),
824 (2, "milenage_f2345"),
825 (3, "milenage_f2345"),
826 (4, "milenage_f2345"),
827 (5, "milenage_f2345"),
828 (6, "milenage_f2345"),
829 (7, "milenage_f2345"),
830 (8, "milenage_f2345"),
831 (9, "milenage_f2345"),
832 (10, "milenage_f2345"),
833 (11, "milenage_f2345"),
834 (12, "milenage_f2345") ]
835 for count
, func
in tests
:
836 with
fail_test(dev
[0], count
, func
):
837 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
838 identity
="1232010000000000",
839 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
840 wait_connect
=False, scan_freq
="2412")
841 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
843 raise Exception("EAP method not selected")
844 dev
[0].wait_disconnected()
845 dev
[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA

    Brings up a WPA2-Enterprise AP, runs a full EAP-AKA authentication plus
    fast re-authentication for dev[0] against the hlr_auc_gw backend, and
    then walks through a list of Milenage key strings that must all be
    rejected: a wrong key, a single too-short field, a non-hex character in
    each of the three ':'-separated fields, missing separators, and finally
    no key at all. Raises HwsimSkip when hlr_auc_gw is not available.
    """
    check_hlr_auc_gw_support()
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"

    eap_connect(dev[0], ap, "AKA", imsi, password=good_key)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "AKA")

    # (log message, drop the previous network first?, key that must fail)
    bad_keys = [
        ("Negative test with incorrect key", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        # single field, far too short
        ("Invalid Milenage key", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a"),
        # non-hex character in the first field
        ("Invalid Milenage key(2)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        # non-hex character in the second field
        ("Invalid Milenage key(3)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123"),
        # non-hex character in the third field
        ("Invalid Milenage key(4)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q"),
        # second ':' separator replaced
        ("Invalid Milenage key(5)", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123"),
        # both ':' separators replaced
        ("Invalid Milenage key(6)", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123"),
    ]
    for msg, remove_first, key in bad_keys:
        logger.info(msg)
        if remove_first:
            dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], ap, "AKA", imsi, password=key, expect_failure=True)

    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "AKA", imsi, expect_failure=True)
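def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)

    Like test_ap_wpa2_eap_aka, but against the authentication server
    instance selected with auth_server_port 1814, whose pseudonym/reauth
    state is kept in the SQLite file hostapd.db under params['logdir'].
    The test edits that database directly between re-authentications to
    drive the fast re-auth, pseudonym, permanent-identity, mismatching MK,
    mismatching counter and max-reauth-count paths.

    params: hwsim test parameters; only params['logdir'] is read here.
    Raises HwsimSkip when hlr_auc_gw or the sqlite3 module is unavailable.
    """
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")

    imsi = "0232010000000000"
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def run_sql(*stmts):
        # One committed transaction per call so the server sees the edit
        # before the next EAP exchange starts.
        with con:
            cur = con.cursor()
            for stmt in stmts:
                cur.execute(stmt)

    try:
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        ap_params['auth_server_port'] = "1814"
        hapd = hostapd.add_ap(apdev[0], ap_params)
        eap_connect(dev[0], hapd, "AKA", imsi, password=key)

        logger.info("AKA fast re-authentication")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with pseudonym")
        run_sql("DELETE FROM reauth WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with permanent identity")
        run_sql("DELETE FROM reauth WHERE permanent='0232010000000000'",
                "DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA reauth with mismatching MK")
        run_sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "AKA", imsi, password=key)
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
        logger.info("AKA reauth with mismatching counter")
        eap_reauth(dev[0], "AKA")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "AKA", imsi, password=key)
        run_sql("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
        logger.info("AKA reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA")
    finally:
        # Release the SQLite handle even when an EAP step raises.
        con.close()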
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options

    Connects with EAP-AKA while an anonymous_identity is configured in
    addition to the permanent identity; the connection must still succeed.
    """
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                anonymous_identity="2345678")
def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth

    Thin wrapper around _test_ap_wpa2_eap_aka_ext whose only job is to
    switch external_sim back off on dev[0] afterwards, whether or not the
    body raised, so later tests start from the default state.
    """
    body = _test_ap_wpa2_eap_aka_ext
    try:
        body(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
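def _aka_ext_wait_umts_auth_req(dev):
    """Wait for a CTRL-REQ-SIM request of type UMTS-AUTH and return its id.

    The event has the form "CTRL-REQ-SIM-<id>:UMTS-AUTH:..."; the id is the
    fourth '-'-separated token of the first ':'-separated field.
    Raises Exception on timeout (15 s) or when the request type differs.
    """
    ev = dev.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    fields = ev.split(':', 2)
    if fields[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    return fields[0].split('-')[3]


def _aka_ext_expect_failure(dev):
    """Require an EAP failure within 15 s, then disconnect and flush events.

    Raises Exception when CTRL-EVENT-EAP-FAILURE is not reported.
    """
    ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev.request("DISCONNECT")
    dev.wait_disconnected()
    # Give trailing events a moment to arrive before they are discarded.
    time.sleep(0.1)
    dev.dump_monitor()


def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_ext (caller resets external_sim).

    With external_sim enabled, wpa_supplicant hands the UMTS AKA challenge
    to the control interface instead of computing it. The test answers
    the request in several wrong ways and requires an EAP failure each
    time: a GSM-AUTH response to a UMTS-AUTH request, a UMTS-AUTS
    (synchronization failure) answer followed by a too-short AUTS, and a
    list of malformed UMTS-AUTH responses (wrong separators, wrong field
    lengths, non-hex characters).
    Raises HwsimSkip when hlr_auc_gw is not available.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    # net_id is reused below to re-select the same network profile.
    net_id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                            identity="0232010000000000",
                            password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                            wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:
        raise Exception("Network connected timed out")

    rid = _aka_ext_wait_umts_auth_req(dev[0])
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # This will fail during processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    _aka_ext_expect_failure(dev[0])

    dev[0].select_network(net_id, freq="2412")
    rid = _aka_ext_wait_umts_auth_req(dev[0])
    # This will fail during UMTS auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
        raise Exception("CTRL-RSP-SIM failed")
    rid = _aka_ext_wait_umts_auth_req(dev[0])
    # This will fail during UMTS auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
        raise Exception("CTRL-RSP-SIM failed")
    _aka_ext_expect_failure(dev[0])

    # Malformed UMTS-AUTH responses; each is accepted by the control
    # interface but must fail validation.
    tests = [":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q"]
    for t in tests:
        dev[0].select_network(net_id, freq="2412")
        rid = _aka_ext_wait_umts_auth_req(dev[0])
        # This will fail during UMTS auth validation
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
            raise Exception("CTRL-RSP-SIM failed")
        _aka_ext_expect_failure(dev[0])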
def test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    """EAP-AKA with external UMTS auth and auth failing

    Wrapper that restores external_sim=0 on dev[0] after the body ran,
    regardless of whether it raised.
    """
    try:
        _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_ext_auth_fail (caller resets external_sim).

    Starts an EAP-AKA connection with no password configured so that the
    UMTS challenge is delegated to the control interface, answers the
    CTRL-REQ-SIM request with UMTS-FAIL and requires an EAP failure to be
    reported within 5 seconds. Raises HwsimSkip without hlr_auc_gw.
    """
    check_hlr_auc_gw_support()
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    sta.request("SET external_sim 1")
    sta.connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                identity="0232010000000000",
                wait_connect=False, scan_freq="2412")

    req = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if req is None:
        raise Exception("Wait for external SIM processing request timed out")
    # "CTRL-REQ-SIM-<id>:..." -> the request id is the 4th '-' token.
    rid = req.split(':', 2)[0].split('-')[3]
    sta.request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5) is None:
        raise Exception("EAP failure not reported")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'

    Runs EAP-AKA' authentication and re-authentication for dev[0], then
    exercises the AKA' bidding protection by connecting dev[1] with both
    "AKA'" and "AKA" enabled (identity suffix "@both"), which must still
    connect, and finally checks that a wrong key is rejected.
    Raises HwsimSkip when hlr_auc_gw is not available.
    """
    check_hlr_auc_gw_support()
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "6555444333222111"
    key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"

    eap_connect(dev[0], hapd, "AKA'", imsi, password=key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA'")

    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity=imsi + "@both",
                   password=key,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "AKA'", imsi,
                password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                expect_failure=True)
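def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)

    EAP-AKA' counterpart of test_ap_wpa2_eap_aka_sql: uses the
    authentication server instance selected with auth_server_port 1814,
    whose reauth/pseudonym state is kept in hostapd.db under
    params['logdir'], and edits that database between re-authentications
    to drive the pseudonym, permanent-identity, mismatching k_aut,
    mismatching counter and max-reauth-count paths.

    params: hwsim test parameters; only params['logdir'] is read here.
    Raises HwsimSkip when hlr_auc_gw or the sqlite3 module is unavailable.
    """
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")

    imsi = "6555444333222111"
    key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def run_sql(*stmts):
        # One committed transaction per call so the server sees the edit
        # before the next EAP exchange starts.
        with con:
            cur = con.cursor()
            for stmt in stmts:
                cur.execute(stmt)

    try:
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        ap_params['auth_server_port'] = "1814"
        hapd = hostapd.add_ap(apdev[0], ap_params)
        eap_connect(dev[0], hapd, "AKA'", imsi, password=key)

        logger.info("AKA' fast re-authentication")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with pseudonym")
        run_sql("DELETE FROM reauth WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with permanent identity")
        run_sql("DELETE FROM reauth WHERE permanent='6555444333222111'",
                "DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' reauth with mismatching k_aut")
        run_sql("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "AKA'", imsi, password=key)
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
        logger.info("AKA' reauth with mismatching counter")
        eap_reauth(dev[0], "AKA'")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "AKA'", imsi, password=key)
        run_sql("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
        logger.info("AKA' reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA'")
    finally:
        # Release the SQLite handle even when an EAP step raises.
        con.close()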
def test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    """EAP-AKA' with external UMTS auth and auth failing

    Wrapper that restores external_sim=0 on dev[0] after the body ran,
    regardless of whether it raised.
    """
    try:
        _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_prime_ext_auth_fail (caller resets external_sim).

    Starts an EAP-AKA' connection with no password configured so that the
    UMTS challenge is delegated to the control interface, answers the
    CTRL-REQ-SIM request with UMTS-FAIL and requires an EAP failure to be
    reported within 5 seconds. Raises HwsimSkip without hlr_auc_gw.
    """
    check_hlr_auc_gw_support()
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    sta.request("SET external_sim 1")
    sta.connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
                identity="6555444333222111",
                wait_connect=False, scan_freq="2412")

    req = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if req is None:
        raise Exception("Wait for external SIM processing request timed out")
    # "CTRL-REQ-SIM-<id>:..." -> the request id is the 4th '-' token.
    rid = req.split(':', 2)[0].split('-')[3]
    sta.request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5) is None:
        raise Exception("EAP failure not reported")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
def test_ap_wpa2_eap_aka_prime_ext(dev, apdev):
    """EAP-AKA' with external UMTS auth to hit Synchronization-Failure

    Wrapper that restores external_sim=0 on dev[0] after the body ran,
    regardless of whether it raised.
    """
    try:
        _test_ap_wpa2_eap_aka_prime_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_prime_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_prime_ext (caller resets external_sim).

    With external_sim enabled, answers the first UMTS-AUTH request with a
    UMTS-AUTS (synchronization failure) response and then only requires
    that the server issues a second UMTS-AUTH request; the test ends there.
    Raises HwsimSkip when hlr_auc_gw is not available.
    """
    check_hlr_auc_gw_support()
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    sta.request("SET external_sim 1")
    sta.connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
                identity="6555444333222111",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                wait_connect=False, scan_freq="2412")
    if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("Network connected timed out")

    def wait_umts_auth_req():
        # Returns the request id of the next CTRL-REQ-SIM UMTS-AUTH event.
        ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        fields = ev.split(':', 2)
        if fields[1] != "UMTS-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return fields[0].split('-')[3]

    rid = wait_umts_auth_req()
    # This will fail during UMTS auth validation
    if "OK" not in sta.request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
        raise Exception("CTRL-RSP-SIM failed")
    if sta.wait_event(["CTRL-REQ-SIM"], timeout=15) is None:
        raise Exception("Wait for external SIM processing request timed out")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP

    Checks that the AP reports WPA-EAP as its first key_mgmt entry, then
    authenticates dev[0] with EAP-TTLS/PAP, verifies data connectivity,
    re-authenticates and confirms via the MIB that the 802.1X AKM
    (00-0f-ac-1) was both requested and selected.
    """
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    key_mgmt = ap.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], ap, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
    expected_mib = [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")]
    check_mib(dev[0], expected_mib)
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match

    Authenticates with EAP-TTLS/PAP while pinning the server certificate
    with both subject_match and altsubject_match, then re-authenticates.
    Skipped when the TLS library does not support these options.
    """
    sta = dev[0]
    check_subject_match_support(sta)
    check_altsubject_match_support(sta)
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password

    Two failing EAP-TTLS/PAP attempts: dev[0] uses the PAP user with a
    wrong password, dev[1] uses a different user name with the right
    password. Both must be rejected.
    """
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                  expect_failure=True)
    eap_connect(dev[0], ap, "TTLS", "pap user", password="wrong", **common)
    eap_connect(dev[1], ap, "TTLS", "user", password="password", **common)
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP

    Authenticates dev[0] with EAP-TTLS/CHAP using the DER-encoded CA
    certificate, checks connectivity and re-authenticates.
    Skipped in FIPS mode.
    """
    sta = dev[0]
    skip_with_fips(sta)
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP

    EAP-TTLS/CHAP with an altsubject_match constraint on the server
    certificate (DER CA), followed by re-authentication.
    Skipped in FIPS mode or when altsubject_match is unsupported.
    """
    sta = dev[0]
    skip_with_fips(sta)
    check_altsubject_match_support(sta)
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password

    dev[0] tries the CHAP user with a wrong password and dev[1] a
    different user name with the right password; both must fail.
    Skipped in FIPS mode.
    """
    skip_with_fips(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                  expect_failure=True)
    eap_connect(dev[0], ap, "TTLS", "chap user", password="wrong", **common)
    eap_connect(dev[1], ap, "TTLS", "user", password="password", **common)
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP

    Three successful EAP-TTLS/MSCHAP authentications for dev[0]: with
    domain_suffix_match (plus connectivity check and re-auth), with a
    small EAP fragment_size of 200, and with the password supplied as a
    hash via password_hex instead of plaintext.
    Skipped in FIPS mode or when domain_suffix_match is unsupported.
    """
    sta = dev[0]
    skip_with_fips(sta)
    check_domain_suffix_match(sta)
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")

    eap_connect(sta, ap, "TTLS", "mschap user", password="password",
                domain_suffix_match="server.w1.fi", **common)
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")
    sta.request("REMOVE_NETWORK all")

    eap_connect(sta, ap, "TTLS", "mschap user", password="password",
                fragment_size="200", **common)
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()

    eap_connect(sta, ap, "TTLS", "mschap user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **common)
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password

    Three failing EAP-TTLS/MSCHAP attempts: wrong password (dev[0]),
    a different user name with the right password (dev[1]), and an
    unknown user (dev[2]). Skipped in FIPS mode.
    """
    skip_with_fips(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                  expect_failure=True)
    attempts = [(dev[0], "mschap user", "wrong"),
                (dev[1], "user", "password"),
                (dev[2], "no such user", "password")]
    for sta, user, pw in attempts:
        eap_connect(sta, ap, "TTLS", user, password=pw, **common)
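def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2

    Connects dev[0] with EAP-TTLS/MSCHAPv2 and domain_suffix_match, then
    re-authenticates and verifies from the AP's per-STA counters that
    dot1xAuthEapolFramesRx and backendAuthSuccesses increased and that an
    EAP-Start while authenticated was counted. Finally the same user is
    authenticated with the password given as an NT hash via password_hex.
    Skipped when MSCHAPV2 or domain_suffix_match is unsupported.
    """
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # The identity contains a literal backslash. Writing it as "\\m" yields
    # the same bytes as the unescaped "\m" but avoids the invalid-escape
    # SyntaxWarning newer Python versions emit.
    identity = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], hapd, "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)

    addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(addr)
    eapol1 = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(addr)
    eapol2 = hapd.get_sta(addr, info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")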
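def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
    """EAP-TTLS with invalid phase2 parameter values

    For each phase2 string in the list (a differently-cased method name,
    mixed auth=/autheap= entries, repeated auth= entries, and an unknown
    autheap method) the supplicant must propose EAP-TTLS (method=21) and
    then fail to initialize the method instead of connecting.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    tests = ["auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
             "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
             "autheap=MD5 autheap=FOO autheap=MSCHAPV2"]
    for t in tests:
        # "\\m" is the escaped form of the literal backslash in the
        # identity; same bytes as "\m", without the invalid-escape warning.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\\mschapv2 user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2=t,
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
        if ev is None or "method=21" not in ev:
            raise Exception("EAP-TTLS not started")
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method",
                                "CTRL-EVENT-CONNECTED"], timeout=5)
        if ev is None or "CTRL-EVENT-CONNECTED" in ev:
            raise Exception("No EAP-TTLS failure reported for phase2=" + t)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()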
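def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2

    EAP-TTLS/MSCHAPv2 with domain_suffix_match set to the parent domain
    "w1.fi" rather than the full server name; the connection must
    succeed, pass a connectivity check and re-authenticate.
    Skipped in FIPS mode or when full domain matching is unsupported.
    """
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # "\\m": escaped literal backslash, same bytes as the unescaped "\m".
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")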
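def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)

    EAP-TTLS/MSCHAPv2 with domain_match="Server.w1.fi", i.e. the full
    server name in a different letter case; the connection must succeed,
    pass a connectivity check and re-authenticate.
    Skipped in FIPS mode or when domain_match is unsupported.
    """
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # "\\m": escaped literal backslash, same bytes as the unescaped "\m".
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")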
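def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password

    dev[0] tries the MSCHAPv2 user with a wrong password ("password1")
    and dev[1] a different user name with the right password; both must
    be rejected. Skipped in FIPS mode.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # "\\m": escaped literal backslash, same bytes as the unescaped "\m".
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
    eap_connect(dev[1], hapd, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)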
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password

    dev[0] authenticates with a non-ASCII password, dev[1] with the
    corresponding password hash (password_hex="hash:..."). dev[2] then
    tries three password_hex values that the supplicant must refuse
    (presumably invalid or over-long byte strings) and must see an EAP
    failure within one second for each. Skipped in FIPS mode.
    """
    skip_with_fips(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[0], ap, "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **common)
    eap_connect(dev[1], ap, "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf", **common)

    bad_hex = ["80", "41c041e04141e041", 257*"41"]
    sta = dev[2]
    for p in bad_hex:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                    eap="TTLS", identity="utf8-user-hash",
                    password_hex=p,
                    wait_connect=False, scan_freq="2412", **common)
        if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1) is None:
            raise Exception("No failure reported")
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC

    Authenticates dev[0] with EAP-GTC tunnelled in EAP-TTLS
    (phase2="autheap=GTC"), checks connectivity and re-authenticates.
    """
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password

    EAP-TTLS/EAP-GTC with a wrong password must fail.
    """
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password

    The server-side user "user-no-passwd" has no password configured, so
    an EAP-TTLS/EAP-GTC attempt for it must fail even though the client
    supplies one.
    """
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)
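def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM

    Uses the integrated EAP server (int_eap_server_params) so allocation
    failures can be injected into hostapd. A failure in eap_gtc_init must
    make the authentication fail; for a failure in eap_gtc_buildReq the
    test only waits until the injected failure has been hit.
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    with alloc_fail(hapd, 1, "eap_gtc_init"):
        eap_connect(dev[0], hapd, "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure. wait_fail_trigger is the same helper the
        # client-side OOM test in this file uses for GET_ALLOC_FAIL polling.
        wait_fail_trigger(hapd, "GET_ALLOC_FAIL")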
def test_ap_wpa2_eap_ttls_eap_gtc_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC (OOM)

    Client-side allocation failures: for each injection point in the
    supplicant's EAP-GTC code, start an EAP-TTLS/EAP-GTC connection,
    wait until the injected failure has been hit, then tear the network
    down.
    """
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    for func in ("eap_gtc_init", "eap_msg_alloc;eap_gtc_process"):
        with alloc_fail(sta, 1, func):
            sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                        eap="TTLS", identity="user",
                        anonymous_identity="ttls", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                        wait_connect=False, scan_freq="2412")
            wait_fail_trigger(sta, "GET_ALLOC_FAIL")
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5

    Authenticates dev[0] with EAP-MD5 tunnelled in EAP-TTLS
    (phase2="autheap=MD5"), checks connectivity and re-authenticates.
    Skipped when the build lacks EAP-MD5.
    """
    sta = dev[0]
    check_eap_capa(sta, "MD5")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password

    EAP-TTLS/EAP-MD5 with a wrong password must fail.
    Skipped when the build lacks EAP-MD5.
    """
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password

    The server-side user "user-no-passwd" has no password configured, so
    an EAP-TTLS/EAP-MD5 attempt for it must fail.
    Skipped when the build lacks EAP-MD5.
    """
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
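def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM

    Uses the integrated EAP server (int_eap_server_params) so allocation
    failures can be injected into hostapd. A failure in eap_md5_init must
    make the authentication fail; for a failure in eap_md5_buildReq the
    test only waits until the injected failure has been hit.
    Skipped when the build lacks EAP-MD5.
    """
    check_eap_capa(dev[0], "MD5")
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    with alloc_fail(hapd, 1, "eap_md5_init"):
        eap_connect(dev[0], hapd, "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure. wait_fail_trigger is the same helper the
        # client-side OOM test in this file uses for GET_ALLOC_FAIL polling.
        wait_fail_trigger(hapd, "GET_ALLOC_FAIL")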
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2

    Authenticates dev[0] with EAP-MSCHAPv2 tunnelled in EAP-TTLS
    (phase2="autheap=MSCHAPV2"), checks connectivity, re-authenticates,
    and then confirms that a wrong password ("password1") is rejected.
    Skipped when the build lacks MSCHAPV2.
    """
    sta = dev[0]
    check_eap_capa(sta, "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    eap_connect(sta, ap, "TTLS", "user", password="password", **common)
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "TTLS", "user", password="password1",
                expect_failure=True, **common)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password

    The server-side user "user-no-passwd" has no password configured, so
    an EAP-TTLS/EAP-MSCHAPv2 attempt for it must fail.
    Skipped when the build lacks MSCHAPV2.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
1627 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev
, apdev
):
1628 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
1629 check_eap_capa(dev
[0], "MSCHAPV2")
1630 params
= int_eap_server_params()
1631 hapd
= hostapd
.add_ap(apdev
[0], params
)
1632 with
alloc_fail(hapd
, 1, "eap_mschapv2_init"):
1633 eap_connect(dev
[0], hapd
, "TTLS", "user",
1634 anonymous_identity
="ttls", password
="password",
1635 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1636 expect_failure
=True)
1637 dev
[0].request("REMOVE_NETWORK all")
1639 with
alloc_fail(hapd
, 1, "eap_mschapv2_build_challenge"):
1640 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1641 eap
="TTLS", identity
="user",
1642 anonymous_identity
="ttls", password
="password",
1643 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1644 wait_connect
=False, scan_freq
="2412")
1645 # This would eventually time out, but we can stop after having reached
1646 # the allocation failure.
1649 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1651 dev
[0].request("REMOVE_NETWORK all")
1653 with
alloc_fail(hapd
, 1, "eap_mschapv2_build_success_req"):
1654 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1655 eap
="TTLS", identity
="user",
1656 anonymous_identity
="ttls", password
="password",
1657 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1658 wait_connect
=False, scan_freq
="2412")
1659 # This would eventually time out, but we can stop after having reached
1660 # the allocation failure.
1663 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1665 dev
[0].request("REMOVE_NETWORK all")
1667 with
alloc_fail(hapd
, 1, "eap_mschapv2_build_failure_req"):
1668 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1669 eap
="TTLS", identity
="user",
1670 anonymous_identity
="ttls", password
="wrong",
1671 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1672 wait_connect
=False, scan_freq
="2412")
1673 # This would eventually time out, but we can stop after having reached
1674 # the allocation failure.
1677 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1679 dev
[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-SIM runs as the inner method of the TTLS tunnel. The "password" is
    # the simulated SIM's Ki:OPc pair matching the hwsim Milenage test data;
    # the leading '1' of the identity marks an EAP-SIM permanent identity.
    sim_creds = dict(anonymous_identity="1232010000000000@ttls",
                     password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                     ca_cert="auth_serv/ca.pem", phase2="autheap=SIM")
    eap_connect(dev[0], ap, "TTLS", "1232010000000000", **sim_creds)
    eap_reauth(dev[0], "TTLS")
1691 def run_ext_sim_auth(dev
):
1692 ev
= dev
.wait_event(["CTRL-REQ-SIM"], timeout
=15)
1694 raise Exception("Wait for external SIM processing request timed out")
1695 p
= ev
.split(':', 2)
1696 if p
[1] != "GSM-AUTH":
1697 raise Exception("Unexpected CTRL-REQ-SIM type")
1698 rid
= p
[0].split('-')[3]
1699 rand
= p
[2].split(' ')[0]
1701 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
1703 "auth_serv/hlr_auc_gw.milenage_db",
1704 "GSM-AUTH-REQ 232010000000000 " + rand
])
1705 if "GSM-AUTH-RESP" not in res
:
1706 raise Exception("Unexpected hlr_auc_gw response")
1707 resp
= res
.split(' ')[2].rstrip()
1709 dev
.request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
1710 dev
.wait_connected(timeout
=15)
1713 dev
.request("REAUTHENTICATE")
1714 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=5)
1716 raise Exception("EAP reauthentication did not succeed")
1717 ev
= dev
.wait_event(["WPA: Key negotiation completed"], timeout
=5)
1719 raise Exception("Key negotiation did not complete")
1722 def test_ap_wpa2_eap_ttls_eap_sim_ext(dev
, apdev
):
1723 """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM and external GSM auth"""
1724 check_hlr_auc_gw_support()
1726 run_ap_wpa2_eap_ttls_eap_sim_ext(dev
, apdev
)
1728 dev
[0].request("SET external_sim 0")
def run_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev):
    # Body of test_ap_wpa2_eap_ttls_eap_sim_ext: EAP-TTLS with EAP-SIM inside,
    # GSM authentication answered from outside wpa_supplicant. external_sim is
    # switched on here; the caller switches it off again afterwards.
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    sim_creds = dict(identity="1232010000000000",
                     anonymous_identity="1232010000000000@ttls",
                     password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                     ca_cert="auth_serv/ca.pem", phase2="autheap=SIM")
    # Do not block on the connection: the GSM-AUTH request has to be answered
    # over the control interface first, which run_ext_sim_auth() does.
    dev[0].connect("test-wpa2-eap", eap="TTLS", key_mgmt="WPA-EAP",
                   wait_connect=False, scan_freq="2412", **sim_creds)
    run_ext_sim_auth(dev[0])
def test_ap_wpa2_eap_peap_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # PEAP outer tunnel (auth= selects the inner EAP method) carrying EAP-SIM;
    # password holds the simulated SIM's Ki:OPc pair.
    sim_creds = dict(anonymous_identity="1232010000000000@peap",
                     password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                     ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
    eap_connect(dev[0], ap, "PEAP", "1232010000000000", **sim_creds)
    eap_reauth(dev[0], "PEAP")
1752 def test_ap_wpa2_eap_peap_eap_sim_ext(dev
, apdev
):
1753 """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM and external GSM auth"""
1754 check_hlr_auc_gw_support()
1756 run_ap_wpa2_eap_peap_eap_sim_ext(dev
, apdev
)
1758 dev
[0].request("SET external_sim 0")
def run_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev):
    # Body of test_ap_wpa2_eap_peap_eap_sim_ext: PEAP with EAP-SIM inside and
    # the GSM authentication handled externally. external_sim is enabled here
    # and reset by the caller.
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    sim_creds = dict(identity="1232010000000000",
                     anonymous_identity="1232010000000000@peap",
                     password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                     ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
    # wait_connect=False: run_ext_sim_auth() must answer the CTRL-REQ-SIM
    # request before the association can complete.
    dev[0].connect("test-wpa2-eap", eap="PEAP", key_mgmt="WPA-EAP",
                   wait_connect=False, scan_freq="2412", **sim_creds)
    run_ext_sim_auth(dev[0])
def test_ap_wpa2_eap_fast_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-SIM"""
    check_eap_capa(dev[0], "FAST")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-FAST with authenticated PAC provisioning (fast_provisioning=2); the
    # provisioned PAC is stored in a config blob rather than on disk.
    fast_cfg = dict(anonymous_identity="1232010000000000@fast",
                    password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                    phase1="fast_provisioning=2",
                    pac_file="blob://fast_pac_auth_sim",
                    ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
    eap_connect(dev[0], ap, "FAST", "1232010000000000", **fast_cfg)
    eap_reauth(dev[0], "FAST")
1785 def test_ap_wpa2_eap_fast_eap_sim_ext(dev
, apdev
):
1786 """WPA2-Enterprise connection using EAP-FAST/EAP-SIM and external GSM auth"""
1787 check_hlr_auc_gw_support()
1789 run_ap_wpa2_eap_fast_eap_sim_ext(dev
, apdev
)
1791 dev
[0].request("SET external_sim 0")
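def run_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev):
    # Body of test_ap_wpa2_eap_fast_eap_sim_ext: EAP-FAST with EAP-SIM as the
    # inner method and the GSM authentication answered externally through
    # run_ext_sim_auth(). external_sim is enabled here; the caller resets it.
    # Raises HwsimSkip when the build has no EAP-FAST, as the non-external
    # variant test_ap_wpa2_eap_fast_eap_sim already does.
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    # The outer method is EAP-FAST. The previous version requested PEAP with a
    # "@peap" outer identity, which silently ignored fast_provisioning and
    # pac_file and never exercised EAP-FAST at all; the parameters now mirror
    # test_ap_wpa2_eap_fast_eap_sim.
    dev[0].connect("test-wpa2-eap", eap="FAST", key_mgmt="WPA-EAP",
                   identity="1232010000000000",
                   anonymous_identity="1232010000000000@fast",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   phase1="fast_provisioning=2",
                   pac_file="blob://fast_pac_auth_sim",
                   ca_cert="auth_serv/ca.pem", phase2="auth=SIM",
                   wait_connect=False, scan_freq="2412")
    run_ext_sim_auth(dev[0])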
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-AKA inside the TTLS tunnel. The simulated USIM credentials are
    # Ki:OPc:SQN; the identity's leading '0' marks an EAP-AKA permanent
    # identity.
    aka_creds = dict(anonymous_identity="0232010000000000@ttls",
                     password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                     ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
    eap_connect(dev[0], ap, "TTLS", "0232010000000000", **aka_creds)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # PEAP tunnel carrying EAP-AKA; password is the simulated USIM's
    # Ki:OPc:SQN triple.
    aka_creds = dict(anonymous_identity="0232010000000000@peap",
                     password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                     ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_connect(dev[0], ap, "PEAP", "0232010000000000", **aka_creds)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-FAST with authenticated provisioning; the PAC lives in a config blob
    # separate from the EAP-SIM variant so the two tests do not share state.
    fast_cfg = dict(anonymous_identity="0232010000000000@fast",
                    password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                    phase1="fast_provisioning=2",
                    pac_file="blob://fast_pac_auth_aka",
                    ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_connect(dev[0], ap, "FAST", "0232010000000000", **fast_cfg)
    eap_reauth(dev[0], "FAST")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Shared PEAP settings: "peap" outer identity, server validated against
    # auth_serv/ca.pem, EAP-MSCHAPv2 inside the tunnel.
    peap = dict(anonymous_identity="peap",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    eap_connect(dev[0], ap, "PEAP", "user", password="password", **peap)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")
    dev[0].request("REMOVE_NETWORK all")

    # Same credentials with a small EAP fragment size to force fragmentation
    # of the TLS handshake.
    eap_connect(dev[0], ap, "PEAP", "user", password="password",
                fragment_size="200", **peap)

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # The supplicant can be given the NT password hash instead of the
    # cleartext password (hash: prefix); MSCHAPv2 only needs the hash.
    eap_connect(dev[0], ap, "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **peap)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "PEAP", "user", password="password1",
                expect_failure=True, **peap)
def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Inner identity in DOMAIN\user form. The backslash is escaped so the
    # literal is the same under Python 2 and 3 ("\u" would otherwise be read
    # as the start of a unicode escape on Python 3).
    eap_connect(dev[0], ap, "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Negative case: a wrong inner password must lead to EAP failure rather
    # than a connection.
    eap_connect(dev[0], ap, "PEAP", "user",
                anonymous_identity="peap", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(password="password", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")

    # PEAPv0 with cryptobinding required (crypto_binding=2): the inner and
    # outer authentications are bound together, which is the setting that
    # defends against tunnel man-in-the-middle attacks.
    eap_connect(dev[0], ap, "PEAP", "user",
                phase1="peapver=0 crypto_binding=2", **common)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    # The other stations use cryptobinding as optional (1) and disabled (0);
    # all three must still connect against this server.
    for station, mode in ((1, "1"), (2, "0")):
        eap_connect(dev[station], ap, "PEAP", "user",
                    phase1="peapver=0 crypto_binding=" + mode, **common)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0], int_eap_server_params())
    # Make the first allocation inside eap_mschapv2_getKey() on the server
    # fail; without the inner-method key the cryptobinding cannot be computed,
    # so the connection is expected to fail. local_error_report=True tells
    # eap_connect that the failure is detected locally rather than via an
    # EAP-Failure from the server.
    with alloc_fail(ap, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], ap, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
1924 def test_ap_wpa2_eap_peap_params(dev
, apdev
):
1925 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
1926 check_eap_capa(dev
[0], "MSCHAPV2")
1927 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1928 hapd
= hostapd
.add_ap(apdev
[0], params
)
1929 eap_connect(dev
[0], hapd
, "PEAP", "user",
1930 anonymous_identity
="peap", password
="password",
1931 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1932 phase1
="peapver=0 peaplabel=1",
1933 expect_failure
=True)
1934 dev
[0].request("REMOVE_NETWORK all")
1935 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
1937 anonymous_identity
="peap", password
="password",
1938 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1939 phase1
="peap_outer_success=0",
1940 wait_connect
=False, scan_freq
="2412")
1941 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
1943 raise Exception("No EAP success seen")
1944 # This won't succeed to connect with peap_outer_success=0, so stop here.
1945 dev
[0].request("REMOVE_NETWORK all")
1946 dev
[0].wait_disconnected()
1947 eap_connect(dev
[1], hapd
, "PEAP", "user", password
="password",
1948 ca_cert
="auth_serv/ca.pem",
1949 phase1
="peap_outer_success=1",
1950 phase2
="auth=MSCHAPV2")
1951 eap_connect(dev
[2], hapd
, "PEAP", "user", password
="password",
1952 ca_cert
="auth_serv/ca.pem",
1953 phase1
="peap_outer_success=2",
1954 phase2
="auth=MSCHAPV2")
1955 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
1957 anonymous_identity
="peap", password
="password",
1958 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1959 phase1
="peapver=1 peaplabel=1",
1960 wait_connect
=False, scan_freq
="2412")
1961 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
1963 raise Exception("No EAP success seen")
1964 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=1)
1966 raise Exception("Unexpected connection")
1968 tests
= [ ("peap-ver0", ""),
1970 ("peap-ver0", "peapver=0"),
1971 ("peap-ver1", "peapver=1") ]
1972 for anon
,phase1
in tests
:
1973 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
1974 identity
="user", anonymous_identity
=anon
,
1975 password
="password", phase1
=phase1
,
1976 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1978 dev
[0].request("REMOVE_NETWORK all")
1979 dev
[0].wait_disconnected()
1981 tests
= [ ("peap-ver0", "peapver=1"),
1982 ("peap-ver1", "peapver=0") ]
1983 for anon
,phase1
in tests
:
1984 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
1985 identity
="user", anonymous_identity
=anon
,
1986 password
="password", phase1
=phase1
,
1987 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1988 wait_connect
=False, scan_freq
="2412")
1989 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
1991 raise Exception("No EAP-Failure seen")
1992 dev
[0].request("REMOVE_NETWORK all")
1993 dev
[0].wait_disconnected()
1995 eap_connect(dev
[0], hapd
, "PEAP", "user", password
="password",
1996 ca_cert
="auth_serv/ca.pem",
1997 phase1
="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
1998 phase2
="auth=MSCHAPV2")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-TLS as the inner PEAP method: the *2 parameters are the phase 2
    # trust root and client credentials, distinct from the outer ca_cert.
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], ap, "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Plain EAP-TLS: mutual certificate authentication, then a fast
    # reauthentication round.
    client = dict(ca_cert="auth_serv/ca.pem",
                  client_cert="auth_serv/user.pem",
                  private_key="auth_serv/user.key")
    eap_connect(dev[0], ap, "TLS", "tls user", **client)
    eap_reauth(dev[0], "TLS")
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Encrypted PKCS #8 private key (PKCS #5 v2 / DES3 PBE) unlocked with
    # private_key_passwd.
    client = dict(ca_cert="auth_serv/ca.pem",
                  client_cert="auth_serv/user.pem",
                  private_key="auth_serv/user.key.pkcs8",
                  private_key_passwd="whatever")
    eap_connect(dev[0], ap, "TLS", "tls user", **client)
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
    # Legacy PKCS #5 v1.5 PBE is not available in every TLS build; skip when
    # the supplicant cannot handle it.
    check_pkcs5_v15_support(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    client = dict(ca_cert="auth_serv/ca.pem",
                  client_cert="auth_serv/user.pem",
                  private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                  private_key_passwd="whatever")
    eap_connect(dev[0], ap, "TLS", "tls user", **client)
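def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    def set_blob(name, pem_path):
        # Load a PEM file into the named wpa_supplicant config blob. The
        # control interface takes the blob contents hex-encoded. Raises
        # Exception naming the blob that could not be stored; previously a
        # failure to store "userkey" was mis-reported as the cacert blob.
        data = read_pem(pem_path)
        if "OK" not in dev[0].request("SET blob " + name + " " +
                                      data.encode("hex")):
            raise Exception("Could not set %s blob" % name)

    set_blob("cacert", "auth_serv/ca.pem")
    set_blob("usercert", "auth_serv/user.pem")
    set_blob("userkey", "auth_serv/user.rsa-key")
    # All three credentials are referenced via blob:// so the TLS library is
    # never handed a file path.
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")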
2056 def test_ap_wpa2_eap_tls_blob_missing(dev
, apdev
):
2057 """EAP-TLS and config blob missing"""
2058 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2059 hostapd
.add_ap(apdev
[0], params
)
2060 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2061 identity
="tls user",
2062 ca_cert
="blob://testing-blob-does-not-exist",
2063 client_cert
="blob://testing-blob-does-not-exist",
2064 private_key
="blob://testing-blob-does-not-exist",
2065 wait_connect
=False, scan_freq
="2412")
2066 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"], timeout
=10)
2068 raise Exception("EAP failure not reported")
2069 dev
[0].request("REMOVE_NETWORK all")
2070 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
    """EAP-TLS and TLS Message Length in unfragmented packets"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # include_tls_length=1 makes the supplicant add the TLS Message Length
    # field even when the message is not fragmented; the server must accept
    # that.
    client = dict(ca_cert="auth_serv/ca.pem",
                  phase1="include_tls_length=1",
                  client_cert="auth_serv/user.pem",
                  private_key="auth_serv/user.key")
    eap_connect(dev[0], ap, "TLS", "tls user", **client)
2081 def test_ap_wpa2_eap_tls_pkcs12(dev
, apdev
):
2082 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
2083 check_pkcs12_support(dev
[0])
2084 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2085 hapd
= hostapd
.add_ap(apdev
[0], params
)
2086 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
2087 private_key
="auth_serv/user.pkcs12",
2088 private_key_passwd
="whatever")
2089 dev
[0].request("REMOVE_NETWORK all")
2090 dev
[0].wait_disconnected()
2092 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2093 identity
="tls user",
2094 ca_cert
="auth_serv/ca.pem",
2095 private_key
="auth_serv/user.pkcs12",
2096 wait_connect
=False, scan_freq
="2412")
2097 ev
= dev
[0].wait_event(["CTRL-REQ-PASSPHRASE"])
2099 raise Exception("Request for private key passphrase timed out")
2100 id = ev
.split(':')[0].split('-')[-1]
2101 dev
[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
2102 dev
[0].wait_connected(timeout
=10)
2103 dev
[0].request("REMOVE_NETWORK all")
2104 dev
[0].wait_disconnected()
2106 # Run this twice to verify certificate chain handling with OpenSSL. Use two
2107 # different files to cover both cases of the extra certificate being the
2108 # one that signed the client certificate and it being unrelated to the
2109 # client certificate.
2110 for pkcs12
in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
2112 eap_connect(dev
[0], hapd
, "TLS", "tls user",
2113 ca_cert
="auth_serv/ca.pem",
2115 private_key_passwd
="whatever")
2116 dev
[0].request("REMOVE_NETWORK all")
2117 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    check_pkcs12_support(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Trust root as a hex-encoded config blob.
    ca_pem = read_pem("auth_serv/ca.pem")
    reply = dev[0].request("SET blob cacert " + ca_pem.encode("hex"))
    if "OK" not in reply:
        raise Exception("Could not set cacert blob")
    # PKCS#12 bundle (client certificate + encrypted key) as a raw blob; the
    # file is binary, so it is read in "rb" mode rather than through
    # read_pem().
    with open("auth_serv/user.pkcs12", "rb") as fh:
        reply = dev[0].request("SET blob pkcs12 " + fh.read().encode("hex"))
        if "OK" not in reply:
            raise Exception("Could not set pkcs12 blob")
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
2134 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev
, apdev
):
2135 """WPA2-Enterprise negative test - incorrect trust root"""
2136 check_eap_capa(dev
[0], "MSCHAPV2")
2137 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2138 hostapd
.add_ap(apdev
[0], params
)
2139 cert
= read_pem("auth_serv/ca-incorrect.pem")
2140 if "OK" not in dev
[0].request("SET blob cacert " + cert
.encode("hex")):
2141 raise Exception("Could not set cacert blob")
2142 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2143 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2144 password
="password", phase2
="auth=MSCHAPV2",
2145 ca_cert
="blob://cacert",
2146 wait_connect
=False, scan_freq
="2412")
2147 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2148 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2149 password
="password", phase2
="auth=MSCHAPV2",
2150 ca_cert
="auth_serv/ca-incorrect.pem",
2151 wait_connect
=False, scan_freq
="2412")
2153 for dev
in (dev
[0], dev
[1]):
2154 ev
= dev
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2156 raise Exception("Association and EAP start timed out")
2158 ev
= dev
.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
2160 raise Exception("EAP method selection timed out")
2161 if "TTLS" not in ev
:
2162 raise Exception("Unexpected EAP method")
2164 ev
= dev
.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2165 "CTRL-EVENT-EAP-SUCCESS",
2166 "CTRL-EVENT-EAP-FAILURE",
2167 "CTRL-EVENT-CONNECTED",
2168 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2170 raise Exception("EAP result timed out")
2171 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
2172 raise Exception("TLS certificate error not reported")
2174 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS",
2175 "CTRL-EVENT-EAP-FAILURE",
2176 "CTRL-EVENT-CONNECTED",
2177 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2179 raise Exception("EAP result(2) timed out")
2180 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
2181 raise Exception("EAP failure not reported")
2183 ev
= dev
.wait_event(["CTRL-EVENT-CONNECTED",
2184 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2186 raise Exception("EAP result(3) timed out")
2187 if "CTRL-EVENT-DISCONNECTED" not in ev
:
2188 raise Exception("Disconnection not reported")
2190 ev
= dev
.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
2192 raise Exception("Network block disabling not reported")
2194 def test_ap_wpa2_eap_tls_diff_ca_trust(dev
, apdev
):
2195 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
2196 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2197 hapd
= hostapd
.add_ap(apdev
[0], params
)
2198 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2199 identity
="pap user", anonymous_identity
="ttls",
2200 password
="password", phase2
="auth=PAP",
2201 ca_cert
="auth_serv/ca.pem",
2202 wait_connect
=True, scan_freq
="2412")
2203 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2204 identity
="pap user", anonymous_identity
="ttls",
2205 password
="password", phase2
="auth=PAP",
2206 ca_cert
="auth_serv/ca-incorrect.pem",
2207 only_add_network
=True, scan_freq
="2412")
2209 dev
[0].request("DISCONNECT")
2210 dev
[0].wait_disconnected()
2211 dev
[0].dump_monitor()
2212 dev
[0].select_network(id, freq
="2412")
2214 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout
=15)
2216 raise Exception("EAP-TTLS not re-started")
2218 ev
= dev
[0].wait_disconnected(timeout
=15)
2219 if "reason=23" not in ev
:
2220 raise Exception("Proper reason code for disconnection not reported")
2222 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev
, apdev
):
2223 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
2224 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2225 hapd
= hostapd
.add_ap(apdev
[0], params
)
2226 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2227 identity
="pap user", anonymous_identity
="ttls",
2228 password
="password", phase2
="auth=PAP",
2229 wait_connect
=True, scan_freq
="2412")
2230 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2231 identity
="pap user", anonymous_identity
="ttls",
2232 password
="password", phase2
="auth=PAP",
2233 ca_cert
="auth_serv/ca-incorrect.pem",
2234 only_add_network
=True, scan_freq
="2412")
2236 dev
[0].request("DISCONNECT")
2237 dev
[0].wait_disconnected()
2238 dev
[0].dump_monitor()
2239 dev
[0].select_network(id, freq
="2412")
2241 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout
=15)
2243 raise Exception("EAP-TTLS not re-started")
2245 ev
= dev
[0].wait_disconnected(timeout
=15)
2246 if "reason=23" not in ev
:
2247 raise Exception("Proper reason code for disconnection not reported")
2249 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev
, apdev
):
2250 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
2251 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2252 hapd
= hostapd
.add_ap(apdev
[0], params
)
2253 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2254 identity
="pap user", anonymous_identity
="ttls",
2255 password
="password", phase2
="auth=PAP",
2256 ca_cert
="auth_serv/ca.pem",
2257 wait_connect
=True, scan_freq
="2412")
2258 dev
[0].request("DISCONNECT")
2259 dev
[0].wait_disconnected()
2260 dev
[0].dump_monitor()
2261 dev
[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
2262 dev
[0].select_network(id, freq
="2412")
2264 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout
=15)
2266 raise Exception("EAP-TTLS not re-started")
2268 ev
= dev
[0].wait_disconnected(timeout
=15)
2269 if "reason=23" not in ev
:
2270 raise Exception("Proper reason code for disconnection not reported")
2272 def test_ap_wpa2_eap_tls_neg_suffix_match(dev
, apdev
):
2273 """WPA2-Enterprise negative test - domain suffix mismatch"""
2274 check_domain_suffix_match(dev
[0])
2275 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2276 hostapd
.add_ap(apdev
[0], params
)
2277 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2278 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2279 password
="password", phase2
="auth=MSCHAPV2",
2280 ca_cert
="auth_serv/ca.pem",
2281 domain_suffix_match
="incorrect.example.com",
2282 wait_connect
=False, scan_freq
="2412")
2284 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2286 raise Exception("Association and EAP start timed out")
2288 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
2290 raise Exception("EAP method selection timed out")
2291 if "TTLS" not in ev
:
2292 raise Exception("Unexpected EAP method")
2294 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2295 "CTRL-EVENT-EAP-SUCCESS",
2296 "CTRL-EVENT-EAP-FAILURE",
2297 "CTRL-EVENT-CONNECTED",
2298 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2300 raise Exception("EAP result timed out")
2301 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
2302 raise Exception("TLS certificate error not reported")
2303 if "Domain suffix mismatch" not in ev
:
2304 raise Exception("Domain suffix mismatch not reported")
2306 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2307 "CTRL-EVENT-EAP-FAILURE",
2308 "CTRL-EVENT-CONNECTED",
2309 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2311 raise Exception("EAP result(2) timed out")
2312 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
2313 raise Exception("EAP failure not reported")
2315 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
2316 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2318 raise Exception("EAP result(3) timed out")
2319 if "CTRL-EVENT-DISCONNECTED" not in ev
:
2320 raise Exception("Disconnection not reported")
2322 ev
= dev
[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
2324 raise Exception("Network block disabling not reported")
2326 def test_ap_wpa2_eap_tls_neg_domain_match(dev
, apdev
):
2327 """WPA2-Enterprise negative test - domain mismatch"""
2328 check_domain_match(dev
[0])
2329 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2330 hostapd
.add_ap(apdev
[0], params
)
2331 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2332 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2333 password
="password", phase2
="auth=MSCHAPV2",
2334 ca_cert
="auth_serv/ca.pem",
2335 domain_match
="w1.fi",
2336 wait_connect
=False, scan_freq
="2412")
2338 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2340 raise Exception("Association and EAP start timed out")
2342 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
2344 raise Exception("EAP method selection timed out")
2345 if "TTLS" not in ev
:
2346 raise Exception("Unexpected EAP method")
2348 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2349 "CTRL-EVENT-EAP-SUCCESS",
2350 "CTRL-EVENT-EAP-FAILURE",
2351 "CTRL-EVENT-CONNECTED",
2352 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2354 raise Exception("EAP result timed out")
2355 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
2356 raise Exception("TLS certificate error not reported")
2357 if "Domain mismatch" not in ev
:
2358 raise Exception("Domain mismatch not reported")
2360 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2361 "CTRL-EVENT-EAP-FAILURE",
2362 "CTRL-EVENT-CONNECTED",
2363 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2365 raise Exception("EAP result(2) timed out")
2366 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
2367 raise Exception("EAP failure not reported")
2369 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
2370 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2372 raise Exception("EAP result(3) timed out")
2373 if "CTRL-EVENT-DISCONNECTED" not in ev
:
2374 raise Exception("Disconnection not reported")
2376 ev
= dev
[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
2378 raise Exception("Network block disabling not reported")
2380 def test_ap_wpa2_eap_tls_neg_subject_match(dev
, apdev
):
2381 """WPA2-Enterprise negative test - subject mismatch"""
2382 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2383 hostapd
.add_ap(apdev
[0], params
)
2384 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2385 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2386 password
="password", phase2
="auth=MSCHAPV2",
2387 ca_cert
="auth_serv/ca.pem",
2388 subject_match
="/C=FI/O=w1.fi/CN=example.com",
2389 wait_connect
=False, scan_freq
="2412")
2391 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2393 raise Exception("Association and EAP start timed out")
2395 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD",
2396 "EAP: Failed to initialize EAP method"], timeout
=10)
2398 raise Exception("EAP method selection timed out")
2399 if "EAP: Failed to initialize EAP method" in ev
:
2400 tls
= dev
[0].request("GET tls_library")
2401 if tls
.startswith("OpenSSL"):
2402 raise Exception("Failed to select EAP method")
2403 logger
.info("subject_match not supported - connection failed, so test succeeded")
2405 if "TTLS" not in ev
:
2406 raise Exception("Unexpected EAP method")
2408 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2409 "CTRL-EVENT-EAP-SUCCESS",
2410 "CTRL-EVENT-EAP-FAILURE",
2411 "CTRL-EVENT-CONNECTED",
2412 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2414 raise Exception("EAP result timed out")
2415 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
2416 raise Exception("TLS certificate error not reported")
2417 if "Subject mismatch" not in ev
:
2418 raise Exception("Subject mismatch not reported")
2420 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2421 "CTRL-EVENT-EAP-FAILURE",
2422 "CTRL-EVENT-CONNECTED",
2423 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2425 raise Exception("EAP result(2) timed out")
2426 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
2427 raise Exception("EAP failure not reported")
2429 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
2430 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2432 raise Exception("EAP result(3) timed out")
2433 if "CTRL-EVENT-DISCONNECTED" not in ev
:
2434 raise Exception("Disconnection not reported")
2436 ev
= dev
[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
2438 raise Exception("Network block disabling not reported")
2440 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev
, apdev
):
2441 """WPA2-Enterprise negative test - altsubject mismatch"""
2442 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2443 hostapd
.add_ap(apdev
[0], params
)
2445 tests
= [ "incorrect.example.com",
2446 "DNS:incorrect.example.com",
2450 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev
, apdev
, match
)
2452 def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev
, apdev
, match
):
2453 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2454 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2455 password
="password", phase2
="auth=MSCHAPV2",
2456 ca_cert
="auth_serv/ca.pem",
2457 altsubject_match
=match
,
2458 wait_connect
=False, scan_freq
="2412")
2460 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2462 raise Exception("Association and EAP start timed out")
2464 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD",
2465 "EAP: Failed to initialize EAP method"], timeout
=10)
2467 raise Exception("EAP method selection timed out")
2468 if "EAP: Failed to initialize EAP method" in ev
:
2469 tls
= dev
[0].request("GET tls_library")
2470 if tls
.startswith("OpenSSL"):
2471 raise Exception("Failed to select EAP method")
2472 logger
.info("altsubject_match not supported - connection failed, so test succeeded")
2474 if "TTLS" not in ev
:
2475 raise Exception("Unexpected EAP method")
2477 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2478 "CTRL-EVENT-EAP-SUCCESS",
2479 "CTRL-EVENT-EAP-FAILURE",
2480 "CTRL-EVENT-CONNECTED",
2481 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2483 raise Exception("EAP result timed out")
2484 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
2485 raise Exception("TLS certificate error not reported")
2486 if "AltSubject mismatch" not in ev
:
2487 raise Exception("altsubject mismatch not reported")
2489 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2490 "CTRL-EVENT-EAP-FAILURE",
2491 "CTRL-EVENT-CONNECTED",
2492 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2494 raise Exception("EAP result(2) timed out")
2495 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
2496 raise Exception("EAP failure not reported")
2498 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
2499 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2501 raise Exception("EAP result(3) timed out")
2502 if "CTRL-EVENT-DISCONNECTED" not in ev
:
2503 raise Exception("Disconnection not reported")
2505 ev
= dev
[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
2507 raise Exception("Network block disabling not reported")
2509 dev
[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    sta = dev[0]
    # AP with the integrated EAP server; the station side only configures
    # the trust anchor (auth_serv/ca.pem), no client credential.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, hapd, "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    # Reauthentication after the initial association has to succeed too.
    eap_reauth(sta, "UNAUTH-TLS")
2519 def test_ap_wpa2_eap_ttls_server_cert_hash(dev
, apdev
):
2520 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
2521 check_cert_probe_support(dev
[0])
2522 skip_with_fips(dev
[0])
2523 srv_cert_hash
= "53728dde442d4adc27cb10a847234a4315590f0b36786353023c3b0f2e9fdf49"
2524 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2525 hapd
= hostapd
.add_ap(apdev
[0], params
)
2526 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2527 identity
="probe", ca_cert
="probe://",
2528 wait_connect
=False, scan_freq
="2412")
2529 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2531 raise Exception("Association and EAP start timed out")
2532 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout
=10)
2534 raise Exception("No peer server certificate event seen")
2535 if "hash=" + srv_cert_hash
not in ev
:
2536 raise Exception("Expected server certificate hash not reported")
2537 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout
=10)
2539 raise Exception("EAP result timed out")
2540 if "Server certificate chain probe" not in ev
:
2541 raise Exception("Server certificate probe not reported")
2542 dev
[0].wait_disconnected(timeout
=10)
2543 dev
[0].request("REMOVE_NETWORK all")
2545 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2546 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2547 password
="password", phase2
="auth=MSCHAPV2",
2548 ca_cert
="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
2549 wait_connect
=False, scan_freq
="2412")
2550 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2552 raise Exception("Association and EAP start timed out")
2553 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout
=10)
2555 raise Exception("EAP result timed out")
2556 if "Server certificate mismatch" not in ev
:
2557 raise Exception("Server certificate mismatch not reported")
2558 dev
[0].wait_disconnected(timeout
=10)
2559 dev
[0].request("REMOVE_NETWORK all")
2561 eap_connect(dev
[0], hapd
, "TTLS", "DOMAIN\mschapv2 user",
2562 anonymous_identity
="ttls", password
="password",
2563 ca_cert
="hash://server/sha256/" + srv_cert_hash
,
2564 phase2
="auth=MSCHAPV2")
2566 def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev
, apdev
):
2567 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
2568 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2569 hostapd
.add_ap(apdev
[0], params
)
2570 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2571 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2572 password
="password", phase2
="auth=MSCHAPV2",
2573 ca_cert
="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
2574 wait_connect
=False, scan_freq
="2412")
2575 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2576 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2577 password
="password", phase2
="auth=MSCHAPV2",
2578 ca_cert
="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
2579 wait_connect
=False, scan_freq
="2412")
2580 dev
[2].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2581 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2582 password
="password", phase2
="auth=MSCHAPV2",
2583 ca_cert
="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
2584 wait_connect
=False, scan_freq
="2412")
2585 for i
in range(0, 3):
2586 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2588 raise Exception("Association and EAP start timed out")
2589 ev
= dev
[i
].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout
=5)
2591 raise Exception("Did not report EAP method initialization failure")
2593 def test_ap_wpa2_eap_pwd(dev
, apdev
):
2594 """WPA2-Enterprise connection using EAP-pwd"""
2595 check_eap_capa(dev
[0], "PWD")
2596 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2597 hapd
= hostapd
.add_ap(apdev
[0], params
)
2598 eap_connect(dev
[0], hapd
, "PWD", "pwd user", password
="secret password")
2599 eap_reauth(dev
[0], "PWD")
2600 dev
[0].request("REMOVE_NETWORK all")
2602 eap_connect(dev
[1], hapd
, "PWD",
2603 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2604 password
="secret password",
2607 logger
.info("Negative test with incorrect password")
2608 eap_connect(dev
[2], hapd
, "PWD", "pwd user", password
="secret-password",
2609 expect_failure
=True, local_error_report
=True)
2611 eap_connect(dev
[0], hapd
, "PWD",
2612 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2613 password
="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash"""
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The credential for "pwd-hash" is offered in two forms: the plaintext
    # password and a pre-computed hash passed via password_hex.
    nthash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    eap_connect(dev[0], hapd, "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], hapd, "PWD", "pwd-hash", password_hex=nthash)
    # Negative case: the same hash offered for a different identity must be
    # rejected; the failure is expected to surface as a local error report.
    eap_connect(dev[2], hapd, "PWD", "pwd user", password_hex=nthash,
                expect_failure=True, local_error_report=True)
2629 def test_ap_wpa2_eap_pwd_groups(dev
, apdev
):
2630 """WPA2-Enterprise connection using various EAP-pwd groups"""
2631 check_eap_capa(dev
[0], "PWD")
2632 tls
= dev
[0].request("GET tls_library")
2633 params
= { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2634 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2635 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
2636 groups
= [ 19, 20, 21, 25, 26 ]
2637 if tls
.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls
and "run=OpenSSL 1.0.2" in tls
:
2638 logger
.info("Add Brainpool EC groups since OpenSSL is new enough")
2639 groups
+= [ 27, 28, 29, 30 ]
2641 logger
.info("Group %d" % i
)
2642 params
['pwd_group'] = str(i
)
2643 hapd
= hostapd
.add_ap(apdev
[0], params
)
2645 eap_connect(dev
[0], hapd
, "PWD", "pwd user",
2646 password
="secret password")
2647 dev
[0].request("REMOVE_NETWORK all")
2648 dev
[0].wait_disconnected()
2649 dev
[0].dump_monitor()
2651 if "BoringSSL" in tls
and i
in [ 25 ]:
2652 logger
.info("Ignore connection failure with group %d with BoringSSL" % i
)
2653 dev
[0].request("DISCONNECT")
2655 dev
[0].request("REMOVE_NETWORK all")
2656 dev
[0].dump_monitor()
2660 def test_ap_wpa2_eap_pwd_invalid_group(dev
, apdev
):
2661 """WPA2-Enterprise connection using invalid EAP-pwd group"""
2662 check_eap_capa(dev
[0], "PWD")
2663 params
= { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2664 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2665 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
2666 params
['pwd_group'] = "0"
2667 hostapd
.add_ap(apdev
[0], params
)
2668 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PWD",
2669 identity
="pwd user", password
="secret password",
2670 scan_freq
="2412", wait_connect
=False)
2671 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2673 raise Exception("Timeout on EAP failure report")
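def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
    check_eap_capa(dev[0], "PWD")
    # The AP parameters are written out explicitly (the earlier
    # hostapd.wpa2_eap_params() result was immediately overwritten and has
    # been dropped) so that pwd_group and a deliberately tiny fragment_size
    # can be set; the 40-byte limit forces the EAP server to fragment the
    # EAP-pwd exchange, which is what this test exercises.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PWD", "pwd user", password="secret password")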
2686 def test_ap_wpa2_eap_gpsk(dev
, apdev
):
2687 """WPA2-Enterprise connection using EAP-GPSK"""
2688 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2689 hapd
= hostapd
.add_ap(apdev
[0], params
)
2690 id = eap_connect(dev
[0], hapd
, "GPSK", "gpsk user",
2691 password
="abcdefghijklmnop0123456789abcdef")
2692 eap_reauth(dev
[0], "GPSK")
2694 logger
.info("Test forced algorithm selection")
2695 for phase1
in [ "cipher=1", "cipher=2" ]:
2696 dev
[0].set_network_quoted(id, "phase1", phase1
)
2697 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
2699 raise Exception("EAP success timed out")
2700 dev
[0].wait_connected(timeout
=10)
2702 logger
.info("Test failed algorithm negotiation")
2703 dev
[0].set_network_quoted(id, "phase1", "cipher=9")
2704 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
2706 raise Exception("EAP failure timed out")
2708 logger
.info("Negative test with incorrect password")
2709 dev
[0].request("REMOVE_NETWORK all")
2710 eap_connect(dev
[0], hapd
, "GPSK", "gpsk user",
2711 password
="ffcdefghijklmnop0123456789abcdef",
2712 expect_failure
=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-SAKE credential: 32 bytes of key material, supplied as hex.
    root_secret = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(sta, hapd, "SAKE", "sake user", password_hex=root_secret)
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # Same identity, key differing only in the first byte: must be rejected.
    eap_connect(sta, hapd, "SAKE", "sake user",
                password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
                expect_failure=True)
2728 def test_ap_wpa2_eap_eke(dev
, apdev
):
2729 """WPA2-Enterprise connection using EAP-EKE"""
2730 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2731 hapd
= hostapd
.add_ap(apdev
[0], params
)
2732 id = eap_connect(dev
[0], hapd
, "EKE", "eke user", password
="hello")
2733 eap_reauth(dev
[0], "EKE")
2735 logger
.info("Test forced algorithm selection")
2736 for phase1
in [ "dhgroup=5 encr=1 prf=2 mac=2",
2737 "dhgroup=4 encr=1 prf=2 mac=2",
2738 "dhgroup=3 encr=1 prf=2 mac=2",
2739 "dhgroup=3 encr=1 prf=1 mac=1" ]:
2740 dev
[0].set_network_quoted(id, "phase1", phase1
)
2741 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
2743 raise Exception("EAP success timed out")
2744 dev
[0].wait_connected(timeout
=10)
2746 logger
.info("Test failed algorithm negotiation")
2747 dev
[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
2748 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
2750 raise Exception("EAP failure timed out")
2752 logger
.info("Negative test with incorrect password")
2753 dev
[0].request("REMOVE_NETWORK all")
2754 eap_connect(dev
[0], hapd
, "EKE", "eke user", password
="hello1",
2755 expect_failure
=True)
2757 def test_ap_wpa2_eap_eke_many(dev
, apdev
, params
):
2758 """WPA2-Enterprise connection using EAP-EKE (many connections) [long]"""
2759 if not params
['long']:
2760 raise HwsimSkip("Skip test case with long duration due to --long not specified")
2761 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2762 hostapd
.add_ap(apdev
[0], params
)
2765 for i
in range(100):
2767 dev
[j
].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="EKE",
2768 identity
="eke user", password
="hello",
2769 phase1
="dhgroup=3 encr=1 prf=1 mac=1",
2770 scan_freq
="2412", wait_connect
=False)
2772 ev
= dev
[j
].wait_event(["CTRL-EVENT-CONNECTED",
2773 "CTRL-EVENT-DISCONNECTED"], timeout
=15)
2775 raise Exception("No connected/disconnected event")
2776 if "CTRL-EVENT-DISCONNECTED" in ev
:
2778 # The RADIUS server limits on active sessions can be hit when
2779 # going through this test case, so try to give some more time
2780 # for the server to remove sessions.
2781 logger
.info("Failed to connect i=%d j=%d" % (i
, j
))
2782 dev
[j
].request("REMOVE_NETWORK all")
2786 dev
[j
].request("REMOVE_NETWORK all")
2787 dev
[j
].wait_disconnected()
2788 dev
[j
].dump_monitor()
2789 logger
.info("Total success=%d failure=%d" % (success
, fail
))
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
    # Integrated EAP server whose server identity is an NAI-form string.
    params = int_eap_server_params()
    params.update(server_id='example.server@w1.fi')
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "EKE", "eke user", password="hello")
2798 def test_ap_wpa2_eap_eke_server_oom(dev
, apdev
):
2799 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
2800 params
= int_eap_server_params()
2801 hapd
= hostapd
.add_ap(apdev
[0], params
)
2802 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
2804 for count
,func
in [ (1, "eap_eke_build_commit"),
2805 (2, "eap_eke_build_commit"),
2806 (3, "eap_eke_build_commit"),
2807 (1, "eap_eke_build_confirm"),
2808 (2, "eap_eke_build_confirm"),
2809 (1, "eap_eke_process_commit"),
2810 (2, "eap_eke_process_commit"),
2811 (1, "eap_eke_process_confirm"),
2812 (1, "eap_eke_process_identity"),
2813 (2, "eap_eke_process_identity"),
2814 (3, "eap_eke_process_identity"),
2815 (4, "eap_eke_process_identity") ]:
2816 with
alloc_fail(hapd
, count
, func
):
2817 eap_connect(dev
[0], hapd
, "EKE", "eke user", password
="hello",
2818 expect_failure
=True)
2819 dev
[0].request("REMOVE_NETWORK all")
2821 for count
,func
,pw
in [ (1, "eap_eke_init", "hello"),
2822 (1, "eap_eke_get_session_id", "hello"),
2823 (1, "eap_eke_getKey", "hello"),
2824 (1, "eap_eke_build_msg", "hello"),
2825 (1, "eap_eke_build_failure", "wrong"),
2826 (1, "eap_eke_build_identity", "hello"),
2827 (2, "eap_eke_build_identity", "hello") ]:
2828 with
alloc_fail(hapd
, count
, func
):
2829 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
2830 eap
="EKE", identity
="eke user", password
=pw
,
2831 wait_connect
=False, scan_freq
="2412")
2832 # This would eventually time out, but we can stop after having
2833 # reached the allocation failure.
2836 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
2838 dev
[0].request("REMOVE_NETWORK all")
2840 for count
in range(1, 1000):
2842 with
alloc_fail(hapd
, count
, "eap_server_sm_step"):
2843 dev
[0].connect("test-wpa2-eap",
2844 key_mgmt
="WPA-EAP WPA-EAP-SHA256",
2845 eap
="EKE", identity
="eke user", password
=pw
,
2846 wait_connect
=False, scan_freq
="2412")
2847 # This would eventually time out, but we can stop after having
2848 # reached the allocation failure.
2851 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
2853 dev
[0].request("REMOVE_NETWORK all")
2854 except Exception, e
:
2855 if str(e
) == "Allocation failure did not trigger":
2857 raise Exception("Too few allocation failures")
2858 logger
.info("%d allocation failures tested" % (count
- 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    sta = dev[0]
    check_eap_capa(sta, "IKEV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(**kwargs):
        # Every step authenticates the same user; only the extra
        # parameters (password / fragment_size / expect_failure) differ.
        eap_connect(sta, hapd, "IKEV2", "ikev2 user", **kwargs)

    connect(password="ike password")
    eap_reauth(sta, "IKEV2")
    sta.request("REMOVE_NETWORK all")
    # Station-side fragmentation with a small fragment size.
    connect(password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    connect(password="ike-password", expect_failure=True)
    sta.request("REMOVE_NETWORK all")

    # fragment_size boundary value.
    connect(password="ike password", fragment_size="0")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
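def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
    check_eap_capa(dev[0], "IKEV2")
    # The AP parameters are written out explicitly (the earlier
    # hostapd.wpa2_eap_params() result was immediately overwritten and has
    # been dropped) so that a small fragment_size can be set on the EAP
    # server; this forces the server to fragment the EAP-IKEv2 exchange.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "IKEV2", "ikev2 user",
                password="ike password")
    # Reauthentication must work with the fragmenting server as well.
    eap_reauth(dev[0], "IKEV2")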
2898 def test_ap_wpa2_eap_ikev2_oom(dev
, apdev
):
2899 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
2900 check_eap_capa(dev
[0], "IKEV2")
2901 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2902 hostapd
.add_ap(apdev
[0], params
)
2904 tests
= [ (1, "dh_init"),
2906 (1, "dh_derive_shared") ]
2907 for count
, func
in tests
:
2908 with
alloc_fail(dev
[0], count
, func
):
2909 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="IKEV2",
2910 identity
="ikev2 user", password
="ike password",
2911 wait_connect
=False, scan_freq
="2412")
2912 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
2914 raise Exception("EAP method not selected")
2916 if "0:" in dev
[0].request("GET_ALLOC_FAIL"):
2919 dev
[0].request("REMOVE_NETWORK all")
2921 tls
= dev
[0].request("GET tls_library")
2922 if not tls
.startswith("wolfSSL"):
2923 tests
= [ (1, "os_get_random;dh_init") ]
2925 tests
= [ (1, "crypto_dh_init;dh_init") ]
2926 for count
, func
in tests
:
2927 with
fail_test(dev
[0], count
, func
):
2928 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="IKEV2",
2929 identity
="ikev2 user", password
="ike password",
2930 wait_connect
=False, scan_freq
="2412")
2931 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
2933 raise Exception("EAP method not selected")
2935 if "0:" in dev
[0].request("GET_FAIL"):
2938 dev
[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    sta = dev[0]
    identity = "pax.user@example.com"
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-PAX credential: 16 bytes of key material, supplied as hex.
    eap_connect(sta, hapd, "PAX", identity,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "PAX")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # Same identity, key differing only in the first byte: must be rejected.
    eap_connect(sta, hapd, "PAX", identity,
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    sta = dev[0]
    identity = "psk.user@example.com"
    # SHA-256 based 802.1X AKM with management frame protection required
    # (ieee80211w=2) on the AP side.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params.update({"wpa_key_mgmt": "WPA-EAP-SHA256", "ieee80211w": "2"})
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(sta, hapd, "PSK", identity,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(sta, "PSK", sha256=True)
    # Both the requested and the selected AKM suite must be the SHA-256
    # variant (selector 00-0f-ac-5).
    suite = "00-0f-ac-5"
    check_mib(sta, [ ("dot11RSNAAuthenticationSuiteRequested", suite),
                     ("dot11RSNAAuthenticationSuiteSelected", suite) ])

    # The BSS table entry must advertise the SHA-256 AKM as well.
    bss = sta.get_bss(apdev[0]['bssid'])
    try:
        flags = bss['flags']
    except KeyError:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # Key differing only in the first byte: must be rejected.
    eap_connect(sta, hapd, "PSK", identity,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
2978 def test_ap_wpa2_eap_psk_oom(dev
, apdev
):
2979 """WPA2-Enterprise connection using EAP-PSK and OOM"""
2980 skip_with_fips(dev
[0])
2981 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2982 hostapd
.add_ap(apdev
[0], params
)
2983 tests
= [ (1, "=aes_128_eax_encrypt"),
2984 (1, "=aes_128_eax_decrypt") ]
2985 for count
, func
in tests
:
2986 with
alloc_fail(dev
[0], count
, func
):
2987 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PSK",
2988 identity
="psk.user@example.com",
2989 password_hex
="0123456789abcdef0123456789abcdef",
2990 wait_connect
=False, scan_freq
="2412")
2991 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
2993 raise Exception("EAP method not selected")
2994 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL",
2995 note
="Failure not triggered: %d:%s" % (count
, func
))
2996 dev
[0].request("REMOVE_NETWORK all")
2997 dev
[0].wait_disconnected()
2999 tests
= [ (1, "aes_ctr_encrypt;aes_128_eax_encrypt"),
3000 (1, "omac1_aes_128;aes_128_eax_encrypt"),
3001 (2, "omac1_aes_128;aes_128_eax_encrypt"),
3002 (3, "omac1_aes_128;aes_128_eax_encrypt"),
3003 (1, "omac1_aes_vector"),
3004 (1, "omac1_aes_128;aes_128_eax_decrypt"),
3005 (2, "omac1_aes_128;aes_128_eax_decrypt"),
3006 (3, "omac1_aes_128;aes_128_eax_decrypt"),
3007 (1, "aes_ctr_encrypt;aes_128_eax_decrypt") ]
3008 for count
, func
in tests
:
3009 with
fail_test(dev
[0], count
, func
):
3010 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PSK",
3011 identity
="psk.user@example.com",
3012 password_hex
="0123456789abcdef0123456789abcdef",
3013 wait_connect
=False, scan_freq
="2412")
3014 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
3016 raise Exception("EAP method not selected")
3017 wait_fail_trigger(dev
[0], "GET_FAIL",
3018 note
="Failure not triggered: %d:%s" % (count
, func
))
3019 dev
[0].request("REMOVE_NETWORK all")
3020 dev
[0].wait_disconnected()
3022 with
fail_test(dev
[0], 1, "aes_128_encrypt_block"):
3023 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PSK",
3024 identity
="psk.user@example.com",
3025 password_hex
="0123456789abcdef0123456789abcdef",
3026 wait_connect
=False, scan_freq
="2412")
3027 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
3029 raise Exception("EAP method failure not reported")
3030 dev
[0].request("REMOVE_NETWORK all")
3031 dev
[0].wait_disconnected()
3033 def test_ap_wpa_eap_peap_eap_mschapv2(dev
, apdev
):
3034 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
3035 check_eap_capa(dev
[0], "MSCHAPV2")
3036 params
= hostapd
.wpa_eap_params(ssid
="test-wpa-eap")
3037 hapd
= hostapd
.add_ap(apdev
[0], params
)
3038 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
3039 identity
="user", password
="password", phase2
="auth=MSCHAPV2",
3040 ca_cert
="auth_serv/ca.pem", wait_connect
=False,
3042 eap_check_auth(dev
[0], "PEAP", True, rsn
=False)
3043 hwsim_utils
.test_connectivity(dev
[0], hapd
)
3044 eap_reauth(dev
[0], "PEAP", rsn
=False)
3045 check_mib(dev
[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
3046 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
3047 status
= dev
[0].get_status(extra
="VERBOSE")
3048 if 'portControl' not in status
:
3049 raise Exception("portControl missing from STATUS-VERBOSE")
3050 if status
['portControl'] != 'Auto':
3051 raise Exception("Unexpected portControl value: " + status
['portControl'])
3052 if 'eap_session_id' not in status
:
3053 raise Exception("eap_session_id missing from STATUS-VERBOSE")
3054 if not status
['eap_session_id'].startswith("19"):
3055 raise Exception("Unexpected eap_session_id value: " + status
['eap_session_id'])
3057 def test_ap_wpa2_eap_interactive(dev
, apdev
):
3058 """WPA2-Enterprise connection using interactive identity/password entry"""
3059 check_eap_capa(dev
[0], "MSCHAPV2")
3060 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3061 hapd
= hostapd
.add_ap(apdev
[0], params
)
3063 tests
= [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
3064 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
3066 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
3067 "TTLS", "ttls", None, "auth=MSCHAPV2",
3068 "DOMAIN\mschapv2 user", "password"),
3069 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
3070 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
3071 ("Connection with dynamic TTLS/EAP-MD5 password entry",
3072 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
3073 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
3074 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
3075 ("Connection with dynamic PEAP/EAP-GTC password entry",
3076 "PEAP", None, "user", "auth=GTC", None, "password") ]
3077 for [desc
,eap
,anon
,identity
,phase2
,req_id
,req_pw
] in tests
:
3079 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
=eap
,
3080 anonymous_identity
=anon
, identity
=identity
,
3081 ca_cert
="auth_serv/ca.pem", phase2
=phase2
,
3082 wait_connect
=False, scan_freq
="2412")
3084 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
3086 raise Exception("Request for identity timed out")
3087 id = ev
.split(':')[0].split('-')[-1]
3088 dev
[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id
)
3089 ev
= dev
[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
3091 raise Exception("Request for password timed out")
3092 id = ev
.split(':')[0].split('-')[-1]
3093 type = "OTP" if "CTRL-REQ-OTP" in ev
else "PASSWORD"
3094 dev
[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw
)
3095 dev
[0].wait_connected(timeout
=10)
3096 dev
[0].request("REMOVE_NETWORK all")
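def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
    """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # A second, unrelated profile that is only added, never selected.
    # Enabling it later must not disturb the established EAP connection.
    id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
                              only_add_network=True)

    # The identity is supplied interactively over the control interface.
    # The backslash is doubled: "\m" is not a recognised escape sequence,
    # so the literal value is unchanged but no longer relies on that fallback.
    req_id = "DOMAIN\\mschapv2 user"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   anonymous_identity="ttls", identity=None,
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    if ev is None:
        raise Exception("Request for identity timed out")
    # The request number is the trailing "-<n>" field of the
    # "CTRL-REQ-IDENTITY-<n>:" tag that precedes the first ':'.
    req_num = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + req_num + ":" + req_id)
    dev[0].wait_connected(timeout=10)

    if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
        raise Exception("Failed to enable network")
    # Enabling another network while connected must not trigger a new
    # authentication attempt, so seeing the SME event here is a failure.
    ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
    if ev is not None:
        raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
    dev[0].request("REMOVE_NETWORK all")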
3127 def test_ap_wpa2_eap_vendor_test(dev
, apdev
):
3128 """WPA2-Enterprise connection using EAP vendor test"""
3129 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3130 hapd
= hostapd
.add_ap(apdev
[0], params
)
3131 eap_connect(dev
[0], hapd
, "VENDOR-TEST", "vendor-test")
3132 eap_reauth(dev
[0], "VENDOR-TEST")
3133 eap_connect(dev
[1], hapd
, "VENDOR-TEST", "vendor-test",
3136 def test_ap_wpa2_eap_vendor_test_oom(dev
, apdev
):
3137 """WPA2-Enterprise connection using EAP vendor test (OOM)"""
3138 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3139 hostapd
.add_ap(apdev
[0], params
)
3141 tests
= [ "eap_vendor_test_init",
3142 "eap_msg_alloc;eap_vendor_test_process",
3143 "eap_vendor_test_getKey" ]
3145 with
alloc_fail(dev
[0], 1, func
):
3146 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
3148 eap
="VENDOR-TEST", identity
="vendor-test",
3150 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
3151 dev
[0].request("REMOVE_NETWORK all")
3152 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=1 requests anonymous (unauthenticated) PAC
    # provisioning; the resulting PAC is stored in a wpa_supplicant blob.
    fast_cfg = dict(anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    eap_connect(dev[0], hapd, "FAST", "user", **fast_cfg)
    hwsim_utils.test_connectivity(dev[0], hapd)
    # After provisioning, a reauthentication has to resume the TLS session
    # through the PAC; anything else means the PAC was not taken into use.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
3168 def test_ap_wpa2_eap_fast_pac_file(dev
, apdev
, params
):
3169 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
3170 check_eap_capa(dev
[0], "FAST")
3171 pac_file
= os
.path
.join(params
['logdir'], "fast.pac")
3172 pac_file2
= os
.path
.join(params
['logdir'], "fast-bin.pac")
3173 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3174 hapd
= hostapd
.add_ap(apdev
[0], params
)
3177 eap_connect(dev
[0], hapd
, "FAST", "user",
3178 anonymous_identity
="FAST", password
="password",
3179 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3180 phase1
="fast_provisioning=1", pac_file
=pac_file
)
3181 with
open(pac_file
, "r") as f
:
3183 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data
:
3184 raise Exception("PAC file header missing")
3185 if "PAC-Key=" not in data
:
3186 raise Exception("PAC-Key missing from PAC file")
3187 dev
[0].request("REMOVE_NETWORK all")
3188 eap_connect(dev
[0], hapd
, "FAST", "user",
3189 anonymous_identity
="FAST", password
="password",
3190 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3193 eap_connect(dev
[1], hapd
, "FAST", "user",
3194 anonymous_identity
="FAST", password
="password",
3195 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3196 phase1
="fast_provisioning=1 fast_pac_format=binary",
3198 dev
[1].request("REMOVE_NETWORK all")
3199 eap_connect(dev
[1], hapd
, "FAST", "user",
3200 anonymous_identity
="FAST", password
="password",
3201 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3202 phase1
="fast_pac_format=binary",
3210 os
.remove(pac_file2
)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Settings shared by both connection attempts; only the PAC list length
    # limit in phase1 differs between them.
    base = dict(anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://fast_pac_bin")
    phase1_fmt = "fast_provisioning=1 fast_max_pac_list_len=%d fast_pac_format=binary"

    # Provision a PAC into a binary-format blob, then check that the
    # following reauthentication resumes the TLS session through it.
    eap_connect(dev[0], hapd, "FAST", "user", phase1=phase1_fmt % 1, **base)
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")

    # Verify fast_max_pac_list_len=0 special case
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    eap_connect(dev[0], hapd, "FAST", "user", phase1=phase1_fmt % 0, **base)
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    def attempt(**extra):
        # Start EAP-FAST without any provisioning option in phase1 and
        # require that the method reports failure instead of hanging.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412", **extra)
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception("Timeout on EAP failure report")

    # A PAC blob is named but provisioning is not enabled, so it is unusable.
    attempt(pac_file="blob://fast_pac_not_in_use")
    dev[0].request("REMOVE_NETWORK all")
    # No pac_file configured at all.
    attempt()
3263 def test_ap_wpa2_eap_fast_binary_pac_errors(dev
, apdev
):
3264 """EAP-FAST and binary PAC errors"""
3265 check_eap_capa(dev
[0], "FAST")
3266 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3267 hapd
= hostapd
.add_ap(apdev
[0], params
)
3269 tests
= [ (1, "=eap_fast_save_pac_bin"),
3270 (1, "eap_fast_write_pac"),
3271 (2, "eap_fast_write_pac"), ]
3272 for count
, func
in tests
:
3273 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors "):
3274 raise Exception("Could not set blob")
3276 with
alloc_fail(dev
[0], count
, func
):
3277 eap_connect(dev
[0], hapd
, "FAST", "user",
3278 anonymous_identity
="FAST", password
="password",
3279 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3280 phase1
="fast_provisioning=1 fast_pac_format=binary",
3281 pac_file
="blob://fast_pac_bin_errors")
3282 dev
[0].request("REMOVE_NETWORK all")
3283 dev
[0].wait_disconnected()
3285 tests
= [ "00", "000000000000", "6ae4920c0001",
3287 "6ae4920c0000" + "0000" + 32*"00" + "ffff" + "0000",
3288 "6ae4920c0000" + "0000" + 32*"00" + "0001" + "0000",
3289 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0001",
3290 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0008" + "00040000" + "0007000100"]
3292 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + t
):
3293 raise Exception("Could not set blob")
3295 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3296 identity
="user", anonymous_identity
="FAST",
3297 password
="password",
3298 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3299 phase1
="fast_provisioning=1 fast_pac_format=binary",
3300 pac_file
="blob://fast_pac_bin_errors",
3301 scan_freq
="2412", wait_connect
=False)
3302 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"],
3305 raise Exception("Failure not reported")
3306 dev
[0].request("REMOVE_NETWORK all")
3307 dev
[0].wait_disconnected()
3309 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0000"
3310 tests
= [ (1, "eap_fast_load_pac_bin"),
3311 (2, "eap_fast_load_pac_bin"),
3312 (3, "eap_fast_load_pac_bin") ]
3313 for count
, func
in tests
:
3314 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3315 raise Exception("Could not set blob")
3317 with
alloc_fail(dev
[0], count
, func
):
3318 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3319 identity
="user", anonymous_identity
="FAST",
3320 password
="password",
3321 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3322 phase1
="fast_provisioning=1 fast_pac_format=binary",
3323 pac_file
="blob://fast_pac_bin_errors",
3324 scan_freq
="2412", wait_connect
=False)
3325 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"],
3328 raise Exception("Failure not reported")
3329 dev
[0].request("REMOVE_NETWORK all")
3330 dev
[0].wait_disconnected()
3332 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0005" + "0011223344"
3333 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3334 raise Exception("Could not set blob")
3336 eap_connect(dev
[0], hapd
, "FAST", "user",
3337 anonymous_identity
="FAST", password
="password",
3338 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3339 phase1
="fast_provisioning=1 fast_pac_format=binary",
3340 pac_file
="blob://fast_pac_bin_errors")
3341 dev
[0].request("REMOVE_NETWORK all")
3342 dev
[0].wait_disconnected()
3344 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0009" + "00040000" + "0007000100"
3345 tests
= [ (1, "eap_fast_pac_get_a_id"),
3346 (2, "eap_fast_pac_get_a_id") ]
3347 for count
, func
in tests
:
3348 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3349 raise Exception("Could not set blob")
3350 with
alloc_fail(dev
[0], count
, func
):
3351 eap_connect(dev
[0], hapd
, "FAST", "user",
3352 anonymous_identity
="FAST", password
="password",
3353 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3354 phase1
="fast_provisioning=1 fast_pac_format=binary",
3355 pac_file
="blob://fast_pac_bin_errors")
3356 dev
[0].request("REMOVE_NETWORK all")
3357 dev
[0].wait_disconnected()
3359 def test_ap_wpa2_eap_fast_text_pac_errors(dev
, apdev
):
3360 """EAP-FAST and text PAC errors"""
3361 check_eap_capa(dev
[0], "FAST")
3362 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3363 hostapd
.add_ap(apdev
[0], params
)
3365 tests
= [ (1, "eap_fast_parse_hex;eap_fast_parse_pac_key"),
3366 (1, "eap_fast_parse_hex;eap_fast_parse_pac_opaque"),
3367 (1, "eap_fast_parse_hex;eap_fast_parse_a_id"),
3368 (1, "eap_fast_parse_start"),
3369 (1, "eap_fast_save_pac") ]
3370 for count
, func
in tests
:
3371 dev
[0].request("FLUSH")
3372 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors "):
3373 raise Exception("Could not set blob")
3375 with
alloc_fail(dev
[0], count
, func
):
3376 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3377 identity
="user", anonymous_identity
="FAST",
3378 password
="password",
3379 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3380 phase1
="fast_provisioning=1",
3381 pac_file
="blob://fast_pac_text_errors",
3382 scan_freq
="2412", wait_connect
=False)
3383 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
3384 dev
[0].request("REMOVE_NETWORK all")
3385 dev
[0].wait_disconnected()
3387 pac
= "wpa_supplicant EAP-FAST PAC file - version 1\n"
3391 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors " + pac
.encode("hex")):
3392 raise Exception("Could not set blob")
3394 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3395 identity
="user", anonymous_identity
="FAST",
3396 password
="password",
3397 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3398 phase1
="fast_provisioning=1",
3399 pac_file
="blob://fast_pac_text_errors",
3400 scan_freq
="2412", wait_connect
=False)
3401 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"], timeout
=5)
3403 raise Exception("Failure not reported")
3404 dev
[0].request("REMOVE_NETWORK all")
3405 dev
[0].wait_disconnected()
3407 dev
[0].request("FLUSH")
3408 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors "):
3409 raise Exception("Could not set blob")
3411 with
alloc_fail(dev
[0], 1, "eap_fast_add_pac_data"):
3413 params
= int_eap_server_params()
3414 params
['ssid'] = "test-wpa2-eap-2"
3415 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3416 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3417 params
['eap_fast_a_id_info'] = "test server %d" % i
3419 hapd2
= hostapd
.add_ap(apdev
[1], params
)
3421 dev
[0].connect("test-wpa2-eap-2", key_mgmt
="WPA-EAP", eap
="FAST",
3422 identity
="user", anonymous_identity
="FAST",
3423 password
="password",
3424 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3425 phase1
="fast_provisioning=1",
3426 pac_file
="blob://fast_pac_text_errors",
3427 scan_freq
="2412", wait_connect
=False)
3428 dev
[0].wait_connected()
3429 dev
[0].request("REMOVE_NETWORK all")
3430 dev
[0].wait_disconnected()
3434 def test_ap_wpa2_eap_fast_pac_truncate(dev
, apdev
):
3435 """EAP-FAST and PAC list truncation"""
3436 check_eap_capa(dev
[0], "FAST")
3437 if "OK" not in dev
[0].request("SET blob fast_pac_truncate "):
3438 raise Exception("Could not set blob")
3440 params
= int_eap_server_params()
3441 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3442 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3443 params
['eap_fast_a_id_info'] = "test server %d" % i
3444 hapd
= hostapd
.add_ap(apdev
[0], params
)
3446 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3447 identity
="user", anonymous_identity
="FAST",
3448 password
="password",
3449 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3450 phase1
="fast_provisioning=1 fast_max_pac_list_len=2",
3451 pac_file
="blob://fast_pac_truncate",
3452 scan_freq
="2412", wait_connect
=False)
3453 dev
[0].wait_connected()
3454 dev
[0].request("REMOVE_NETWORK all")
3455 dev
[0].wait_disconnected()
3459 def test_ap_wpa2_eap_fast_pac_refresh(dev
, apdev
):
3460 """EAP-FAST and PAC refresh"""
3461 check_eap_capa(dev
[0], "FAST")
3462 if "OK" not in dev
[0].request("SET blob fast_pac_refresh "):
3463 raise Exception("Could not set blob")
3465 params
= int_eap_server_params()
3466 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3467 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3468 params
['eap_fast_a_id_info'] = "test server %d" % i
3469 params
['pac_key_refresh_time'] = "1"
3470 params
['pac_key_lifetime'] = "10"
3471 hapd
= hostapd
.add_ap(apdev
[0], params
)
3473 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3474 identity
="user", anonymous_identity
="FAST",
3475 password
="password",
3476 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3477 phase1
="fast_provisioning=1",
3478 pac_file
="blob://fast_pac_refresh",
3479 scan_freq
="2412", wait_connect
=False)
3480 dev
[0].wait_connected()
3481 dev
[0].request("REMOVE_NETWORK all")
3482 dev
[0].wait_disconnected()
3487 params
= int_eap_server_params()
3488 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3489 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3490 params
['eap_fast_a_id_info'] = "test server %d" % i
3491 params
['pac_key_refresh_time'] = "10"
3492 params
['pac_key_lifetime'] = "10"
3493 hapd
= hostapd
.add_ap(apdev
[0], params
)
3495 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3496 identity
="user", anonymous_identity
="FAST",
3497 password
="password",
3498 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3499 phase1
="fast_provisioning=1",
3500 pac_file
="blob://fast_pac_refresh",
3501 scan_freq
="2412", wait_connect
=False)
3502 dev
[0].wait_connected()
3503 dev
[0].request("REMOVE_NETWORK all")
3504 dev
[0].wait_disconnected()
3508 def test_ap_wpa2_eap_fast_pac_lifetime(dev
, apdev
):
3509 """EAP-FAST and PAC lifetime"""
3510 check_eap_capa(dev
[0], "FAST")
3511 if "OK" not in dev
[0].request("SET blob fast_pac_refresh "):
3512 raise Exception("Could not set blob")
3515 params
= int_eap_server_params()
3516 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3517 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3518 params
['eap_fast_a_id_info'] = "test server %d" % i
3519 params
['pac_key_refresh_time'] = "0"
3520 params
['pac_key_lifetime'] = "2"
3521 hapd
= hostapd
.add_ap(apdev
[0], params
)
3523 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3524 identity
="user", anonymous_identity
="FAST",
3525 password
="password",
3526 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3527 phase1
="fast_provisioning=2",
3528 pac_file
="blob://fast_pac_refresh",
3529 scan_freq
="2412", wait_connect
=False)
3530 dev
[0].wait_connected()
3531 dev
[0].request("DISCONNECT")
3532 dev
[0].wait_disconnected()
3535 dev
[0].request("PMKSA_FLUSH")
3536 dev
[0].request("RECONNECT")
3537 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
3539 raise Exception("No EAP-Failure seen after expired PAC")
3540 dev
[0].request("DISCONNECT")
3541 dev
[0].wait_disconnected()
3543 dev
[0].select_network(id)
3544 dev
[0].wait_connected()
3545 dev
[0].request("REMOVE_NETWORK all")
3546 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=2 requests authenticated PAC provisioning (the
    # server certificate is validated against ca_cert) with GTC inside.
    fast_cfg = dict(anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                    phase1="fast_provisioning=2",
                    pac_file="blob://fast_pac_auth")
    eap_connect(dev[0], hapd, "FAST", "user", **fast_cfg)
    hwsim_utils.test_connectivity(dev[0], hapd)
    # The reauthentication must resume the TLS session via the new PAC.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    netid = eap_connect(dev[0], hapd, "FAST", "user",
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                        phase1="fast_provisioning=2",
                        pac_file="blob://fast_pac_auth")
    # Rewriting the identity of the live profile drops the connection and
    # starts a new EAP exchange as "user2".
    dev[0].set_network_quoted(netid, "identity", "user2")
    dev[0].wait_disconnected()
    # EAP-FAST must start again and then fail for the changed identity.
    expected = (("CTRL-EVENT-EAP-METHOD", 15, "EAP-FAST not started"),
                ("CTRL-EVENT-EAP-FAILURE", 5, "EAP failure not reported"))
    for event, limit, errmsg in expected:
        if dev[0].wait_event([event], timeout=limit) is None:
            raise Exception(errmsg)
    dev[0].wait_disconnected()
3582 def test_ap_wpa2_eap_fast_prf_oom(dev
, apdev
):
3583 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
3584 check_eap_capa(dev
[0], "FAST")
3585 tls
= dev
[0].request("GET tls_library")
3586 if tls
.startswith("OpenSSL"):
3587 func
= "tls_connection_get_eap_fast_key"
3589 elif tls
.startswith("internal"):
3590 func
= "tls_connection_prf"
3593 raise HwsimSkip("Unsupported TLS library")
3594 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3595 hapd
= hostapd
.add_ap(apdev
[0], params
)
3596 with
alloc_fail(dev
[0], count
, func
):
3597 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3598 identity
="user", anonymous_identity
="FAST",
3599 password
="password", ca_cert
="auth_serv/ca.pem",
3601 phase1
="fast_provisioning=2",
3602 pac_file
="blob://fast_pac_auth",
3603 wait_connect
=False, scan_freq
="2412")
3604 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
3606 raise Exception("EAP failure not reported")
3607 dev
[0].request("DISCONNECT")
3609 def test_ap_wpa2_eap_fast_server_oom(dev
, apdev
):
3610 """EAP-FAST/MSCHAPv2 and server OOM"""
3611 check_eap_capa(dev
[0], "FAST")
3613 params
= int_eap_server_params()
3614 params
['dh_file'] = 'auth_serv/dh.conf'
3615 params
['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
3616 params
['eap_fast_a_id'] = '1011'
3617 params
['eap_fast_a_id_info'] = 'another test server'
3618 hapd
= hostapd
.add_ap(apdev
[0], params
)
3620 with
alloc_fail(hapd
, 1, "tls_session_ticket_ext_cb"):
3621 id = eap_connect(dev
[0], hapd
, "FAST", "user",
3622 anonymous_identity
="FAST", password
="password",
3623 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3624 phase1
="fast_provisioning=1",
3625 pac_file
="blob://fast_pac",
3626 expect_failure
=True)
3627 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
3629 raise Exception("No EAP failure reported")
3630 dev
[0].wait_disconnected()
3631 dev
[0].request("DISCONNECT")
3633 dev
[0].select_network(id, freq
="2412")
3635 def test_ap_wpa2_eap_fast_cipher_suites(dev
, apdev
):
3636 """EAP-FAST and different TLS cipher suites"""
3637 check_eap_capa(dev
[0], "FAST")
3638 tls
= dev
[0].request("GET tls_library")
3639 if not tls
.startswith("OpenSSL") and not tls
.startswith("wolfSSL"):
3640 raise HwsimSkip("TLS library is not OpenSSL or wolfSSL: " + tls
)
3642 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3643 hapd
= hostapd
.add_ap(apdev
[0], params
)
3645 dev
[0].request("SET blob fast_pac_ciphers ")
3646 eap_connect(dev
[0], hapd
, "FAST", "user",
3647 anonymous_identity
="FAST", password
="password",
3648 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3649 phase1
="fast_provisioning=2",
3650 pac_file
="blob://fast_pac_ciphers")
3651 res
= dev
[0].get_status_field('EAP TLS cipher')
3652 dev
[0].request("REMOVE_NETWORK all")
3653 dev
[0].wait_disconnected()
3654 if res
!= "DHE-RSA-AES256-SHA":
3655 raise Exception("Unexpected cipher suite for provisioning: " + res
)
3657 tests
= [ "DHE-RSA-AES128-SHA",
3661 "DHE-RSA-AES256-SHA" ]
3662 for cipher
in tests
:
3663 dev
[0].dump_monitor()
3664 logger
.info("Testing " + cipher
)
3666 eap_connect(dev
[0], hapd
, "FAST", "user",
3667 openssl_ciphers
=cipher
,
3668 anonymous_identity
="FAST", password
="password",
3669 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3670 pac_file
="blob://fast_pac_ciphers",
3671 report_failure
=True)
3672 except Exception, e
:
3673 if cipher
== "RC4-SHA" and \
3674 ("Could not select EAP method" in str(e
) or \
3675 "EAP failed" in str(e
)):
3676 if "run=OpenSSL 1.1" in tls
:
3677 logger
.info("Allow failure due to missing TLS library support")
3678 dev
[0].request("REMOVE_NETWORK all")
3679 dev
[0].wait_disconnected()
3682 res
= dev
[0].get_status_field('EAP TLS cipher')
3683 dev
[0].request("REMOVE_NETWORK all")
3684 dev
[0].wait_disconnected()
3686 raise Exception("Unexpected TLS cipher info (configured %s): %s" % (cipher
, res
))
3688 def test_ap_wpa2_eap_fast_prov(dev
, apdev
):
3689 """EAP-FAST and provisioning options"""
3690 check_eap_capa(dev
[0], "FAST")
3691 if "OK" not in dev
[0].request("SET blob fast_pac_prov "):
3692 raise Exception("Could not set blob")
3695 params
= int_eap_server_params()
3696 params
['disable_pmksa_caching'] = '1'
3697 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3698 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3699 params
['eap_fast_a_id_info'] = "test server %d" % i
3700 params
['eap_fast_prov'] = "0"
3701 hapd
= hostapd
.add_ap(apdev
[0], params
)
3703 logger
.info("Provisioning attempt while server has provisioning disabled")
3704 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3705 identity
="user", anonymous_identity
="FAST",
3706 password
="password",
3707 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3708 phase1
="fast_provisioning=2",
3709 pac_file
="blob://fast_pac_prov",
3710 scan_freq
="2412", wait_connect
=False)
3711 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3714 raise Exception("EAP result not reported")
3715 if "parameter='failure'" not in ev
:
3716 raise Exception("Unexpected EAP result: " + ev
)
3717 dev
[0].wait_disconnected()
3718 dev
[0].request("DISCONNECT")
3719 dev
[0].dump_monitor()
3722 logger
.info("Authenticated provisioning")
3723 hapd
.set("eap_fast_prov", "2")
3726 dev
[0].select_network(id, freq
="2412")
3727 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3730 raise Exception("EAP result not reported")
3731 if "parameter='success'" not in ev
:
3732 raise Exception("Unexpected EAP result: " + ev
)
3733 dev
[0].wait_connected()
3734 dev
[0].request("DISCONNECT")
3735 dev
[0].wait_disconnected()
3736 dev
[0].dump_monitor()
3739 logger
.info("Provisioning disabled - using previously provisioned PAC")
3740 hapd
.set("eap_fast_prov", "0")
3743 dev
[0].select_network(id, freq
="2412")
3744 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3747 raise Exception("EAP result not reported")
3748 if "parameter='success'" not in ev
:
3749 raise Exception("Unexpected EAP result: " + ev
)
3750 dev
[0].wait_connected()
3751 dev
[0].request("DISCONNECT")
3752 dev
[0].wait_disconnected()
3753 dev
[0].dump_monitor()
3755 logger
.info("Drop PAC and verify connection failure")
3756 if "OK" not in dev
[0].request("SET blob fast_pac_prov "):
3757 raise Exception("Could not set blob")
3759 dev
[0].select_network(id, freq
="2412")
3760 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3763 raise Exception("EAP result not reported")
3764 if "parameter='failure'" not in ev
:
3765 raise Exception("Unexpected EAP result: " + ev
)
3766 dev
[0].wait_disconnected()
3767 dev
[0].request("DISCONNECT")
3768 dev
[0].dump_monitor()
3771 logger
.info("Anonymous provisioning")
3772 hapd
.set("eap_fast_prov", "1")
3774 dev
[0].set_network_quoted(id, "phase1", "fast_provisioning=1")
3775 dev
[0].select_network(id, freq
="2412")
3776 # Anonymous provisioning results in EAP-Failure first
3777 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3780 raise Exception("EAP result not reported")
3781 if "parameter='failure'" not in ev
:
3782 raise Exception("Unexpected EAP result: " + ev
)
3783 dev
[0].wait_disconnected()
3784 # And then the actual data connection
3785 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3788 raise Exception("EAP result not reported")
3789 if "parameter='success'" not in ev
:
3790 raise Exception("Unexpected EAP result: " + ev
)
3791 dev
[0].wait_connected()
3792 dev
[0].request("DISCONNECT")
3793 dev
[0].wait_disconnected()
3794 dev
[0].dump_monitor()
3797 logger
.info("Provisioning disabled - using previously provisioned PAC")
3798 hapd
.set("eap_fast_prov", "0")
3801 dev
[0].select_network(id, freq
="2412")
3802 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3805 raise Exception("EAP result not reported")
3806 if "parameter='success'" not in ev
:
3807 raise Exception("Unexpected EAP result: " + ev
)
3808 dev
[0].wait_connected()
3809 dev
[0].request("DISCONNECT")
3810 dev
[0].wait_disconnected()
3811 dev
[0].dump_monitor()
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # ocsp=2 makes the client require a valid stapled OCSP response for
    # the server certificate; the client authenticates with a PKCS#12 bundle.
    tls_cfg = dict(ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2)
    eap_connect(dev[0], hapd, "TLS", "tls user", **tls_cfg)
def test_ap_wpa2_eap_tls_ocsp_multi(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP-multi"""
    check_ocsp_multi_support(dev[0])
    check_pkcs12_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same client configuration as the single-response OCSP test; the
    # difference is the multi-response capability checked above.
    tls_cfg = dict(ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2)
    eap_connect(dev[0], hapd, "TLS", "tls user", **tls_cfg)
def int_eap_server_params():
    """Return hostapd parameters for a WPA2-Enterprise AP using the integrated EAP server.

    A fresh dict is built on every call, so callers may add or override
    entries (e.g. ocsp_stapling_response, EAP-FAST keys) without affecting
    other tests.
    """
    params = dict(ssid="test-wpa2-eap", wpa="2", wpa_key_mgmt="WPA-EAP",
                  rsn_pairwise="CCMP", ieee8021x="1")
    # Integrated EAP server: user database plus the server's TLS credentials.
    params.update(eap_server="1", eap_user_file="auth_serv/eap_user.conf",
                  ca_cert="auth_serv/ca.pem",
                  server_cert="auth_serv/server.pem",
                  private_key="auth_serv/server.key",
                  dh_file="auth_serv/dh.conf")
    return params
3844 def test_ap_wpa2_eap_tls_ocsp_key_id(dev
, apdev
, params
):
3845 """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
3846 check_ocsp_support(dev
[0])
3847 check_pkcs12_support(dev
[0])
3848 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-key-id.der")
3849 if not os
.path
.exists(ocsp
):
3850 raise HwsimSkip("No OCSP response available")
3851 params
= int_eap_server_params()
3852 params
["ocsp_stapling_response"] = ocsp
3853 hostapd
.add_ap(apdev
[0], params
)
3854 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3855 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3856 private_key
="auth_serv/user.pkcs12",
3857 private_key_passwd
="whatever", ocsp
=2,
3860 def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev
, apdev
, params
):
3861 """EAP-TLS and CA signed OCSP response (good)"""
3862 check_ocsp_support(dev
[0])
3863 check_pkcs12_support(dev
[0])
3864 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed.der")
3865 if not os
.path
.exists(ocsp
):
3866 raise HwsimSkip("No OCSP response available")
3867 params
= int_eap_server_params()
3868 params
["ocsp_stapling_response"] = ocsp
3869 hostapd
.add_ap(apdev
[0], params
)
3870 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3871 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3872 private_key
="auth_serv/user.pkcs12",
3873 private_key_passwd
="whatever", ocsp
=2,
3876 def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev
, apdev
, params
):
3877 """EAP-TLS and CA signed OCSP response (revoked)"""
3878 check_ocsp_support(dev
[0])
3879 check_pkcs12_support(dev
[0])
3880 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-revoked.der")
3881 if not os
.path
.exists(ocsp
):
3882 raise HwsimSkip("No OCSP response available")
3883 params
= int_eap_server_params()
3884 params
["ocsp_stapling_response"] = ocsp
3885 hostapd
.add_ap(apdev
[0], params
)
3886 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3887 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3888 private_key
="auth_serv/user.pkcs12",
3889 private_key_passwd
="whatever", ocsp
=2,
3890 wait_connect
=False, scan_freq
="2412")
3893 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3895 raise Exception("Timeout on EAP status")
3896 if 'bad certificate status response' in ev
:
3898 if 'certificate revoked' in ev
:
3902 raise Exception("Unexpected number of EAP status messages")
3904 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3906 raise Exception("Timeout on EAP failure report")
3908 def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev
, apdev
, params
):
3909 """EAP-TLS and CA signed OCSP response (unknown)"""
3910 check_ocsp_support(dev
[0])
3911 check_pkcs12_support(dev
[0])
3912 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-unknown.der")
3913 if not os
.path
.exists(ocsp
):
3914 raise HwsimSkip("No OCSP response available")
3915 params
= int_eap_server_params()
3916 params
["ocsp_stapling_response"] = ocsp
3917 hostapd
.add_ap(apdev
[0], params
)
3918 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3919 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3920 private_key
="auth_serv/user.pkcs12",
3921 private_key_passwd
="whatever", ocsp
=2,
3922 wait_connect
=False, scan_freq
="2412")
3925 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3927 raise Exception("Timeout on EAP status")
3928 if 'bad certificate status response' in ev
:
3932 raise Exception("Unexpected number of EAP status messages")
3934 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3936 raise Exception("Timeout on EAP failure report")
3938 def test_ap_wpa2_eap_tls_ocsp_server_signed(dev
, apdev
, params
):
3939 """EAP-TLS and server signed OCSP response"""
3940 check_ocsp_support(dev
[0])
3941 check_pkcs12_support(dev
[0])
3942 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-server-signed.der")
3943 if not os
.path
.exists(ocsp
):
3944 raise HwsimSkip("No OCSP response available")
3945 params
= int_eap_server_params()
3946 params
["ocsp_stapling_response"] = ocsp
3947 hostapd
.add_ap(apdev
[0], params
)
3948 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3949 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3950 private_key
="auth_serv/user.pkcs12",
3951 private_key_passwd
="whatever", ocsp
=2,
3952 wait_connect
=False, scan_freq
="2412")
3955 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3957 raise Exception("Timeout on EAP status")
3958 if 'bad certificate status response' in ev
:
3962 raise Exception("Unexpected number of EAP status messages")
3964 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3966 raise Exception("Timeout on EAP failure report")
3968 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev
, apdev
):
3969 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
3970 check_ocsp_support(dev
[0])
3971 check_pkcs12_support(dev
[0])
3972 params
= int_eap_server_params()
3973 params
["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
3974 hostapd
.add_ap(apdev
[0], params
)
3975 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3976 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3977 private_key
="auth_serv/user.pkcs12",
3978 private_key_passwd
="whatever", ocsp
=2,
3979 wait_connect
=False, scan_freq
="2412")
3982 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3984 raise Exception("Timeout on EAP status")
3985 if 'bad certificate status response' in ev
:
3989 raise Exception("Unexpected number of EAP status messages")
3991 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3993 raise Exception("Timeout on EAP failure report")
3995 def test_ap_wpa2_eap_tls_ocsp_invalid(dev
, apdev
):
3996 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
3997 check_ocsp_support(dev
[0])
3998 check_pkcs12_support(dev
[0])
3999 params
= int_eap_server_params()
4000 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
4001 hostapd
.add_ap(apdev
[0], params
)
4002 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4003 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4004 private_key
="auth_serv/user.pkcs12",
4005 private_key_passwd
="whatever", ocsp
=2,
4006 wait_connect
=False, scan_freq
="2412")
4009 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4011 raise Exception("Timeout on EAP status")
4012 if 'bad certificate status response' in ev
:
4016 raise Exception("Unexpected number of EAP status messages")
4018 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4020 raise Exception("Timeout on EAP failure report")
4022 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev
, apdev
):
4023 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
4024 check_ocsp_support(dev
[0])
4025 check_pkcs12_support(dev
[0])
4026 params
= int_eap_server_params()
4027 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
4028 hostapd
.add_ap(apdev
[0], params
)
4029 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4030 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4031 private_key
="auth_serv/user.pkcs12",
4032 private_key_passwd
="whatever", ocsp
=2,
4033 wait_connect
=False, scan_freq
="2412")
4036 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4038 raise Exception("Timeout on EAP status")
4039 if 'bad certificate status response' in ev
:
4043 raise Exception("Unexpected number of EAP status messages")
4045 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4047 raise Exception("Timeout on EAP failure report")
4049 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev
, apdev
, params
):
4050 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
4051 check_ocsp_support(dev
[0])
4052 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-revoked.der")
4053 if not os
.path
.exists(ocsp
):
4054 raise HwsimSkip("No OCSP response available")
4055 params
= int_eap_server_params()
4056 params
["ocsp_stapling_response"] = ocsp
4057 hostapd
.add_ap(apdev
[0], params
)
4058 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4059 identity
="pap user", ca_cert
="auth_serv/ca.pem",
4060 anonymous_identity
="ttls", password
="password",
4061 phase2
="auth=PAP", ocsp
=2,
4062 wait_connect
=False, scan_freq
="2412")
4065 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4067 raise Exception("Timeout on EAP status")
4068 if 'bad certificate status response' in ev
:
4070 if 'certificate revoked' in ev
:
4074 raise Exception("Unexpected number of EAP status messages")
4076 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4078 raise Exception("Timeout on EAP failure report")
4080 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev
, apdev
, params
):
4081 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
4082 check_ocsp_support(dev
[0])
4083 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-unknown.der")
4084 if not os
.path
.exists(ocsp
):
4085 raise HwsimSkip("No OCSP response available")
4086 params
= int_eap_server_params()
4087 params
["ocsp_stapling_response"] = ocsp
4088 hostapd
.add_ap(apdev
[0], params
)
4089 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4090 identity
="pap user", ca_cert
="auth_serv/ca.pem",
4091 anonymous_identity
="ttls", password
="password",
4092 phase2
="auth=PAP", ocsp
=2,
4093 wait_connect
=False, scan_freq
="2412")
4096 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4098 raise Exception("Timeout on EAP status")
4099 if 'bad certificate status response' in ev
:
4103 raise Exception("Unexpected number of EAP status messages")
4105 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4107 raise Exception("Timeout on EAP failure report")
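def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown

    Counterpart of test_ap_wpa2_eap_ttls_ocsp_unknown: the same "unknown"
    stapled OCSP response is served, but the station is configured with
    ocsp=1 (try to use OCSP stapling, do not require a valid response)
    instead of ocsp=2. connect() is not given wait_connect=False here, so
    the association is expected to complete despite the unknown status.

    Args:
        dev: list of station objects; only dev[0] is used.
        apdev: list of AP interface descriptors; only apdev[0] is used.
        params: test-run parameters; params['logdir'] must hold the
            pre-generated OCSP response file.

    Raises:
        HwsimSkip: when the OCSP response file is not present in logdir.
    """
    # The response file is produced earlier in the run into the log
    # directory; without it there is nothing to staple, so skip.
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # params is rebound to the AP configuration, as in the sibling tests.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], params)
    # ocsp=1: request stapling but tolerate a missing or unknown status.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")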
4122 def test_ap_wpa2_eap_tls_intermediate_ca(dev
, apdev
, params
):
4123 """EAP-TLS with intermediate server/user CA"""
4124 params
= int_eap_server_params()
4125 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4126 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4127 params
["private_key"] = "auth_serv/iCA-server/server.key"
4128 hostapd
.add_ap(apdev
[0], params
)
4129 tls
= dev
[0].request("GET tls_library")
4131 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4132 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4134 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4135 client_cert
= "auth_serv/iCA-user/user.pem"
4136 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4137 identity
="tls user",
4139 client_cert
=client_cert
,
4140 private_key
="auth_serv/iCA-user/user.key",
4143 def root_ocsp(cert
):
4144 ca
= "auth_serv/ca.pem"
4146 fd2
, fn2
= tempfile
.mkstemp()
4149 arg
= [ "openssl", "ocsp", "-reqout", fn2
, "-issuer", ca
, "-sha256",
4150 "-cert", cert
, "-no_nonce", "-text" ]
4151 logger
.info(' '.join(arg
))
4152 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4153 stderr
=subprocess
.PIPE
)
4154 res
= cmd
.stdout
.read() + "\n" + cmd
.stderr
.read()
4158 if cmd
.returncode
!= 0:
4159 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4160 logger
.info("OCSP request:\n" + res
)
4162 fd
, fn
= tempfile
.mkstemp()
4164 arg
= [ "openssl", "ocsp", "-index", "auth_serv/rootCA/index.txt",
4165 "-rsigner", ca
, "-rkey", "auth_serv/ca-key.pem",
4166 "-CA", ca
, "-issuer", ca
, "-verify_other", ca
, "-trust_other",
4167 "-ndays", "7", "-reqin", fn2
, "-resp_no_certs", "-respout", fn
,
4169 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4170 stderr
=subprocess
.PIPE
)
4171 res
= cmd
.stdout
.read() + "\n" + cmd
.stderr
.read()
4175 if cmd
.returncode
!= 0:
4176 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4177 logger
.info("OCSP response:\n" + res
)
4181 def ica_ocsp(cert
, md
="-sha256"):
4182 prefix
= "auth_serv/iCA-server/"
4183 ca
= prefix
+ "cacert.pem"
4184 cert
= prefix
+ cert
4186 fd2
, fn2
= tempfile
.mkstemp()
4189 arg
= [ "openssl", "ocsp", "-reqout", fn2
, "-issuer", ca
, md
,
4190 "-cert", cert
, "-no_nonce", "-text" ]
4191 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4192 stderr
=subprocess
.PIPE
)
4193 res
= cmd
.stdout
.read() + "\n" + cmd
.stderr
.read()
4197 if cmd
.returncode
!= 0:
4198 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4199 logger
.info("OCSP request:\n" + res
)
4201 fd
, fn
= tempfile
.mkstemp()
4203 arg
= [ "openssl", "ocsp", "-index", prefix
+ "index.txt",
4204 "-rsigner", ca
, "-rkey", prefix
+ "private/cakey.pem",
4205 "-CA", ca
, "-issuer", ca
, "-verify_other", ca
, "-trust_other",
4206 "-ndays", "7", "-reqin", fn2
, "-resp_no_certs", "-respout", fn
,
4208 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4209 stderr
=subprocess
.PIPE
)
4210 res
= cmd
.stdout
.read() + "\n" + cmd
.stderr
.read()
4214 if cmd
.returncode
!= 0:
4215 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4216 logger
.info("OCSP response:\n" + res
)
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on server certificate

    Thin wrapper around run_ap_wpa2_eap_tls_intermediate_ca_ocsp that
    selects SHA-256 as the digest for the generated OCSP request/response.
    """
    digest = "-sha256"
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, digest)
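def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_sha1(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on server certificate (SHA1)

    Same scenario as test_ap_wpa2_eap_tls_intermediate_ca_ocsp, but the
    "-sha1" option is passed through to the openssl ocsp invocation used to
    build the stapled request/response, so the OCSP material is produced
    with SHA-1 instead of SHA-256 (presumably to cover legacy SHA-1
    responders; the SHA-256 variant is the default one).
    """
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, "-sha1")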
4228 def run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev
, apdev
, params
, md
):
4229 params
= int_eap_server_params()
4230 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4231 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4232 params
["private_key"] = "auth_serv/iCA-server/server.key"
4233 fn
= ica_ocsp("server.pem", md
)
4234 params
["ocsp_stapling_response"] = fn
4236 hostapd
.add_ap(apdev
[0], params
)
4237 tls
= dev
[0].request("GET tls_library")
4239 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4240 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4242 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4243 client_cert
= "auth_serv/iCA-user/user.pem"
4244 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4245 identity
="tls user",
4247 client_cert
=client_cert
,
4248 private_key
="auth_serv/iCA-user/user.key",
4249 scan_freq
="2412", ocsp
=2)
4253 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
):
4254 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate"""
4255 run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
,
4258 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked_sha1(dev
, apdev
, params
):
4259 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate (SHA1)"""
4260 run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
,
4263 def run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
, md
):
4264 params
= int_eap_server_params()
4265 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4266 params
["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
4267 params
["private_key"] = "auth_serv/iCA-server/server-revoked.key"
4268 fn
= ica_ocsp("server-revoked.pem", md
)
4269 params
["ocsp_stapling_response"] = fn
4271 hostapd
.add_ap(apdev
[0], params
)
4272 tls
= dev
[0].request("GET tls_library")
4274 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4275 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4277 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4278 client_cert
= "auth_serv/iCA-user/user.pem"
4279 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4280 identity
="tls user",
4282 client_cert
=client_cert
,
4283 private_key
="auth_serv/iCA-user/user.key",
4284 scan_freq
="2412", ocsp
=1, wait_connect
=False)
4287 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4288 "CTRL-EVENT-EAP-SUCCESS"])
4290 raise Exception("Timeout on EAP status")
4291 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4292 raise Exception("Unexpected EAP-Success")
4293 if 'bad certificate status response' in ev
:
4295 if 'certificate revoked' in ev
:
4299 raise Exception("Unexpected number of EAP status messages")
4301 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4303 raise Exception("Timeout on EAP failure report")
4304 dev
[0].request("REMOVE_NETWORK all")
4305 dev
[0].wait_disconnected()
4309 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev
, apdev
, params
):
4310 """EAP-TLS with intermediate server/user CA and OCSP multi missing response"""
4311 check_ocsp_support(dev
[0])
4312 check_ocsp_multi_support(dev
[0])
4314 params
= int_eap_server_params()
4315 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4316 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4317 params
["private_key"] = "auth_serv/iCA-server/server.key"
4318 fn
= ica_ocsp("server.pem")
4319 params
["ocsp_stapling_response"] = fn
4321 hostapd
.add_ap(apdev
[0], params
)
4322 tls
= dev
[0].request("GET tls_library")
4324 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4325 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4327 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4328 client_cert
= "auth_serv/iCA-user/user.pem"
4329 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4330 identity
="tls user",
4332 client_cert
=client_cert
,
4333 private_key
="auth_serv/iCA-user/user.key",
4334 scan_freq
="2412", ocsp
=3, wait_connect
=False)
4337 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4338 "CTRL-EVENT-EAP-SUCCESS"])
4340 raise Exception("Timeout on EAP status")
4341 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4342 raise Exception("Unexpected EAP-Success")
4343 if 'bad certificate status response' in ev
:
4345 if 'certificate revoked' in ev
:
4349 raise Exception("Unexpected number of EAP status messages")
4351 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4353 raise Exception("Timeout on EAP failure report")
4354 dev
[0].request("REMOVE_NETWORK all")
4355 dev
[0].wait_disconnected()
4359 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev
, apdev
, params
):
4360 """EAP-TLS with intermediate server/user CA and OCSP multi OK"""
4361 check_ocsp_support(dev
[0])
4362 check_ocsp_multi_support(dev
[0])
4364 params
= int_eap_server_params()
4365 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4366 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4367 params
["private_key"] = "auth_serv/iCA-server/server.key"
4368 fn
= ica_ocsp("server.pem")
4369 fn2
= root_ocsp("auth_serv/iCA-server/cacert.pem")
4370 params
["ocsp_stapling_response"] = fn
4372 with
open(fn
, "r") as f
:
4373 resp_server
= f
.read()
4374 with
open(fn2
, "r") as f
:
4377 fd3
, fn3
= tempfile
.mkstemp()
4379 f
= os
.fdopen(fd3
, 'w')
4380 f
.write(struct
.pack(">L", len(resp_server
))[1:4])
4381 f
.write(resp_server
)
4382 f
.write(struct
.pack(">L", len(resp_ica
))[1:4])
4386 params
["ocsp_stapling_response_multi"] = fn3
4388 hostapd
.add_ap(apdev
[0], params
)
4389 tls
= dev
[0].request("GET tls_library")
4391 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4392 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4394 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4395 client_cert
= "auth_serv/iCA-user/user.pem"
4396 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4397 identity
="tls user",
4399 client_cert
=client_cert
,
4400 private_key
="auth_serv/iCA-user/user.key",
4401 scan_freq
="2412", ocsp
=3)
4402 dev
[0].request("REMOVE_NETWORK all")
4403 dev
[0].wait_disconnected()
4409 def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev
, apdev
, params
):
4410 """EAP-TLS and CA signed OCSP multi response (revoked)"""
4411 check_ocsp_support(dev
[0])
4412 check_ocsp_multi_support(dev
[0])
4413 check_pkcs12_support(dev
[0])
4415 ocsp_revoked
= os
.path
.join(params
['logdir'],
4416 "ocsp-resp-ca-signed-revoked.der")
4417 if not os
.path
.exists(ocsp_revoked
):
4418 raise HwsimSkip("No OCSP response (revoked) available")
4419 ocsp_unknown
= os
.path
.join(params
['logdir'],
4420 "ocsp-resp-ca-signed-unknown.der")
4421 if not os
.path
.exists(ocsp_unknown
):
4422 raise HwsimSkip("No OCSP response(unknown) available")
4424 with
open(ocsp_revoked
, "r") as f
:
4425 resp_revoked
= f
.read()
4426 with
open(ocsp_unknown
, "r") as f
:
4427 resp_unknown
= f
.read()
4429 fd
, fn
= tempfile
.mkstemp()
4431 # This is not really a valid order of the OCSPResponse items in the
4432 # list, but this works for now to verify parsing and processing of
4433 # multiple responses.
4434 f
= os
.fdopen(fd
, 'w')
4435 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
4436 f
.write(resp_unknown
)
4437 f
.write(struct
.pack(">L", len(resp_revoked
))[1:4])
4438 f
.write(resp_revoked
)
4439 f
.write(struct
.pack(">L", 0)[1:4])
4440 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
4441 f
.write(resp_unknown
)
4444 params
= int_eap_server_params()
4445 params
["ocsp_stapling_response_multi"] = fn
4446 hostapd
.add_ap(apdev
[0], params
)
4447 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4448 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4449 private_key
="auth_serv/user.pkcs12",
4450 private_key_passwd
="whatever", ocsp
=1,
4451 wait_connect
=False, scan_freq
="2412")
4454 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4455 "CTRL-EVENT-EAP-SUCCESS"])
4457 raise Exception("Timeout on EAP status")
4458 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4459 raise Exception("Unexpected EAP-Success")
4460 if 'bad certificate status response' in ev
:
4462 if 'certificate revoked' in ev
:
4466 raise Exception("Unexpected number of EAP status messages")
4470 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev
, apdev
):
4471 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
4472 check_domain_match_full(dev
[0])
4473 check_pkcs12_support(dev
[0])
4474 params
= int_eap_server_params()
4475 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4476 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4477 hostapd
.add_ap(apdev
[0], params
)
4478 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4479 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4480 private_key
="auth_serv/user.pkcs12",
4481 private_key_passwd
="whatever",
4482 domain_suffix_match
="server3.w1.fi",
4485 def test_ap_wpa2_eap_tls_domain_match_cn(dev
, apdev
):
4486 """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
4487 check_domain_match(dev
[0])
4488 check_pkcs12_support(dev
[0])
4489 params
= int_eap_server_params()
4490 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4491 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4492 hostapd
.add_ap(apdev
[0], params
)
4493 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4494 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4495 private_key
="auth_serv/user.pkcs12",
4496 private_key_passwd
="whatever",
4497 domain_match
="server3.w1.fi",
4500 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev
, apdev
):
4501 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
4502 check_domain_match_full(dev
[0])
4503 check_pkcs12_support(dev
[0])
4504 params
= int_eap_server_params()
4505 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4506 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4507 hostapd
.add_ap(apdev
[0], params
)
4508 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4509 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4510 private_key
="auth_serv/user.pkcs12",
4511 private_key_passwd
="whatever",
4512 domain_suffix_match
="w1.fi",
4515 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev
, apdev
):
4516 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
4517 check_domain_suffix_match(dev
[0])
4518 check_pkcs12_support(dev
[0])
4519 params
= int_eap_server_params()
4520 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4521 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4522 hostapd
.add_ap(apdev
[0], params
)
4523 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4524 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4525 private_key
="auth_serv/user.pkcs12",
4526 private_key_passwd
="whatever",
4527 domain_suffix_match
="example.com",
4530 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4531 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4532 private_key
="auth_serv/user.pkcs12",
4533 private_key_passwd
="whatever",
4534 domain_suffix_match
="erver3.w1.fi",
4537 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4539 raise Exception("Timeout on EAP failure report")
4540 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4542 raise Exception("Timeout on EAP failure report (2)")
4544 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev
, apdev
):
4545 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
4546 check_domain_match(dev
[0])
4547 check_pkcs12_support(dev
[0])
4548 params
= int_eap_server_params()
4549 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4550 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4551 hostapd
.add_ap(apdev
[0], params
)
4552 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4553 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4554 private_key
="auth_serv/user.pkcs12",
4555 private_key_passwd
="whatever",
4556 domain_match
="example.com",
4559 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4560 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4561 private_key
="auth_serv/user.pkcs12",
4562 private_key_passwd
="whatever",
4563 domain_match
="w1.fi",
4566 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4568 raise Exception("Timeout on EAP failure report")
4569 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4571 raise Exception("Timeout on EAP failure report (2)")
4573 def test_ap_wpa2_eap_ttls_expired_cert(dev
, apdev
):
4574 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
4575 skip_with_fips(dev
[0])
4576 params
= int_eap_server_params()
4577 params
["server_cert"] = "auth_serv/server-expired.pem"
4578 params
["private_key"] = "auth_serv/server-expired.key"
4579 hostapd
.add_ap(apdev
[0], params
)
4580 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4581 identity
="mschap user", password
="password",
4582 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4585 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
4587 raise Exception("Timeout on EAP certificate error report")
4588 if "reason=4" not in ev
or "certificate has expired" not in ev
:
4589 raise Exception("Unexpected failure reason: " + ev
)
4590 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4592 raise Exception("Timeout on EAP failure report")
4594 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev
, apdev
):
4595 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
4596 skip_with_fips(dev
[0])
4597 params
= int_eap_server_params()
4598 params
["server_cert"] = "auth_serv/server-expired.pem"
4599 params
["private_key"] = "auth_serv/server-expired.key"
4600 hostapd
.add_ap(apdev
[0], params
)
4601 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4602 identity
="mschap user", password
="password",
4603 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4604 phase1
="tls_disable_time_checks=1",
4607 def test_ap_wpa2_eap_ttls_long_duration(dev
, apdev
):
4608 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
4609 skip_with_fips(dev
[0])
4610 params
= int_eap_server_params()
4611 params
["server_cert"] = "auth_serv/server-long-duration.pem"
4612 params
["private_key"] = "auth_serv/server-long-duration.key"
4613 hostapd
.add_ap(apdev
[0], params
)
4614 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4615 identity
="mschap user", password
="password",
4616 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4619 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev
, apdev
):
4620 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
4621 skip_with_fips(dev
[0])
4622 params
= int_eap_server_params()
4623 params
["server_cert"] = "auth_serv/server-eku-client.pem"
4624 params
["private_key"] = "auth_serv/server-eku-client.key"
4625 hostapd
.add_ap(apdev
[0], params
)
4626 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4627 identity
="mschap user", password
="password",
4628 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4631 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4633 raise Exception("Timeout on EAP failure report")
4635 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev
, apdev
):
4636 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
4637 skip_with_fips(dev
[0])
4638 params
= int_eap_server_params()
4639 params
["server_cert"] = "auth_serv/server-eku-client-server.pem"
4640 params
["private_key"] = "auth_serv/server-eku-client-server.key"
4641 hostapd
.add_ap(apdev
[0], params
)
4642 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4643 identity
="mschap user", password
="password",
4644 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4647 def test_ap_wpa2_eap_ttls_server_pkcs12(dev
, apdev
):
4648 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
4649 skip_with_fips(dev
[0])
4650 params
= int_eap_server_params()
4651 del params
["server_cert"]
4652 params
["private_key"] = "auth_serv/server.pkcs12"
4653 hostapd
.add_ap(apdev
[0], params
)
4654 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4655 identity
="mschap user", password
="password",
4656 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4659 def test_ap_wpa2_eap_ttls_server_pkcs12_extra(dev
, apdev
):
4660 """EAP-TTLS and server PKCS#12 file with extra certs"""
4661 skip_with_fips(dev
[0])
4662 params
= int_eap_server_params()
4663 del params
["server_cert"]
4664 params
["private_key"] = "auth_serv/server-extra.pkcs12"
4665 params
["private_key_passwd"] = "whatever"
4666 hostapd
.add_ap(apdev
[0], params
)
4667 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4668 identity
="mschap user", password
="password",
4669 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
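def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params

    The station is given an explicit DH parameter file (dh_file) while the
    AP runs the default WPA2-EAP configuration; the connection is expected
    to complete.

    Args:
        dev: list of station objects; only dev[0] is used.
        apdev: list of AP interface descriptors; only apdev[0] is used.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Inner method is PAP (phase2="auth=PAP"), with the "pap user" account.
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="auth_serv/dh.conf")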
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)

    Variant of test_ap_wpa2_eap_ttls_dh_params where the station's dh_file
    points at DSA parameters. check_dh_dsa_support() runs first and
    presumably skips the test when the station build cannot use them.
    """
    station = dev[0]
    check_dh_dsa_support(station)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    client_opts = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.der",
        "phase2": "auth=PAP",
        "dh_file": "auth_serv/dsaparam.pem",
    }
    eap_connect(station, hapd, "TTLS", "pap user", **client_opts)
4691 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev
, apdev
):
4692 """EAP-TTLS and DH params file not found"""
4693 skip_with_fips(dev
[0])
4694 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4695 hostapd
.add_ap(apdev
[0], params
)
4696 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4697 identity
="mschap user", password
="password",
4698 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4699 dh_file
="auth_serv/dh-no-such-file.conf",
4700 scan_freq
="2412", wait_connect
=False)
4701 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4703 raise Exception("EAP failure timed out")
4704 dev
[0].request("REMOVE_NETWORK all")
4705 dev
[0].wait_disconnected()
4707 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev
, apdev
):
4708 """EAP-TTLS and invalid DH params file"""
4709 skip_with_fips(dev
[0])
4710 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4711 hostapd
.add_ap(apdev
[0], params
)
4712 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4713 identity
="mschap user", password
="password",
4714 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4715 dh_file
="auth_serv/ca.pem",
4716 scan_freq
="2412", wait_connect
=False)
4717 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4719 raise Exception("EAP failure timed out")
4720 dev
[0].request("REMOVE_NETWORK all")
4721 dev
[0].wait_disconnected()
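def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params from blob

    The DH parameters are not read from a file by the station but pushed
    over the control interface as a named blob ("SET blob dhparams ...")
    and then referenced from the network profile as dh_file="blob://dhparams".

    Args:
        dev: list of station objects; only dev[0] is used.
        apdev: list of AP interface descriptors; only apdev[0] is used.

    Raises:
        Exception: if the control interface does not accept the blob.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    dh = read_pem("auth_serv/dh2.conf")
    # The blob is transferred hex-encoded. NOTE: str.encode("hex") is the
    # Python 2 hex codec and is not available on Python 3 (binascii.hexlify
    # is the portable equivalent); kept as-is to match the rest of the file.
    if "OK" not in dev[0].request("SET blob dhparams " + dh.encode("hex")):
        raise Exception("Could not set dhparams blob")
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="blob://dhparams")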
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams

    Here the DH parameter file is set on the hostapd side (dh_file in the
    internal EAP server configuration) rather than on the station.
    """
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dh2.conf"
    hapd = hostapd.add_ap(apdev[0], ap_params)
    ttls_opts = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **ttls_opts)
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)

    Same as test_ap_wpa2_eap_ttls_dh_params_server, but the server-side
    dh_file points at DSA parameters.
    """
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dsaparam.pem"
    hapd = hostapd.add_ap(apdev[0], ap_params)
    ttls_opts = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **ttls_opts)
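def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found

    Server-side negative test: the internal EAP server is pointed at a
    non-existent dh_file and hostapd is expected to refuse to bring the
    interface up (ENABLE must report FAIL).

    NOTE(review): this def reuses the name of an earlier test in this file
    (the station-side dh_file-not-found case). At module level the later
    definition rebinds the name, so only this one is reachable by name and
    the earlier test is never selected; one of the two should be renamed.

    Raises:
        Exception: if ENABLE does not fail for the broken configuration.
    """
    params = int_eap_server_params()
    params["dh_file"] = "auth_serv/dh-no-such-file.conf"
    # no_enable=True adds the configuration without enabling the AP, so the
    # ENABLE result can be checked explicitly below.
    hapd = hostapd.add_ap(apdev[0], params, no_enable=True)
    if "FAIL" not in hapd.request("ENABLE"):
        raise Exception("Invalid configuration accepted")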
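def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file

    Server-side negative test: dh_file is pointed at a certificate file
    (auth_serv/ca.pem) instead of DH parameters and hostapd is expected to
    refuse to bring the interface up (ENABLE must report FAIL).

    NOTE(review): this def reuses the name of an earlier test in this file
    (the station-side invalid dh_file case). At module level the later
    definition rebinds the name, so only this one is reachable by name and
    the earlier test is never selected; one of the two should be renamed.

    Raises:
        Exception: if ENABLE does not fail for the broken configuration.
    """
    params = int_eap_server_params()
    params["dh_file"] = "auth_serv/ca.pem"
    # no_enable=True adds the configuration without enabling the AP, so the
    # ENABLE result can be checked explicitly below.
    hapd = hostapd.add_ap(apdev[0], params, no_enable=True)
    if "FAIL" not in hapd.request("ENABLE"):
        raise Exception("Invalid configuration accepted")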
4769 def test_ap_wpa2_eap_reauth(dev
, apdev
):
4770 """WPA2-Enterprise and Authenticator forcing reauthentication"""
4771 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4772 params
['eap_reauth_period'] = '2'
4773 hapd
= hostapd
.add_ap(apdev
[0], params
)
4774 eap_connect(dev
[0], hapd
, "PAX", "pax.user@example.com",
4775 password_hex
="0123456789abcdef0123456789abcdef")
4776 logger
.info("Wait for reauthentication")
4777 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
4779 raise Exception("Timeout on reauthentication")
4780 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
4782 raise Exception("Timeout on reauthentication")
4783 for i
in range(0, 20):
4784 state
= dev
[0].get_status_field("wpa_state")
4785 if state
== "COMPLETED":
4788 if state
!= "COMPLETED":
4789 raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Displayable text, a "\0" separator (escaped for hostapd.conf), then the
    # identity-selection hints the AP appends to the EAP-Request/Identity.
    # The hints are unauthenticated at this point of the exchange, so the
    # test only checks that the client still completes EAP-PAX normally.
    ap_params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    ap = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[0], ap, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
    check_hlr_auc_gw_support()
    ap_params = int_eap_server_params()
    ap_params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    # Server side: enable the protected (AT_MAC-covered) result indication.
    ap_params['eap_sim_aka_result_ind'] = "1"
    ap = hostapd.add_ap(apdev[0], ap_params)

    # (method, identity, simulator credential). The credential strings are
    # the fixed test vectors shared with the hlr_auc_gw stub — presumably
    # Ki:OPc for SIM and Ki:OPc:SQN for AKA/AKA' (TODO confirm against the
    # simulator's expected format); nothing here is a real subscriber key.
    cases = [("SIM", "1232010000000000",
              "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
             ("AKA", "0232010000000000",
              "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
             ("AKA'", "6555444333222111",
              "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")]

    for idx, (method, identity, secret) in enumerate(cases):
        if idx:
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        # dev[0] asks for the protected result indication and reauthenticates;
        # dev[1] runs the same method without requesting it.
        eap_connect(dev[0], ap, method, identity,
                    password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], ap, method, identity,
                    password=secret)
4834 def test_ap_wpa2_eap_sim_zero_db_timeout(dev
, apdev
):
4835 """WPA2-Enterprise using EAP-SIM with zero database timeout"""
4836 check_hlr_auc_gw_support()
4837 params
= int_eap_server_params()
4838 params
['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
4839 params
['eap_sim_db_timeout'] = "0"
4840 params
['disable_pmksa_caching'] = '1'
4841 hapd
= hostapd
.add_ap(apdev
[0], params
)
4843 # Run multiple iterations to make it more likely to hit the case where the
4844 # DB request times out and response is lost.
4846 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
4847 identity
="1232010000000000",
4848 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4849 wait_connect
=False, scan_freq
="2412")
4850 ev
= dev
[0].wait_event([ "CTRL-EVENT-CONNECTED",
4851 "CTRL-EVENT-DISCONNECTED" ],
4854 raise Exception("No connection result")
4855 dev
[0].request("REMOVE_NETWORK all")
4856 if "CTRL-EVENT-DISCONNECTED" in ev
:
4858 dev
[0].wait_disconnected()
4861 def test_ap_wpa2_eap_too_many_roundtrips(dev
, apdev
):
4862 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
4863 skip_with_fips(dev
[0])
4864 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4865 hostapd
.add_ap(apdev
[0], params
)
4866 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
4867 eap
="TTLS", identity
="mschap user",
4868 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
4869 anonymous_identity
="ttls", password
="password",
4870 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4872 ev
= dev
[0].wait_event(["EAP: more than",
4873 "CTRL-EVENT-EAP-SUCCESS"], timeout
=20)
4874 if ev
is None or "EAP: more than" not in ev
:
4875 raise Exception("EAP roundtrip limit not reached")
4877 def test_ap_wpa2_eap_expanded_nak(dev
, apdev
):
4878 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
4879 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4880 hostapd
.add_ap(apdev
[0], params
)
4881 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
4882 eap
="PSK", identity
="vendor-test",
4883 password_hex
="ff23456789abcdef0123456789abcdef",
4887 for i
in range(0, 5):
4888 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout
=16)
4890 raise Exception("Association and EAP start timed out")
4891 if "refuse proposed method" in ev
:
4895 raise Exception("Unexpected EAP status: " + ev
)
4897 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4899 raise Exception("EAP failure timed out")
4901 def test_ap_wpa2_eap_sql(dev
, apdev
, params
):
4902 """WPA2-Enterprise connection using SQLite for user DB"""
4903 skip_with_fips(dev
[0])
4907 raise HwsimSkip("No sqlite3 module available")
4908 dbfile
= os
.path
.join(params
['logdir'], "eap-user.db")
4913 con
= sqlite3
.connect(dbfile
)
4916 cur
.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
4917 cur
.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
4918 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
4919 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
4920 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
4921 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
4922 cur
.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
4923 cur
.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
4926 params
= int_eap_server_params()
4927 params
["eap_user_file"] = "sqlite:" + dbfile
4928 hapd
= hostapd
.add_ap(apdev
[0], params
)
4929 eap_connect(dev
[0], hapd
, "TTLS", "user-mschapv2",
4930 anonymous_identity
="ttls", password
="password",
4931 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
4932 dev
[0].request("REMOVE_NETWORK all")
4933 eap_connect(dev
[1], hapd
, "TTLS", "user-mschap",
4934 anonymous_identity
="ttls", password
="password",
4935 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP")
4936 dev
[1].request("REMOVE_NETWORK all")
4937 eap_connect(dev
[0], hapd
, "TTLS", "user-chap",
4938 anonymous_identity
="ttls", password
="password",
4939 ca_cert
="auth_serv/ca.pem", phase2
="auth=CHAP")
4940 eap_connect(dev
[1], hapd
, "TTLS", "user-pap",
4941 anonymous_identity
="ttls", password
="password",
4942 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
4946 def test_ap_wpa2_eap_non_ascii_identity(dev
, apdev
):
4947 """WPA2-Enterprise connection attempt using non-ASCII identity"""
4948 params
= int_eap_server_params()
4949 hostapd
.add_ap(apdev
[0], params
)
4950 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4951 identity
="\x80", password
="password", wait_connect
=False)
4952 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4953 identity
="a\x80", password
="password", wait_connect
=False)
4954 for i
in range(0, 2):
4955 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
4957 raise Exception("Association and EAP start timed out")
4958 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
4960 raise Exception("EAP method selection timed out")
4962 def test_ap_wpa2_eap_non_ascii_identity2(dev
, apdev
):
4963 """WPA2-Enterprise connection attempt using non-ASCII identity"""
4964 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4965 hostapd
.add_ap(apdev
[0], params
)
4966 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4967 identity
="\x80", password
="password", wait_connect
=False)
4968 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4969 identity
="a\x80", password
="password", wait_connect
=False)
4970 for i
in range(0, 2):
4971 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
4973 raise Exception("Association and EAP start timed out")
4974 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
4976 raise Exception("EAP method selection timed out")
4978 def test_openssl_cipher_suite_config_wpas(dev
, apdev
):
4979 """OpenSSL cipher suite configuration on wpa_supplicant"""
4980 tls
= dev
[0].request("GET tls_library")
4981 if not tls
.startswith("OpenSSL"):
4982 raise HwsimSkip("TLS library is not OpenSSL: " + tls
)
4983 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4984 hapd
= hostapd
.add_ap(apdev
[0], params
)
4985 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
4986 anonymous_identity
="ttls", password
="password",
4987 openssl_ciphers
="AES128",
4988 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
4989 eap_connect(dev
[1], hapd
, "TTLS", "pap user",
4990 anonymous_identity
="ttls", password
="password",
4991 openssl_ciphers
="EXPORT",
4992 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
4993 expect_failure
=True, maybe_local_error
=True)
4994 dev
[2].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4995 identity
="pap user", anonymous_identity
="ttls",
4996 password
="password",
4997 openssl_ciphers
="FOO",
4998 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
5000 ev
= dev
[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
5002 raise Exception("EAP failure after invalid openssl_ciphers not reported")
5003 dev
[2].request("DISCONNECT")
5005 def test_openssl_cipher_suite_config_hapd(dev
, apdev
):
5006 """OpenSSL cipher suite configuration on hostapd"""
5007 tls
= dev
[0].request("GET tls_library")
5008 if not tls
.startswith("OpenSSL"):
5009 raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls
)
5010 params
= int_eap_server_params()
5011 params
['openssl_ciphers'] = "AES256"
5012 hapd
= hostapd
.add_ap(apdev
[0], params
)
5013 tls
= hapd
.request("GET tls_library")
5014 if not tls
.startswith("OpenSSL"):
5015 raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls
)
5016 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5017 anonymous_identity
="ttls", password
="password",
5018 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5019 eap_connect(dev
[1], hapd
, "TTLS", "pap user",
5020 anonymous_identity
="ttls", password
="password",
5021 openssl_ciphers
="AES128",
5022 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
5023 expect_failure
=True)
5024 eap_connect(dev
[2], hapd
, "TTLS", "pap user",
5025 anonymous_identity
="ttls", password
="password",
5026 openssl_ciphers
="HIGH:!ADH",
5027 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5029 params
['openssl_ciphers'] = "FOO"
5030 hapd2
= hostapd
.add_ap(apdev
[1], params
, no_enable
=True)
5031 if "FAIL" not in hapd2
.request("ENABLE"):
5032 if "run=OpenSSL 1.1.1" in tls
:
5033 logger
.info("Ignore acceptance of an invalid openssl_ciphers value with OpenSSL 1.1.1")
5035 raise Exception("Invalid openssl_ciphers value accepted")
5037 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev
, apdev
, params
):
5038 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
5039 p
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5040 hapd
= hostapd
.add_ap(apdev
[0], p
)
5041 password
= "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
5042 pid
= find_wpas_process(dev
[0])
5043 id = eap_connect(dev
[0], hapd
, "TTLS", "pap-secret",
5044 anonymous_identity
="ttls", password
=password
,
5045 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5046 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
5047 # event has been delivered, so verify that wpa_supplicant has returned to
5048 # eloop before reading process memory.
5051 buf
= read_process_memory(pid
, password
)
5053 dev
[0].request("DISCONNECT")
5054 dev
[0].wait_disconnected()
5062 with
open(os
.path
.join(params
['logdir'], 'log0'), 'r') as f
:
5063 for l
in f
.readlines():
5064 if "EAP-TTLS: Derived key - hexdump" in l
:
5065 val
= l
.strip().split(':')[3].replace(' ', '')
5066 msk
= binascii
.unhexlify(val
)
5067 if "EAP-TTLS: Derived EMSK - hexdump" in l
:
5068 val
= l
.strip().split(':')[3].replace(' ', '')
5069 emsk
= binascii
.unhexlify(val
)
5070 if "WPA: PMK - hexdump" in l
:
5071 val
= l
.strip().split(':')[3].replace(' ', '')
5072 pmk
= binascii
.unhexlify(val
)
5073 if "WPA: PTK - hexdump" in l
:
5074 val
= l
.strip().split(':')[3].replace(' ', '')
5075 ptk
= binascii
.unhexlify(val
)
5076 if "WPA: Group Key - hexdump" in l
:
5077 val
= l
.strip().split(':')[3].replace(' ', '')
5078 gtk
= binascii
.unhexlify(val
)
5079 if not msk
or not emsk
or not pmk
or not ptk
or not gtk
:
5080 raise Exception("Could not find keys from debug log")
5082 raise Exception("Unexpected GTK length")
5088 fname
= os
.path
.join(params
['logdir'],
5089 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
5091 logger
.info("Checking keys in memory while associated")
5092 get_key_locations(buf
, password
, "Password")
5093 get_key_locations(buf
, pmk
, "PMK")
5094 get_key_locations(buf
, msk
, "MSK")
5095 get_key_locations(buf
, emsk
, "EMSK")
5096 if password
not in buf
:
5097 raise HwsimSkip("Password not found while associated")
5099 raise HwsimSkip("PMK not found while associated")
5101 raise Exception("KCK not found while associated")
5103 raise Exception("KEK not found while associated")
5105 # raise Exception("TK found from memory")
5107 logger
.info("Checking keys in memory after disassociation")
5108 buf
= read_process_memory(pid
, password
)
5110 # Note: Password is still present in network configuration
5111 # Note: PMK is in PMKSA cache and EAP fast re-auth data
5113 get_key_locations(buf
, password
, "Password")
5114 get_key_locations(buf
, pmk
, "PMK")
5115 get_key_locations(buf
, msk
, "MSK")
5116 get_key_locations(buf
, emsk
, "EMSK")
5117 verify_not_present(buf
, kck
, fname
, "KCK")
5118 verify_not_present(buf
, kek
, fname
, "KEK")
5119 verify_not_present(buf
, tk
, fname
, "TK")
5121 get_key_locations(buf
, gtk
, "GTK")
5122 verify_not_present(buf
, gtk
, fname
, "GTK")
5124 dev
[0].request("PMKSA_FLUSH")
5125 dev
[0].set_network_quoted(id, "identity", "foo")
5126 logger
.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
5127 buf
= read_process_memory(pid
, password
)
5128 get_key_locations(buf
, password
, "Password")
5129 get_key_locations(buf
, pmk
, "PMK")
5130 get_key_locations(buf
, msk
, "MSK")
5131 get_key_locations(buf
, emsk
, "EMSK")
5132 verify_not_present(buf
, pmk
, fname
, "PMK")
5134 dev
[0].request("REMOVE_NETWORK all")
5136 logger
.info("Checking keys in memory after network profile removal")
5137 buf
= read_process_memory(pid
, password
)
5139 get_key_locations(buf
, password
, "Password")
5140 get_key_locations(buf
, pmk
, "PMK")
5141 get_key_locations(buf
, msk
, "MSK")
5142 get_key_locations(buf
, emsk
, "EMSK")
5143 verify_not_present(buf
, password
, fname
, "password")
5144 verify_not_present(buf
, pmk
, fname
, "PMK")
5145 verify_not_present(buf
, kck
, fname
, "KCK")
5146 verify_not_present(buf
, kek
, fname
, "KEK")
5147 verify_not_present(buf
, tk
, fname
, "TK")
5148 verify_not_present(buf
, gtk
, fname
, "GTK")
5149 verify_not_present(buf
, msk
, fname
, "MSK")
5150 verify_not_present(buf
, emsk
, fname
, "EMSK")
5152 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev
, apdev
):
5153 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
5154 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5155 hapd
= hostapd
.add_ap(apdev
[0], params
)
5156 bssid
= apdev
[0]['bssid']
5157 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5158 anonymous_identity
="ttls", password
="password",
5159 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5161 # Send unexpected WEP EAPOL-Key; this gets dropped
5162 res
= dev
[0].request("EAPOL_RX " + bssid
+ " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
5164 raise Exception("EAPOL_RX to wpa_supplicant failed")
5166 def test_ap_wpa2_eap_in_bridge(dev
, apdev
):
5167 """WPA2-EAP and wpas interface in a bridge"""
5171 _test_ap_wpa2_eap_in_bridge(dev
, apdev
)
5173 subprocess
.call(['ip', 'link', 'set', 'dev', br_ifname
, 'down'])
5174 subprocess
.call(['brctl', 'delif', br_ifname
, ifname
])
5175 subprocess
.call(['brctl', 'delbr', br_ifname
])
5176 subprocess
.call(['iw', ifname
, 'set', '4addr', 'off'])
5178 def _test_ap_wpa2_eap_in_bridge(dev
, apdev
):
5179 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5180 hapd
= hostapd
.add_ap(apdev
[0], params
)
5184 wpas
= WpaSupplicant(global_iface
='/tmp/wpas-wlan5')
5185 subprocess
.call(['brctl', 'addbr', br_ifname
])
5186 subprocess
.call(['brctl', 'setfd', br_ifname
, '0'])
5187 subprocess
.call(['ip', 'link', 'set', 'dev', br_ifname
, 'up'])
5188 subprocess
.call(['iw', ifname
, 'set', '4addr', 'on'])
5189 subprocess
.check_call(['brctl', 'addif', br_ifname
, ifname
])
5190 wpas
.interface_add(ifname
, br_ifname
=br_ifname
)
5193 id = eap_connect(wpas
, hapd
, "PAX", "pax.user@example.com",
5194 password_hex
="0123456789abcdef0123456789abcdef")
5196 eap_reauth(wpas
, "PAX")
5198 # Try again as a regression test for packet socket workaround
5199 eap_reauth(wpas
, "PAX")
5201 wpas
.request("DISCONNECT")
5202 wpas
.wait_disconnected()
5204 wpas
.request("RECONNECT")
5205 wpas
.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # Sanity-check GET_CONFIG: the first AKM advertised must be WPA-EAP.
    key_mgmt = ap.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # Allow TLS session tickets on the supplicant side, then reauthenticate.
    # NOTE(review): this only checks that the reauthentication completes; it
    # does not assert tls_session_reused, so it cannot tell whether the ticket
    # was actually honoured or a full handshake was done.
    eap_connect(dev[0], ap, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
5221 def test_ap_wpa2_eap_no_workaround(dev
, apdev
):
5222 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
5223 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5224 hapd
= hostapd
.add_ap(apdev
[0], params
)
5225 key_mgmt
= hapd
.get_config()['key_mgmt']
5226 if key_mgmt
.split(' ')[0] != "WPA-EAP":
5227 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt
)
5228 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5229 anonymous_identity
="ttls", password
="password",
5230 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5232 eap_reauth(dev
[0], "TTLS")
5234 def test_ap_wpa2_eap_tls_check_crl(dev
, apdev
):
5235 """EAP-TLS and server checking CRL"""
5236 params
= int_eap_server_params()
5237 params
['check_crl'] = '1'
5238 hapd
= hostapd
.add_ap(apdev
[0], params
)
5240 # check_crl=1 and no CRL available --> reject connection
5241 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5242 client_cert
="auth_serv/user.pem",
5243 private_key
="auth_serv/user.key", expect_failure
=True)
5244 dev
[0].request("REMOVE_NETWORK all")
5247 hapd
.set("ca_cert", "auth_serv/ca-and-crl.pem")
5250 # check_crl=1 and valid CRL --> accept
5251 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5252 client_cert
="auth_serv/user.pem",
5253 private_key
="auth_serv/user.key")
5254 dev
[0].request("REMOVE_NETWORK all")
5257 hapd
.set("check_crl", "2")
5260 # check_crl=2 and valid CRL --> accept
5261 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5262 client_cert
="auth_serv/user.pem",
5263 private_key
="auth_serv/user.key")
5264 dev
[0].request("REMOVE_NETWORK all")
5266 def test_ap_wpa2_eap_tls_oom(dev
, apdev
):
5267 """EAP-TLS and OOM"""
5268 check_subject_match_support(dev
[0])
5269 check_altsubject_match_support(dev
[0])
5270 check_domain_match(dev
[0])
5271 check_domain_match_full(dev
[0])
5273 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5274 hostapd
.add_ap(apdev
[0], params
)
5276 tests
= [ (1, "tls_connection_set_subject_match"),
5277 (2, "tls_connection_set_subject_match"),
5278 (3, "tls_connection_set_subject_match"),
5279 (4, "tls_connection_set_subject_match") ]
5280 for count
, func
in tests
:
5281 with
alloc_fail(dev
[0], count
, func
):
5282 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5283 identity
="tls user", ca_cert
="auth_serv/ca.pem",
5284 client_cert
="auth_serv/user.pem",
5285 private_key
="auth_serv/user.key",
5286 subject_match
="/C=FI/O=w1.fi/CN=server.w1.fi",
5287 altsubject_match
="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
5288 domain_suffix_match
="server.w1.fi",
5289 domain_match
="server.w1.fi",
5290 wait_connect
=False, scan_freq
="2412")
5291 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
5292 ev
= dev
[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout
=5)
5294 raise Exception("No passphrase request")
5295 dev
[0].request("REMOVE_NETWORK all")
5296 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # macaddr_acl=2: the MAC-based ACL decision is delegated to the RADIUS
    # server (per hostapd.conf semantics — confirm for the hostapd under
    # test). The station must still pass EAP-TLS; the ACL is an extra gate,
    # not a substitute for the certificate check.
    ap_params["macaddr_acl"] = "2"
    ap = hostapd.add_ap(apdev[0], ap_params)
    tls_client = dict(ca_cert="auth_serv/ca.pem",
                      client_cert="auth_serv/user.pem",
                      private_key="auth_serv/user.key")
    eap_connect(dev[1], ap, "TLS", "tls user", **tls_client)
5307 def test_ap_wpa2_eap_oom(dev
, apdev
):
5308 """EAP server and OOM"""
5309 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5310 hapd
= hostapd
.add_ap(apdev
[0], params
)
5311 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
5313 with
alloc_fail(hapd
, 1, "eapol_auth_alloc"):
5314 # The first attempt fails, but STA will send EAPOL-Start to retry and
5316 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5317 identity
="tls user", ca_cert
="auth_serv/ca.pem",
5318 client_cert
="auth_serv/user.pem",
5319 private_key
="auth_serv/user.key",
5322 def check_tls_ver(dev
, hapd
, phase1
, expected
):
5323 eap_connect(dev
, hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5324 client_cert
="auth_serv/user.pem",
5325 private_key
="auth_serv/user.key",
5327 ver
= dev
.get_status_field("eap_tls_version")
5329 raise Exception("Unexpected TLS version (expected %s): %s" % (expected
, ver
))
5331 def test_ap_wpa2_eap_tls_versions(dev
, apdev
):
5332 """EAP-TLS and TLS version configuration"""
5333 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5334 hapd
= hostapd
.add_ap(apdev
[0], params
)
5336 tls
= dev
[0].request("GET tls_library")
5337 if tls
.startswith("OpenSSL"):
5338 if "build=OpenSSL 1.0.1" not in tls
and "run=OpenSSL 1.0.1" not in tls
:
5339 check_tls_ver(dev
[0], hapd
,
5340 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
5342 if tls
.startswith("wolfSSL"):
5343 if ("build=3.10.0" in tls
and "run=3.10.0" in tls
) or \
5344 ("build=3.13.0" in tls
and "run=3.13.0" in tls
):
5345 check_tls_ver(dev
[0], hapd
,
5346 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
5348 elif tls
.startswith("internal"):
5349 check_tls_ver(dev
[0], hapd
,
5350 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
5351 check_tls_ver(dev
[1], hapd
,
5352 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
5353 check_tls_ver(dev
[2], hapd
,
5354 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
5356 def test_rsn_ie_proto_eap_sta(dev
, apdev
):
5357 """RSN element protocol testing for EAP cases on STA side"""
5358 bssid
= apdev
[0]['bssid']
5359 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5360 # This is the RSN element used normally by hostapd
5361 params
['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
5362 hapd
= hostapd
.add_ap(apdev
[0], params
)
5363 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
5364 identity
="gpsk user",
5365 password
="abcdefghijklmnop0123456789abcdef",
5368 tests
= [ ('No RSN Capabilities field',
5369 '30120100000fac040100000fac040100000fac01'),
5370 ('No AKM Suite fields',
5371 '300c0100000fac040100000fac04'),
5372 ('No Pairwise Cipher Suite fields',
5373 '30060100000fac04'),
5374 ('No Group Data Cipher Suite field',
5376 for txt
,ie
in tests
:
5377 dev
[0].request("DISCONNECT")
5378 dev
[0].wait_disconnected()
5381 hapd
.set('own_ie_override', ie
)
5383 dev
[0].request("BSS_FLUSH 0")
5384 dev
[0].scan_for_bss(bssid
, 2412, force_scan
=True, only_new
=True)
5385 dev
[0].select_network(id, freq
=2412)
5386 dev
[0].wait_connected()
5388 dev
[0].request("DISCONNECT")
5389 dev
[0].wait_disconnected()
5390 dev
[0].flush_scan_cache()
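def check_tls_session_resumption_capa(dev, hapd):
    """Skip the calling test unless both ends can do TLS session resumption.

    Both hostapd and wpa_supplicant report their TLS backend through
    "GET tls_library"; only OpenSSL-based builds are accepted here.

    Raises:
        HwsimSkip: when either side is not built against OpenSSL.
    """
    # NOTE(review): the hostapd skip message previously claimed "OpenSSL or
    # wolfSSL" while the check only ever accepted OpenSSL; the text now
    # matches the check. If wolfSSL session resumption is verified to work in
    # hostapd, widen the startswith() condition rather than only the message.
    tls = hapd.request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)

    tls = dev.request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("Session resumption not supported with this TLS library: " + tls)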
5401 def test_eap_ttls_pap_session_resumption(dev
, apdev
):
5402 """EAP-TTLS/PAP session resumption"""
5403 params
= int_eap_server_params()
5404 params
['tls_session_lifetime'] = '60'
5405 hapd
= hostapd
.add_ap(apdev
[0], params
)
5406 check_tls_session_resumption_capa(dev
[0], hapd
)
5407 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5408 anonymous_identity
="ttls", password
="password",
5409 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5411 if dev
[0].get_status_field("tls_session_reused") != '0':
5412 raise Exception("Unexpected session resumption on the first connection")
5414 dev
[0].request("REAUTHENTICATE")
5415 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5417 raise Exception("EAP success timed out")
5418 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5420 raise Exception("Key handshake with the AP timed out")
5421 if dev
[0].get_status_field("tls_session_reused") != '1':
5422 raise Exception("Session resumption not used on the second connection")
5424 def test_eap_ttls_chap_session_resumption(dev
, apdev
):
5425 """EAP-TTLS/CHAP session resumption"""
5426 params
= int_eap_server_params()
5427 params
['tls_session_lifetime'] = '60'
5428 hapd
= hostapd
.add_ap(apdev
[0], params
)
5429 check_tls_session_resumption_capa(dev
[0], hapd
)
5430 eap_connect(dev
[0], hapd
, "TTLS", "chap user",
5431 anonymous_identity
="ttls", password
="password",
5432 ca_cert
="auth_serv/ca.der", phase2
="auth=CHAP")
5433 if dev
[0].get_status_field("tls_session_reused") != '0':
5434 raise Exception("Unexpected session resumption on the first connection")
5436 dev
[0].request("REAUTHENTICATE")
5437 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5439 raise Exception("EAP success timed out")
5440 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5442 raise Exception("Key handshake with the AP timed out")
5443 if dev
[0].get_status_field("tls_session_reused") != '1':
5444 raise Exception("Session resumption not used on the second connection")
5446 def test_eap_ttls_mschap_session_resumption(dev
, apdev
):
5447 """EAP-TTLS/MSCHAP session resumption"""
5448 check_domain_suffix_match(dev
[0])
5449 params
= int_eap_server_params()
5450 params
['tls_session_lifetime'] = '60'
5451 hapd
= hostapd
.add_ap(apdev
[0], params
)
5452 check_tls_session_resumption_capa(dev
[0], hapd
)
5453 eap_connect(dev
[0], hapd
, "TTLS", "mschap user",
5454 anonymous_identity
="ttls", password
="password",
5455 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
5456 domain_suffix_match
="server.w1.fi")
5457 if dev
[0].get_status_field("tls_session_reused") != '0':
5458 raise Exception("Unexpected session resumption on the first connection")
5460 dev
[0].request("REAUTHENTICATE")
5461 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5463 raise Exception("EAP success timed out")
5464 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5466 raise Exception("Key handshake with the AP timed out")
5467 if dev
[0].get_status_field("tls_session_reused") != '1':
5468 raise Exception("Session resumption not used on the second connection")
5470 def test_eap_ttls_mschapv2_session_resumption(dev
, apdev
):
5471 """EAP-TTLS/MSCHAPv2 session resumption"""
5472 check_domain_suffix_match(dev
[0])
5473 check_eap_capa(dev
[0], "MSCHAPV2")
5474 params
= int_eap_server_params()
5475 params
['tls_session_lifetime'] = '60'
5476 hapd
= hostapd
.add_ap(apdev
[0], params
)
5477 check_tls_session_resumption_capa(dev
[0], hapd
)
5478 eap_connect(dev
[0], hapd
, "TTLS", "DOMAIN\mschapv2 user",
5479 anonymous_identity
="ttls", password
="password",
5480 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
5481 domain_suffix_match
="server.w1.fi")
5482 if dev
[0].get_status_field("tls_session_reused") != '0':
5483 raise Exception("Unexpected session resumption on the first connection")
5485 dev
[0].request("REAUTHENTICATE")
5486 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5488 raise Exception("EAP success timed out")
5489 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5491 raise Exception("Key handshake with the AP timed out")
5492 if dev
[0].get_status_field("tls_session_reused") != '1':
5493 raise Exception("Session resumption not used on the second connection")
5495 def test_eap_ttls_eap_gtc_session_resumption(dev
, apdev
):
5496 """EAP-TTLS/EAP-GTC session resumption"""
5497 params
= int_eap_server_params()
5498 params
['tls_session_lifetime'] = '60'
5499 hapd
= hostapd
.add_ap(apdev
[0], params
)
5500 check_tls_session_resumption_capa(dev
[0], hapd
)
5501 eap_connect(dev
[0], hapd
, "TTLS", "user",
5502 anonymous_identity
="ttls", password
="password",
5503 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC")
5504 if dev
[0].get_status_field("tls_session_reused") != '0':
5505 raise Exception("Unexpected session resumption on the first connection")
5507 dev
[0].request("REAUTHENTICATE")
5508 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5510 raise Exception("EAP success timed out")
5511 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5513 raise Exception("Key handshake with the AP timed out")
5514 if dev
[0].get_status_field("tls_session_reused") != '1':
5515 raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_no_session_resumption(dev, apdev):
    """EAP-TTLS session resumption disabled on server"""
    # tls_session_lifetime=0 turns the server-side session cache off, so
    # the re-authentication must also be a full TLS handshake and
    # tls_session_reused has to stay '0' on both rounds.
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '0'
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")

    def expect_full_handshake(which):
        if dev[0].get_status_field("tls_session_reused") != '0':
            raise Exception("Unexpected session resumption on the %s connection" % which)

    expect_full_handshake("first")

    dev[0].request("REAUTHENTICATE")
    for event, error in (("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
                         ("WPA: Key negotiation completed",
                          "Key handshake with the AP timed out")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(error)
    expect_full_handshake("second")
def test_eap_peap_session_resumption(dev, apdev):
    """EAP-PEAP session resumption"""
    check_eap_capa(dev[0], "MSCHAPV2")
    # Server-side TLS session cache enabled for 60 s; the second EAP
    # exchange is expected to resume the cached session.
    cfg = int_eap_server_params()
    cfg['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], cfg)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    def session_reused():
        return dev[0].get_status_field("tls_session_reused")

    if session_reused() != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if session_reused() != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
    """EAP-PEAP session resumption with crypto binding"""
    # Same flow as the plain PEAP resumption test, but the peer is
    # configured with phase1 "peapver=0 crypto_binding=2" (crypto binding
    # required); the resumed second round still has to complete.
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                phase1="peapver=0 crypto_binding=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    def check_reused(expected, error):
        if dev[0].get_status_field("tls_session_reused") != expected:
            raise Exception(error)

    check_reused('0', "Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if dev[0].wait_event(["WPA: Key negotiation completed"],
                         timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    check_reused('1', "Session resumption not used on the second connection")
def test_eap_peap_no_session_resumption(dev, apdev):
    """EAP-PEAP session resumption disabled on server"""
    # tls_session_lifetime is deliberately left unset here: the test relies
    # on the server default leaving session caching off, so both EAP rounds
    # must report tls_session_reused == '0'.
    hapd = hostapd.add_ap(apdev[0], int_eap_server_params())
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    reused = dev[0].get_status_field("tls_session_reused")
    if reused != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if dev[0].wait_event(["WPA: Key negotiation completed"],
                         timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    reused = dev[0].get_status_field("tls_session_reused")
    if reused != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_tls_session_resumption(dev, apdev):
    """EAP-TLS session resumption"""
    # First EAP-TLS round is a full handshake (client certificate
    # presented); the two following re-authentications within the 60 s
    # cache lifetime are both expected to be resumed sessions.
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    def reauth_expect_resumed(which):
        dev[0].request("REAUTHENTICATE")
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if dev[0].wait_event(["WPA: Key negotiation completed"],
                             timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")
        if dev[0].get_status_field("tls_session_reused") != '1':
            raise Exception("Session resumption not used on the %s connection" % which)

    reauth_expect_resumed("second")
    reauth_expect_resumed("third")
def test_eap_tls_session_resumption_expiration(dev, apdev):
    """EAP-TLS session resumption"""
    # Cache lifetime of 1 s: once it has elapsed the server must refuse to
    # resume and fall back to a full handshake (tls_session_reused == '0').
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '1'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    def reauthenticate():
        dev[0].request("REAUTHENTICATE")
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if dev[0].wait_event(["WPA: Key negotiation completed"],
                             timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")

    # Allow multiple attempts since OpenSSL may not expire the cached entry
    # immediately.
    for _ in range(10):
        time.sleep(1.2)
        reauthenticate()
        if dev[0].get_status_field("tls_session_reused") == '0':
            break
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Session resumption used after lifetime expiration")
def test_eap_tls_no_session_resumption(dev, apdev):
    """EAP-TLS session resumption disabled on server"""
    # No tls_session_lifetime in the server configuration; the test relies
    # on the default leaving the cache disabled, so the re-authentication
    # has to present the client certificate again in a full handshake.
    hapd = hostapd.add_ap(apdev[0], int_eap_server_params())
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")

    def expect_no_resumption(error):
        if dev[0].get_status_field("tls_session_reused") != '0':
            raise Exception(error)

    expect_no_resumption("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    expect_no_resumption("Unexpected session resumption on the second connection")
def test_eap_tls_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption (RADIUS)"""
    # apdev[1] acts as a standalone RADIUS/EAP server with the TLS session
    # cache enabled; apdev[0] is a plain WPA2-Enterprise AP that proxies
    # EAP to it over RADIUS on port 18128.
    as_params = { "ssid": "as", "beacon_int": "2000",
                  "radius_server_clients": "auth_serv/radius_clients.conf",
                  "radius_server_auth_port": '18128',
                  "eap_server": "1",
                  "eap_user_file": "auth_serv/eap_user.conf",
                  "ca_cert": "auth_serv/ca.pem",
                  "server_cert": "auth_serv/server.pem",
                  "private_key": "auth_serv/server.key",
                  "tls_session_lifetime": "60" }
    authsrv = hostapd.add_ap(apdev[1], as_params)
    check_tls_session_resumption_capa(dev[0], authsrv)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    for event, error in (("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
                         ("WPA: Key negotiation completed",
                          "Key handshake with the AP timed out")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(error)
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_tls_no_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption disabled (RADIUS)"""
    # Standalone RADIUS/EAP server on apdev[1] with tls_session_lifetime=0;
    # both EAP rounds through the proxying AP on apdev[0] must be full
    # handshakes.
    as_params = { "ssid": "as", "beacon_int": "2000",
                  "radius_server_clients": "auth_serv/radius_clients.conf",
                  "radius_server_auth_port": '18128',
                  "eap_server": "1",
                  "eap_user_file": "auth_serv/eap_user.conf",
                  "ca_cert": "auth_serv/ca.pem",
                  "server_cert": "auth_serv/server.pem",
                  "private_key": "auth_serv/server.key",
                  "tls_session_lifetime": "0" }
    hostapd.add_ap(apdev[1], as_params)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")

    def expect_full_handshake(which):
        if dev[0].get_status_field("tls_session_reused") != '0':
            raise Exception("Unexpected session resumption on the %s connection" % which)

    expect_full_handshake("first")

    dev[0].request("REAUTHENTICATE")
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if dev[0].wait_event(["WPA: Key negotiation completed"],
                         timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    expect_full_handshake("second")
def test_eap_mschapv2_errors(dev, apdev):
    """EAP-MSCHAPv2 error cases"""
    check_eap_capa(dev[0], "MSCHAPV2")
    check_eap_capa(dev[0], "FAST")

    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Sanity check: the configuration works without any fault injection.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                   identity="phase1-user", password="password",
                   scan_freq="2412")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    def attempt(fault, count, func, trigger, **net):
        # Arm one injected failure (fail_test or alloc_fail) in func, start
        # the connection without waiting for it, wait until the fault has
        # actually fired and tear the network down again.
        with fault(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP",
                           wait_connect=False, scan_freq="2412", **net)
            wait_fail_trigger(dev[0], trigger)
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Failures in the password-based response derivation
    for count, func in [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
                         (1, "nt_password_hash;mschapv2_derive_response"),
                         (1, "nt_password_hash;=mschapv2_derive_response"),
                         (1, "generate_nt_response;mschapv2_derive_response"),
                         (1, "generate_authenticator_response;mschapv2_derive_response"),
                         (1, "nt_password_hash;=mschapv2_derive_response"),
                         (1, "get_master_key;mschapv2_derive_response"),
                         (1, "os_get_random;eap_mschapv2_challenge_reply") ]:
        attempt(fail_test, count, func, "GET_FAIL", eap="MSCHAPV2",
                identity="phase1-user", password="password")

    # Same with the NT password hash supplied directly instead of the
    # cleartext password
    for count, func in [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
                         (1, "hash_nt_password_hash;=mschapv2_derive_response"),
                         (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
                         (1, "generate_authenticator_response_pwhash;mschapv2_derive_response") ]:
        attempt(fail_test, count, func, "GET_FAIL", eap="MSCHAPV2",
                identity="phase1-user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c")

    # Memory allocation failures on the success path
    for count, func in [ (1, "eap_mschapv2_init"),
                         (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
                         (1, "eap_msg_alloc;eap_mschapv2_success"),
                         (1, "eap_mschapv2_getKey") ]:
        attempt(alloc_fail, count, func, "GET_ALLOC_FAIL", eap="MSCHAPV2",
                identity="phase1-user", password="password")

    # Allocation failure while building the Failure response (wrong password
    # so that the server actually sends a failure)
    for count, func in [ (1, "eap_msg_alloc;eap_mschapv2_failure") ]:
        attempt(alloc_fail, count, func, "GET_ALLOC_FAIL", eap="MSCHAPV2",
                identity="phase1-user", password="wrong password")

    # MSCHAPv2 used as the EAP-FAST inner method
    for count, func in [ (2, "eap_mschapv2_init"),
                         (3, "eap_mschapv2_init") ]:
        attempt(alloc_fail, count, func, "GET_ALLOC_FAIL", eap="FAST",
                anonymous_identity="FAST", identity="user",
                password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1",
                pac_file="blob://fast_pac")
def test_eap_gpsk_errors(dev, apdev):
    """EAP-GPSK error cases"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    psk = "abcdefghijklmnop0123456789abcdef"
    # Sanity check without fault injection
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                   identity="gpsk user",
                   password=psk,
                   scan_freq="2412")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    def attempt(fault, count, func, trigger, **net):
        # Arm one injected failure in func, start the connection without
        # waiting for it, confirm the fault fired and clean up.
        with fault(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                           password=psk,
                           wait_connect=False, scan_freq="2412", **net)
            wait_fail_trigger(dev[0], trigger)
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Crypto/RNG failures; phase1 selects the GPSK cipher suite where the
    # failing function is suite specific (None leaves the default).
    fail_cases = [ (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
                   (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
                    "cipher=1"),
                   (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
                    "cipher=2"),
                   (1, "eap_gpsk_derive_keys_helper", None),
                   (2, "eap_gpsk_derive_keys_helper", None),
                   (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
                    "cipher=1"),
                   (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
                    "cipher=2"),
                   (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
                   (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
                   (1, "eap_gpsk_derive_mid_helper", None) ]
    for count, func, phase1 in fail_cases:
        attempt(fail_test, count, func, "GET_FAIL",
                identity="gpsk user", phase1=phase1)

    # Memory allocation failures, with ERP enabled so that the EMSK and
    # session-id derivation paths are reached as well.
    alloc_cases = [ (1, "eap_gpsk_init"),
                    (2, "eap_gpsk_init"),
                    (3, "eap_gpsk_init"),
                    (1, "eap_gpsk_process_id_server"),
                    (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
                    (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
                    (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
                    (1, "eap_gpsk_derive_keys"),
                    (1, "eap_gpsk_derive_keys_helper"),
                    (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
                    (1, "eap_gpsk_getKey"),
                    (1, "eap_gpsk_get_emsk"),
                    (1, "eap_gpsk_get_session_id") ]
    for count, func in alloc_cases:
        # Drop any cached ERP keys so each iteration starts from scratch
        dev[0].request("ERP_FLUSH")
        attempt(alloc_fail, count, func, "GET_ALLOC_FAIL",
                identity="gpsk user@domain", erp="1")
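def test_ap_wpa2_eap_sim_db(dev, apdev, params):
    """EAP-SIM DB error cases"""
    # A private socket path is used so the test can stand in for
    # hlr_auc_gw itself and feed hostapd's eap_sim_db malformed responses.
    sockpath = '/tmp/hlr_auc_gw.sock-test'
    # A stale socket file left by an earlier run would make the
    # UnixDatagramServer bind() below fail, so remove it first.
    try:
        os.remove(sockpath)
    except OSError:
        pass
    hparams = int_eap_server_params()
    hparams['eap_sim_db'] = 'unix:' + sockpath
    hapd = hostapd.add_ap(apdev[0], hparams)

    # Initial test with hlr_auc_gw socket not available
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                            eap="SIM", identity="1232010000000000",
                            password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                            scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["EAP-ERROR-CODE"], timeout=10)
    if ev is None:
        raise Exception("EAP method specific error code not reported")
    # 16384 is the method-specific error code the peer reports for this
    # server-side failure (second whitespace-separated field of the event).
    if int(ev.split()[1]) != 16384:
        raise Exception("Unexpected EAP method specific error code: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    # Test with invalid responses and response timeout

    class test_handler(SocketServer.DatagramRequestHandler):
        def handle(self):
            data = self.request[0].strip()
            sock = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            # EAP-SIM DB: Failed to parse response string
            sock.sendto("FOO", self.client_address)
            # EAP-SIM DB: Failed to parse response string
            sock.sendto("FOO 1", self.client_address)
            # EAP-SIM DB: Unknown external response
            sock.sendto("FOO 1 2", self.client_address)
            logger.info("No proper response - wait for pending eap_sim_db request timeout")

    server = SocketServer.UnixDatagramServer(sockpath, test_handler)
    # Bounded wait: if hostapd never sends a request, handle_request()
    # returns instead of hanging the whole test run.
    server.timeout = 5

    dev[0].select_network(net_id)
    server.handle_request()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    # Test with a valid response

    class test_handler2(SocketServer.DatagramRequestHandler):
        def handle(self):
            data = self.request[0].strip()
            sock = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            # The Milenage DB is expected in the test log directory
            # (presumably written by the test setup - not visible here).
            fname = os.path.join(params['logdir'],
                                 'hlr_auc_gw.milenage_db')
            # One-shot hlr_auc_gw run: the request received from hostapd is
            # passed as a single argv element (argument list, no shell).
            # communicate() collects stdout and reaps the child so that no
            # zombie or open pipe is left behind per request.
            cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
                                    '-m', fname, data],
                                   stdout=subprocess.PIPE)
            res = cmd.communicate()[0].strip()
            logger.debug("hlr_auc_gw response: " + res)
            sock.sendto(res, self.client_address)

    server.RequestHandlerClass = test_handler2

    dev[0].select_network(net_id)
    server.handle_request()
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()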
def test_eap_tls_sha512(dev, apdev, params):
    """EAP-TLS with SHA512 signature"""
    # Server chain signed with SHA-512; one station authenticates with a
    # SHA-512 signed client certificate, the other with a SHA-384 signed
    # one issued by the same CA.
    server = int_eap_server_params()
    server["ca_cert"] = "auth_serv/sha512-ca.pem"
    server["server_cert"] = "auth_serv/sha512-server.pem"
    server["private_key"] = "auth_serv/sha512-server.key"
    hostapd.add_ap(apdev[0], server)

    for station, digest in ((dev[0], "sha512"), (dev[1], "sha384")):
        station.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                        identity="tls user sha512",
                        ca_cert="auth_serv/sha512-ca.pem",
                        client_cert="auth_serv/%s-user.pem" % digest,
                        private_key="auth_serv/%s-user.key" % digest,
                        scan_freq="2412")
def test_eap_tls_sha384(dev, apdev, params):
    """EAP-TLS with SHA384 signature"""
    # SHA-384 signed server certificate under the SHA-512 signed CA; the
    # two stations use SHA-512 and SHA-384 signed client certificates.
    server = int_eap_server_params()
    server["ca_cert"] = "auth_serv/sha512-ca.pem"
    server["server_cert"] = "auth_serv/sha384-server.pem"
    server["private_key"] = "auth_serv/sha384-server.key"
    hostapd.add_ap(apdev[0], server)

    for station, digest in ((dev[0], "sha512"), (dev[1], "sha384")):
        station.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                        identity="tls user sha512",
                        ca_cert="auth_serv/sha512-ca.pem",
                        client_cert="auth_serv/%s-user.pem" % digest,
                        private_key="auth_serv/%s-user.key" % digest,
                        scan_freq="2412")
def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
    """WPA2-Enterprise AP and association request RSN IE differences"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    # Second AP with management frame protection required (ieee80211w=2)
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
    params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[1], params)

    gpsk = dict(eap="GPSK", identity="gpsk user",
                password="abcdefghijklmnop0123456789abcdef")

    def expect_accept(ssid, ie, **extra):
        # Override the RSN IE in the (Re)Association Request and expect
        # the AP to accept the association and complete EAP.
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect(ssid, key_mgmt="WPA-EAP", scan_freq="2412",
                       **dict(gpsk, **extra))
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    def expect_reject(ssid, ie, status, **extra):
        # Override the RSN IE and expect an association rejection with the
        # given IEEE 802.11 status code.
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect(ssid, key_mgmt="WPA-EAP", scan_freq="2412",
                       wait_connect=False, **dict(gpsk, **extra))
        ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
        if ev is None:
            raise Exception("Association rejection not reported")
        if "status_code=" + str(status) not in ev:
            raise Exception("Unexpected status code: " + ev)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].dump_monitor()

    # Success cases with optional RSN IE fields removed one by one
    for title, ie in [ ("Normal wpa_supplicant assoc req RSN IE",
                        "30140100000fac040100000fac040100000fac010000"),
                       ("Extra PMKIDCount field in RSN IE",
                        "30160100000fac040100000fac040100000fac0100000000"),
                       ("Extra Group Management Cipher Suite in RSN IE",
                        "301a0100000fac040100000fac040100000fac0100000000000fac06"),
                       ("Extra undefined extension field in RSN IE",
                        "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
                       ("RSN IE without RSN Capabilities",
                        "30120100000fac040100000fac040100000fac01"),
                       ("RSN IE without AKM", "300c0100000fac040100000fac04"),
                       ("RSN IE without pairwise", "30060100000fac04"),
                       ("RSN IE without group", "30020100") ]:
        logger.info("Testing: " + title)
        expect_accept("test-wpa2-eap", ie)

    # PMF capable station (RSN capabilities 0xcc00) against the PMF AP
    for title, ie in [ ("Normal wpa_supplicant assoc req RSN IE",
                        "30140100000fac040100000fac040100000fac01cc00"),
                       ("Group management cipher included in assoc req RSN IE",
                        "301a0100000fac040100000fac040100000fac01cc000000000fac06") ]:
        logger.info("Testing: " + title)
        expect_accept("test-wpa2-eap-11w", ie, ieee80211w="1")

    # Cipher suites the AP does not offer must be rejected
    for title, ie, status in [ ("Invalid group cipher", "30060100000fac02", 41),
                               ("Invalid pairwise cipher",
                                "300c0100000fac040100000fac02", 42) ]:
        logger.info("Testing: " + title)
        expect_reject("test-wpa2-eap", ie, status)

    # PMF-required AP: no MFP capability or an unsupported management
    # group cipher must be rejected
    for title, ie, status in [ ("Management frame protection not enabled",
                                "30140100000fac040100000fac040100000fac010000", 31),
                               ("Unsupported management group cipher",
                                "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 46) ]:
        logger.info("Testing: " + title)
        expect_reject("test-wpa2-eap-11w", ie, status, ieee80211w="1")
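def test_eap_tls_ext_cert_check(dev, apdev):
    """EAP-TLS and external server certification validation"""
    # With internal server certificate chain validation: ca_cert is set, so
    # the external check (phase1 tls_ext_cert_check=1) runs in addition to
    # wpa_supplicant's own path validation. Only the network profile is
    # created here; run_ext_cert_check() starts the AP and drives the
    # CTRL-REQ-EXT_CERT_CHECK exchange.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                            identity="tls user",
                            ca_cert="auth_serv/ca.pem",
                            client_cert="auth_serv/user.pem",
                            private_key="auth_serv/user.key",
                            phase1="tls_ext_cert_check=1", scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)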
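def test_eap_ttls_ext_cert_check(dev, apdev):
    """EAP-TTLS and external server certification validation"""
    # Without internal server certificate chain validation: no ca_cert is
    # configured, so the external check requested with
    # phase1 tls_ext_cert_check=1 is the only validation of the server
    # before the PAP password is sent inside the tunnel.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            phase1="tls_ext_cert_check=1", scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)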
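def test_eap_peap_ext_cert_check(dev, apdev):
    """EAP-PEAP and external server certification validation"""
    # With internal server certificate chain validation (ca_cert set) plus
    # the external check requested with phase1 tls_ext_cert_check=1.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                            identity="user", anonymous_identity="peap",
                            ca_cert="auth_serv/ca.pem",
                            password="password", phase2="auth=MSCHAPV2",
                            phase1="tls_ext_cert_check=1", scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)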
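def test_eap_fast_ext_cert_check(dev, apdev):
    """EAP-FAST and external server certification validation"""
    check_eap_capa(dev[0], "FAST")
    # With internal server certificate chain validation (ca_cert set).
    # Start from an empty PAC blob so that authenticated provisioning
    # (fast_provisioning=2) has to run and the server certificate is
    # actually presented for the external check.
    dev[0].request("SET blob fast_pac_auth_ext ")
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                            identity="user", anonymous_identity="FAST",
                            ca_cert="auth_serv/ca.pem",
                            password="password", phase2="auth=GTC",
                            phase1="tls_ext_cert_check=1 fast_provisioning=2",
                            pac_file="blob://fast_pac_auth_ext",
                            scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)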
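def run_ext_cert_check(dev, apdev, net_id):
    """Drive the external server certificate check for network net_id.

    The network must have been added with phase1="tls_ext_cert_check=1".
    wpa_supplicant then reports the server chain through
    CTRL-EVENT-EAP-PEER-CERT events and withholds the EAP result until the
    control interface answers CTRL-REQ-EXT_CERT_CHECK with good or bad.
    This helper accepts the first connection ("good") and rejects the
    second one ("bad"), expecting EAP-Failure for the latter.

    Note that the "validation" done here is only a comparison of the CN
    strings of depth 0 and depth 1; it is a test hook, not a model for a
    real external verifier.
    """
    check_ext_cert_check_support(dev[0])
    if not openssl_imported:
        raise HwsimSkip("OpenSSL python method not available")

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    dev[0].select_network(net_id)
    # certs[depth] = DER certificate; depth 0 is the server certificate,
    # depth 1 its issuer.
    certs = {}
    req_id = None
    while True:
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
                                "CTRL-REQ-EXT_CERT_CHECK",
                                "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("No peer server certificate event seen")
        if "CTRL-EVENT-EAP-PEER-CERT" in ev:
            depth = None
            cert = None
            for v in ev.split(' '):
                if v.startswith("depth="):
                    depth = int(v.split('=')[1])
                elif v.startswith("cert="):
                    cert = v.split('=')[1]
            if depth is not None and cert:
                certs[depth] = binascii.unhexlify(cert)
        elif "CTRL-EVENT-EAP-SUCCESS" in ev:
            # EAP must not complete before the external verdict is given
            raise Exception("Unexpected EAP-Success")
        elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
            # Request id is the trailing component of "CTRL-REQ-EXT_CERT_CHECK-<id>"
            req_id = ev.split(':')[0].split('-')[-1]
            break
    if 0 not in certs:
        raise Exception("Server certificate not received")
    if 1 not in certs:
        raise Exception("Server certificate issuer not received")

    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
                                           certs[0])
    cn = cert.get_subject().commonName
    logger.info("Server certificate CN=" + cn)

    issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
                                             certs[1])
    icn = issuer.get_subject().commonName
    logger.info("Issuer certificate CN=" + icn)

    if cn != "server.w1.fi":
        raise Exception("Unexpected server certificate CN: " + cn)
    if icn != "Root CA":
        raise Exception("Unexpected server certificate issuer CN: " + icn)

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
    if ev is not None:
        raise Exception("Unexpected EAP-Success before external check result indication")

    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + req_id + ":good")
    dev[0].wait_connected()

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Flush the PMKSA cache so the reconnect cannot be satisfied from it and
    # a new EAP exchange (and a new external check request) is forced.
    if "FAIL" in dev[0].request("PMKSA_FLUSH"):
        raise Exception("PMKSA_FLUSH failed")
    # Clear the PAC blob too (only relevant for the EAP-FAST caller).
    dev[0].request("SET blob fast_pac_auth_ext ")
    dev[0].request("RECONNECT")

    ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen (2)")
    req_id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + req_id + ":bad")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()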
def test_eap_tls_errors(dev, apdev):
    """EAP-TLS error cases"""
    params = int_eap_server_params()
    # Small fragment_size forces multi-fragment EAP-TLS messages so that the
    # reassembly path on the peer is exercised.
    params['fragment_size'] = '100'
    hostapd.add_ap(apdev[0], params)

    tls_user = dict(key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user", ca_cert="auth_serv/ca.pem",
                    client_cert="auth_serv/user.pem",
                    private_key="auth_serv/user.key")
    unauth_tls = dict(key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
                      identity="unauth-tls", ca_cert="auth_serv/ca.pem")
    wfa_unauth_tls = dict(key_mgmt="WPA-EAP", eap="WFA-UNAUTH-TLS",
                          identity="osen@example.com",
                          ca_cert="auth_serv/ca.pem")

    def run(func, net, after_trigger=None):
        # Arm a single allocation failure in func, start the connection
        # without waiting for it, confirm the failure fired (optionally
        # checking for an extra event) and clean up the network.
        with alloc_fail(dev[0], 1, func):
            dev[0].connect("test-wpa2-eap", wait_connect=False,
                           scan_freq="2412", **net)
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            if after_trigger is not None:
                after_trigger()
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    run("eap_peer_tls_reassemble_fragment", tls_user)
    run("eap_tls_init", tls_user)

    def expect_pin_request():
        # With engine="1" and ssl_init failing the peer asks for the PIN
        ev = dev[0].wait_event(["CTRL-REQ-PIN"], timeout=5)
        if ev is None:
            raise Exception("No CTRL-REQ-PIN seen")

    run("eap_peer_tls_ssl_init", dict(tls_user, engine="1"),
        after_trigger=expect_pin_request)

    # Key/session-id derivation failures, with ERP enabled to reach the
    # EMSK and session id paths
    erp_user = dict(tls_user, identity="tls user@domain", erp="1")
    for func in [ "eap_peer_tls_derive_key;eap_tls_success",
                  "eap_peer_tls_derive_session_id;eap_tls_success",
                  "eap_tls_getKey",
                  "eap_tls_get_emsk",
                  "eap_tls_get_session_id" ]:
        run(func, erp_user)

    run("eap_unauth_tls_init", unauth_tls)
    run("eap_peer_tls_ssl_init;eap_unauth_tls_init", unauth_tls)

    run("eap_wfa_unauth_tls_init", wfa_unauth_tls)
    run("eap_peer_tls_ssl_init;eap_wfa_unauth_tls_init", wfa_unauth_tls)
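def test_ap_wpa2_eap_status(dev, apdev):
    """EAP state machine status information

    Starts a PEAP (inner EAP-TLS) connection without waiting for it and polls
    STATUS-VERBOSE until the peer state machine reports SUCCESS, collecting
    every distinct value seen for the 'EAP state', 'methodState', 'decision',
    'reqMethod' and 'selectedMethod' fields so the status output of the whole
    exchange ends up in the log.

    NOTE(review): the accumulator initialisation, the 'decision' field
    capture, the break on SUCCESS and the final success check were not
    visible in the rendering reviewed and were reconstructed from context —
    confirm against upstream.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="cert user",
                   ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                   ca_cert2="auth_serv/ca.pem",
                   client_cert2="auth_serv/user.pem",
                   private_key2="auth_serv/user.key",
                   scan_freq="2412", wait_connect=False)

    def note(seen, val):
        # Record val once, keeping first-seen order for the log output.
        if val not in seen:
            seen.append(val)

    states = []
    method_states = []
    decisions = []
    req_methods = []
    selected_methods = []
    # Fields that are only collected for logging; 'EAP state' is handled
    # separately because it also terminates the polling loop.
    tracked = [('methodState', method_states),
               ('decision', decisions),
               ('reqMethod', req_methods),
               ('selectedMethod', selected_methods)]
    success = False
    i = 0
    # Busy-polls the control interface; SUCCESS normally arrives long before
    # the iteration cap, which only bounds a failed or hung exchange.
    for i in range(100000):
        s = dev[0].get_status(extra="VERBOSE")
        if 'EAP state' in s:
            state = s['EAP state']
            if state:
                note(states, state)
                if state == "SUCCESS":
                    success = True
                    break
        for field, seen in tracked:
            if field in s:
                note(seen, s[field])
    logger.info("Iterations: %d", i)
    logger.info("EAP states: %s", states)
    logger.info("methodStates: %s", method_states)
    logger.info("decisions: %s", decisions)
    logger.info("reqMethods: %s", req_methods)
    logger.info("selectedMethods: %s", selected_methods)
    if not success:
        raise Exception("EAP did not succeed")
    dev[0].wait_connected()
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()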
def test_ap_wpa2_eap_gpsk_ptk_rekey_ap(dev, apdev):
    """WPA2-Enterprise with EAP-GPSK and PTK rekey enforced by AP

    Authenticates with EAP-GPSK, waits for the AP-initiated PTK rekey
    (4-way handshake) to complete and then checks that data still flows
    over the rekeyed link.

    NOTE(review): the 'if ev is None:' guard in front of the timeout
    exception was not visible in the rendering reviewed and was
    reconstructed — confirm against upstream.
    """
    # wpa_ptk_rekey is the PTK lifetime in seconds; two seconds makes the AP
    # start a new 4-way handshake shortly after the EAP exchange finishes.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['wpa_ptk_rekey'] = '2'
    hapd = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[0], hapd, "GPSK", "gpsk user",
                password="abcdefghijklmnop0123456789abcdef")
    rekey_done = dev[0].wait_event(["WPA: Key negotiation completed"])
    if rekey_done is None:
        raise Exception("PTK rekey timed out")
    hwsim_utils.test_connectivity(dev[0], hapd)
def test_ap_wpa2_eap_wildcard_ssid(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK and wildcard SSID

    The network block is selected by BSSID only (no ssid parameter), so the
    supplicant has to take the SSID from the scan result.

    NOTE(review): the closing 'scan_freq="2412")' line of the connect() call
    was not visible in the rendering reviewed and was reconstructed —
    confirm against upstream.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    target_bssid = apdev[0]['bssid']
    dev[0].connect(bssid=target_bssid, key_mgmt="WPA-EAP", eap="GPSK",
                   identity="gpsk user",
                   password="abcdefghijklmnop0123456789abcdef",
                   scan_freq="2412")
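def test_ap_wpa2_eap_psk_mac_addr_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK after MAC address change

    Changes the station MAC address externally with 'ip link' while the
    wpa_supplicant process is held in SIGSTOP, restores the original address,
    and then checks that an EAP-PSK connection still succeeds and that the
    supplicant reports the restored address. Needs the privileges to run
    'ip link set' and to signal the wpa_supplicant process.

    NOTE(review): the 'continue' statements and the 'if pid == 0 / else'
    branch of the PID lookup, the time.sleep(0.1) pauses around the signals,
    the 'addr' argument of the restore command and the final
    'if addr != addr2:' check were not visible in the rendering reviewed and
    were reconstructed from context — confirm against upstream.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # communicate() reads the whole output and closes the pipe, so the child
    # is reaped instead of being left behind as a zombie.
    cmd = subprocess.Popen(['ps', '-eo', 'pid,command'],
                           stdout=subprocess.PIPE)
    res = cmd.communicate()[0]
    # Decode so the substring checks below work whether stdout is bytes or
    # str on this interpreter.
    if isinstance(res, bytes):
        res = res.decode('utf-8', 'replace')
    pid = 0
    for p in res.splitlines():
        if "wpa_supplicant" not in p:
            continue
        # Plain substring match on the interface name: a second supplicant
        # on an interface with a longer name that contains this one would
        # also match (last match wins). The file already imports
        # find_wpas_process from test_ap_psk, which could replace this loop.
        if dev[0].ifname not in p:
            continue
        pid = int(p.strip().split(' ')[0])
    if pid == 0:
        # Do not fall through with pid == 0: os.kill(0, sig) signals every
        # process in the caller's process group, i.e. the test runner itself
        # would have been stopped instead of the supplicant.
        raise Exception("Could not find wpa_supplicant PID")
    logger.info("wpa_supplicant PID %d", pid)

    def ip_link(*args):
        # Run 'ip link set dev <ifname> ...' for the station interface.
        subprocess.call(['ip', 'link', 'set', 'dev', dev[0].ifname] +
                        list(args))

    addr = dev[0].get_status_field("address")
    ip_link('down')
    # 02:... has the locally administered bit set, so it cannot collide with
    # a vendor-assigned address.
    ip_link('address', '02:11:22:33:44:55')
    ip_link('up')
    addr1 = dev[0].get_status_field("address")
    if addr1 != '02:11:22:33:44:55':
        raise Exception("Failed to change MAC address")

    # Scan using the externally set MAC address, stop the wpa_supplicant
    # process to keep it from processing the ifdown event before the interface
    # is already UP, change the MAC address back, then allow the wpa_supplicant
    # process to continue. This results in the ifdown + ifup sequence of
    # RTM_NEWLINK events being processed while the interface is already UP.

    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
    os.kill(pid, signal.SIGSTOP)
    try:
        time.sleep(0.1)
        ip_link('down')
        ip_link('address', addr)
        ip_link('up')
        time.sleep(0.1)
    finally:
        # Never leave the supplicant stopped if one of the steps above
        # raises; a stopped process would hang every later test.
        os.kill(pid, signal.SIGCONT)
    time.sleep(0.1)

    eap_connect(dev[0], hapd, "PSK", "psk.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")

    addr2 = dev[0].get_status_field("address")
    if addr != addr2:
        raise Exception("Failed to restore MAC address")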