1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2019, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
13 logger
= logging
.getLogger()
20 import socketserver
as SocketServer
25 from hwsim
import HWSimRadio
27 from utils
import HwsimSkip
, alloc_fail
, fail_test
, skip_with_fips
, wait_fail_trigger
, require_under_vm
28 from wpasupplicant
import WpaSupplicant
29 from test_ap_psk
import check_mib
, find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
, set_test_assoc_ie
33 openssl_imported
= True
35 openssl_imported
= False
def check_hlr_auc_gw_support():
    """Skip the test unless the hlr_auc_gw control socket is present.

    The EAP-SIM/AKA tests need the external HLR/AuC gateway; its presence
    is detected by the existence of its UNIX socket path.

    Raises:
        HwsimSkip: if /tmp/hlr_auc_gw.sock does not exist.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
41 def check_eap_capa(dev
, method
):
42 res
= dev
.get_capability("eap")
44 raise HwsimSkip("EAP method %s not supported in the build" % method
)
def check_subject_match_support(dev):
    """Skip the test when the TLS backend of *dev* lacks subject_match.

    Args:
        dev: wpa_supplicant control-interface wrapper; the backend name is
            read with ``dev.request("GET tls_library")``.

    Raises:
        HwsimSkip: unless the reported library is OpenSSL or wolfSSL.
    """
    tls = dev.request("GET tls_library")
    if tls.startswith(("OpenSSL", "wolfSSL")):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + tls)
def check_check_cert_subject_support(dev):
    """Skip the test unless *dev* is built against OpenSSL.

    check_cert_subject is only exercised with the OpenSSL backend, so the
    library name reported over the control interface is inspected first.

    Args:
        dev: wpa_supplicant control-interface wrapper.

    Raises:
        HwsimSkip: if the reported TLS library is not OpenSSL.
    """
    tls = dev.request("GET tls_library")
    is_openssl = tls.startswith("OpenSSL")
    if not is_openssl:
        raise HwsimSkip("check_cert_subject not supported with this TLS library: " + tls)
def check_altsubject_match_support(dev):
    """Skip the test when the TLS backend of *dev* lacks altsubject_match.

    Args:
        dev: wpa_supplicant control-interface wrapper.

    Raises:
        HwsimSkip: unless the reported library is OpenSSL or wolfSSL.
    """
    tls = dev.request("GET tls_library")
    for prefix in ("OpenSSL", "wolfSSL"):
        if tls.startswith(prefix):
            return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls)
def check_domain_match(dev):
    """Skip the test when *dev* uses the internal TLS implementation.

    domain_match is not available with the internal TLS backend.

    Args:
        dev: wpa_supplicant control-interface wrapper.

    Raises:
        HwsimSkip: if the reported TLS library name starts with "internal".
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("internal"):
        return
    raise HwsimSkip("domain_match not supported with this TLS library: " + tls)
def check_domain_suffix_match(dev):
    """Skip the test when *dev* uses the internal TLS implementation.

    domain_suffix_match is not available with the internal TLS backend.

    Args:
        dev: wpa_supplicant control-interface wrapper.

    Raises:
        HwsimSkip: if the reported TLS library name starts with "internal".
    """
    tls = dev.request("GET tls_library")
    uses_internal_tls = tls.startswith("internal")
    if uses_internal_tls:
        raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + tls)
def check_domain_match_full(dev):
    """Skip the test when the TLS backend only supports full domain matches.

    Suffix matching for domain_suffix_match is only exercised with OpenSSL
    and wolfSSL; every other backend is treated as requiring a full match.

    Args:
        dev: wpa_supplicant control-interface wrapper.

    Raises:
        HwsimSkip: unless the reported library is OpenSSL or wolfSSL.
    """
    tls = dev.request("GET tls_library")
    full_match_only = not tls.startswith(("OpenSSL", "wolfSSL"))
    if full_match_only:
        raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls)
def check_cert_probe_support(dev):
    """Skip the test unless the TLS backend of *dev* supports certificate probing.

    Args:
        dev: wpa_supplicant control-interface wrapper.

    Raises:
        HwsimSkip: unless the reported library is OpenSSL or the internal
            TLS implementation.
    """
    tls = dev.request("GET tls_library")
    probe_capable = tls.startswith("OpenSSL") or tls.startswith("internal")
    if probe_capable:
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls)
def check_ext_cert_check_support(dev):
    """Skip the test unless *dev* is built against OpenSSL.

    ext_cert_check is only exercised with the OpenSSL backend.

    Args:
        dev: wpa_supplicant control-interface wrapper.

    Raises:
        HwsimSkip: if the reported TLS library is not OpenSSL.
    """
    tls = dev.request("GET tls_library")
    if tls.startswith("OpenSSL"):
        return
    raise HwsimSkip("ext_cert_check not supported with this TLS library: " + tls)
def check_ocsp_support(dev):
    """Skip the test when the TLS backend of *dev* cannot do OCSP.

    Earlier revisions also skipped the internal TLS implementation and
    BoringSSL here; those checks are disabled, so only wolfSSL is excluded.

    Args:
        dev: wpa_supplicant control-interface wrapper.

    Raises:
        HwsimSkip: if the reported TLS library is wolfSSL.
    """
    tls = dev.request("GET tls_library")
    unsupported = tls.startswith("wolfSSL")
    if not unsupported:
        return
    raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
def check_pkcs5_v15_support(dev):
    """Skip the test when the TLS backend of *dev* rejects PKCS#5 v1.5.

    The library name is matched as a substring, since BoringSSL reports
    itself inside an OpenSSL-style version string.

    Args:
        dev: wpa_supplicant control-interface wrapper.

    Raises:
        HwsimSkip: if the reported library mentions BoringSSL or GnuTLS.
    """
    tls = dev.request("GET tls_library")
    if any(name in tls for name in ("BoringSSL", "GnuTLS")):
        raise HwsimSkip("PKCS#5 v1.5 not supported with this TLS library: " + tls)
100 def check_ocsp_multi_support(dev
):
101 tls
= dev
.request("GET tls_library")
102 if not tls
.startswith("internal"):
103 raise HwsimSkip("OCSP-multi not supported with this TLS library: " + tls
)
104 as_hapd
= hostapd
.Hostapd("as")
105 res
= as_hapd
.request("GET tls_library")
107 if not res
.startswith("internal"):
108 raise HwsimSkip("Authentication server does not support ocsp_multi")
def check_pkcs12_support(dev):
    """Skip the test when the TLS backend of *dev* cannot load PKCS#12.

    A check for the internal TLS implementation used to live here as well;
    it is disabled, so only wolfSSL triggers the skip.

    Args:
        dev: wpa_supplicant control-interface wrapper.

    Raises:
        HwsimSkip: if the reported TLS library is wolfSSL.
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("wolfSSL"):
        return
    raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls)
def check_dh_dsa_support(dev):
    """Skip the test when *dev* uses the internal TLS implementation.

    DH/DSA cipher suites are not available with the internal TLS backend.

    Args:
        dev: wpa_supplicant control-interface wrapper.

    Raises:
        HwsimSkip: if the reported TLS library name starts with "internal".
    """
    tls = dev.request("GET tls_library")
    internal = tls.startswith("internal")
    if internal:
        raise HwsimSkip("DH DSA not supported with this TLS library: " + tls)
123 with
open(fname
, "r") as f
:
124 lines
= f
.readlines()
132 if "-----BEGIN" in l
:
134 return base64
.b64decode(cert
)
136 def eap_connect(dev
, hapd
, method
, identity
,
137 sha256
=False, expect_failure
=False, local_error_report
=False,
138 maybe_local_error
=False, report_failure
=False,
139 expect_cert_error
=None, **kwargs
):
140 id = dev
.connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
141 eap
=method
, identity
=identity
,
142 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
144 eap_check_auth(dev
, method
, True, sha256
=sha256
,
145 expect_failure
=expect_failure
,
146 local_error_report
=local_error_report
,
147 maybe_local_error
=maybe_local_error
,
148 report_failure
=report_failure
,
149 expect_cert_error
=expect_cert_error
)
153 ev
= hapd
.wait_event(["AP-STA-CONNECTED"], timeout
=5)
155 raise Exception("No connection event received from hostapd")
158 def eap_check_auth(dev
, method
, initial
, rsn
=True, sha256
=False,
159 expect_failure
=False, local_error_report
=False,
160 maybe_local_error
=False, report_failure
=False,
161 expect_cert_error
=None):
162 ev
= dev
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
164 raise Exception("Association and EAP start timed out")
165 ev
= dev
.wait_event(["CTRL-EVENT-EAP-METHOD",
166 "CTRL-EVENT-EAP-FAILURE"], timeout
=10)
168 raise Exception("EAP method selection timed out")
169 if "CTRL-EVENT-EAP-FAILURE" in ev
:
170 if maybe_local_error
:
172 raise Exception("Could not select EAP method")
174 raise Exception("Unexpected EAP method")
175 if expect_cert_error
is not None:
176 ev
= dev
.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
177 "CTRL-EVENT-EAP-FAILURE",
178 "CTRL-EVENT-EAP-SUCCESS"], timeout
=5)
179 if ev
is None or "reason=%d " % expect_cert_error
not in ev
:
180 raise Exception("Expected certificate error not reported")
182 ev
= dev
.wait_event(["CTRL-EVENT-EAP-FAILURE",
183 "CTRL-EVENT-EAP-SUCCESS"], timeout
=5)
185 raise Exception("EAP failure timed out")
186 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
187 raise Exception("Unexpected EAP success")
188 ev
= dev
.wait_disconnected(timeout
=10)
189 if maybe_local_error
and "locally_generated=1" in ev
:
191 if not local_error_report
:
192 if "reason=23" not in ev
:
193 raise Exception("Proper reason code for disconnection not reported")
196 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS",
197 "CTRL-EVENT-EAP-FAILURE"], timeout
=10)
199 raise Exception("EAP success timed out")
200 if "CTRL-EVENT-EAP-SUCCESS" not in ev
:
201 raise Exception("EAP failed")
203 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
205 raise Exception("EAP success timed out")
208 ev
= dev
.wait_event(["CTRL-EVENT-CONNECTED"], timeout
=10)
210 ev
= dev
.wait_event(["WPA: Key negotiation completed"], timeout
=10)
212 raise Exception("Association with the AP timed out")
213 status
= dev
.get_status()
214 if status
["wpa_state"] != "COMPLETED":
215 raise Exception("Connection not completed")
217 if status
["suppPortStatus"] != "Authorized":
218 raise Exception("Port not authorized")
219 if "selectedMethod" not in status
:
220 logger
.info("Status: " + str(status
))
221 raise Exception("No selectedMethod in status")
222 if method
not in status
["selectedMethod"]:
223 raise Exception("Incorrect EAP method status")
225 e
= "WPA2-EAP-SHA256"
227 e
= "WPA2/IEEE 802.1X/EAP"
229 e
= "WPA/IEEE 802.1X/EAP"
230 if status
["key_mgmt"] != e
:
231 raise Exception("Unexpected key_mgmt status: " + status
["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger EAP reauthentication on *dev* and validate the outcome.

    Sends the REAUTHENTICATE control command and then runs eap_check_auth()
    with initial=False so that only the re-authentication path is checked.

    Args:
        dev: wpa_supplicant control-interface wrapper.
        method: expected EAP method name, e.g. "SIM".
        rsn: forwarded to eap_check_auth().
        sha256: forwarded to eap_check_auth().
        expect_failure: forwarded to eap_check_auth().

    Returns:
        Whatever eap_check_auth() returns.
    """
    dev.request("REAUTHENTICATE")
    check_kwargs = {
        "rsn": rsn,
        "sha256": sha256,
        "expect_failure": expect_failure,
    }
    return eap_check_auth(dev, method, False, **check_kwargs)
239 def test_ap_wpa2_eap_sim(dev
, apdev
):
240 """WPA2-Enterprise connection using EAP-SIM"""
241 check_hlr_auc_gw_support()
242 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
243 hapd
= hostapd
.add_ap(apdev
[0], params
)
244 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
245 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
246 hwsim_utils
.test_connectivity(dev
[0], hapd
)
247 eap_reauth(dev
[0], "SIM")
249 eap_connect(dev
[1], hapd
, "SIM", "1232010000000001",
250 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
251 eap_connect(dev
[2], hapd
, "SIM", "1232010000000002",
252 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
255 logger
.info("Negative test with incorrect key")
256 dev
[0].request("REMOVE_NETWORK all")
257 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
258 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
261 logger
.info("Invalid GSM-Milenage key")
262 dev
[0].request("REMOVE_NETWORK all")
263 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
264 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
267 logger
.info("Invalid GSM-Milenage key(2)")
268 dev
[0].request("REMOVE_NETWORK all")
269 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
270 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
273 logger
.info("Invalid GSM-Milenage key(3)")
274 dev
[0].request("REMOVE_NETWORK all")
275 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
276 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
279 logger
.info("Invalid GSM-Milenage key(4)")
280 dev
[0].request("REMOVE_NETWORK all")
281 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
282 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
285 logger
.info("Missing key configuration")
286 dev
[0].request("REMOVE_NETWORK all")
287 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
290 def test_ap_wpa2_eap_sim_sql(dev
, apdev
, params
):
291 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
292 check_hlr_auc_gw_support()
296 raise HwsimSkip("No sqlite3 module available")
297 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
298 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
299 params
['auth_server_port'] = "1814"
300 hapd
= hostapd
.add_ap(apdev
[0], params
)
301 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
302 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
304 logger
.info("SIM fast re-authentication")
305 eap_reauth(dev
[0], "SIM")
307 logger
.info("SIM full auth with pseudonym")
310 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
311 eap_reauth(dev
[0], "SIM")
313 logger
.info("SIM full auth with permanent identity")
316 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
317 cur
.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
318 eap_reauth(dev
[0], "SIM")
320 logger
.info("SIM reauth with mismatching MK")
323 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
324 eap_reauth(dev
[0], "SIM", expect_failure
=True)
325 dev
[0].request("REMOVE_NETWORK all")
327 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
328 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
331 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
332 eap_reauth(dev
[0], "SIM")
335 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
336 logger
.info("SIM reauth with mismatching counter")
337 eap_reauth(dev
[0], "SIM")
338 dev
[0].request("REMOVE_NETWORK all")
340 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
341 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
344 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
345 logger
.info("SIM reauth with max reauth count reached")
346 eap_reauth(dev
[0], "SIM")
348 def test_ap_wpa2_eap_sim_config(dev
, apdev
):
349 """EAP-SIM configuration options"""
350 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
351 hapd
= hostapd
.add_ap(apdev
[0], params
)
352 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
353 identity
="1232010000000000",
354 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
355 phase1
="sim_min_num_chal=1",
356 wait_connect
=False, scan_freq
="2412")
357 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
359 raise Exception("No EAP error message seen")
360 dev
[0].request("REMOVE_NETWORK all")
362 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
363 identity
="1232010000000000",
364 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
365 phase1
="sim_min_num_chal=4",
366 wait_connect
=False, scan_freq
="2412")
367 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
369 raise Exception("No EAP error message seen (2)")
370 dev
[0].request("REMOVE_NETWORK all")
372 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
373 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
374 phase1
="sim_min_num_chal=2")
375 eap_connect(dev
[1], hapd
, "SIM", "1232010000000000",
376 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
377 anonymous_identity
="345678")
379 def test_ap_wpa2_eap_sim_ext(dev
, apdev
):
380 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
382 _test_ap_wpa2_eap_sim_ext(dev
, apdev
)
384 dev
[0].request("SET external_sim 0")
386 def _test_ap_wpa2_eap_sim_ext(dev
, apdev
):
387 check_hlr_auc_gw_support()
388 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
389 hostapd
.add_ap(apdev
[0], params
)
390 dev
[0].request("SET external_sim 1")
391 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
392 identity
="1232010000000000",
393 wait_connect
=False, scan_freq
="2412")
394 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
396 raise Exception("Network connected timed out")
398 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
400 raise Exception("Wait for external SIM processing request timed out")
402 if p
[1] != "GSM-AUTH":
403 raise Exception("Unexpected CTRL-REQ-SIM type")
404 rid
= p
[0].split('-')[3]
407 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
408 # This will fail during processing, but the ctrl_iface command succeeds
409 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTH:" + resp
)
410 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
412 raise Exception("EAP failure not reported")
413 dev
[0].request("DISCONNECT")
414 dev
[0].wait_disconnected()
417 dev
[0].select_network(id, freq
="2412")
418 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
420 raise Exception("Wait for external SIM processing request timed out")
422 if p
[1] != "GSM-AUTH":
423 raise Exception("Unexpected CTRL-REQ-SIM type")
424 rid
= p
[0].split('-')[3]
425 # This will fail during GSM auth validation
426 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:q"):
427 raise Exception("CTRL-RSP-SIM failed")
428 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
430 raise Exception("EAP failure not reported")
431 dev
[0].request("DISCONNECT")
432 dev
[0].wait_disconnected()
435 dev
[0].select_network(id, freq
="2412")
436 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
438 raise Exception("Wait for external SIM processing request timed out")
440 if p
[1] != "GSM-AUTH":
441 raise Exception("Unexpected CTRL-REQ-SIM type")
442 rid
= p
[0].split('-')[3]
443 # This will fail during GSM auth validation
444 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:34"):
445 raise Exception("CTRL-RSP-SIM failed")
446 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
448 raise Exception("EAP failure not reported")
449 dev
[0].request("DISCONNECT")
450 dev
[0].wait_disconnected()
453 dev
[0].select_network(id, freq
="2412")
454 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
456 raise Exception("Wait for external SIM processing request timed out")
458 if p
[1] != "GSM-AUTH":
459 raise Exception("Unexpected CTRL-REQ-SIM type")
460 rid
= p
[0].split('-')[3]
461 # This will fail during GSM auth validation
462 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677"):
463 raise Exception("CTRL-RSP-SIM failed")
464 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
466 raise Exception("EAP failure not reported")
467 dev
[0].request("DISCONNECT")
468 dev
[0].wait_disconnected()
471 dev
[0].select_network(id, freq
="2412")
472 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
474 raise Exception("Wait for external SIM processing request timed out")
476 if p
[1] != "GSM-AUTH":
477 raise Exception("Unexpected CTRL-REQ-SIM type")
478 rid
= p
[0].split('-')[3]
479 # This will fail during GSM auth validation
480 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:q"):
481 raise Exception("CTRL-RSP-SIM failed")
482 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
484 raise Exception("EAP failure not reported")
485 dev
[0].request("DISCONNECT")
486 dev
[0].wait_disconnected()
489 dev
[0].select_network(id, freq
="2412")
490 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
492 raise Exception("Wait for external SIM processing request timed out")
494 if p
[1] != "GSM-AUTH":
495 raise Exception("Unexpected CTRL-REQ-SIM type")
496 rid
= p
[0].split('-')[3]
497 # This will fail during GSM auth validation
498 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233"):
499 raise Exception("CTRL-RSP-SIM failed")
500 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
502 raise Exception("EAP failure not reported")
503 dev
[0].request("DISCONNECT")
504 dev
[0].wait_disconnected()
507 dev
[0].select_network(id, freq
="2412")
508 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
510 raise Exception("Wait for external SIM processing request timed out")
512 if p
[1] != "GSM-AUTH":
513 raise Exception("Unexpected CTRL-REQ-SIM type")
514 rid
= p
[0].split('-')[3]
515 # This will fail during GSM auth validation
516 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233:q"):
517 raise Exception("CTRL-RSP-SIM failed")
518 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
520 raise Exception("EAP failure not reported")
522 def test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
):
523 """EAP-SIM with external GSM auth and replacing SIM without clearing pseudonym id"""
525 _test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
)
527 dev
[0].request("SET external_sim 0")
529 def _test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
):
530 check_hlr_auc_gw_support()
531 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
532 hostapd
.add_ap(apdev
[0], params
)
533 dev
[0].request("SET external_sim 1")
534 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
535 identity
="1232010000000000",
536 wait_connect
=False, scan_freq
="2412")
538 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
540 raise Exception("Wait for external SIM processing request timed out")
542 if p
[1] != "GSM-AUTH":
543 raise Exception("Unexpected CTRL-REQ-SIM type")
544 rid
= p
[0].split('-')[3]
545 rand
= p
[2].split(' ')[0]
547 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
549 "auth_serv/hlr_auc_gw.milenage_db",
550 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
551 if "GSM-AUTH-RESP" not in res
:
552 raise Exception("Unexpected hlr_auc_gw response")
553 resp
= res
.split(' ')[2].rstrip()
555 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
556 dev
[0].wait_connected(timeout
=15)
557 dev
[0].request("DISCONNECT")
558 dev
[0].wait_disconnected()
560 # Replace SIM, but forget to drop the previous pseudonym identity
561 dev
[0].set_network_quoted(id, "identity", "1232010000000009")
562 dev
[0].select_network(id, freq
="2412")
564 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
566 raise Exception("Wait for external SIM processing request timed out")
568 if p
[1] != "GSM-AUTH":
569 raise Exception("Unexpected CTRL-REQ-SIM type")
570 rid
= p
[0].split('-')[3]
571 rand
= p
[2].split(' ')[0]
573 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
575 "auth_serv/hlr_auc_gw.milenage_db",
576 "GSM-AUTH-REQ 232010000000009 " + rand
]).decode()
577 if "GSM-AUTH-RESP" not in res
:
578 raise Exception("Unexpected hlr_auc_gw response")
579 resp
= res
.split(' ')[2].rstrip()
581 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
582 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
584 raise Exception("EAP-Failure not reported")
585 dev
[0].request("DISCONNECT")
586 dev
[0].wait_disconnected()
588 def test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
):
589 """EAP-SIM with external GSM auth and replacing SIM and clearing pseudonym identity"""
591 _test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
)
593 dev
[0].request("SET external_sim 0")
595 def _test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
):
596 check_hlr_auc_gw_support()
597 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
598 hostapd
.add_ap(apdev
[0], params
)
599 dev
[0].request("SET external_sim 1")
600 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
601 identity
="1232010000000000",
602 wait_connect
=False, scan_freq
="2412")
604 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
606 raise Exception("Wait for external SIM processing request timed out")
608 if p
[1] != "GSM-AUTH":
609 raise Exception("Unexpected CTRL-REQ-SIM type")
610 rid
= p
[0].split('-')[3]
611 rand
= p
[2].split(' ')[0]
613 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
615 "auth_serv/hlr_auc_gw.milenage_db",
616 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
617 if "GSM-AUTH-RESP" not in res
:
618 raise Exception("Unexpected hlr_auc_gw response")
619 resp
= res
.split(' ')[2].rstrip()
621 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
622 dev
[0].wait_connected(timeout
=15)
623 dev
[0].request("DISCONNECT")
624 dev
[0].wait_disconnected()
626 # Replace SIM and drop the previous pseudonym identity
627 dev
[0].set_network_quoted(id, "identity", "1232010000000009")
628 dev
[0].set_network(id, "anonymous_identity", "NULL")
629 dev
[0].select_network(id, freq
="2412")
631 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
633 raise Exception("Wait for external SIM processing request timed out")
635 if p
[1] != "GSM-AUTH":
636 raise Exception("Unexpected CTRL-REQ-SIM type")
637 rid
= p
[0].split('-')[3]
638 rand
= p
[2].split(' ')[0]
640 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
642 "auth_serv/hlr_auc_gw.milenage_db",
643 "GSM-AUTH-REQ 232010000000009 " + rand
]).decode()
644 if "GSM-AUTH-RESP" not in res
:
645 raise Exception("Unexpected hlr_auc_gw response")
646 resp
= res
.split(' ')[2].rstrip()
648 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
649 dev
[0].wait_connected()
650 dev
[0].request("DISCONNECT")
651 dev
[0].wait_disconnected()
653 def test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
):
654 """EAP-SIM with external GSM auth, replacing SIM, and no identity in config"""
656 _test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
)
658 dev
[0].request("SET external_sim 0")
660 def _test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
):
661 check_hlr_auc_gw_support()
662 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
663 hostapd
.add_ap(apdev
[0], params
)
664 dev
[0].request("SET external_sim 1")
665 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
666 wait_connect
=False, scan_freq
="2412")
668 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
670 raise Exception("Request for identity timed out")
671 rid
= ev
.split(':')[0].split('-')[-1]
672 dev
[0].request("CTRL-RSP-IDENTITY-" + rid
+ ":1232010000000000")
674 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
676 raise Exception("Wait for external SIM processing request timed out")
678 if p
[1] != "GSM-AUTH":
679 raise Exception("Unexpected CTRL-REQ-SIM type")
680 rid
= p
[0].split('-')[3]
681 rand
= p
[2].split(' ')[0]
683 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
685 "auth_serv/hlr_auc_gw.milenage_db",
686 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
687 if "GSM-AUTH-RESP" not in res
:
688 raise Exception("Unexpected hlr_auc_gw response")
689 resp
= res
.split(' ')[2].rstrip()
691 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
692 dev
[0].wait_connected(timeout
=15)
693 dev
[0].request("DISCONNECT")
694 dev
[0].wait_disconnected()
696 # Replace SIM and drop the previous permanent and pseudonym identities
697 dev
[0].set_network(id, "identity", "NULL")
698 dev
[0].set_network(id, "anonymous_identity", "NULL")
699 dev
[0].select_network(id, freq
="2412")
701 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
703 raise Exception("Request for identity timed out")
704 rid
= ev
.split(':')[0].split('-')[-1]
705 dev
[0].request("CTRL-RSP-IDENTITY-" + rid
+ ":1232010000000009")
707 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
709 raise Exception("Wait for external SIM processing request timed out")
711 if p
[1] != "GSM-AUTH":
712 raise Exception("Unexpected CTRL-REQ-SIM type")
713 rid
= p
[0].split('-')[3]
714 rand
= p
[2].split(' ')[0]
716 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
718 "auth_serv/hlr_auc_gw.milenage_db",
719 "GSM-AUTH-REQ 232010000000009 " + rand
]).decode()
720 if "GSM-AUTH-RESP" not in res
:
721 raise Exception("Unexpected hlr_auc_gw response")
722 resp
= res
.split(' ')[2].rstrip()
724 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
725 dev
[0].wait_connected()
726 dev
[0].request("DISCONNECT")
727 dev
[0].wait_disconnected()
729 def test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
):
730 """EAP-SIM with external GSM auth and auth failing"""
732 _test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
)
734 dev
[0].request("SET external_sim 0")
736 def _test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
):
737 check_hlr_auc_gw_support()
738 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
739 hostapd
.add_ap(apdev
[0], params
)
740 dev
[0].request("SET external_sim 1")
741 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
742 identity
="1232010000000000",
743 wait_connect
=False, scan_freq
="2412")
745 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
747 raise Exception("Wait for external SIM processing request timed out")
749 rid
= p
[0].split('-')[3]
750 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-FAIL")
751 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
753 raise Exception("EAP failure not reported")
754 dev
[0].request("REMOVE_NETWORK all")
755 dev
[0].wait_disconnected()
757 def test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
):
758 """EAP-SIM and external GSM auth to check fast reauth with bssid change"""
760 _test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
)
762 dev
[0].request("SET external_sim 0")
764 def _test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
):
765 check_hlr_auc_gw_support()
766 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
767 hostapd
.add_ap(apdev
[0], params
)
768 dev
[0].request("SET external_sim 1")
769 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
770 identity
="1232010000000000",
771 wait_connect
=False, scan_freq
="2412")
773 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
775 raise Exception("Wait for external SIM processing request timed out")
777 if p
[1] != "GSM-AUTH":
778 raise Exception("Unexpected CTRL-REQ-SIM type")
779 rid
= p
[0].split('-')[3]
780 rand
= p
[2].split(' ')[0]
782 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
784 "auth_serv/hlr_auc_gw.milenage_db",
785 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
786 if "GSM-AUTH-RESP" not in res
:
787 raise Exception("Unexpected hlr_auc_gw response")
788 resp
= res
.split(' ')[2].rstrip()
790 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
791 dev
[0].wait_connected(timeout
=15)
793 # Verify that EAP-SIM Reauthentication can be used after a profile change
794 # that does not affect EAP parameters.
795 dev
[0].set_network(id, "bssid", "any")
796 eap_reauth(dev
[0], "SIM")
798 def test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
):
799 """EAP-SIM and external GSM auth to check fast reauth with no-change SET_NETWORK"""
801 _test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
)
803 dev
[0].request("SET external_sim 0")
805 def _test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
):
806 check_hlr_auc_gw_support()
807 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
808 hostapd
.add_ap(apdev
[0], params
)
809 dev
[0].request("SET external_sim 1")
810 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
811 identity
="1232010000000000",
812 wait_connect
=False, scan_freq
="2412")
814 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
816 raise Exception("Wait for external SIM processing request timed out")
818 if p
[1] != "GSM-AUTH":
819 raise Exception("Unexpected CTRL-REQ-SIM type")
820 rid
= p
[0].split('-')[3]
821 rand
= p
[2].split(' ')[0]
823 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
825 "auth_serv/hlr_auc_gw.milenage_db",
826 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
827 if "GSM-AUTH-RESP" not in res
:
828 raise Exception("Unexpected hlr_auc_gw response")
829 resp
= res
.split(' ')[2].rstrip()
831 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
832 dev
[0].wait_connected(timeout
=15)
834 # Verify that EAP-SIM Reauthentication can be used after network profile
835 # SET_NETWORK commands that do not actually change previously set
837 dev
[0].set_network(id, "key_mgmt", "WPA-EAP")
838 dev
[0].set_network(id, "eap", "SIM")
839 dev
[0].set_network_quoted(id, "identity", "1232010000000000")
840 dev
[0].set_network_quoted(id, "ssid", "test-wpa2-eap")
841 eap_reauth(dev
[0], "SIM")
843 def test_ap_wpa2_eap_sim_ext_anonymous(dev
, apdev
):
844 """EAP-SIM with external GSM auth and anonymous identity"""
845 check_hlr_auc_gw_support()
846 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
847 hostapd
.add_ap(apdev
[0], params
)
849 run_ap_wpa2_eap_sim_ext_anonymous(dev
, "anonymous@example.org")
850 run_ap_wpa2_eap_sim_ext_anonymous(dev
, "@example.org")
852 dev
[0].request("SET external_sim 0")
854 def run_ap_wpa2_eap_sim_ext_anonymous(dev
, anon
):
855 dev
[0].request("SET external_sim 1")
856 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
857 identity
="1232010000000000",
858 anonymous_identity
=anon
,
859 wait_connect
=False, scan_freq
="2412")
861 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
863 raise Exception("Wait for external SIM processing request timed out")
865 if p
[1] != "GSM-AUTH":
866 raise Exception("Unexpected CTRL-REQ-SIM type")
867 rid
= p
[0].split('-')[3]
868 rand
= p
[2].split(' ')[0]
870 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
872 "auth_serv/hlr_auc_gw.milenage_db",
873 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
874 if "GSM-AUTH-RESP" not in res
:
875 raise Exception("Unexpected hlr_auc_gw response")
876 resp
= res
.split(' ')[2].rstrip()
878 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
879 dev
[0].wait_connected(timeout
=5)
880 dev
[0].request("REMOVE_NETWORK all")
881 dev
[0].wait_disconnected()
882 dev
[0].dump_monitor()
def test_ap_wpa2_eap_sim_oom(dev, apdev):
    """EAP-SIM and OOM"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # Make the 1st, 2nd, ... 12th allocation inside milenage_f2345 fail in
    # turn. Each attempt must still get as far as selecting the EAP method
    # and must then drop the connection instead of completing it.
    for count in range(1, 13):
        with fail_test(dev[0], count, "milenage_f2345"):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                           identity="1232010000000000",
                           password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            if ev is None:
                raise Exception("EAP method not selected")
            dev[0].wait_disconnected()
            dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    imsi = "0232010000000000"
    eap_connect(dev[0], hapd, "AKA", imsi,
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA")

    # Negative cases as (log message, remove old profile first, password).
    # A wrong key, a truncated key, a non-hex character in each of the three
    # colon-separated fields and a wrong field separator must all end in an
    # EAP failure. Note that no REMOVE_NETWORK is issued between cases
    # (2)-(4).
    negative = [
        ("Negative test with incorrect key", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a"),
        ("Invalid Milenage key(2)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key(3)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123"),
        ("Invalid Milenage key(4)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q"),
        ("Invalid Milenage key(5)", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123"),
        ("Invalid Milenage key(6)", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123"),
    ]
    for msg, remove_first, pw in negative:
        logger.info(msg)
        if remove_first:
            dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], hapd, "AKA", imsi, password=pw,
                    expect_failure=True)

    # No password at all: the method cannot run without key material.
    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "AKA", imsi, expect_failure=True)
def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)"""
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    # The authentication server keeps its EAP-AKA reauth and pseudonym state
    # in this database; the test edits it directly between exchanges.
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def sql(stmt):
        # One statement per transaction; "with con" commits on success.
        with con:
            con.cursor().execute(stmt)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "1814"
    hapd = hostapd.add_ap(apdev[0], params)
    imsi = "0232010000000000"
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], hapd, "AKA", imsi, password=key)

    logger.info("AKA fast re-authentication")
    eap_reauth(dev[0], "AKA")

    # Without reauth state the server must fall back to a full
    # authentication using the pseudonym.
    logger.info("AKA full auth with pseudonym")
    sql("DELETE FROM reauth WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")

    # Without pseudonym state either, the permanent identity is used.
    logger.info("AKA full auth with permanent identity")
    sql("DELETE FROM reauth WHERE permanent='0232010000000000'")
    sql("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")

    # A server-side master key that no longer matches the peer's must make
    # the fast reauth fail rather than succeed with a wrong key.
    logger.info("AKA reauth with mismatching MK")
    sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], hapd, "AKA", imsi, password=key)
    sql("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")

    sql("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with mismatching counter")
    eap_reauth(dev[0], "AKA")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], hapd, "AKA", imsi, password=key)
    sql("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with max reauth count reached")
    eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # An explicitly configured anonymous_identity must not break EAP-AKA.
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                anonymous_identity="2345678")
def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
    try:
        _test_ap_wpa2_eap_aka_ext(dev, apdev)
    finally:
        # Restore normal SIM handling even when the test body raised.
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    # Body of test_ap_wpa2_eap_aka_ext: drive EAP-AKA with external UMTS
    # authentication and feed a series of malformed CTRL-RSP-SIM replies,
    # each of which must be rejected with an EAP failure.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    netid = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                           identity="0232010000000000",
                           password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                           wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:
        raise Exception("Network connected timed out")

    def wait_umts_auth_req():
        # Wait for wpa_supplicant to ask the external SIM for a UMTS-AUTH
        # and return the request id needed to answer it.
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':', 2)
        if p[1] != "UMTS-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return p[0].split('-')[3]

    def answer(rid, payload):
        # The ctrl_iface must accept the reply; rejection happens later in
        # the EAP method.
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + payload):
            raise Exception("CTRL-RSP-SIM failed")

    def expect_eap_failure():
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        if ev is None:
            raise Exception("EAP failure not reported")
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()

    # A GSM-AUTH reply to a UMTS-AUTH request: the ctrl_iface command
    # succeeds, but processing of the reply fails.
    rid = wait_umts_auth_req()
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    expect_eap_failure()

    # Two AUTS (resynchronization) values that fail UMTS auth validation.
    dev[0].select_network(netid, freq="2412")
    rid = wait_umts_auth_req()
    answer(rid, ":UMTS-AUTS:112233445566778899aabbccddee")
    rid = wait_umts_auth_req()
    answer(rid, ":UMTS-AUTS:12")
    expect_eap_failure()

    # Malformed UMTS-AUTH replies: wrong separators, short/long fields and a
    # non-hex character. Each fails UMTS auth validation.
    tests = [":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
             # NOTE(review): one further vector (original line 1102) was lost
             # in this rendering of the file; restore it from upstream.
             ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q"]
    for t in tests:
        dev[0].select_network(netid, freq="2412")
        rid = wait_umts_auth_req()
        answer(rid, t)
        expect_eap_failure()
def test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    """EAP-AKA with external UMTS auth and auth failing"""
    try:
        _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev)
    finally:
        # Restore normal SIM handling even when the test body raised.
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    # Body of test_ap_wpa2_eap_aka_ext_auth_fail: the external SIM reports
    # UMTS-FAIL and the EAP exchange must end in a reported failure.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                   identity="0232010000000000",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    rid = ev.split(':', 2)[0].split('-')[3]
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    imsi = "6555444333222111"
    key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    eap_connect(dev[0], hapd, "AKA'", imsi, password=key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA'")

    # With both AKA' and AKA enabled on the peer, the connection must still
    # complete (AKA' bidding protection against a downgrade to AKA).
    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity=imsi + "@both",
                   password=key,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "AKA'", imsi,
                password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                expect_failure=True)
def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    # The authentication server keeps its EAP-AKA' reauth and pseudonym
    # state in this database; the test edits it directly between exchanges.
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def sql(stmt):
        # One statement per transaction; "with con" commits on success.
        with con:
            con.cursor().execute(stmt)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "1814"
    hapd = hostapd.add_ap(apdev[0], params)
    imsi = "6555444333222111"
    key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    eap_connect(dev[0], hapd, "AKA'", imsi, password=key)

    logger.info("AKA' fast re-authentication")
    eap_reauth(dev[0], "AKA'")

    # Without reauth state the server must fall back to a full
    # authentication using the pseudonym.
    logger.info("AKA' full auth with pseudonym")
    sql("DELETE FROM reauth WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")

    # Without pseudonym state either, the permanent identity is used.
    logger.info("AKA' full auth with permanent identity")
    sql("DELETE FROM reauth WHERE permanent='6555444333222111'")
    sql("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")

    # A server-side K_aut that no longer matches the peer's must make the
    # fast reauth fail.
    logger.info("AKA' reauth with mismatching k_aut")
    sql("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], hapd, "AKA'", imsi, password=key)
    sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")

    sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with mismatching counter")
    eap_reauth(dev[0], "AKA'")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], hapd, "AKA'", imsi, password=key)
    sql("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with max reauth count reached")
    eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    """EAP-AKA' with external UMTS auth and auth failing"""
    try:
        _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev)
    finally:
        # Restore normal SIM handling even when the test body raised.
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    # Body of test_ap_wpa2_eap_aka_prime_ext_auth_fail: the external SIM
    # reports UMTS-FAIL and the EAP exchange must end in a reported failure.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    dev[0].connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
                   identity="6555444333222111",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    rid = ev.split(':', 2)[0].split('-')[3]
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_aka_prime_ext(dev, apdev):
    """EAP-AKA' with external UMTS auth to hit Synchronization-Failure"""
    try:
        _test_ap_wpa2_eap_aka_prime_ext(dev, apdev)
    finally:
        # Restore normal SIM handling even when the test body raised.
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_prime_ext(dev, apdev):
    # Body of test_ap_wpa2_eap_aka_prime_ext: answer the first UMTS-AUTH
    # with an AUTS value and verify that the server issues a new challenge.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    dev[0].connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
                   identity="6555444333222111",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:
        raise Exception("Network connected timed out")

    def wait_umts_auth_req():
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        return ev

    p = wait_umts_auth_req().split(':', 2)
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # The AUTS reply fails UMTS auth validation (Synchronization-Failure);
    # the server is then expected to send another UMTS-AUTH request.
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
        raise Exception("CTRL-RSP-SIM failed")
    wait_umts_auth_req()
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Sanity check the AP configuration before the EAP exchange.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the 802.1X (EAP) AKM suite selector.
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                       ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")])
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Server certificate constraints on top of the CA check: the subject
    # must match and every listed SAN entry must be present.
    cert_checks = dict(subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                       altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                **cert_checks)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_pap_check_cert_subject(dev, apdev):
    """EAP-TTLS/PAP and check_cert_subject"""
    check_check_cert_subject_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Each pattern must be accepted against the server certificate subject.
    tests = ["C=FI/O=w1.fi/CN=server.w1.fi",
             # NOTE(review): further patterns on original lines 1333 and
             # 1336-1340 were lost in this rendering of the file; restore them
             # from upstream.
             "C=FI/CN=server.w1.fi",
             "O=w1.fi/CN=server.w1.fi"]
    for test in tests:
        eap_connect(dev[0], hapd, "TTLS", "pap user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                    check_cert_subject=test)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()
# NOTE(review): this rendering of the file dropped original lines 1355-1363,
# which hold the list of check_cert_subject patterns that must be rejected
# (expect_cert_error=12) and the loop header over them. Restore those lines
# from upstream before reformatting this test.
1350 def test_ap_wpa2_eap_ttls_pap_check_cert_subject_neg(dev
, apdev
):
1351 """EAP-TTLS/PAP and check_cert_subject (negative)"""
1352 check_check_cert_subject_support(dev
[0])
1353 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1354 hapd
= hostapd
.add_ap(apdev
[0], params
)
1364 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
1365 anonymous_identity
="ttls", password
="password",
1366 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
1367 expect_failure
=True, expect_cert_error
=12,
1368 check_cert_subject
=test
)
1369 dev
[0].request("REMOVE_NETWORK all")
1370 dev
[0].dump_monitor()
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                  expect_failure=True)
    # Wrong password for a PAP user, and the right password for a user that
    # is not a PAP user: both must be rejected.
    eap_connect(dev[0], hapd, "TTLS", "pap user", password="wrong", **common)
    eap_connect(dev[1], hapd, "TTLS", "user", password="password", **common)
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # The CA certificate is given in DER form here (PEM in the PAP tests).
    eap_connect(dev[0], hapd, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Same SAN entries as the PAP variant, listed in a different order.
    san = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], hapd, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=san)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                  expect_failure=True)
    # Wrong password for a CHAP user, and the right password for a user that
    # is not a CHAP user: both must be rejected.
    eap_connect(dev[0], hapd, "TTLS", "chap user", password="wrong", **common)
    eap_connect(dev[1], hapd, "TTLS", "user", password="password", **common)
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    skip_with_fips(dev[0])
    check_domain_suffix_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")

    # Baseline connection with server name pinned via domain_suffix_match.
    eap_connect(dev[0], hapd, "TTLS", "mschap user", password="password",
                domain_suffix_match="server.w1.fi", **common)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    dev[0].request("REMOVE_NETWORK all")

    # Small EAP fragments to force fragmentation of the TLS handshake.
    eap_connect(dev[0], hapd, "TTLS", "mschap user", password="password",
                fragment_size="200", **common)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Password supplied as the stored NT hash instead of cleartext.
    eap_connect(dev[0], hapd, "TTLS", "mschap user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **common)
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                  expect_failure=True)
    # Wrong password, wrong user type and unknown user: all rejected, and the
    # unknown user must not be distinguishable by succeeding.
    cases = [(0, "mschap user", "wrong"),
             (1, "user", "password"),
             (2, "no such user", "password")]
    for idx, user, pw in cases:
        eap_connect(dev[idx], hapd, "TTLS", user, password=pw, **common)
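def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # The backslash is escaped explicitly: the runtime string is still
    # DOMAIN\mschapv2 user, but without relying on Python's lenient handling
    # of the unknown "\m" escape (a SyntaxWarning on recent interpreters).
    identity = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], hapd, "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)

    # Snapshot the authenticator's per-STA counters, reauthenticate, and
    # verify the reauthentication is reflected in them.
    addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(addr)
    eapol1 = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(addr)
    eapol2 = hapd.get_sta(addr, info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # The stored NT hash can be configured in place of the cleartext password.
    eap_connect(dev[0], hapd, "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")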
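def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
    """EAP-TTLS with invalid phase2 parameter values"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # Wrong-case method name, duplicated or conflicting auth/autheap
    # selections and an unknown autheap method. For each one EAP-TTLS must
    # be proposed and then fail to initialize; reaching CTRL-EVENT-CONNECTED
    # is a test failure.
    tests = ["auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
             "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
             "autheap=MD5 autheap=FOO autheap=MSCHAPV2"]
    for t in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       # Escaped backslash: same runtime value as before,
                       # without the invalid "\m" escape sequence.
                       identity="DOMAIN\\mschapv2 user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2=t,
                       wait_connect=False, scan_freq="2412")
        # method=21 is EAP-TTLS.
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
        if ev is None or "method=21" not in ev:
            raise Exception("EAP-TTLS not started")
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method",
                                "CTRL-EVENT-CONNECTED"], timeout=5)
        if ev is None or "CTRL-EVENT-CONNECTED" in ev:
            raise Exception("No EAP-TTLS failure reported for phase2=" + t)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()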
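def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # domain_suffix_match with the parent domain only: server.w1.fi must be
    # accepted as a suffix match of w1.fi.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")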
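def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Full-domain match; the mixed-case value checks that the comparison is
    # case-insensitive for the server's DNS name.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")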
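def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                  expect_failure=True)
    # Wrong password for an MSCHAPv2 user ("\\" keeps the runtime identity
    # DOMAIN\mschapv2 user without an invalid escape sequence), and the right
    # password for a user that is not an MSCHAPv2 user: both rejected.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                password="password1", **common)
    eap_connect(dev[1], hapd, "TTLS", "user", password="password", **common)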
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # Non-ASCII password given as text ...
    eap_connect(dev[0], hapd, "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **common)
    # ... and a password given as a pre-computed NT hash.
    eap_connect(dev[1], hapd, "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf", **common)
    # password_hex values that are unusable (apparently invalid UTF-8 bytes
    # and an over-long value) must end in an EAP failure.
    for bad in ["80", "41c041e04141e041", 257*"41"]:
        dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="TTLS", identity="utf8-user-hash",
                       password_hex=bad,
                       wait_connect=False, scan_freq="2412", **common)
        ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1)
        if ev is None:
            raise Exception("No failure reported")
        dev[2].request("REMOVE_NETWORK all")
        dev[2].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # EAP-GTC as the tunneled inner EAP method (autheap=, not auth=).
    eap_connect(dev[0], hapd, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    kwargs = dict(anonymous_identity="ttls", password="wrong",
                  ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                  expect_failure=True)
    eap_connect(dev[0], hapd, "TTLS", "user", **kwargs)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # The server has no password for this user; the attempt must fail.
    kwargs = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                  expect_failure=True)
    eap_connect(dev[0], hapd, "TTLS", "user-no-passwd", **kwargs)
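def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    # Allocation failure in eap_gtc_init on the server: the inner method
    # cannot start and the authentication must fail cleanly.
    with alloc_fail(hapd, 1, "eap_gtc_init"):
        eap_connect(dev[0], hapd, "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # Allocation failure in eap_gtc_buildReq. The exchange would eventually
    # time out on its own; instead wait only until the failure trigger has
    # been consumed, using the shared helper (as the peer-side OOM test
    # does) rather than a hand-rolled poll loop that gives up silently.
    with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(hapd, "GET_ALLOC_FAIL")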
def test_ap_wpa2_eap_ttls_eap_gtc_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC (OOM)"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    # Peer-side allocation failures in the inner EAP-GTC method; each one
    # must be hit (wait_fail_trigger) and must not produce a connection.
    for func in ["eap_gtc_init", "eap_msg_alloc;eap_gtc_process"]:
        with alloc_fail(dev[0], 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           eap="TTLS", identity="user",
                           anonymous_identity="ttls", password="password",
                           ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    # Data must flow over the resulting association, and the inner method
    # must survive an EAP reauthentication.
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # A wrong inner password must produce an authentication failure.
    profile = dict(anonymous_identity="ttls", password="wrong",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], ap, "TTLS", "user", expect_failure=True, **profile)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The "user-no-passwd" identity is expected to be rejected.
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0], int_eap_server_params())
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")

    # Server fails to allocate the inner method state: clean failure.
    with alloc_fail(ap, 1, "eap_md5_init"):
        eap_connect(dev[0], ap, "TTLS", "user", expect_failure=True, **inner)
        dev[0].request("REMOVE_NETWORK all")

    # Server fails while building the MD5 request; the association never
    # completes, so only poll until the failure point has been reached.
    with alloc_fail(ap, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       wait_connect=False, scan_freq="2412", **inner)
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # NOTE(review): the loop/sleep/break lines around this check (original
        # lines 1704, 1705 and 1707) are absent from the rendered source; the
        # bounded poll below is a reconstruction -- confirm against upstream.
        for _ in range(20):
            time.sleep(0.1)
            if ap.request("GET_ALLOC_FAIL").startswith('0'):
                break
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)

    def connect(password, **extra):
        # Same TTLS/MSCHAPv2 profile every time; only the password differs.
        eap_connect(dev[0], ap, "TTLS", "user",
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    **extra)

    connect("password")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    connect("password1", expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The "user-no-passwd" identity is expected to be rejected.
    profile = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd",
                expect_failure=True, **profile)
def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0], int_eap_server_params())
    sta = dev[0]

    # Server fails to allocate the inner method state: clean failure.
    with alloc_fail(ap, 1, "eap_mschapv2_init"):
        eap_connect(sta, ap, "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    expect_failure=True)
        sta.request("REMOVE_NETWORK all")

    def start_connect(password):
        # Start the association without waiting: with the server-side
        # allocation failure in place it can never complete.
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                    eap="TTLS", identity="user",
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    wait_connect=False, scan_freq="2412")

    def wait_alloc_fail_hit():
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # NOTE(review): the loop/sleep/break lines around this check (original
        # lines 1757-1760, 1771-1774, 1785-1788) are absent from the rendered
        # source; the bounded poll is a reconstruction -- confirm upstream.
        for _ in range(20):
            time.sleep(0.1)
            if ap.request("GET_ALLOC_FAIL").startswith('0'):
                break

    # Remaining server-side allocation points, one attempt each. The failure
    # request is only built when the password is wrong.
    cases = (("eap_mschapv2_build_challenge", "password"),
             ("eap_mschapv2_build_success_req", "password"),
             ("eap_mschapv2_build_failure_req", "wrong"))
    for func, password in cases:
        with alloc_fail(ap, 1, func):
            start_connect(password)
            wait_alloc_fail_hit()
            sta.request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The password field carries the simulated SIM's secrets as two
    # colon-separated hex values (presumably Ki:OPc; see the auth_serv
    # Milenage database used by the test server).
    sim_secret = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    eap_connect(dev[0], ap, "TTLS", "1232010000000000",
                anonymous_identity="1232010000000000@ttls",
                password=sim_secret,
                ca_cert="auth_serv/ca.pem", phase2="autheap=SIM")
    eap_reauth(dev[0], "TTLS")
def run_ext_sim_auth(dev):
    # Serve one external-SIM GSM authentication round for *dev*: take the
    # CTRL-REQ-SIM request, run the GSM-AUTH-REQ through hlr_auc_gw, feed the
    # answer back over the control interface, then verify that an EAP
    # reauthentication also completes.
    # NOTE(review): the "if ev is None:" guards, the "-m" argument line
    # (original 1812) and the two dump_monitor() lines (original 1821 and
    # 1830) are absent from the rendered source and were reconstructed --
    # confirm against the upstream file.
    req = dev.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if req is None:
        raise Exception("Wait for external SIM processing request timed out")
    parts = req.split(':', 2)
    if parts[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = parts[0].split('-')[3]
    rand = parts[2].split(' ')[0]

    cmd = ["../../hostapd/hlr_auc_gw",
           "-m",
           "auth_serv/hlr_auc_gw.milenage_db",
           "GSM-AUTH-REQ 232010000000000 " + rand]
    out = subprocess.check_output(cmd).decode()
    if "GSM-AUTH-RESP" not in out:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = out.split(' ')[2].rstrip()

    dev.request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev.wait_connected(timeout=15)
    dev.dump_monitor()

    dev.request("REAUTHENTICATE")
    expected = ((["CTRL-EVENT-EAP-SUCCESS"],
                 "EAP reauthentication did not succeed"),
                (["WPA: Key negotiation completed"],
                 "Key negotiation did not complete"))
    for events, error in expected:
        if dev.wait_event(events, timeout=5) is None:
            raise Exception(error)
    dev.dump_monitor()
def test_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    # NOTE(review): the try/finally lines (original 1835 and 1837) are absent
    # from the rendered source; reconstructed so that external_sim is always
    # reset for the next test.
    try:
        run_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def run_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev):
    # Body of test_ap_wpa2_eap_ttls_eap_sim_ext; the caller resets
    # external_sim afterwards.
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    sta.request("SET external_sim 1")
    # Do not wait for the connection: the SIM round-trip is served manually
    # by run_ext_sim_auth().
    sta.connect("test-wpa2-eap", eap="TTLS", key_mgmt="WPA-EAP",
                identity="1232010000000000",
                anonymous_identity="1232010000000000@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                ca_cert="auth_serv/ca.pem", phase2="autheap=SIM",
                wait_connect=False, scan_freq="2412")
    run_ext_sim_auth(sta)
def test_ap_wpa2_eap_peap_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    sim_profile = dict(
        anonymous_identity="1232010000000000@peap",
        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
        ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
    eap_connect(dev[0], ap, "PEAP", "1232010000000000", **sim_profile)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    # NOTE(review): the try/finally lines (original 1865 and 1867) are absent
    # from the rendered source; reconstructed so that external_sim is always
    # reset for the next test.
    try:
        run_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def run_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev):
    # Body of test_ap_wpa2_eap_peap_eap_sim_ext; the caller resets
    # external_sim afterwards.
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    sta.request("SET external_sim 1")
    # Not waiting for the connection: run_ext_sim_auth() answers the SIM
    # request and then waits for the association itself.
    sta.connect("test-wpa2-eap", eap="PEAP", key_mgmt="WPA-EAP",
                identity="1232010000000000",
                anonymous_identity="1232010000000000@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                ca_cert="auth_serv/ca.pem", phase2="auth=SIM",
                wait_connect=False, scan_freq="2412")
    run_ext_sim_auth(sta)
def test_ap_wpa2_eap_fast_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-SIM"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # fast_provisioning=2 with a blob-backed PAC file; the PAC is kept in a
    # config blob rather than on disk.
    eap_connect(dev[0], ap, "FAST", "1232010000000000",
                anonymous_identity="1232010000000000@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_sim",
                ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
    eap_reauth(dev[0], "FAST")
def test_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    # NOTE(review): the try/finally lines (original 1898 and 1900) are absent
    # from the rendered source; reconstructed so that external_sim is always
    # reset for the next test.
    try:
        run_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def run_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev):
    # Body of test_ap_wpa2_eap_fast_eap_sim_ext; the caller resets
    # external_sim afterwards.
    # NOTE(review): despite the name, this runner configures eap="PEAP" with
    # a "@peap" anonymous identity, so the EAP-FAST specific phase1/pac_file
    # settings below are not what drives the external-SIM path here. Kept
    # as-is (switching to eap="FAST" would change what the test covers);
    # confirm whether this is intended.
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    sta.request("SET external_sim 1")
    sta.connect("test-wpa2-eap", eap="PEAP", key_mgmt="WPA-EAP",
                identity="1232010000000000",
                anonymous_identity="1232010000000000@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_sim",
                ca_cert="auth_serv/ca.pem", phase2="auth=SIM",
                wait_connect=False, scan_freq="2412")
    run_ext_sim_auth(sta)
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # AKA credentials carry a third colon-separated field (presumably the
    # sequence number) on top of the two hex secrets used for SIM.
    aka_secret = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                  "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], ap, "TTLS", "0232010000000000",
                anonymous_identity="0232010000000000@ttls",
                password=aka_secret,
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    aka_profile = dict(
        anonymous_identity="0232010000000000@peap",
        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
        ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_connect(dev[0], ap, "PEAP", "0232010000000000", **aka_profile)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Blob-backed PAC with fast_provisioning=2, mirroring the EAP-SIM case.
    eap_connect(dev[0], ap, "FAST", "0232010000000000",
                anonymous_identity="0232010000000000@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_reauth(dev[0], "FAST")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    sta = dev[0]
    base = dict(anonymous_identity="peap",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    eap_connect(sta, ap, "PEAP", "user", password="password", **base)
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "PEAP")

    # Same credentials with a small fragment_size (presumably to exercise
    # the EAP fragmentation path).
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PEAP", "user", password="password",
                fragment_size="200", **base)

    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **base)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PEAP", "user", password="password1",
                expect_failure=True, **base)
def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Raw string: the identity carries a literal backslash (DOMAIN\user).
    identity = r"DOMAIN\user3"
    eap_connect(dev[0], ap, "PEAP", identity,
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # A wrong inner password must produce an authentication failure.
    profile = dict(anonymous_identity="peap", password="wrong",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[0], ap, "PEAP", "user", expect_failure=True, **profile)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(sta, crypto_binding):
        # PEAPv0 with the given crypto_binding phase1 setting (per
        # wpa_supplicant.conf: 0 = do not use, 1 = optional, 2 = required).
        eap_connect(sta, ap, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % crypto_binding,
                    phase2="auth=MSCHAPV2")

    connect(dev[0], 2)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    connect(dev[1], 1)
    connect(dev[2], 0)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0], int_eap_server_params())
    # With crypto binding required, a server-side failure to derive the
    # MSCHAPv2 key must be surfaced as an authentication failure; the error
    # is reported locally (local_error_report=True).
    profile = dict(password="password",
                   ca_cert="auth_serv/ca.pem",
                   phase1="peapver=0 crypto_binding=2",
                   phase2="auth=MSCHAPV2")
    with alloc_fail(ap, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], ap, "PEAP", "user",
                    expect_failure=True, local_error_report=True, **profile)
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    sta = dev[0]
    inner = dict(ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    # NOTE(review): several single lines of this function are absent from the
    # rendered source: the identity= keyword at original lines 2046 and 2066,
    # the "if ev is None:" guards (2052, 2072, 2103), the closing
    # scan_freq="2412") at 2090 and one entry of the first tests list at
    # 2082. identity/scan_freq/guards were reconstructed from the surrounding
    # calls; the missing list entry is not reproduced -- confirm upstream.
    def expect_event(events, timeout, error):
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(error)
        return ev

    # peaplabel=1 with PEAPv0 is expected to be rejected.
    eap_connect(sta, ap, "PEAP", "user",
                anonymous_identity="peap", password="password",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True, **inner)
    sta.request("REMOVE_NETWORK all")

    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                identity="user",
                anonymous_identity="peap", password="password",
                phase1="peap_outer_success=0",
                wait_connect=False, scan_freq="2412", **inner)
    expect_event(["CTRL-EVENT-EAP-SUCCESS"], 15, "No EAP success seen")
    # This won't succeed to connect with peap_outer_success=0, so stop here.
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()

    eap_connect(dev[1], ap, "PEAP", "user", password="password",
                phase1="peap_outer_success=1", **inner)
    eap_connect(dev[2], ap, "PEAP", "user", password="password",
                phase1="peap_outer_success=2", **inner)

    # PEAPv1 with peaplabel=1: EAP succeeds but the association must not.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                identity="user",
                anonymous_identity="peap", password="password",
                phase1="peapver=1 peaplabel=1",
                wait_connect=False, scan_freq="2412", **inner)
    expect_event(["CTRL-EVENT-EAP-SUCCESS"], 15, "No EAP success seen")
    ev = sta.wait_event(["CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=1)
    if ev and "CTRL-EVENT-CONNECTED" in ev:
        raise Exception("Unexpected connection")
    sta.request("REMOVE_NETWORK all")
    sta.disconnect_and_stop_scan()

    # Version negotiation combinations that are expected to connect.
    for anon, phase1 in [("peap-ver0", ""),
                         ("peap-ver0", "peapver=0"),
                         ("peap-ver1", "peapver=1")]:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                    identity="user", anonymous_identity=anon,
                    password="password", phase1=phase1,
                    scan_freq="2412", **inner)
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()

    # Mismatching version requests must end in EAP-Failure.
    for anon, phase1 in [("peap-ver0", "peapver=1"),
                         ("peap-ver1", "peapver=0")]:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                    identity="user", anonymous_identity=anon,
                    password="password", phase1=phase1,
                    wait_connect=False, scan_freq="2412", **inner)
        expect_event(["CTRL-EVENT-EAP-FAILURE"], 15, "No EAP-Failure seen")
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()

    # Assorted TLS phase1 knobs on an otherwise plain connection.
    eap_connect(sta, ap, "PEAP", "user", password="password",
                phase1="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
                **inner)
def test_ap_wpa2_eap_peap_eap_gtc(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-GTC"""
    # *params* is the test-run parameter dict supplied by the harness; it is
    # not used here, so the AP configuration gets its own name.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # EAP-GTC as the inner method requires PEAPv1 (peapver=1).
    eap_connect(dev[0], ap, "PEAP", "user", phase1="peapver=1",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The inner EAP-TLS uses the *2 certificate parameters; the outer tunnel
    # only validates the server against ca_cert.
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], ap, "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                **inner_tls)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # Plain certificate-based EAP-TLS with file-backed credentials.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], ap, "TLS", "tls user", **creds)
    eap_reauth(dev[0], "TLS")
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Encrypted PKCS #8 private key; the passphrase is supplied inline.
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key.pkcs8",
                private_key_passwd="whatever")
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
    # Legacy PKCS #5 v1.5 key encryption is not available in every TLS
    # build, so skip when the station cannot handle it.
    check_pkcs5_v15_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                 private_key_passwd="whatever")
    eap_connect(dev[0], ap, "TLS", "tls user", **creds)
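def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    def set_blob(name, path):
        # Load a PEM file into a wpa_supplicant config blob of the given
        # name; the blob is passed hex-encoded over the control interface.
        data = read_pem(path)
        if "OK" not in dev[0].request("SET blob " + name + " " +
                                      binascii.hexlify(data).decode()):
            # Fix: the userkey failure used to be reported as "cacert".
            raise Exception("Could not set " + name + " blob")

    set_blob("cacert", "auth_serv/ca.pem")
    set_blob("usercert", "auth_serv/user.pem")
    set_blob("userkey", "auth_serv/user.rsa-key")
    # All three credentials are then referenced by blob:// URI only.
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")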
def test_ap_wpa2_eap_tls_blob_missing(dev, apdev):
    """EAP-TLS and config blob missing"""
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    # Every credential points at a blob that was never set; the EAP method
    # must fail to initialize rather than attempt the handshake.
    missing = "blob://testing-blob-does-not-exist"
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                identity="tls user",
                ca_cert=missing,
                client_cert=missing,
                private_key=missing,
                wait_connect=False, scan_freq="2412")
    # NOTE(review): the "if ev is None:" guard (original line 2188) is absent
    # from the rendered source; reconstructed.
    ev = sta.wait_event(["EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP failure not reported")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
    """EAP-TLS and TLS Message Length in unfragmented packets"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # include_tls_length=1 makes the station add the TLS Message Length
    # field even when no fragmentation is needed.
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                phase1="include_tls_length=1",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    check_pkcs12_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    sta = dev[0]

    def forget_network():
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()

    # Passphrase given in the configuration.
    eap_connect(sta, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    forget_network()

    # No passphrase configured: wpa_supplicant asks for it with
    # CTRL-REQ-PASSPHRASE and the answer is delivered over the control
    # interface.
    # NOTE(review): the "if ev is None:" guard (original line 2219) is absent
    # from the rendered source; reconstructed.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                identity="tls user",
                ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                wait_connect=False, scan_freq="2412")
    ev = sta.wait_event(["CTRL-REQ-PASSPHRASE"])
    if ev is None:
        raise Exception("Request for private key passphrase timed out")
    req_id = ev.split(':')[0].split('-')[-1]
    sta.request("CTRL-RSP-PASSPHRASE-" + req_id + ":whatever")
    sta.wait_connected(timeout=10)
    forget_network()

    # Run this twice to verify certificate chain handling with OpenSSL. Use two
    # different files to cover both cases of the extra certificate being the
    # one that signed the client certificate and it being unrelated to the
    # client certificate.
    # NOTE(review): original lines 2232 and 2235 are absent from the rendered
    # source. private_key=pkcs12 is the only sensible use of the loop
    # variable and was reconstructed; 2232 could not be recovered --
    # confirm against the upstream file.
    for pkcs12 in ("auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12"):
        eap_connect(sta, ap, "TLS", "tls user",
                    ca_cert="auth_serv/ca.pem",
                    private_key=pkcs12,
                    private_key_passwd="whatever")
        forget_network()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    # CA certificate handed over as a DER blob (read_pem() decodes the file).
    der = read_pem("auth_serv/ca.pem")
    run_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev,
                                    binascii.hexlify(der).decode())
def test_ap_wpa2_eap_tls_pkcs12_blob_pem(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob and PEM ca_cert blob"""
    # Hand the CA certificate over as PEM text (the first -----BEGIN ...
    # -----END block of the file) instead of DER.
    # NOTE(review): only the "-----BEGIN" test and the hexlify line of the
    # extraction loop are visible in the rendered source (original lines
    # 2250-2259 are absent); the loop below is a reconstruction -- confirm
    # against the upstream file.
    with open("auth_serv/ca.pem", "r") as f:
        lines = f.readlines()
    pem_lines = []
    copying = False
    for line in lines:
        if "-----BEGIN" in line:
            copying = True
        if copying:
            pem_lines.append(line)
            if "-----END" in line:
                break
    cert = "".join(pem_lines)
    cacert = binascii.hexlify(cert.encode()).decode()
    run_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev, cacert)
def run_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev, cacert):
    # Shared body of the pkcs12_blob tests: *cacert* is the already
    # hex-encoded CA certificate blob (DER or PEM, depending on the caller).
    check_pkcs12_support(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    if "OK" not in sta.request("SET blob cacert " + cacert):
        raise Exception("Could not set cacert blob")
    with open("auth_serv/user.pkcs12", "rb") as f:
        pkcs12_hex = binascii.hexlify(f.read()).decode()
    if "OK" not in sta.request("SET blob pkcs12 " + pkcs12_hex):
        raise Exception("Could not set pkcs12 blob")
    # Both the trust root and the client credentials come from blobs.
    eap_connect(sta, ap, "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
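def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # dev[0] is given the wrong CA through a configuration blob, dev[1]
    # through a file; both must reject the server certificate.
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + binascii.hexlify(cert).decode()):
        raise Exception("Could not set cacert blob")
    # Raw string: the identity carries a literal backslash. The previous
    # "\m" inside a normal string literal was an invalid escape sequence
    # (a warning on recent Python versions) that happened to keep the same
    # value; the raw form is also what the sibling domain test uses.
    common = dict(key_mgmt="WPA-EAP", eap="TTLS",
                  identity=r"DOMAIN\mschapv2 user", anonymous_identity="ttls",
                  password="password", phase2="auth=MSCHAPV2",
                  wait_connect=False, scan_freq="2412")
    dev[0].connect("test-wpa2-eap", ca_cert="blob://cacert", **common)
    dev[1].connect("test-wpa2-eap", ca_cert="auth_serv/ca-incorrect.pem",
                   **common)

    def await_event(sta, events, timeout, error):
        # Wait for one of *events* on *sta*; a timeout fails the test.
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(error)
        return ev

    # NOTE(review): the "if ev is None:" guard lines of the original are
    # absent from the rendered source; they are represented by await_event.
    # The loop variable no longer shadows the dev parameter.
    for sta in (dev[0], dev[1]):
        await_event(sta, ["CTRL-EVENT-EAP-STARTED"], 16,
                    "Association and EAP start timed out")
        ev = await_event(sta, ["CTRL-EVENT-EAP-METHOD"], 10,
                         "EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")
        # The certificate error must be reported before any EAP result.
        ev = await_event(sta, ["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                               "CTRL-EVENT-EAP-SUCCESS",
                               "CTRL-EVENT-EAP-FAILURE",
                               "CTRL-EVENT-CONNECTED",
                               "CTRL-EVENT-DISCONNECTED"], 10,
                         "EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")
        ev = await_event(sta, ["CTRL-EVENT-EAP-SUCCESS",
                               "CTRL-EVENT-EAP-FAILURE",
                               "CTRL-EVENT-CONNECTED",
                               "CTRL-EVENT-DISCONNECTED"], 10,
                         "EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")
        ev = await_event(sta, ["CTRL-EVENT-CONNECTED",
                               "CTRL-EVENT-DISCONNECTED"], 10,
                         "EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")
        # After the failure the network block must be reported as
        # temporarily disabled.
        await_event(sta, ["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
                    "Network block disabling not reported")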
def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    sta = dev[0]
    profile = dict(key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   scan_freq="2412")
    # First network: trusted CA, the connection completes.
    sta.connect("test-wpa2-eap", ca_cert="auth_serv/ca.pem",
                wait_connect=True, **profile)
    # Second network: same server, but a CA that did not issue its cert.
    net_id = sta.connect("test-wpa2-eap", ca_cert="auth_serv/ca-incorrect.pem",
                         only_add_network=True, **profile)

    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()
    sta.select_network(net_id, freq="2412")

    # NOTE(review): the "if ev is None:" guard (original line 2357) is absent
    # from the rendered source; reconstructed.
    ev = sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                        timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # What is asserted: TTLS (method 21) is proposed again rather than the
    # earlier session being reused, and the attempt ends with a disconnection
    # carrying reason=23.
    ev = sta.wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]

    def add_network(**extra):
        return sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                           identity="pap user", anonymous_identity="ttls",
                           password="password", phase2="auth=PAP",
                           scan_freq="2412", **extra)

    # Variant of diff_ca_trust: the first network configures no ca_cert at
    # all, the second one a CA that did not issue the server certificate.
    add_network(wait_connect=True)
    net_id = add_network(ca_cert="auth_serv/ca-incorrect.pem",
                         only_add_network=True)

    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()
    sta.select_network(net_id, freq="2412")

    # NOTE(review): the "if ev is None:" guard (original line 2384) is absent
    # from the rendered source; reconstructed.
    ev = sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                        timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # TTLS must run again and the attempt must end with reason=23.
    ev = sta.wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    # Same check as the two tests above, but with a single network block
    # whose ca_cert is rewritten in place (auth_serv/ca.pem ->
    # auth_serv/ca-incorrect.pem) after a successful connection. Re-selecting
    # the block must re-run EAP-TTLS against the new trust anchor and fail
    # with reason code 23 (IEEE 802.1X authentication failed).
    sta = dev[0]
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net = sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                      identity="pap user", anonymous_identity="ttls",
                      password="password", phase2="auth=PAP",
                      ca_cert="auth_serv/ca.pem",
                      wait_connect=True, scan_freq="2412")
    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()
    sta.set_network_quoted(net, "ca_cert", "auth_serv/ca-incorrect.pem")
    sta.select_network(net, freq="2412")

    # method=21 is the EAP type number of EAP-TTLS.
    if sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                      timeout=15) is None:
        raise Exception("EAP-TTLS not re-started")

    disconnect_ev = sta.wait_disconnected(timeout=15)
    if "reason=23" not in disconnect_ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    # The server certificate chains to the trusted CA, so the only thing that
    # may fail the handshake is domain_suffix_match naming a suffix the
    # certificate does not carry. The required sequence is: a CERT-ERROR
    # event that names the mismatch, then EAP failure, then disconnection,
    # then the network block being temporarily disabled. Any other outcome
    # (in particular EAP success) is a test failure.
    sta = dev[0]
    check_domain_suffix_match(sta)
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                domain_suffix_match="incorrect.example.com",
                wait_connect=False, scan_freq="2412")

    def expect(events, timeout, timeout_msg):
        # wait_event() yields None when nothing arrived before the deadline.
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    outcome_events = ["CTRL-EVENT-EAP-SUCCESS",
                      "CTRL-EVENT-EAP-FAILURE",
                      "CTRL-EVENT-CONNECTED",
                      "CTRL-EVENT-DISCONNECTED"]

    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")
    if "TTLS" not in expect(["CTRL-EVENT-EAP-METHOD"], 10,
                            "EAP method selection timed out"):
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"] + outcome_events, 10,
                "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    if "CTRL-EVENT-EAP-FAILURE" not in expect(outcome_events, 10,
                                             "EAP result(2) timed out"):
        raise Exception("EAP failure not reported")
    if "CTRL-EVENT-DISCONNECTED" not in expect(outcome_events[2:], 10,
                                              "EAP result(3) timed out"):
        raise Exception("Disconnection not reported")
    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
           "Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch"""
    # Like the suffix-match test, but with domain_match, which requires a
    # full-name match rather than a suffix match: "w1.fi" must not match the
    # server certificate's name, so the handshake has to fail with a
    # CERT-ERROR naming "Domain mismatch", followed by EAP failure,
    # disconnection and temporary disabling of the network block.
    sta = dev[0]
    check_domain_match(sta)
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                domain_match="w1.fi",
                wait_connect=False, scan_freq="2412")

    def expect(events, timeout, timeout_msg):
        # wait_event() yields None when nothing arrived before the deadline.
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    outcome_events = ["CTRL-EVENT-EAP-SUCCESS",
                      "CTRL-EVENT-EAP-FAILURE",
                      "CTRL-EVENT-CONNECTED",
                      "CTRL-EVENT-DISCONNECTED"]

    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")
    if "TTLS" not in expect(["CTRL-EVENT-EAP-METHOD"], 10,
                            "EAP method selection timed out"):
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"] + outcome_events, 10,
                "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    if "CTRL-EVENT-EAP-FAILURE" not in expect(outcome_events, 10,
                                             "EAP result(2) timed out"):
        raise Exception("EAP failure not reported")
    if "CTRL-EVENT-DISCONNECTED" not in expect(outcome_events[2:], 10,
                                              "EAP result(3) timed out"):
        raise Exception("Disconnection not reported")
    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
           "Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch"""
    # subject_match pins a DN substring ("/C=FI/O=w1.fi/CN=example.com") that
    # the server certificate does not have. Two acceptable outcomes:
    #  * the TLS library supports subject_match -> CERT-ERROR naming
    #    "Subject mismatch", then EAP failure, disconnection and the block
    #    being temporarily disabled;
    #  * the TLS library does not support it -> EAP-TTLS refuses to
    #    initialise at all, which is also a safe failure (only OpenSSL is
    #    required to support the option, so that case is a test failure).
    sta = dev[0]
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                subject_match="/C=FI/O=w1.fi/CN=example.com",
                wait_connect=False, scan_freq="2412")

    def expect(events, timeout, timeout_msg):
        # wait_event() yields None when nothing arrived before the deadline.
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    outcome_events = ["CTRL-EVENT-EAP-SUCCESS",
                      "CTRL-EVENT-EAP-FAILURE",
                      "CTRL-EVENT-CONNECTED",
                      "CTRL-EVENT-DISCONNECTED"]

    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")
    method_ev = expect(["CTRL-EVENT-EAP-METHOD",
                        "EAP: Failed to initialize EAP method"], 10,
                       "EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in method_ev:
        if sta.request("GET tls_library").startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        # NOTE(review): the statement after this log line is not visible in
        # this rendering; the message implies the test ends here, so an early
        # return is assumed.
        return
    if "TTLS" not in method_ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"] + outcome_events, 10,
                "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    if "CTRL-EVENT-EAP-FAILURE" not in expect(outcome_events, 10,
                                             "EAP result(2) timed out"):
        raise Exception("EAP failure not reported")
    if "CTRL-EVENT-DISCONNECTED" not in expect(outcome_events[2:], 10,
                                              "EAP result(3) timed out"):
        raise Exception("Disconnection not reported")
    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
           "Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch"""
    # Driver for _test_ap_wpa2_eap_tls_neg_altsubject_match(): runs the
    # negative check once per altsubject_match pattern. The patterns are
    # chosen so that neither a bare name nor a typed "DNS:" entry matches the
    # subjectAltName values of the server certificate.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    tests = ["incorrect.example.com",
             "DNS:incorrect.example.com",
             # [rendering gap: lines 2589-2590 of the original are not
             #  visible in this listing; any further match patterns and the
             #  list's closing bracket come from there]
             ]
    # [rendering gap: the loop header binding `match` (line 2591) is not
    #  visible; restored as the iteration over `tests` that the call below
    #  requires]
    for match in tests:
        _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    # One altsubject_match negative round: *match* is a pattern that must not
    # match any subjectAltName entry of the server certificate. Expected
    # outcome is CERT-ERROR naming "AltSubject mismatch", EAP failure,
    # disconnection and the network block being temporarily disabled; the
    # block is removed at the end so the caller can run the next pattern.
    # If the TLS library does not support altsubject_match, EAP-TTLS must
    # refuse to initialise (a safe failure) -- except on OpenSSL, where the
    # option is expected to work. Note that this early-out path leaves the
    # network block in place.
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                altsubject_match=match,
                wait_connect=False, scan_freq="2412")

    def expect(events, timeout, timeout_msg):
        # wait_event() yields None when nothing arrived before the deadline.
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    outcome_events = ["CTRL-EVENT-EAP-SUCCESS",
                      "CTRL-EVENT-EAP-FAILURE",
                      "CTRL-EVENT-CONNECTED",
                      "CTRL-EVENT-DISCONNECTED"]

    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")
    method_ev = expect(["CTRL-EVENT-EAP-METHOD",
                        "EAP: Failed to initialize EAP method"], 10,
                       "EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in method_ev:
        if sta.request("GET tls_library").startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        # NOTE(review): the statement after this log line is not visible in
        # this rendering; the message implies the round ends here, so an
        # early return is assumed.
        return
    if "TTLS" not in method_ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"] + outcome_events, 10,
                "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    if "CTRL-EVENT-EAP-FAILURE" not in expect(outcome_events, 10,
                                             "EAP result(2) timed out"):
        raise Exception("EAP failure not reported")
    if "CTRL-EVENT-DISCONNECTED" not in expect(outcome_events[2:], 10,
                                              "EAP result(3) timed out"):
        raise Exception("Disconnection not reported")
    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
           "Network block disabling not reported")

    sta.request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    # UNAUTH-TLS is the server-only-authenticated TLS method: the station
    # validates the server against auth_serv/ca.pem but presents no client
    # certificate. A plain connect followed by a re-authentication is enough
    # to cover both the initial handshake and the reauth path.
    sta = dev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(sta, hapd, "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(sta, "UNAUTH-TLS")
def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
    # Three phases of server-certificate pinning:
    #  1. ca_cert="probe://" -- discovery mode: the peer reports the server
    #     certificate (and its hash) in a PEER-CERT event and then aborts the
    #     handshake with a CERT-ERROR; it must never complete authentication.
    #  2. ca_cert="hash://server/sha256/<wrong hash>" -- a pin for a different
    #     certificate must be rejected with "Server certificate mismatch".
    #  3. ca_cert="hash://server/sha256/<hash from phase 1>" -- the correct
    #     pin authenticates the server without any CA.
    sta = dev[0]
    check_cert_probe_support(sta)
    skip_with_fips(sta)
    srv_cert_hash = "4704e62784f36cc5fd964c6410402f4938773bb471dce9d42939bf22fdbdb2dd"
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def expect(events, timeout, timeout_msg):
        # wait_event() yields None when nothing arrived before the deadline.
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    # Phase 1: probe the server certificate.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="probe", ca_cert="probe://",
                wait_connect=False, scan_freq="2412")
    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")
    # depth=0 is the end-entity (server) certificate of the chain.
    peer_cert = expect(["CTRL-EVENT-EAP-PEER-CERT depth=0"], 10,
                       "No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in peer_cert:
        raise Exception("Expected server certificate hash not reported")
    cert_err = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], 10,
                      "EAP result timed out")
    if "Server certificate chain probe" not in cert_err:
        raise Exception("Server certificate probe not reported")
    sta.wait_disconnected(timeout=10)
    sta.request("REMOVE_NETWORK all")

    # Phase 2: a pin that does not match the server certificate.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                wait_connect=False, scan_freq="2412")
    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")
    cert_err = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], 10,
                      "EAP result timed out")
    if "Server certificate mismatch" not in cert_err:
        raise Exception("Server certificate mismatch not reported")
    sta.wait_disconnected(timeout=10)
    sta.request("REMOVE_NETWORK all")

    # Phase 3: the pin learned in phase 1 authenticates the server.
    eap_connect(sta, hapd, "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
    # Three malformed hash://server/ pins, one per station:
    #  * an md5 digest (not an accepted algorithm for pinning),
    #  * a sha256 value that is too short,
    #  * a sha256 value containing a non-hex character ('Q').
    # Each must be rejected when EAP-TTLS is initialised -- before any TLS
    # handshake -- rather than being ignored and leaving the server
    # unauthenticated.
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    bad_pins = [
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    for idx, pin in enumerate(bad_pins):
        dev[idx].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                         identity="DOMAIN\mschapv2 user",
                         anonymous_identity="ttls",
                         password="password", phase2="auth=MSCHAPV2",
                         ca_cert=pin,
                         wait_connect=False, scan_freq="2412")
    for idx in range(len(bad_pins)):
        sta = dev[idx]
        if sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16) is None:
            raise Exception("Association and EAP start timed out")
        # vendor 0 method 21 is EAP-TTLS.
        init_failure = ["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"]
        if sta.wait_event(init_failure, timeout=5) is None:
            raise Exception("Did not report EAP method initialization failure")
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd"""
    # EAP-pwd (password-authenticated key exchange): a plain connect plus
    # reauth, a connect with a very long NAI identity, a wrong-password
    # negative round (the failure is reported locally by the peer), and a
    # second long-identity connect on dev[0].
    check_eap_capa(dev[0], "PWD")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[1], hapd, "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
                # [rendering gap: line 2747 of the original -- the call's
                #  remaining keyword argument(s) -- is not visible in this
                #  listing; only the closing parenthesis is restored here]
                )

    logger.info("Negative test with incorrect password")
    eap_connect(dev[2], hapd, "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

    eap_connect(dev[0], hapd, "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
                # [rendering gap: line 2756 of the original -- the call's
                #  remaining keyword argument(s) -- is not visible in this
                #  listing; only the closing parenthesis is restored here]
                )
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash"""
    # The "pwd-hash" user is provisioned with an NT hash (MD4 of the UTF-16LE
    # password) instead of the cleartext password, which is why FIPS builds
    # are skipped. Both the cleartext and the "hash:" form must authenticate
    # that user; the same hash presented for "pwd user" must be refused,
    # with the failure reported locally by the peer.
    sta0, sta1, sta2 = dev[0], dev[1], dev[2]
    check_eap_capa(sta0, "PWD")
    skip_with_fips(sta0)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    nt_hash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    eap_connect(sta0, hapd, "PWD", "pwd-hash", password="secret password")
    eap_connect(sta1, hapd, "PWD", "pwd-hash", password_hex=nt_hash)
    eap_connect(sta2, hapd, "PWD", "pwd user", password_hex=nt_hash,
                expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_pwd_salt_sha1(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and salted password SHA-1"""
    # The "pwd-hash-sha1" user is stored server-side as a salted SHA-1
    # password; the station still supplies the cleartext.
    sta = dev[0]
    check_eap_capa(sta, "PWD")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, hapd, "PWD", "pwd-hash-sha1", password="secret password")
def test_ap_wpa2_eap_pwd_salt_sha256(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and salted password SHA256"""
    # The "pwd-hash-sha256" user is stored server-side as a salted SHA-256
    # password; the station still supplies the cleartext.
    sta = dev[0]
    check_eap_capa(sta, "PWD")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, hapd, "PWD", "pwd-hash-sha256",
                password="secret password")
def test_ap_wpa2_eap_pwd_salt_sha512(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and salted password SHA512"""
    # The "pwd-hash-sha512" user is stored server-side as a salted SHA-512
    # password; the station still supplies the cleartext.
    sta = dev[0]
    check_eap_capa(sta, "PWD")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, hapd, "PWD", "pwd-hash-sha512",
                password="secret password")
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups"""
    # Runs one full EAP-pwd authentication per server-side pwd_group. The
    # group numbers are IKEv2 Diffie-Hellman group identifiers: 19/20/21 are
    # the 256-/384-/521-bit random ECP groups; 28/29/30 are the Brainpool
    # P-256r1/P-384r1/P-512r1 groups, which are only added when both the
    # build-time and run-time OpenSSL are new enough to provide them.
    check_eap_capa(dev[0], "PWD")
    tls = dev[0].request("GET tls_library")
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf"}
    groups = [19, 20, 21]
    if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
        logger.info("Add Brainpool EC groups since OpenSSL is new enough")
        groups += [28, 29, 30]
    if tls.startswith("OpenSSL") and "build=OpenSSL 1.1" in tls and "run=OpenSSL 1.1" in tls:
        logger.info("Add Brainpool EC groups since OpenSSL is new enough")
        groups += [28, 29, 30]
    # [rendering gap: the loop header at line 2809 of the original is not
    #  visible in this listing; restored as the iteration over `groups`
    #  that the use of `i` below requires]
    for i in groups:
        logger.info("Group %d" % i)
        # The AP is re-created for every group with a new pwd_group value.
        params['pwd_group'] = str(i)
        hapd = hostapd.add_ap(apdev[0], params)
        eap_connect(dev[0], hapd, "PWD", "pwd user",
                    password="secret password")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group"""
    # Configures the server with pwd_group values that EAP-pwd must not
    # negotiate (0 is not a group at all; 25/26/27 are IKEv2 DH group
    # numbers the implementation is expected to refuse). For each one the
    # peer has to report CTRL-EVENT-EAP-FAILURE instead of completing the
    # exchange.
    sta = dev[0]
    check_eap_capa(sta, "PWD")
    ap_params = {"ssid": "test-wpa2-eap", "wpa": "2",
                 "wpa_key_mgmt": "WPA-EAP",
                 "rsn_pairwise": "CCMP", "ieee8021x": "1",
                 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf"}
    for group in [0, 25, 26, 27]:
        logger.info("Group %d" % group)
        ap_params['pwd_group'] = str(group)
        hostapd.add_ap(apdev[0], ap_params)
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                    identity="pwd user", password="secret password",
                    scan_freq="2412", wait_connect=False)
        # No explicit timeout here: wait_event() uses its default.
        if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception("Timeout on EAP failure report (group %d)" % group)
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()
        sta.dump_monitor()
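def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
    # The AP is configured with fragment_size=40 so that the EAP server has
    # to split its EAP-pwd messages into several fragments; the station must
    # reassemble them and still authenticate.
    #
    # The original built a default parameter set with wpa2_eap_params() and
    # then immediately overwrote it with the explicit dict below; the dead
    # assignment has been dropped.
    check_eap_capa(dev[0], "PWD")
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "pwd_group": "19", "fragment_size": "40"}
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PWD", "pwd user", password="secret password")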
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK"""
    # EAP-GPSK with a 32-character pre-shared key. After the initial connect
    # and reauth, phase1 is rewritten on the live network block to force each
    # ciphersuite in turn (cipher=1, cipher=2) and then an unknown one
    # (cipher=9), which must end in EAP failure. A final round with a key
    # whose first byte differs must be refused by the server.
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net = eap_connect(sta, hapd, "GPSK", "gpsk user",
                      password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(sta, "GPSK")

    logger.info("Test forced algorithm selection")
    for suite in ("cipher=1", "cipher=2"):
        sta.set_network_quoted(net, "phase1", suite)
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        sta.wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    sta.set_network_quoted(net, "phase1", "cipher=9")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    # EAP-SAKE with a 32-byte root secret given as hex. Connect, reauth, then
    # a negative round where only the first byte of the secret differs -- the
    # server must refuse it.
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, hapd, "SAKE", "sake user",
                password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "SAKE", "sake user",
                password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE"""
    # EAP-EKE (password-authenticated key exchange). After the initial
    # connect and reauth, phase1 is rewritten on the live network block to
    # force several dhgroup/encr/prf/mac combinations, then one the server
    # cannot accept (all 9s) which must fail. Two further proposals
    # (dhgroup=2 and dhgroup=1) are then tried from a fresh block and must be
    # refused, as must a wrong password.
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net = eap_connect(sta, hapd, "EKE", "eke user", password="hello")
    eap_reauth(sta, "EKE")

    logger.info("Test forced algorithm selection")
    proposals = ("dhgroup=5 encr=1 prf=2 mac=2",
                 "dhgroup=4 encr=1 prf=2 mac=2",
                 "dhgroup=3 encr=1 prf=2 mac=2",
                 "dhgroup=3 encr=1 prf=1 mac=1")
    for proposal in proposals:
        sta.set_network_quoted(net, "phase1", proposal)
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        sta.wait_connected(timeout=10)
        sta.dump_monitor()

    logger.info("Test failed algorithm negotiation")
    sta.set_network_quoted(net, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")
    sta.dump_monitor()

    logger.info("Test unsupported algorithm proposals")
    for proposal in ("dhgroup=2 encr=1 prf=1 mac=1",
                     "dhgroup=1 encr=1 prf=1 mac=1"):
        sta.request("REMOVE_NETWORK all")
        sta.dump_monitor()
        eap_connect(sta, hapd, "EKE", "eke user", password="hello",
                    phase1=proposal, expect_failure=True)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "EKE", "eke user", password="hello1",
                expect_failure=True)
def test_ap_wpa2_eap_eke_many(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-EKE (many connections) [long]"""
    # Stress round: 100 iterations of EAP-EKE connections from several
    # stations, counting successes and failures. Only run with --long.
    if not params['long']:
        raise HwsimSkip("Skip test case with long duration due to --long not specified")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # [rendering gap: lines 2941-2942 of the original are not visible in
    #  this listing; the `success`/`fail` counters reported by the final log
    #  line are presumably initialised there]
    for i in range(100):
        # [rendering gap: line 2944 -- the inner loop header binding the
        #  station index `j` -- is not visible; restored as a loop over the
        #  three stations used elsewhere in this file (range(0, 3))]
        for j in range(3):
            dev[j].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="EKE",
                           identity="eke user", password="hello",
                           phase1="dhgroup=3 encr=1 prf=1 mac=1",
                           scan_freq="2412", wait_connect=False)
            ev = dev[j].wait_event(["CTRL-EVENT-CONNECTED",
                                    "CTRL-EVENT-DISCONNECTED"], timeout=15)
            # [line 2952 not visible; restored as the usual None guard]
            if ev is None:
                raise Exception("No connected/disconnected event")
            if "CTRL-EVENT-DISCONNECTED" in ev:
                # The RADIUS server limits on active sessions can be hit when
                # going through this test case, so try to give some more time
                # for the server to remove sessions.
                logger.info("Failed to connect i=%d j=%d" % (i, j))
                dev[j].request("REMOVE_NETWORK all")
                # [rendering gap: lines 2961-2963 are not visible; the
                #  failure-path bookkeeping (counter update, the pause the
                #  comment above describes, and leaving this iteration) is
                #  presumably there]
                continue
            # [success-counter update presumably here; not visible]
            dev[j].request("REMOVE_NETWORK all")
            dev[j].wait_disconnected()
            dev[j].dump_monitor()
    logger.info("Total success=%d failure=%d" % (success, fail))
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
    # The integrated EAP server is given an NAI-form server_id; EAP-EKE
    # must still complete with it.
    sta = dev[0]
    server_params = int_eap_server_params()
    server_params['server_id'] = 'example.server@w1.fi'
    hapd = hostapd.add_ap(apdev[0], server_params)
    eap_connect(sta, hapd, "EKE", "eke user", password="hello")
def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with server OOM"""
    # Allocation-failure injection on the hostapd side (alloc_fail() arms the
    # N-th allocation in the named function to fail). An OOM inside the EKE
    # server must produce a clean EAP failure, never a crash or a completed
    # authentication.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)

    # Functions whose failure is observable as an EAP failure on the peer.
    for count, func in [(1, "eap_eke_build_commit"),
                        (2, "eap_eke_build_commit"),
                        (3, "eap_eke_build_commit"),
                        (1, "eap_eke_build_confirm"),
                        (2, "eap_eke_build_confirm"),
                        (1, "eap_eke_process_commit"),
                        (2, "eap_eke_process_commit"),
                        (1, "eap_eke_process_confirm"),
                        (1, "eap_eke_process_identity"),
                        (2, "eap_eke_process_identity"),
                        (3, "eap_eke_process_identity"),
                        (4, "eap_eke_process_identity")]:
        with alloc_fail(hapd, count, func):
            eap_connect(dev[0], hapd, "EKE", "eke user", password="hello",
                        expect_failure=True)
            dev[0].request("REMOVE_NETWORK all")

    # Functions whose failure is only observable through the allocation
    # failure counter; the connect attempt is abandoned once it has fired.
    for count, func, pw in [(1, "eap_eke_init", "hello"),
                            (1, "eap_eke_get_session_id", "hello"),
                            (1, "eap_eke_getKey", "hello"),
                            (1, "eap_eke_build_msg", "hello"),
                            (1, "eap_eke_build_failure", "wrong"),
                            (1, "eap_eke_build_identity", "hello"),
                            (2, "eap_eke_build_identity", "hello")]:
        with alloc_fail(hapd, count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            # [rendering gap: lines 3012-3013 of the original are not
            #  visible; the polling loop around the check below is
            #  presumably there, and line 3015 (its exit) as well]
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                pass  # [exit of the polling loop; line 3015 not visible]
            dev[0].request("REMOVE_NETWORK all")

    # Sweep the allocation counter through eap_server_sm_step() until the
    # failure can no longer be triggered. NOTE: `pw` here is whatever the
    # previous loop left bound (its last tuple), not an explicit choice.
    for count in range(1, 1000):
        # [rendering gap: line 3019 -- the `try:` that the `except` below
        #  belongs to -- is not visible; restored]
        try:
            with alloc_fail(hapd, count, "eap_server_sm_step"):
                dev[0].connect("test-wpa2-eap",
                               key_mgmt="WPA-EAP WPA-EAP-SHA256",
                               eap="EKE", identity="eke user", password=pw,
                               wait_connect=False, scan_freq="2412")
                # This would eventually time out, but we can stop after having
                # reached the allocation failure.
                # [rendering gap: lines 3027-3028 (polling loop) and 3030
                #  (its exit) are not visible]
                if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                    pass  # [exit of the polling loop; line 3030 not visible]
                dev[0].request("REMOVE_NETWORK all")
        except Exception as e:
            if str(e) == "Allocation failure did not trigger":
                # [rendering gap: line 3034 -- the condition deciding whether
                #  enough allocation failures were exercised -- is not
                #  visible; the raise below is guarded by it]
                raise Exception("Too few allocation failures")
                logger.info("%d allocation failures tested" % (count - 1))
            # [rendering gap: lines 3037-3039 (loop exit and the re-raise
            #  for other exceptions) are not visible]
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    # EAP-IKEv2: connect and reauth, then a connect with peer-side
    # fragmentation (fragment_size="50"), a wrong-password negative round,
    # and finally fragment_size="0".
    sta = dev[0]
    check_eap_capa(sta, "IKEV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect_ikev2(**extra):
        eap_connect(sta, hapd, "IKEV2", "ikev2 user", **extra)

    connect_ikev2(password="ike password")
    eap_reauth(sta, "IKEV2")
    sta.request("REMOVE_NETWORK all")
    connect_ikev2(password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    connect_ikev2(password="ike-password", expect_failure=True)
    sta.request("REMOVE_NETWORK all")

    connect_ikev2(password="ike password", fragment_size="0")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
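def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
    # The AP is configured with fragment_size=50 so that the EAP server has
    # to fragment its EAP-IKEv2 messages; the station must reassemble them,
    # authenticate, and survive a reauth.
    #
    # The original built a default parameter set with wpa2_eap_params() and
    # then immediately overwrote it with the explicit dict below; the dead
    # assignment has been dropped.
    check_eap_capa(dev[0], "IKEV2")
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "fragment_size": "50"}
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")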
def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
    # Failure injection on the station side: allocation failures in the DH
    # helpers, then a forced failure of the random-number / DH
    # initialisation. Each case must still reach EAP method selection and
    # the injected failure must actually be hit (checked through the
    # GET_ALLOC_FAIL / GET_FAIL counters) without the station crashing.
    check_eap_capa(dev[0], "IKEV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    tests = [(1, "dh_init"),
             # [rendering gap: line 3083 of the original -- one more
             #  (count, function) entry -- is not visible in this listing]
             (1, "dh_derive_shared")]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # [line 3091 not visible; restored as the usual None guard]
            if ev is None:
                raise Exception("EAP method not selected")
            # [rendering gap: lines 3093 (polling loop header) and
            #  3095-3096 (its exit and pause) are not visible]
            if "0:" in dev[0].request("GET_ALLOC_FAIL"):
                pass  # [exit of the polling loop; not visible]
            dev[0].request("REMOVE_NETWORK all")

    tls = dev[0].request("GET tls_library")
    if not tls.startswith("wolfSSL"):
        tests = [(1, "os_get_random;dh_init")]
    # [line 3102 -- the `else:` that the following assignment belongs to --
    #  is not visible; restored]
    else:
        tests = [(1, "crypto_dh_init;dh_init")]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # [line 3110 not visible; restored as the usual None guard]
            if ev is None:
                raise Exception("EAP method not selected")
            # [rendering gap: lines 3112 (polling loop header) and
            #  3114-3115 (its exit and pause) are not visible]
            if "0:" in dev[0].request("GET_FAIL"):
                pass  # [exit of the polling loop; not visible]
            dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    # EAP-PAX with a 16-byte key given as hex. Connect, reauth, then a
    # negative round where only the first byte of the key differs -- the
    # server must refuse it.
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, hapd, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "PAX")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "PAX", "pax.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    # EAP-PSK on an AP that advertises only the SHA-256 variant of the
    # 802.1X AKM (WPA-EAP-SHA256) with PMF required (ieee80211w=2). Besides
    # connect/reauth, the MIB must show AKM suite 00-0f-ac-5 (802.1X with
    # SHA-256 key derivation) both requested and selected, and the scan
    # results must carry the matching [WPA2-EAP-SHA256-CCMP] flag. A key
    # whose first byte differs must be refused.
    sta = dev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_params["ieee80211w"] = "2"
    hapd = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(sta, hapd, "PSK", "psk.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(sta, "PSK", sha256=True)
    check_mib(sta, [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5")])

    bss = sta.get_bss(apdev[0]['bssid'])
    try:
        flags = bss['flags']
    except KeyError:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "PSK", "psk.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
3156 def test_ap_wpa2_eap_psk_oom(dev
, apdev
):
3157 """WPA2-Enterprise connection using EAP-PSK and OOM"""
3158 skip_with_fips(dev
[0])
3159 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3160 hostapd
.add_ap(apdev
[0], params
)
3161 tests
= [(1, "=aes_128_eax_encrypt"),
3162 (1, "=aes_128_eax_decrypt")]
3163 for count
, func
in tests
:
3164 with
alloc_fail(dev
[0], count
, func
):
3165 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PSK",
3166 identity
="psk.user@example.com",
3167 password_hex
="0123456789abcdef0123456789abcdef",
3168 wait_connect
=False, scan_freq
="2412")
3169 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
3171 raise Exception("EAP method not selected")
3172 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL",
3173 note
="Failure not triggered: %d:%s" % (count
, func
))
3174 dev
[0].request("REMOVE_NETWORK all")
3175 dev
[0].wait_disconnected()
3177 tests
= [(1, "aes_ctr_encrypt;aes_128_eax_encrypt"),
3178 (1, "omac1_aes_128;aes_128_eax_encrypt"),
3179 (2, "omac1_aes_128;aes_128_eax_encrypt"),
3180 (3, "omac1_aes_128;aes_128_eax_encrypt"),
3181 (1, "omac1_aes_vector"),
3182 (1, "omac1_aes_128;aes_128_eax_decrypt"),
3183 (2, "omac1_aes_128;aes_128_eax_decrypt"),
3184 (3, "omac1_aes_128;aes_128_eax_decrypt"),
3185 (1, "aes_ctr_encrypt;aes_128_eax_decrypt")]
3186 for count
, func
in tests
:
3187 with
fail_test(dev
[0], count
, func
):
3188 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PSK",
3189 identity
="psk.user@example.com",
3190 password_hex
="0123456789abcdef0123456789abcdef",
3191 wait_connect
=False, scan_freq
="2412")
3192 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
3194 raise Exception("EAP method not selected")
3195 wait_fail_trigger(dev
[0], "GET_FAIL",
3196 note
="Failure not triggered: %d:%s" % (count
, func
))
3197 dev
[0].request("REMOVE_NETWORK all")
3198 dev
[0].wait_disconnected()
3200 with
fail_test(dev
[0], 1, "aes_128_encrypt_block"):
3201 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PSK",
3202 identity
="psk.user@example.com",
3203 password_hex
="0123456789abcdef0123456789abcdef",
3204 wait_connect
=False, scan_freq
="2412")
3205 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
3207 raise Exception("EAP method failure not reported")
3208 dev
[0].request("REMOVE_NETWORK all")
3209 dev
[0].wait_disconnected()
3211 def test_ap_wpa_eap_peap_eap_mschapv2(dev
, apdev
):
3212 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
3213 check_eap_capa(dev
[0], "MSCHAPV2")
3214 params
= hostapd
.wpa_eap_params(ssid
="test-wpa-eap")
3215 hapd
= hostapd
.add_ap(apdev
[0], params
)
3216 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
3217 identity
="user", password
="password", phase2
="auth=MSCHAPV2",
3218 ca_cert
="auth_serv/ca.pem", wait_connect
=False,
3220 eap_check_auth(dev
[0], "PEAP", True, rsn
=False)
3221 hwsim_utils
.test_connectivity(dev
[0], hapd
)
3222 eap_reauth(dev
[0], "PEAP", rsn
=False)
3223 check_mib(dev
[0], [("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
3224 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1")])
3225 status
= dev
[0].get_status(extra
="VERBOSE")
3226 if 'portControl' not in status
:
3227 raise Exception("portControl missing from STATUS-VERBOSE")
3228 if status
['portControl'] != 'Auto':
3229 raise Exception("Unexpected portControl value: " + status
['portControl'])
3230 if 'eap_session_id' not in status
:
3231 raise Exception("eap_session_id missing from STATUS-VERBOSE")
3232 if not status
['eap_session_id'].startswith("19"):
3233 raise Exception("Unexpected eap_session_id value: " + status
['eap_session_id'])
3235 def test_ap_wpa2_eap_interactive(dev
, apdev
):
3236 """WPA2-Enterprise connection using interactive identity/password entry"""
3237 check_eap_capa(dev
[0], "MSCHAPV2")
3238 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3239 hapd
= hostapd
.add_ap(apdev
[0], params
)
3241 tests
= [("Connection with dynamic TTLS/MSCHAPv2 password entry",
3242 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
3244 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
3245 "TTLS", "ttls", None, "auth=MSCHAPV2",
3246 "DOMAIN\mschapv2 user", "password"),
3247 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
3248 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
3249 ("Connection with dynamic TTLS/EAP-MD5 password entry",
3250 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
3251 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
3252 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
3253 ("Connection with dynamic PEAP/EAP-GTC password entry",
3254 "PEAP", None, "user", "auth=GTC", None, "password")]
3255 for [desc
, eap
, anon
, identity
, phase2
, req_id
, req_pw
] in tests
:
3257 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
=eap
,
3258 anonymous_identity
=anon
, identity
=identity
,
3259 ca_cert
="auth_serv/ca.pem", phase2
=phase2
,
3260 wait_connect
=False, scan_freq
="2412")
3262 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
3264 raise Exception("Request for identity timed out")
3265 id = ev
.split(':')[0].split('-')[-1]
3266 dev
[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id
)
3267 ev
= dev
[0].wait_event(["CTRL-REQ-PASSWORD", "CTRL-REQ-OTP"])
3269 raise Exception("Request for password timed out")
3270 id = ev
.split(':')[0].split('-')[-1]
3271 type = "OTP" if "CTRL-REQ-OTP" in ev
else "PASSWORD"
3272 dev
[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw
)
3273 dev
[0].wait_connected(timeout
=10)
3274 dev
[0].request("REMOVE_NETWORK all")
3276 def test_ap_wpa2_eap_ext_enable_network_while_connected(dev
, apdev
):
3277 """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
3278 check_eap_capa(dev
[0], "MSCHAPV2")
3279 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3280 hapd
= hostapd
.add_ap(apdev
[0], params
)
3282 id_other
= dev
[0].connect("other", key_mgmt
="NONE", scan_freq
="2412",
3283 only_add_network
=True)
3285 req_id
= "DOMAIN\mschapv2 user"
3286 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
3287 anonymous_identity
="ttls", identity
=None,
3288 password
="password",
3289 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3290 wait_connect
=False, scan_freq
="2412")
3291 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
3293 raise Exception("Request for identity timed out")
3294 id = ev
.split(':')[0].split('-')[-1]
3295 dev
[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id
)
3296 dev
[0].wait_connected(timeout
=10)
3298 if "OK" not in dev
[0].request("ENABLE_NETWORK " + str(id_other
)):
3299 raise Exception("Failed to enable network")
3300 ev
= dev
[0].wait_event(["SME: Trying to authenticate"], timeout
=1)
3302 raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
3303 dev
[0].request("REMOVE_NETWORK all")
3305 def test_ap_wpa2_eap_vendor_test(dev
, apdev
):
3306 """WPA2-Enterprise connection using EAP vendor test"""
3307 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3308 hapd
= hostapd
.add_ap(apdev
[0], params
)
3309 eap_connect(dev
[0], hapd
, "VENDOR-TEST", "vendor-test")
3310 eap_reauth(dev
[0], "VENDOR-TEST")
3311 eap_connect(dev
[1], hapd
, "VENDOR-TEST", "vendor-test",
3314 def test_ap_wpa2_eap_vendor_test_oom(dev
, apdev
):
3315 """WPA2-Enterprise connection using EAP vendor test (OOM)"""
3316 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3317 hostapd
.add_ap(apdev
[0], params
)
3319 tests
= ["eap_vendor_test_init",
3320 "eap_msg_alloc;eap_vendor_test_process",
3321 "eap_vendor_test_getKey"]
3323 with
alloc_fail(dev
[0], 1, func
):
3324 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
3326 eap
="VENDOR-TEST", identity
="vendor-test",
3328 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
3329 dev
[0].request("REMOVE_NETWORK all")
3330 dev
[0].wait_disconnected()
3332 def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev
, apdev
):
3333 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
3334 check_eap_capa(dev
[0], "FAST")
3335 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3336 hapd
= hostapd
.add_ap(apdev
[0], params
)
3337 eap_connect(dev
[0], hapd
, "FAST", "user",
3338 anonymous_identity
="FAST", password
="password",
3339 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3340 phase1
="fast_provisioning=1", pac_file
="blob://fast_pac")
3341 hwsim_utils
.test_connectivity(dev
[0], hapd
)
3342 res
= eap_reauth(dev
[0], "FAST")
3343 if res
['tls_session_reused'] != '1':
3344 raise Exception("EAP-FAST could not use PAC session ticket")
3346 def test_ap_wpa2_eap_fast_pac_file(dev
, apdev
, params
):
3347 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
3348 check_eap_capa(dev
[0], "FAST")
3349 pac_file
= os
.path
.join(params
['logdir'], "fast.pac")
3350 pac_file2
= os
.path
.join(params
['logdir'], "fast-bin.pac")
3351 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3352 hapd
= hostapd
.add_ap(apdev
[0], params
)
3355 eap_connect(dev
[0], hapd
, "FAST", "user",
3356 anonymous_identity
="FAST", password
="password",
3357 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3358 phase1
="fast_provisioning=1", pac_file
=pac_file
)
3359 with
open(pac_file
, "r") as f
:
3361 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data
:
3362 raise Exception("PAC file header missing")
3363 if "PAC-Key=" not in data
:
3364 raise Exception("PAC-Key missing from PAC file")
3365 dev
[0].request("REMOVE_NETWORK all")
3366 eap_connect(dev
[0], hapd
, "FAST", "user",
3367 anonymous_identity
="FAST", password
="password",
3368 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3371 eap_connect(dev
[1], hapd
, "FAST", "user",
3372 anonymous_identity
="FAST", password
="password",
3373 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3374 phase1
="fast_provisioning=1 fast_pac_format=binary",
3376 dev
[1].request("REMOVE_NETWORK all")
3377 eap_connect(dev
[1], hapd
, "FAST", "user",
3378 anonymous_identity
="FAST", password
="password",
3379 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3380 phase1
="fast_pac_format=binary",
3388 os
.remove(pac_file2
)
3392 def test_ap_wpa2_eap_fast_binary_pac(dev
, apdev
):
3393 """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
3394 check_eap_capa(dev
[0], "FAST")
3395 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3396 hapd
= hostapd
.add_ap(apdev
[0], params
)
3397 eap_connect(dev
[0], hapd
, "FAST", "user",
3398 anonymous_identity
="FAST", password
="password",
3399 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3400 phase1
="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
3401 pac_file
="blob://fast_pac_bin")
3402 res
= eap_reauth(dev
[0], "FAST")
3403 if res
['tls_session_reused'] != '1':
3404 raise Exception("EAP-FAST could not use PAC session ticket")
3406 # Verify fast_max_pac_list_len=0 special case
3407 dev
[0].request("REMOVE_NETWORK all")
3408 dev
[0].wait_disconnected()
3409 eap_connect(dev
[0], hapd
, "FAST", "user",
3410 anonymous_identity
="FAST", password
="password",
3411 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3412 phase1
="fast_provisioning=1 fast_max_pac_list_len=0 fast_pac_format=binary",
3413 pac_file
="blob://fast_pac_bin")
3415 def test_ap_wpa2_eap_fast_missing_pac_config(dev
, apdev
):
3416 """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
3417 check_eap_capa(dev
[0], "FAST")
3418 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3419 hostapd
.add_ap(apdev
[0], params
)
3421 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3422 identity
="user", anonymous_identity
="FAST",
3423 password
="password",
3424 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3425 pac_file
="blob://fast_pac_not_in_use",
3426 wait_connect
=False, scan_freq
="2412")
3427 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3429 raise Exception("Timeout on EAP failure report")
3430 dev
[0].request("REMOVE_NETWORK all")
3432 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3433 identity
="user", anonymous_identity
="FAST",
3434 password
="password",
3435 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3436 wait_connect
=False, scan_freq
="2412")
3437 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3439 raise Exception("Timeout on EAP failure report")
3441 def test_ap_wpa2_eap_fast_binary_pac_errors(dev
, apdev
):
3442 """EAP-FAST and binary PAC errors"""
3443 check_eap_capa(dev
[0], "FAST")
3444 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3445 hapd
= hostapd
.add_ap(apdev
[0], params
)
3447 tests
= [(1, "=eap_fast_save_pac_bin"),
3448 (1, "eap_fast_write_pac"),
3449 (2, "eap_fast_write_pac"),]
3450 for count
, func
in tests
:
3451 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors "):
3452 raise Exception("Could not set blob")
3454 with
alloc_fail(dev
[0], count
, func
):
3455 eap_connect(dev
[0], hapd
, "FAST", "user",
3456 anonymous_identity
="FAST", password
="password",
3457 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3458 phase1
="fast_provisioning=1 fast_pac_format=binary",
3459 pac_file
="blob://fast_pac_bin_errors")
3460 dev
[0].request("REMOVE_NETWORK all")
3461 dev
[0].wait_disconnected()
3463 tests
= ["00", "000000000000", "6ae4920c0001",
3465 "6ae4920c0000" + "0000" + 32*"00" + "ffff" + "0000",
3466 "6ae4920c0000" + "0000" + 32*"00" + "0001" + "0000",
3467 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0001",
3468 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0008" + "00040000" + "0007000100"]
3470 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + t
):
3471 raise Exception("Could not set blob")
3473 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3474 identity
="user", anonymous_identity
="FAST",
3475 password
="password",
3476 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3477 phase1
="fast_provisioning=1 fast_pac_format=binary",
3478 pac_file
="blob://fast_pac_bin_errors",
3479 scan_freq
="2412", wait_connect
=False)
3480 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"],
3483 raise Exception("Failure not reported")
3484 dev
[0].request("REMOVE_NETWORK all")
3485 dev
[0].wait_disconnected()
3487 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0000"
3488 tests
= [(1, "eap_fast_load_pac_bin"),
3489 (2, "eap_fast_load_pac_bin"),
3490 (3, "eap_fast_load_pac_bin")]
3491 for count
, func
in tests
:
3492 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3493 raise Exception("Could not set blob")
3495 with
alloc_fail(dev
[0], count
, func
):
3496 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3497 identity
="user", anonymous_identity
="FAST",
3498 password
="password",
3499 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3500 phase1
="fast_provisioning=1 fast_pac_format=binary",
3501 pac_file
="blob://fast_pac_bin_errors",
3502 scan_freq
="2412", wait_connect
=False)
3503 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"],
3506 raise Exception("Failure not reported")
3507 dev
[0].request("REMOVE_NETWORK all")
3508 dev
[0].wait_disconnected()
3510 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0005" + "0011223344"
3511 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3512 raise Exception("Could not set blob")
3514 eap_connect(dev
[0], hapd
, "FAST", "user",
3515 anonymous_identity
="FAST", password
="password",
3516 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3517 phase1
="fast_provisioning=1 fast_pac_format=binary",
3518 pac_file
="blob://fast_pac_bin_errors")
3519 dev
[0].request("REMOVE_NETWORK all")
3520 dev
[0].wait_disconnected()
3522 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0009" + "00040000" + "0007000100"
3523 tests
= [(1, "eap_fast_pac_get_a_id"),
3524 (2, "eap_fast_pac_get_a_id")]
3525 for count
, func
in tests
:
3526 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3527 raise Exception("Could not set blob")
3528 with
alloc_fail(dev
[0], count
, func
):
3529 eap_connect(dev
[0], hapd
, "FAST", "user",
3530 anonymous_identity
="FAST", password
="password",
3531 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3532 phase1
="fast_provisioning=1 fast_pac_format=binary",
3533 pac_file
="blob://fast_pac_bin_errors")
3534 dev
[0].request("REMOVE_NETWORK all")
3535 dev
[0].wait_disconnected()
3537 def test_ap_wpa2_eap_fast_text_pac_errors(dev
, apdev
):
3538 """EAP-FAST and text PAC errors"""
3539 check_eap_capa(dev
[0], "FAST")
3540 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3541 hostapd
.add_ap(apdev
[0], params
)
3543 tests
= [(1, "eap_fast_parse_hex;eap_fast_parse_pac_key"),
3544 (1, "eap_fast_parse_hex;eap_fast_parse_pac_opaque"),
3545 (1, "eap_fast_parse_hex;eap_fast_parse_a_id"),
3546 (1, "eap_fast_parse_start"),
3547 (1, "eap_fast_save_pac")]
3548 for count
, func
in tests
:
3549 dev
[0].request("FLUSH")
3550 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors "):
3551 raise Exception("Could not set blob")
3553 with
alloc_fail(dev
[0], count
, func
):
3554 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3555 identity
="user", anonymous_identity
="FAST",
3556 password
="password",
3557 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3558 phase1
="fast_provisioning=1",
3559 pac_file
="blob://fast_pac_text_errors",
3560 scan_freq
="2412", wait_connect
=False)
3561 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
3562 dev
[0].request("REMOVE_NETWORK all")
3563 dev
[0].wait_disconnected()
3565 pac
= "wpa_supplicant EAP-FAST PAC file - version 1\n"
3569 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors " + binascii
.hexlify(pac
.encode()).decode()):
3570 raise Exception("Could not set blob")
3572 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3573 identity
="user", anonymous_identity
="FAST",
3574 password
="password",
3575 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3576 phase1
="fast_provisioning=1",
3577 pac_file
="blob://fast_pac_text_errors",
3578 scan_freq
="2412", wait_connect
=False)
3579 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"], timeout
=5)
3581 raise Exception("Failure not reported")
3582 dev
[0].request("REMOVE_NETWORK all")
3583 dev
[0].wait_disconnected()
3585 dev
[0].request("FLUSH")
3586 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors "):
3587 raise Exception("Could not set blob")
3589 with
alloc_fail(dev
[0], 1, "eap_fast_add_pac_data"):
3591 params
= int_eap_server_params()
3592 params
['ssid'] = "test-wpa2-eap-2"
3593 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3594 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3595 params
['eap_fast_a_id_info'] = "test server %d" % i
3597 hapd2
= hostapd
.add_ap(apdev
[1], params
)
3599 dev
[0].connect("test-wpa2-eap-2", key_mgmt
="WPA-EAP", eap
="FAST",
3600 identity
="user", anonymous_identity
="FAST",
3601 password
="password",
3602 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3603 phase1
="fast_provisioning=1",
3604 pac_file
="blob://fast_pac_text_errors",
3605 scan_freq
="2412", wait_connect
=False)
3606 dev
[0].wait_connected()
3607 dev
[0].request("REMOVE_NETWORK all")
3608 dev
[0].wait_disconnected()
3612 def test_ap_wpa2_eap_fast_pac_truncate(dev
, apdev
):
3613 """EAP-FAST and PAC list truncation"""
3614 check_eap_capa(dev
[0], "FAST")
3615 if "OK" not in dev
[0].request("SET blob fast_pac_truncate "):
3616 raise Exception("Could not set blob")
3618 params
= int_eap_server_params()
3619 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3620 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3621 params
['eap_fast_a_id_info'] = "test server %d" % i
3622 hapd
= hostapd
.add_ap(apdev
[0], params
)
3624 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3625 identity
="user", anonymous_identity
="FAST",
3626 password
="password",
3627 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3628 phase1
="fast_provisioning=1 fast_max_pac_list_len=2",
3629 pac_file
="blob://fast_pac_truncate",
3630 scan_freq
="2412", wait_connect
=False)
3631 dev
[0].wait_connected()
3632 dev
[0].request("REMOVE_NETWORK all")
3633 dev
[0].wait_disconnected()
3637 def test_ap_wpa2_eap_fast_pac_refresh(dev
, apdev
):
3638 """EAP-FAST and PAC refresh"""
3639 check_eap_capa(dev
[0], "FAST")
3640 if "OK" not in dev
[0].request("SET blob fast_pac_refresh "):
3641 raise Exception("Could not set blob")
3643 params
= int_eap_server_params()
3644 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3645 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3646 params
['eap_fast_a_id_info'] = "test server %d" % i
3647 params
['pac_key_refresh_time'] = "1"
3648 params
['pac_key_lifetime'] = "10"
3649 hapd
= hostapd
.add_ap(apdev
[0], params
)
3651 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3652 identity
="user", anonymous_identity
="FAST",
3653 password
="password",
3654 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3655 phase1
="fast_provisioning=1",
3656 pac_file
="blob://fast_pac_refresh",
3657 scan_freq
="2412", wait_connect
=False)
3658 dev
[0].wait_connected()
3659 dev
[0].request("REMOVE_NETWORK all")
3660 dev
[0].wait_disconnected()
3665 params
= int_eap_server_params()
3666 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3667 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3668 params
['eap_fast_a_id_info'] = "test server %d" % i
3669 params
['pac_key_refresh_time'] = "10"
3670 params
['pac_key_lifetime'] = "10"
3671 hapd
= hostapd
.add_ap(apdev
[0], params
)
3673 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3674 identity
="user", anonymous_identity
="FAST",
3675 password
="password",
3676 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3677 phase1
="fast_provisioning=1",
3678 pac_file
="blob://fast_pac_refresh",
3679 scan_freq
="2412", wait_connect
=False)
3680 dev
[0].wait_connected()
3681 dev
[0].request("REMOVE_NETWORK all")
3682 dev
[0].wait_disconnected()
3686 def test_ap_wpa2_eap_fast_pac_lifetime(dev
, apdev
):
3687 """EAP-FAST and PAC lifetime"""
3688 check_eap_capa(dev
[0], "FAST")
3689 if "OK" not in dev
[0].request("SET blob fast_pac_refresh "):
3690 raise Exception("Could not set blob")
3693 params
= int_eap_server_params()
3694 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3695 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3696 params
['eap_fast_a_id_info'] = "test server %d" % i
3697 params
['pac_key_refresh_time'] = "0"
3698 params
['pac_key_lifetime'] = "2"
3699 hapd
= hostapd
.add_ap(apdev
[0], params
)
3701 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3702 identity
="user", anonymous_identity
="FAST",
3703 password
="password",
3704 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3705 phase1
="fast_provisioning=2",
3706 pac_file
="blob://fast_pac_refresh",
3707 scan_freq
="2412", wait_connect
=False)
3708 dev
[0].wait_connected()
3709 dev
[0].request("DISCONNECT")
3710 dev
[0].wait_disconnected()
3713 dev
[0].request("PMKSA_FLUSH")
3714 dev
[0].request("RECONNECT")
3715 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
3717 raise Exception("No EAP-Failure seen after expired PAC")
3718 dev
[0].request("DISCONNECT")
3719 dev
[0].wait_disconnected()
3721 dev
[0].select_network(id)
3722 dev
[0].wait_connected()
3723 dev
[0].request("REMOVE_NETWORK all")
3724 dev
[0].wait_disconnected()
3726 def test_ap_wpa2_eap_fast_gtc_auth_prov(dev
, apdev
):
3727 """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
3728 check_eap_capa(dev
[0], "FAST")
3729 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3730 hapd
= hostapd
.add_ap(apdev
[0], params
)
3731 eap_connect(dev
[0], hapd
, "FAST", "user",
3732 anonymous_identity
="FAST", password
="password",
3733 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3734 phase1
="fast_provisioning=2", pac_file
="blob://fast_pac_auth")
3735 hwsim_utils
.test_connectivity(dev
[0], hapd
)
3736 res
= eap_reauth(dev
[0], "FAST")
3737 if res
['tls_session_reused'] != '1':
3738 raise Exception("EAP-FAST could not use PAC session ticket")
3740 def test_ap_wpa2_eap_fast_gtc_identity_change(dev
, apdev
):
3741 """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
3742 check_eap_capa(dev
[0], "FAST")
3743 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3744 hapd
= hostapd
.add_ap(apdev
[0], params
)
3745 id = eap_connect(dev
[0], hapd
, "FAST", "user",
3746 anonymous_identity
="FAST", password
="password",
3747 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3748 phase1
="fast_provisioning=2",
3749 pac_file
="blob://fast_pac_auth")
3750 dev
[0].set_network_quoted(id, "identity", "user2")
3751 dev
[0].wait_disconnected()
3752 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
3754 raise Exception("EAP-FAST not started")
3755 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
3757 raise Exception("EAP failure not reported")
3758 dev
[0].wait_disconnected()
3760 def test_ap_wpa2_eap_fast_prf_oom(dev
, apdev
):
3761 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
3762 check_eap_capa(dev
[0], "FAST")
3763 tls
= dev
[0].request("GET tls_library")
3764 if tls
.startswith("OpenSSL"):
3765 func
= "tls_connection_get_eap_fast_key"
3767 elif tls
.startswith("internal"):
3768 func
= "tls_connection_prf"
3771 raise HwsimSkip("Unsupported TLS library")
3772 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3773 hapd
= hostapd
.add_ap(apdev
[0], params
)
3774 with
alloc_fail(dev
[0], count
, func
):
3775 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3776 identity
="user", anonymous_identity
="FAST",
3777 password
="password", ca_cert
="auth_serv/ca.pem",
3779 phase1
="fast_provisioning=2",
3780 pac_file
="blob://fast_pac_auth",
3781 wait_connect
=False, scan_freq
="2412")
3782 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
3784 raise Exception("EAP failure not reported")
3785 dev
[0].request("DISCONNECT")
3787 def test_ap_wpa2_eap_fast_server_oom(dev
, apdev
):
3788 """EAP-FAST/MSCHAPv2 and server OOM"""
3789 check_eap_capa(dev
[0], "FAST")
3791 params
= int_eap_server_params()
3792 params
['dh_file'] = 'auth_serv/dh.conf'
3793 params
['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
3794 params
['eap_fast_a_id'] = '1011'
3795 params
['eap_fast_a_id_info'] = 'another test server'
3796 hapd
= hostapd
.add_ap(apdev
[0], params
)
3798 with
alloc_fail(hapd
, 1, "tls_session_ticket_ext_cb"):
3799 id = eap_connect(dev
[0], hapd
, "FAST", "user",
3800 anonymous_identity
="FAST", password
="password",
3801 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3802 phase1
="fast_provisioning=1",
3803 pac_file
="blob://fast_pac",
3804 expect_failure
=True)
3805 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
3807 raise Exception("No EAP failure reported")
3808 dev
[0].wait_disconnected()
3809 dev
[0].request("DISCONNECT")
3811 dev
[0].select_network(id, freq
="2412")
3813 def test_ap_wpa2_eap_fast_cipher_suites(dev
, apdev
):
3814 """EAP-FAST and different TLS cipher suites"""
3815 check_eap_capa(dev
[0], "FAST")
3816 tls
= dev
[0].request("GET tls_library")
3817 if not tls
.startswith("OpenSSL") and not tls
.startswith("wolfSSL"):
3818 raise HwsimSkip("TLS library is not OpenSSL or wolfSSL: " + tls
)
3820 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3821 hapd
= hostapd
.add_ap(apdev
[0], params
)
3823 dev
[0].request("SET blob fast_pac_ciphers ")
3824 eap_connect(dev
[0], hapd
, "FAST", "user",
3825 anonymous_identity
="FAST", password
="password",
3826 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3827 phase1
="fast_provisioning=2",
3828 pac_file
="blob://fast_pac_ciphers")
3829 res
= dev
[0].get_status_field('EAP TLS cipher')
3830 dev
[0].request("REMOVE_NETWORK all")
3831 dev
[0].wait_disconnected()
3832 if res
!= "DHE-RSA-AES256-SHA":
3833 raise Exception("Unexpected cipher suite for provisioning: " + res
)
3835 tests
= ["DHE-RSA-AES128-SHA",
3839 "DHE-RSA-AES256-SHA"]
3840 for cipher
in tests
:
3841 dev
[0].dump_monitor()
3842 logger
.info("Testing " + cipher
)
3844 eap_connect(dev
[0], hapd
, "FAST", "user",
3845 openssl_ciphers
=cipher
,
3846 anonymous_identity
="FAST", password
="password",
3847 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3848 pac_file
="blob://fast_pac_ciphers",
3849 report_failure
=True)
3850 except Exception as e
:
3851 if cipher
== "RC4-SHA" and \
3852 ("Could not select EAP method" in str(e
) or \
3853 "EAP failed" in str(e
)):
3854 if "run=OpenSSL 1.1" in tls
:
3855 logger
.info("Allow failure due to missing TLS library support")
3856 dev
[0].request("REMOVE_NETWORK all")
3857 dev
[0].wait_disconnected()
3860 res
= dev
[0].get_status_field('EAP TLS cipher')
3861 dev
[0].request("REMOVE_NETWORK all")
3862 dev
[0].wait_disconnected()
3864 raise Exception("Unexpected TLS cipher info (configured %s): %s" % (cipher
, res
))
3866 def test_ap_wpa2_eap_fast_prov(dev
, apdev
):
3867 """EAP-FAST and provisioning options"""
3868 check_eap_capa(dev
[0], "FAST")
3869 if "OK" not in dev
[0].request("SET blob fast_pac_prov "):
3870 raise Exception("Could not set blob")
3873 params
= int_eap_server_params()
3874 params
['disable_pmksa_caching'] = '1'
3875 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3876 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3877 params
['eap_fast_a_id_info'] = "test server %d" % i
3878 params
['eap_fast_prov'] = "0"
3879 hapd
= hostapd
.add_ap(apdev
[0], params
)
3881 logger
.info("Provisioning attempt while server has provisioning disabled")
3882 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3883 identity
="user", anonymous_identity
="FAST",
3884 password
="password",
3885 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3886 phase1
="fast_provisioning=2",
3887 pac_file
="blob://fast_pac_prov",
3888 scan_freq
="2412", wait_connect
=False)
3889 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3892 raise Exception("EAP result not reported")
3893 if "parameter='failure'" not in ev
:
3894 raise Exception("Unexpected EAP result: " + ev
)
3895 dev
[0].wait_disconnected()
3896 dev
[0].request("DISCONNECT")
3897 dev
[0].dump_monitor()
3900 logger
.info("Authenticated provisioning")
3901 hapd
.set("eap_fast_prov", "2")
3904 dev
[0].select_network(id, freq
="2412")
3905 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3908 raise Exception("EAP result not reported")
3909 if "parameter='success'" not in ev
:
3910 raise Exception("Unexpected EAP result: " + ev
)
3911 dev
[0].wait_connected()
3912 dev
[0].request("DISCONNECT")
3913 dev
[0].wait_disconnected()
3914 dev
[0].dump_monitor()
3917 logger
.info("Provisioning disabled - using previously provisioned PAC")
3918 hapd
.set("eap_fast_prov", "0")
3921 dev
[0].select_network(id, freq
="2412")
3922 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3925 raise Exception("EAP result not reported")
3926 if "parameter='success'" not in ev
:
3927 raise Exception("Unexpected EAP result: " + ev
)
3928 dev
[0].wait_connected()
3929 dev
[0].request("DISCONNECT")
3930 dev
[0].wait_disconnected()
3931 dev
[0].dump_monitor()
3933 logger
.info("Drop PAC and verify connection failure")
3934 if "OK" not in dev
[0].request("SET blob fast_pac_prov "):
3935 raise Exception("Could not set blob")
3937 dev
[0].select_network(id, freq
="2412")
3938 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3941 raise Exception("EAP result not reported")
3942 if "parameter='failure'" not in ev
:
3943 raise Exception("Unexpected EAP result: " + ev
)
3944 dev
[0].wait_disconnected()
3945 dev
[0].request("DISCONNECT")
3946 dev
[0].dump_monitor()
3949 logger
.info("Anonymous provisioning")
3950 hapd
.set("eap_fast_prov", "1")
3952 dev
[0].set_network_quoted(id, "phase1", "fast_provisioning=1")
3953 dev
[0].select_network(id, freq
="2412")
3954 # Anonymous provisioning results in EAP-Failure first
3955 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3958 raise Exception("EAP result not reported")
3959 if "parameter='failure'" not in ev
:
3960 raise Exception("Unexpected EAP result: " + ev
)
3961 dev
[0].wait_disconnected()
3962 # And then the actual data connection
3963 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3966 raise Exception("EAP result not reported")
3967 if "parameter='success'" not in ev
:
3968 raise Exception("Unexpected EAP result: " + ev
)
3969 dev
[0].wait_connected()
3970 dev
[0].request("DISCONNECT")
3971 dev
[0].wait_disconnected()
3972 dev
[0].dump_monitor()
3975 logger
.info("Provisioning disabled - using previously provisioned PAC")
3976 hapd
.set("eap_fast_prov", "0")
3979 dev
[0].select_network(id, freq
="2412")
3980 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3983 raise Exception("EAP result not reported")
3984 if "parameter='success'" not in ev
:
3985 raise Exception("Unexpected EAP result: " + ev
)
3986 dev
[0].wait_connected()
3987 dev
[0].request("DISCONNECT")
3988 dev
[0].wait_disconnected()
3989 dev
[0].dump_monitor()
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # ocsp=2: the station requires a valid stapled OCSP response from the
    # server; the client credential is a PKCS#12 bundle.
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever", ocsp=2)
def test_ap_wpa2_eap_tls_ocsp_multi(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP-multi"""
    check_ocsp_multi_support(dev[0])
    check_pkcs12_support(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same station configuration as test_ap_wpa2_eap_tls_ocsp; only the
    # capability check differs (ocsp_multi support in the build).
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever", ocsp=2)
def int_eap_server_params():
    """Return hostapd parameters for a WPA2-Enterprise AP using the integrated EAP server.

    The AP is WPA2/CCMP with IEEE 802.1X, authenticates users from
    auth_serv/eap_user.conf and presents the auth_serv CA/server
    certificate, private key and DH parameters.  A fresh dict is returned
    on every call so callers may modify it freely.
    """
    return dict(ssid="test-wpa2-eap",
                wpa="2",
                wpa_key_mgmt="WPA-EAP",
                rsn_pairwise="CCMP",
                ieee8021x="1",
                eap_server="1",
                eap_user_file="auth_serv/eap_user.conf",
                ca_cert="auth_serv/ca.pem",
                server_cert="auth_serv/server.pem",
                private_key="auth_serv/server.key",
                dh_file="auth_serv/dh.conf")
def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
    """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    # The stapled response is produced outside this test and dropped into
    # the log directory; skip (rather than fail) when it is not there.
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-key-id.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    # ocsp=2: the station requires a valid stapled OCSP response.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   scan_freq="2412")
def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (good)"""
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
    if not os.path.exists(ocsp):
        # Response file is generated outside this test; skip when absent.
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    # A "good" status in a CA-signed response must let the connection
    # complete with ocsp=2 (stapled response required).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   scan_freq="2412")
4054 def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev
, apdev
, params
):
4055 """EAP-TLS and CA signed OCSP response (revoked)"""
4056 check_ocsp_support(dev
[0])
4057 check_pkcs12_support(dev
[0])
4058 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-revoked.der")
4059 if not os
.path
.exists(ocsp
):
4060 raise HwsimSkip("No OCSP response available")
4061 params
= int_eap_server_params()
4062 params
["ocsp_stapling_response"] = ocsp
4063 hostapd
.add_ap(apdev
[0], params
)
4064 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4065 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4066 private_key
="auth_serv/user.pkcs12",
4067 private_key_passwd
="whatever", ocsp
=2,
4068 wait_connect
=False, scan_freq
="2412")
4071 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4073 raise Exception("Timeout on EAP status")
4074 if 'bad certificate status response' in ev
:
4076 if 'certificate revoked' in ev
:
4080 raise Exception("Unexpected number of EAP status messages")
4082 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4084 raise Exception("Timeout on EAP failure report")
4086 def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev
, apdev
, params
):
4087 """EAP-TLS and CA signed OCSP response (unknown)"""
4088 check_ocsp_support(dev
[0])
4089 check_pkcs12_support(dev
[0])
4090 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-unknown.der")
4091 if not os
.path
.exists(ocsp
):
4092 raise HwsimSkip("No OCSP response available")
4093 params
= int_eap_server_params()
4094 params
["ocsp_stapling_response"] = ocsp
4095 hostapd
.add_ap(apdev
[0], params
)
4096 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4097 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4098 private_key
="auth_serv/user.pkcs12",
4099 private_key_passwd
="whatever", ocsp
=2,
4100 wait_connect
=False, scan_freq
="2412")
4103 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4105 raise Exception("Timeout on EAP status")
4106 if 'bad certificate status response' in ev
:
4110 raise Exception("Unexpected number of EAP status messages")
4112 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4114 raise Exception("Timeout on EAP failure report")
4116 def test_ap_wpa2_eap_tls_ocsp_server_signed(dev
, apdev
, params
):
4117 """EAP-TLS and server signed OCSP response"""
4118 check_ocsp_support(dev
[0])
4119 check_pkcs12_support(dev
[0])
4120 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-server-signed.der")
4121 if not os
.path
.exists(ocsp
):
4122 raise HwsimSkip("No OCSP response available")
4123 params
= int_eap_server_params()
4124 params
["ocsp_stapling_response"] = ocsp
4125 hostapd
.add_ap(apdev
[0], params
)
4126 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4127 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4128 private_key
="auth_serv/user.pkcs12",
4129 private_key_passwd
="whatever", ocsp
=2,
4130 wait_connect
=False, scan_freq
="2412")
4133 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4135 raise Exception("Timeout on EAP status")
4136 if 'bad certificate status response' in ev
:
4140 raise Exception("Unexpected number of EAP status messages")
4142 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4144 raise Exception("Timeout on EAP failure report")
4146 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev
, apdev
):
4147 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
4148 check_ocsp_support(dev
[0])
4149 check_pkcs12_support(dev
[0])
4150 params
= int_eap_server_params()
4151 params
["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
4152 hostapd
.add_ap(apdev
[0], params
)
4153 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4154 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4155 private_key
="auth_serv/user.pkcs12",
4156 private_key_passwd
="whatever", ocsp
=2,
4157 wait_connect
=False, scan_freq
="2412")
4160 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4162 raise Exception("Timeout on EAP status")
4163 if 'bad certificate status response' in ev
:
4167 raise Exception("Unexpected number of EAP status messages")
4169 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4171 raise Exception("Timeout on EAP failure report")
4173 def test_ap_wpa2_eap_tls_ocsp_invalid(dev
, apdev
):
4174 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
4175 check_ocsp_support(dev
[0])
4176 check_pkcs12_support(dev
[0])
4177 params
= int_eap_server_params()
4178 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
4179 hostapd
.add_ap(apdev
[0], params
)
4180 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4181 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4182 private_key
="auth_serv/user.pkcs12",
4183 private_key_passwd
="whatever", ocsp
=2,
4184 wait_connect
=False, scan_freq
="2412")
4187 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4189 raise Exception("Timeout on EAP status")
4190 if 'bad certificate status response' in ev
:
4194 raise Exception("Unexpected number of EAP status messages")
4196 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4198 raise Exception("Timeout on EAP failure report")
4200 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev
, apdev
):
4201 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
4202 check_ocsp_support(dev
[0])
4203 check_pkcs12_support(dev
[0])
4204 params
= int_eap_server_params()
4205 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
4206 hostapd
.add_ap(apdev
[0], params
)
4207 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4208 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4209 private_key
="auth_serv/user.pkcs12",
4210 private_key_passwd
="whatever", ocsp
=2,
4211 wait_connect
=False, scan_freq
="2412")
4214 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4216 raise Exception("Timeout on EAP status")
4217 if 'bad certificate status response' in ev
:
4221 raise Exception("Unexpected number of EAP status messages")
4223 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4225 raise Exception("Timeout on EAP failure report")
4227 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev
, apdev
, params
):
4228 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
4229 check_ocsp_support(dev
[0])
4230 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-revoked.der")
4231 if not os
.path
.exists(ocsp
):
4232 raise HwsimSkip("No OCSP response available")
4233 params
= int_eap_server_params()
4234 params
["ocsp_stapling_response"] = ocsp
4235 hostapd
.add_ap(apdev
[0], params
)
4236 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4237 identity
="pap user", ca_cert
="auth_serv/ca.pem",
4238 anonymous_identity
="ttls", password
="password",
4239 phase2
="auth=PAP", ocsp
=2,
4240 wait_connect
=False, scan_freq
="2412")
4243 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4245 raise Exception("Timeout on EAP status")
4246 if 'bad certificate status response' in ev
:
4248 if 'certificate revoked' in ev
:
4252 raise Exception("Unexpected number of EAP status messages")
4254 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4256 raise Exception("Timeout on EAP failure report")
4258 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev
, apdev
, params
):
4259 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
4260 check_ocsp_support(dev
[0])
4261 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-unknown.der")
4262 if not os
.path
.exists(ocsp
):
4263 raise HwsimSkip("No OCSP response available")
4264 params
= int_eap_server_params()
4265 params
["ocsp_stapling_response"] = ocsp
4266 hostapd
.add_ap(apdev
[0], params
)
4267 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4268 identity
="pap user", ca_cert
="auth_serv/ca.pem",
4269 anonymous_identity
="ttls", password
="password",
4270 phase2
="auth=PAP", ocsp
=2,
4271 wait_connect
=False, scan_freq
="2412")
4274 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4276 raise Exception("Timeout on EAP status")
4277 if 'bad certificate status response' in ev
:
4281 raise Exception("Unexpected number of EAP status messages")
4283 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4285 raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown"""
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    # ocsp=1 only *tries* OCSP stapling, so an "unknown" certificate status
    # is not fatal here and the connection is expected to complete (the
    # sibling test with ocsp=2 expects a failure for the same response).
    sta_conf = dict(key_mgmt="WPA-EAP", eap="TTLS",
                    identity="pap user", ca_cert="auth_serv/ca.pem",
                    anonymous_identity="ttls", password="password",
                    phase2="auth=PAP", ocsp=1, scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sta_conf)
def test_ap_wpa2_eap_tls_intermediate_ca(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA"""
    ap_params = int_eap_server_params()
    # Server side: certificate issued by the intermediate server CA; the
    # trust bundle holds the intermediate and the root.
    ap_params.update({
        "ca_cert": "auth_serv/iCA-server/ca-and-root.pem",
        "server_cert": "auth_serv/iCA-server/server.pem",
        "private_key": "auth_serv/iCA-server/server.key",
    })
    hostapd.add_ap(apdev[0], ap_params)
    # Station side: the trust bundle is the same for every TLS library, but
    # with GnuTLS and wolfSSL the client certificate file also carries the
    # intermediate user CA (user_and_ica.pem); other libraries get the bare
    # user certificate.
    ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
    tls = dev[0].request("GET tls_library")
    bundled_chain = "GnuTLS" in tls or "wolfSSL" in tls
    client_cert = ("auth_serv/iCA-user/user_and_ica.pem" if bundled_chain
                   else "auth_serv/iCA-user/user.pem")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert=ca_cert,
                   client_cert=client_cert,
                   private_key="auth_serv/iCA-user/user.key",
                   scan_freq="2412")
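def _ocsp_temp_file():
    """Create an empty temporary file and return its path.

    tempfile.mkstemp() creates the file with restrictive permissions; the
    descriptor it returns is closed right away because openssl is given the
    path, not the descriptor.
    """
    fd, fn = tempfile.mkstemp()
    os.close(fd)
    return fn


def _run_openssl_ocsp(arg, what):
    """Run one ``openssl ocsp`` invocation and return its combined output.

    ``arg`` is the complete argv list (no shell is involved, so file names
    are passed through verbatim); ``what`` names the step ("request" or
    "response") for the log line.

    Raises Exception, with the captured stdout and stderr attached, when
    openssl exits with a non-zero status.
    """
    logger.info(' '.join(arg))
    cmd = subprocess.run(arg, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    res = cmd.stdout.decode() + "\n" + cmd.stderr.decode()
    if cmd.returncode != 0:
        raise Exception("bad return code from openssl ocsp\n\n" + res)
    logger.info("OCSP %s:\n%s" % (what, res))
    return res


def _generate_ocsp_response(ca, cert, md, index, rkey):
    """Generate a signed OCSP response for ``cert`` and return its file path.

    Two ``openssl ocsp`` invocations are used: the first writes an OCSP
    request for ``cert`` (issued by ``ca``, CertID digest ``md``) into a
    temporary file; the second answers that request from the CA database
    ``index``, signs it with ``rkey`` and writes the DER response into a
    second temporary file.

    The request file is always removed.  The response file is removed only
    when generation fails; on success the caller owns it and is expected to
    unlink it when done (the hostapd config only needs the path).

    Raises Exception if either openssl invocation fails.
    """
    req_fn = _ocsp_temp_file()
    try:
        _run_openssl_ocsp(["openssl", "ocsp", "-reqout", req_fn,
                           "-issuer", ca, md,
                           "-cert", cert, "-no_nonce", "-text"],
                          "request")
        resp_fn = _ocsp_temp_file()
        try:
            _run_openssl_ocsp(["openssl", "ocsp", "-index", index,
                               "-rsigner", ca, "-rkey", rkey,
                               "-CA", ca, "-issuer", ca,
                               "-verify_other", ca, "-trust_other",
                               "-ndays", "7", "-reqin", req_fn,
                               "-resp_no_certs", "-respout", resp_fn,
                               "-text"],
                              "response")
        except Exception:
            # Do not leave a half-written response behind on failure.
            os.unlink(resp_fn)
            raise
    finally:
        os.unlink(req_fn)
    return resp_fn


def root_ocsp(cert):
    """Return the path of a root-CA signed OCSP response for ``cert``.

    ``cert`` is a path to the certificate to be checked; it is expected to
    have been issued by auth_serv/ca.pem.  The caller owns the returned
    file and should unlink it when done.

    Raises Exception if openssl fails.
    """
    ca = "auth_serv/ca.pem"
    return _generate_ocsp_response(ca, cert, "-sha256",
                                   "auth_serv/rootCA/index.txt",
                                   "auth_serv/ca-key.pem")


def ica_ocsp(cert, md="-sha256"):
    """Return the path of an intermediate-CA signed OCSP response.

    ``cert`` is a file name relative to auth_serv/iCA-server/ (for example
    "server.pem"); ``md`` is the openssl digest option used for the
    request's CertID ("-sha256" by default, "-sha1" in the SHA1 tests).
    The caller owns the returned file and should unlink it when done.

    Raises Exception if openssl fails.
    """
    prefix = "auth_serv/iCA-server/"
    ca = prefix + "cacert.pem"
    return _generate_ocsp_response(ca, prefix + cert, md,
                                   prefix + "index.txt",
                                   prefix + "private/cakey.pem")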
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on server certificate"""
    # SHA-256 digest for the OCSP request; the _sha1 variant covers SHA-1.
    md = "-sha256"
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, md)
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_sha1(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on server certificate (SHA1)"""
    # Same flow as the SHA-256 variant, but the OCSP request's CertID uses
    # SHA-1.
    md = "-sha1"
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, md)
4407 def run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev
, apdev
, params
, md
):
4408 params
= int_eap_server_params()
4409 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4410 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4411 params
["private_key"] = "auth_serv/iCA-server/server.key"
4412 fn
= ica_ocsp("server.pem", md
)
4413 params
["ocsp_stapling_response"] = fn
4415 hostapd
.add_ap(apdev
[0], params
)
4416 tls
= dev
[0].request("GET tls_library")
4417 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4418 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4419 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4421 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4422 client_cert
= "auth_serv/iCA-user/user.pem"
4423 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4424 identity
="tls user",
4426 client_cert
=client_cert
,
4427 private_key
="auth_serv/iCA-user/user.key",
4428 scan_freq
="2412", ocsp
=2)
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate"""
    # SHA-256 digest for the OCSP request; the _sha1 variant covers SHA-1.
    md = "-sha256"
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params, md)
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked_sha1(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate (SHA1)"""
    # Same flow as the SHA-256 variant, but the OCSP request's CertID uses
    # SHA-1.
    md = "-sha1"
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params, md)
4442 def run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
, md
):
4443 check_ocsp_support(dev
[0])
4444 params
= int_eap_server_params()
4445 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4446 params
["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
4447 params
["private_key"] = "auth_serv/iCA-server/server-revoked.key"
4448 fn
= ica_ocsp("server-revoked.pem", md
)
4449 params
["ocsp_stapling_response"] = fn
4451 hostapd
.add_ap(apdev
[0], params
)
4452 tls
= dev
[0].request("GET tls_library")
4453 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4454 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4455 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4457 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4458 client_cert
= "auth_serv/iCA-user/user.pem"
4459 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4460 identity
="tls user",
4462 client_cert
=client_cert
,
4463 private_key
="auth_serv/iCA-user/user.key",
4464 scan_freq
="2412", ocsp
=1, wait_connect
=False)
4467 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4468 "CTRL-EVENT-EAP-SUCCESS"])
4470 raise Exception("Timeout on EAP status")
4471 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4472 raise Exception("Unexpected EAP-Success")
4473 if 'bad certificate status response' in ev
:
4475 if 'certificate revoked' in ev
:
4479 raise Exception("Unexpected number of EAP status messages")
4481 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4483 raise Exception("Timeout on EAP failure report")
4484 dev
[0].request("REMOVE_NETWORK all")
4485 dev
[0].wait_disconnected()
4489 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev
, apdev
, params
):
4490 """EAP-TLS with intermediate server/user CA and OCSP multi missing response"""
4491 check_ocsp_support(dev
[0])
4492 check_ocsp_multi_support(dev
[0])
4494 params
= int_eap_server_params()
4495 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4496 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4497 params
["private_key"] = "auth_serv/iCA-server/server.key"
4498 fn
= ica_ocsp("server.pem")
4499 params
["ocsp_stapling_response"] = fn
4501 hostapd
.add_ap(apdev
[0], params
)
4502 tls
= dev
[0].request("GET tls_library")
4503 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4504 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4505 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4507 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4508 client_cert
= "auth_serv/iCA-user/user.pem"
4509 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4510 identity
="tls user",
4512 client_cert
=client_cert
,
4513 private_key
="auth_serv/iCA-user/user.key",
4514 scan_freq
="2412", ocsp
=3, wait_connect
=False)
4517 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4518 "CTRL-EVENT-EAP-SUCCESS"])
4520 raise Exception("Timeout on EAP status")
4521 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4522 raise Exception("Unexpected EAP-Success")
4523 if 'bad certificate status response' in ev
:
4525 if 'certificate revoked' in ev
:
4529 raise Exception("Unexpected number of EAP status messages")
4531 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4533 raise Exception("Timeout on EAP failure report")
4534 dev
[0].request("REMOVE_NETWORK all")
4535 dev
[0].wait_disconnected()
4539 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev
, apdev
, params
):
4540 """EAP-TLS with intermediate server/user CA and OCSP multi OK"""
4541 check_ocsp_support(dev
[0])
4542 check_ocsp_multi_support(dev
[0])
4544 params
= int_eap_server_params()
4545 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4546 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4547 params
["private_key"] = "auth_serv/iCA-server/server.key"
4548 fn
= ica_ocsp("server.pem")
4549 fn2
= root_ocsp("auth_serv/iCA-server/cacert.pem")
4550 params
["ocsp_stapling_response"] = fn
4552 with
open(fn
, "rb") as f
:
4553 resp_server
= f
.read()
4554 with
open(fn2
, "rb") as f
:
4557 fd3
, fn3
= tempfile
.mkstemp()
4559 f
= os
.fdopen(fd3
, 'wb')
4560 f
.write(struct
.pack(">L", len(resp_server
))[1:4])
4561 f
.write(resp_server
)
4562 f
.write(struct
.pack(">L", len(resp_ica
))[1:4])
4566 params
["ocsp_stapling_response_multi"] = fn3
4568 hostapd
.add_ap(apdev
[0], params
)
4569 tls
= dev
[0].request("GET tls_library")
4570 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4571 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4572 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4574 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4575 client_cert
= "auth_serv/iCA-user/user.pem"
4576 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4577 identity
="tls user",
4579 client_cert
=client_cert
,
4580 private_key
="auth_serv/iCA-user/user.key",
4581 scan_freq
="2412", ocsp
=3)
4582 dev
[0].request("REMOVE_NETWORK all")
4583 dev
[0].wait_disconnected()
4589 def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev
, apdev
, params
):
4590 """EAP-TLS and CA signed OCSP multi response (revoked)"""
4591 check_ocsp_support(dev
[0])
4592 check_ocsp_multi_support(dev
[0])
4593 check_pkcs12_support(dev
[0])
4595 ocsp_revoked
= os
.path
.join(params
['logdir'],
4596 "ocsp-resp-ca-signed-revoked.der")
4597 if not os
.path
.exists(ocsp_revoked
):
4598 raise HwsimSkip("No OCSP response (revoked) available")
4599 ocsp_unknown
= os
.path
.join(params
['logdir'],
4600 "ocsp-resp-ca-signed-unknown.der")
4601 if not os
.path
.exists(ocsp_unknown
):
4602 raise HwsimSkip("No OCSP response(unknown) available")
4604 with
open(ocsp_revoked
, "rb") as f
:
4605 resp_revoked
= f
.read()
4606 with
open(ocsp_unknown
, "rb") as f
:
4607 resp_unknown
= f
.read()
4609 fd
, fn
= tempfile
.mkstemp()
4611 # This is not really a valid order of the OCSPResponse items in the
4612 # list, but this works for now to verify parsing and processing of
4613 # multiple responses.
4614 f
= os
.fdopen(fd
, 'wb')
4615 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
4616 f
.write(resp_unknown
)
4617 f
.write(struct
.pack(">L", len(resp_revoked
))[1:4])
4618 f
.write(resp_revoked
)
4619 f
.write(struct
.pack(">L", 0)[1:4])
4620 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
4621 f
.write(resp_unknown
)
4624 params
= int_eap_server_params()
4625 params
["ocsp_stapling_response_multi"] = fn
4626 hostapd
.add_ap(apdev
[0], params
)
4627 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4628 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4629 private_key
="auth_serv/user.pkcs12",
4630 private_key_passwd
="whatever", ocsp
=1,
4631 wait_connect
=False, scan_freq
="2412")
4634 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4635 "CTRL-EVENT-EAP-SUCCESS"])
4637 raise Exception("Timeout on EAP status")
4638 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4639 raise Exception("Unexpected EAP-Success")
4640 if 'bad certificate status response' in ev
:
4642 if 'certificate revoked' in ev
:
4646 raise Exception("Unexpected number of EAP status messages")
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
    check_domain_match_full(dev[0])
    check_pkcs12_support(dev[0])
    ap_params = int_eap_server_params()
    # Server certificate without a dNSName entry, so the suffix match has
    # to be evaluated against the subject CN.
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0], ap_params)
    # Full CN given as the suffix: expected to match and connect.
    sta_conf = dict(key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user", ca_cert="auth_serv/ca.pem",
                    private_key="auth_serv/user.pkcs12",
                    private_key_passwd="whatever",
                    domain_suffix_match="server3.w1.fi",
                    scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sta_conf)
def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain match (CN)"""
    check_domain_match(dev[0])
    check_pkcs12_support(dev[0])
    ap_params = int_eap_server_params()
    # Server certificate without a dNSName entry, so domain_match is
    # evaluated against the subject CN.
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0], ap_params)
    # Exact CN given to domain_match: expected to match and connect.
    sta_conf = dict(key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user", ca_cert="auth_serv/ca.pem",
                    private_key="auth_serv/user.pkcs12",
                    private_key_passwd="whatever",
                    domain_match="server3.w1.fi",
                    scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sta_conf)
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
    check_domain_match_full(dev[0])
    check_pkcs12_support(dev[0])
    ap_params = int_eap_server_params()
    # Server certificate without a dNSName entry, so the suffix match has
    # to be evaluated against the subject CN.
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0], ap_params)
    # Parent-domain suffix ("w1.fi") of the CN: expected to match. Note
    # this test drives dev[1], unlike the _cn_full variant.
    sta_conf = dict(key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user", ca_cert="auth_serv/ca.pem",
                    private_key="auth_serv/user.pkcs12",
                    private_key_passwd="whatever",
                    domain_suffix_match="w1.fi",
                    scan_freq="2412")
    dev[1].connect("test-wpa2-eap", **sta_conf)
4695 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev
, apdev
):
4696 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
4697 check_domain_suffix_match(dev
[0])
4698 check_pkcs12_support(dev
[0])
4699 params
= int_eap_server_params()
4700 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4701 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4702 hostapd
.add_ap(apdev
[0], params
)
4703 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4704 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4705 private_key
="auth_serv/user.pkcs12",
4706 private_key_passwd
="whatever",
4707 domain_suffix_match
="example.com",
4710 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4711 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4712 private_key
="auth_serv/user.pkcs12",
4713 private_key_passwd
="whatever",
4714 domain_suffix_match
="erver3.w1.fi",
4717 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4719 raise Exception("Timeout on EAP failure report")
4720 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4722 raise Exception("Timeout on EAP failure report (2)")
4724 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev
, apdev
):
4725 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
4726 check_domain_match(dev
[0])
4727 check_pkcs12_support(dev
[0])
4728 params
= int_eap_server_params()
4729 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4730 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4731 hostapd
.add_ap(apdev
[0], params
)
4732 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4733 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4734 private_key
="auth_serv/user.pkcs12",
4735 private_key_passwd
="whatever",
4736 domain_match
="example.com",
4739 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4740 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4741 private_key
="auth_serv/user.pkcs12",
4742 private_key_passwd
="whatever",
4743 domain_match
="w1.fi",
4746 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4748 raise Exception("Timeout on EAP failure report")
4749 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4751 raise Exception("Timeout on EAP failure report (2)")
4753 def test_ap_wpa2_eap_ttls_expired_cert(dev
, apdev
):
4754 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
4755 skip_with_fips(dev
[0])
4756 params
= int_eap_server_params()
4757 params
["server_cert"] = "auth_serv/server-expired.pem"
4758 params
["private_key"] = "auth_serv/server-expired.key"
4759 hostapd
.add_ap(apdev
[0], params
)
4760 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4761 identity
="mschap user", password
="password",
4762 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4765 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
4767 raise Exception("Timeout on EAP certificate error report")
4768 if "reason=4" not in ev
or "certificate has expired" not in ev
:
4769 raise Exception("Unexpected failure reason: " + ev
)
4770 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4772 raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
    skip_with_fips(dev[0])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-expired.pem"
    ap_params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0], ap_params)
    # tls_disable_time_checks=1 makes the station accept the expired server
    # certificate, so this is expected to connect (the sibling
    # test_ap_wpa2_eap_ttls_expired_cert expects the failure instead).
    sta_conf = dict(key_mgmt="WPA-EAP", eap="TTLS",
                    identity="mschap user", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                    phase1="tls_disable_time_checks=1",
                    scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sta_conf)
def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
    skip_with_fips(dev[0])
    ap_params = int_eap_server_params()
    # Server certificate with an unusually long validity period; the
    # station is expected to accept it and connect normally.
    ap_params["server_cert"] = "auth_serv/server-long-duration.pem"
    ap_params["private_key"] = "auth_serv/server-long-duration.key"
    hostapd.add_ap(apdev[0], ap_params)
    sta_conf = dict(key_mgmt="WPA-EAP", eap="TTLS",
                    identity="mschap user", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                    scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sta_conf)
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU

    The server certificate carries only the client-authentication EKU, so
    the station must reject it as a server certificate and report EAP
    failure.
    """
    sta = dev[0]
    skip_with_fips(sta)
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-eku-client.pem"
    ap_params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0], ap_params)
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="mschap user", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                wait_connect=False, scan_freq="2412")  # NOTE(review): reconstructed — absent from the rendered listing
    failure = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if failure is None:  # NOTE(review): reconstructed — absent from the rendered listing
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU

    A certificate listing both client and server EKUs is a valid server
    certificate, so the connection is expected to complete.
    """
    sta = dev[0]
    skip_with_fips(sta)
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    ap_params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0], ap_params)
    sta_cfg = dict(key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")  # NOTE(review): reconstructed — absent from the rendered listing
    sta.connect("test-wpa2-eap", **sta_cfg)
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file

    The server certificate and key come from one PKCS#12 container, so
    server_cert is removed from the parameters and private_key points at
    the .pkcs12 file.
    """
    sta = dev[0]
    skip_with_fips(sta)
    ap_params = int_eap_server_params()
    del ap_params["server_cert"]
    ap_params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0], ap_params)
    sta_cfg = dict(key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")  # NOTE(review): reconstructed — absent from the rendered listing
    sta.connect("test-wpa2-eap", **sta_cfg)
def test_ap_wpa2_eap_ttls_server_pkcs12_extra(dev, apdev):
    """EAP-TTLS and server PKCS#12 file with extra certs

    Like the plain PKCS#12 case, but the container is password protected
    and carries additional certificates alongside the server cert.
    """
    sta = dev[0]
    skip_with_fips(sta)
    ap_params = int_eap_server_params()
    del ap_params["server_cert"]
    ap_params["private_key"] = "auth_serv/server-extra.pkcs12"
    ap_params["private_key_passwd"] = "whatever"
    hostapd.add_ap(apdev[0], ap_params)
    sta_cfg = dict(key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")  # NOTE(review): reconstructed — absent from the rendered listing
    sta.connect("test-wpa2-eap", **sta_cfg)
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params

    The station supplies its own DH parameter file via dh_file; the
    EAP-TTLS/PAP connection must still complete.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                   dh_file="auth_serv/dh.conf")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **sta_cfg)
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)

    Same as the DH-params test, but the file holds DSA parameters; skipped
    when the station's TLS library cannot use them.
    """
    check_dh_dsa_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                   dh_file="auth_serv/dsaparam.pem")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **sta_cfg)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TTLS and DH params file not found

    A dh_file that does not exist is a client-side TLS configuration
    error; the station must report EAP failure instead of connecting.

    NOTE(review): a second function with this same name is defined later
    in this file (server-side dhparams-not-found case). At module level
    the later definition replaces this one, so this test is shadowed and
    not collected by the runner; one of the two needs a distinct name.
    """
    sta = dev[0]
    skip_with_fips(sta)
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="mschap user", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                dh_file="auth_serv/dh-no-such-file.conf",
                scan_freq="2412", wait_connect=False)
    failure = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if failure is None:  # NOTE(review): reconstructed — absent from the rendered listing
        raise Exception("EAP failure timed out")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TTLS and invalid DH params file

    dh_file points at a CA certificate rather than DH parameters; the
    station must fail EAP rather than silently proceed.

    NOTE(review): a later definition in this file reuses this exact
    function name (server-side invalid dhparams case) and therefore
    shadows this one at import time; rename one of them.
    """
    sta = dev[0]
    skip_with_fips(sta)
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="mschap user", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                dh_file="auth_serv/ca.pem",
                scan_freq="2412", wait_connect=False)
    failure = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if failure is None:  # NOTE(review): reconstructed — absent from the rendered listing
        raise Exception("EAP failure timed out")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob

    The DH parameters are pushed into wpa_supplicant as a named blob over
    the control interface and referenced with a blob:// dh_file URI.
    """
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dh_hex = binascii.hexlify(read_pem("auth_serv/dh2.conf")).decode()
    reply = sta.request("SET blob dhparams " + dh_hex)
    if "OK" not in reply:
        raise Exception("Could not set dhparams blob")
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                   dh_file="blob://dhparams")
    eap_connect(sta, hapd, "TTLS", "pap user", **sta_cfg)
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams

    The integrated EAP server is given a non-default dh_file; the station
    connects with EAP-TTLS/PAP.
    """
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dh2.conf"
    hapd = hostapd.add_ap(apdev[0], ap_params)
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **sta_cfg)
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)

    Server-side counterpart of the DSA dh_file test: the EAP server loads
    DSA parameters and the station connects with EAP-TTLS/PAP.
    """
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dsaparam.pem"
    hapd = hostapd.add_ap(apdev[0], ap_params)
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **sta_cfg)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found

    The AP is added without enabling it; ENABLE must then be refused
    because the configured dh_file does not exist.

    NOTE(review): this name duplicates an earlier test in this file (the
    client-side dh_file-not-found case), which this definition shadows at
    module level. The earlier test never runs until one is renamed.
    """
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dh-no-such-file.conf"
    hapd = hostapd.add_ap(apdev[0], ap_params, no_enable=True)
    reply = hapd.request("ENABLE")
    if "FAIL" not in reply:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file

    dh_file is pointed at a CA certificate; hostapd must reject ENABLE
    rather than start with unusable DH parameters.

    NOTE(review): this name duplicates an earlier client-side test in this
    file and shadows it at module level; one of them needs renaming.
    """
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0], ap_params, no_enable=True)
    reply = hapd.request("ENABLE")
    if "FAIL" not in reply:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication

    eap_reauth_period=2 makes the authenticator restart EAP shortly after
    the initial connection; the station must see EAP start and succeed
    again and return to COMPLETED.
    """
    sta = dev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['eap_reauth_period'] = '2'
    hapd = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(sta, hapd, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    logger.info("Wait for reauthentication")
    for expected in ("CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-EAP-SUCCESS"):
        ev = sta.wait_event([expected], timeout=10)
        if ev is None:  # NOTE(review): reconstructed — absent from the rendered listing
            raise Exception("Timeout on reauthentication")
    # Poll wpa_state until the 4-way handshake after reauth has finished.
    state = None
    for _ in range(0, 20):
        state = sta.get_status_field("wpa_state")
        if state == "COMPLETED":
            break  # NOTE(review): reconstructed — absent from the rendered listing
        # NOTE(review): the original's per-iteration delay line is absent
        # from the rendered listing and is not reconstructed here because
        # the page does not show which timing helper is in scope.
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity

    eap_message carries a NUL-separated displayable text plus attribute
    list (RFC 4284 style); the station must still complete EAP-PAX.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hapd = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[0], hapd, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication

    For each of EAP-SIM, EAP-AKA and EAP-AKA', dev[0] connects with
    result_ind=1 and reauthenticates, while dev[1] connects without
    requesting the protected result indication. Credentials are the
    hlr_auc_gw test vectors (Ki:OPc[:SQN]).
    """
    check_hlr_auc_gw_support()
    ap_params = int_eap_server_params()
    ap_params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    ap_params['eap_sim_aka_result_ind'] = "1"
    hapd = hostapd.add_ap(apdev[0], ap_params)

    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, identity, secret) in enumerate(cases):
        if idx:
            # Clear the previous method's profiles before the next one.
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], hapd, method, identity,
                    password=secret, phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], hapd, method, identity, password=secret)
def test_ap_wpa2_eap_sim_zero_db_timeout(dev, apdev):
    """WPA2-Enterprise using EAP-SIM with zero database timeout

    eap_sim_db_timeout=0 makes every HLR/AuC lookup time out immediately,
    so each attempt may end in either CONNECTED or DISCONNECTED; the test
    only requires that some result is reported and that the station stays
    in a clean state between attempts.
    """
    sta = dev[0]
    check_hlr_auc_gw_support()
    ap_params = int_eap_server_params()
    ap_params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    ap_params['eap_sim_db_timeout'] = "0"
    ap_params['disable_pmksa_caching'] = '1'
    hapd = hostapd.add_ap(apdev[0], ap_params)

    # Run multiple iterations to make it more likely to hit the case where the
    # DB request times out and response is lost.
    # NOTE(review): the loop header is absent from the rendered listing; the
    # iteration count is not recoverable from the page — confirm upstream.
    for _ in range(20):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                    identity="1232010000000000",
                    password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                    wait_connect=False, scan_freq="2412")
        result = sta.wait_event(["CTRL-EVENT-CONNECTED",
                                 "CTRL-EVENT-DISCONNECTED"],
                                timeout=15)  # NOTE(review): timeout value absent from the rendered listing — confirm upstream
        if result is None:  # NOTE(review): reconstructed — absent from the rendered listing
            raise Exception("No connection result")
        sta.request("REMOVE_NETWORK all")
        if "CTRL-EVENT-DISCONNECTED" in result:
            break  # NOTE(review): reconstructed — absent from the rendered listing
        sta.wait_disconnected()
        # NOTE(review): one more statement followed here in the original
        # (line 5039 of the page's numbering) but is absent from the rendering.
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips

    A tiny EAP fragment size forces far more round trips than the
    supplicant's limit allows; the expected outcome is the "EAP: more
    than" limit message rather than EAP success.
    """
    sta = dev[0]
    skip_with_fips(sta)
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                eap="TTLS", identity="mschap user",
                wait_connect=False, scan_freq="2412", ieee80211w="1",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                fragment_size="4")  # NOTE(review): reconstructed — absent from the rendered listing; confirm upstream
    outcome = sta.wait_event(["EAP: more than",
                              "CTRL-EVENT-EAP-SUCCESS"], timeout=20)
    if outcome is None or "EAP: more than" not in outcome:
        raise Exception("EAP roundtrip limit not reached")
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK

    The station offers only EAP-PSK under the vendor-test identity, which
    the server does not accept; the exchange must produce an EAP status
    refusing the proposed method (expanded NAK) and then EAP failure.
    """
    sta = dev[0]
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                eap="PSK", identity="vendor-test",
                password_hex="ff23456789abcdef0123456789abcdef",
                wait_connect=False)  # NOTE(review): reconstructed — absent from the rendered listing

    refused = False
    status = None
    for _ in range(0, 5):
        status = sta.wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=16)
        if status is None:  # NOTE(review): reconstructed — absent from the rendered listing
            raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in status:
            refused = True
            break  # NOTE(review): reconstructed — absent from the rendered listing
    if not refused:  # NOTE(review): reconstructed — absent from the rendered listing
        raise Exception("Unexpected EAP status: " + status)

    failure = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if failure is None:  # NOTE(review): reconstructed — absent from the rendered listing
        raise Exception("EAP failure timed out")
def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB

    Builds a throwaway SQLite user database under the log directory and
    points the integrated EAP server at it with eap_user_file=sqlite:...;
    each TTLS phase-2 method is then tried with its own user row.
    """
    skip_with_fips(dev[0])
    # NOTE(review): the sqlite3 import guard that precedes this HwsimSkip is
    # absent from the rendered listing; reconstructed from the skip message.
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    # NOTE(review): lines 5089-5092 of the page's numbering (presumably
    # removal of a stale dbfile) are absent from the rendered listing.
    con = sqlite3.connect(dbfile)
    # NOTE(review): lines 5094-5095 (cursor creation / transaction scope) are
    # absent from the rendered listing; the cursor is reconstructed here and
    # the connection is left unclosed exactly as in the visible original.
    cur = con.cursor()
    schema = [
        "CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)",
        "CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)",
        "INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)",
        "INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)",
        "INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)",
        "INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)",
        "INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')",
        "CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)",
    ]
    for stmt in schema:
        cur.execute(stmt)
    # NOTE(review): lines 5104-5105 (presumably the commit) are absent from
    # the rendered listing.

    ap_params = int_eap_server_params()
    ap_params["eap_user_file"] = "sqlite:" + dbfile
    hapd = hostapd.add_ap(apdev[0], ap_params)

    # (station index, user row, phase-2 method); dev[0] and dev[1] alternate
    # and each clears its profile before being reused.
    runs = [(0, "user-mschapv2", "auth=MSCHAPV2"),
            (1, "user-mschap", "auth=MSCHAP"),
            (0, "user-chap", "auth=CHAP"),
            (1, "user-pap", "auth=PAP")]
    for idx, (sta_idx, user, phase2) in enumerate(runs):
        eap_connect(dev[sta_idx], hapd, "TTLS", user,
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2=phase2)
        if idx < 2:
            dev[sta_idx].request("REMOVE_NETWORK all")
    # NOTE(review): lines 5123-5125 of the page's numbering are absent from
    # the rendered listing.
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Two stations send identities containing a non-ASCII byte to the
    integrated EAP server; the test only checks that EAP starts and method
    selection happens, not that authentication succeeds.
    """
    hostapd.add_ap(apdev[0], int_eap_server_params())
    identities = ("\x80", "a\x80")
    for sta, ident in zip(dev[:2], identities):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity=ident, password="password", wait_connect=False)
    for sta in dev[:2]:
        started = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        if started is None:  # NOTE(review): reconstructed — absent from the rendered listing
            raise Exception("Association and EAP start timed out")
        method = sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if method is None:  # NOTE(review): reconstructed — absent from the rendered listing
            raise Exception("EAP method selection timed out")
def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Variant of the non-ASCII identity test against the default
    wpa2_eap_params AP (external RADIUS path) instead of the integrated
    EAP server.
    """
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    identities = ("\x80", "a\x80")
    for sta, ident in zip(dev[:2], identities):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity=ident, password="password", wait_connect=False)
    for sta in dev[:2]:
        started = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        if started is None:  # NOTE(review): reconstructed — absent from the rendered listing
            raise Exception("Association and EAP start timed out")
        method = sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if method is None:  # NOTE(review): reconstructed — absent from the rendered listing
            raise Exception("EAP method selection timed out")
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant

    dev[0] restricts itself to AES128 suites and must connect; dev[1]
    asks for EXPORT suites, which no modern server offers, and must fail;
    dev[2] uses the unparsable string "FOO" and must get an EAP failure.
    """
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                openssl_ciphers="AES128", **common)
    eap_connect(dev[1], hapd, "TTLS", "pap user",
                openssl_ciphers="EXPORT",
                expect_failure=True, maybe_local_error=True, **common)
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password",
                   openssl_ciphers="FOO",
                   ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                   wait_connect=False, scan_freq="2412")  # NOTE(review): reconstructed — absent from the rendered listing
    failure = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if failure is None:  # NOTE(review): reconstructed — absent from the rendered listing
        raise Exception("EAP failure after invalid openssl_ciphers not reported")
    dev[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    hostapd is limited to AES256 suites: a default station and one
    restricted to HIGH:!ADH must connect, while a station that only
    offers AES128 must fail. A second AP with openssl_ciphers="FOO" must
    refuse ENABLE (except on OpenSSL 1.1.1, which is known to accept it).
    """
    sta_tls = dev[0].request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + sta_tls)
    ap_params = int_eap_server_params()
    ap_params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0], ap_params)
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)

    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **common)
    eap_connect(dev[1], hapd, "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **common)
    eap_connect(dev[2], hapd, "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **common)

    ap_params['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1], ap_params, no_enable=True)
    if "FAIL" not in hapd2.request("ENABLE"):
        if "run=OpenSSL 1.1.1" not in ap_tls:  # NOTE(review): the original's else-branch structure is absent from the rendered listing; inverted condition reconstructs it
            raise Exception("Invalid openssl_ciphers value accepted")
        logger.info("Ignore acceptance of an invalid openssl_ciphers value with OpenSSL 1.1.1")
def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP

    Connects with a distinctive 32-byte hex password so the secret can be
    searched for in wpa_supplicant's memory, then delegates the memory
    checks to run_eap_key_lifetime_in_memory().
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    secret = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    net_id = eap_connect(dev[0], hapd, "TTLS", "pap-secret",
                         anonymous_identity="ttls", password=secret,
                         ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    run_eap_key_lifetime_in_memory(dev, params, net_id, secret)
def test_wpa2_eap_peap_gtc_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using PEAP/GTC

    PEAP/GTC counterpart of the TTLS/PAP key-lifetime test; the same
    searchable password and shared memory checker are used.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    secret = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    net_id = eap_connect(dev[0], hapd, "PEAP", "user-secret",
                         anonymous_identity="peap", password=secret,
                         ca_cert="auth_serv/ca.pem", phase2="auth=GTC")
    run_eap_key_lifetime_in_memory(dev, params, net_id, secret)
def run_eap_key_lifetime_in_memory(dev, params, id, password):
    """Check which secrets remain in wpa_supplicant memory across state changes.

    Reads the process memory of dev[0] while associated, after
    disassociation, after flushing the PMKSA cache / EAP fast-reauth
    state, and after removing the network profile, and asserts that each
    key material (password, PMK, MSK, EMSK, KCK, KEK, TK, GTK) is gone
    once nothing legitimately holds it any more. Key values are recovered
    from the wpa_supplicant debug log (hexdump lines).

    Arguments:
      dev: station list; only dev[0] is inspected
      params: test parameters; params['logdir'] locates log0
      id: network id returned by eap_connect(), used to invalidate
          fast-reauth state by changing the identity
      password: the EAP password (str) to search for
    Raises HwsimSkip when the password/PMK cannot be located at all (memory
    inspection unsupported), Exception on a leaked key.
    """
    sta = dev[0]
    pid = find_wpas_process(sta)

    # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
    # event has been delivered, so verify that wpa_supplicant has returned to
    # eloop before reading process memory.
    # NOTE(review): the two statements implementing that wait (lines
    # 5243-5244 of the page's numbering) are absent from the rendered listing.
    password = password.encode()
    buf = read_process_memory(pid, password)

    sta.request("DISCONNECT")
    sta.wait_disconnected()

    # NOTE(review): lines 5250-5256 are absent from the rendered listing; the
    # key variables must start out unset for the "not found" check below,
    # so that part is reconstructed here.
    msk = emsk = pmk = ptk = gtk = None
    # Map each debug-log hexdump marker to the key it carries.
    markers = (
        ("EAP-TTLS: Derived key - hexdump", "msk"),
        ("EAP-PEAP: Derived key - hexdump", "msk"),
        ("EAP-TTLS: Derived EMSK - hexdump", "emsk"),
        ("EAP-PEAP: Derived EMSK - hexdump", "emsk"),
        ("WPA: PMK - hexdump", "pmk"),
        ("WPA: PTK - hexdump", "ptk"),
        ("WPA: Group Key - hexdump", "gtk"),
    )
    found = {}
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for line in f.readlines():
            for marker, key in markers:
                if marker in line:
                    # hexdump lines look like "...: len=N: aa bb cc ..."; the
                    # fourth ':'-separated field is the hex payload.
                    hexval = line.strip().split(':')[3].replace(' ', '')
                    found[key] = binascii.unhexlify(hexval)
    msk = found.get("msk", msk)
    emsk = found.get("emsk", emsk)
    pmk = found.get("pmk", pmk)
    ptk = found.get("ptk", ptk)
    gtk = found.get("gtk", gtk)
    if not msk or not emsk or not pmk or not ptk or not gtk:
        raise Exception("Could not find keys from debug log")
    if len(gtk) != 16:  # NOTE(review): reconstructed — absent from the rendered listing
        raise Exception("Unexpected GTK length")

    # NOTE(review): lines 5280-5284 are absent from the rendered listing; the
    # KCK/KEK/TK values used below must be derived from the PTK there. The
    # split below assumes the 16/16/16-byte layout of a CCMP PTK — confirm
    # against upstream.
    kck = ptk[0:16]
    kek = ptk[16:32]
    tk = ptk[32:48]

    fname = os.path.join(params['logdir'],
                         'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')

    def report_locations(mem):
        """Log where each long-lived secret currently appears in memory."""
        get_key_locations(mem, password, "Password")
        get_key_locations(mem, pmk, "PMK")
        get_key_locations(mem, msk, "MSK")
        get_key_locations(mem, emsk, "EMSK")

    logger.info("Checking keys in memory while associated")
    report_locations(buf)
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    if pmk not in buf:  # NOTE(review): reconstructed — absent from the rendered listing
        raise HwsimSkip("PMK not found while associated")
    if kck not in buf:  # NOTE(review): reconstructed — absent from the rendered listing
        raise Exception("KCK not found while associated")
    if kek not in buf:  # NOTE(review): reconstructed — absent from the rendered listing
        raise Exception("KEK not found while associated")
    # TK check intentionally disabled in the original:
    # raise Exception("TK found from memory")

    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, password)

    # Note: Password is still present in network configuration
    # Note: PMK is in PMKSA cache and EAP fast re-auth data

    report_locations(buf)
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")

    get_key_locations(buf, gtk, "GTK")
    verify_not_present(buf, gtk, fname, "GTK")

    sta.request("PMKSA_FLUSH")
    # Changing the identity invalidates the EAP fast re-auth state.
    sta.set_network_quoted(id, "identity", "foo")
    logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
    buf = read_process_memory(pid, password)
    report_locations(buf)
    verify_not_present(buf, pmk, fname, "PMK")

    sta.request("REMOVE_NETWORK all")

    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, password)

    report_locations(buf)
    # With the profile gone nothing may hold any of the secrets.
    for secret, label in ((password, "password"), (pmk, "PMK"),
                          (kck, "KCK"), (kek, "KEK"), (tk, "TK"),
                          (gtk, "GTK"), (msk, "MSK"), (emsk, "EMSK")):
        verify_not_present(buf, secret, fname, label)
def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
    """WPA2-Enterprise connection and unexpected WEP EAPOL-Key

    After a normal EAP-TTLS connection an EAPOL-Key frame of the legacy
    RC4/WEP type is injected via EAPOL_RX; wpa_supplicant must accept the
    control-interface command but silently drop the frame.
    """
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    bssid = apdev[0]['bssid']
    eap_connect(sta, hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    # Send unexpected WEP EAPOL-Key; this gets dropped
    frame = "0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    reply = sta.request("EAPOL_RX " + bssid + " " + frame)
    if "OK" not in reply:  # NOTE(review): reconstructed — absent from the rendered listing
        raise Exception("EAPOL_RX to wpa_supplicant failed")
def test_ap_wpa2_eap_in_bridge(dev, apdev):
    """WPA2-EAP and wpas interface in a bridge

    Wrapper that runs _test_ap_wpa2_eap_in_bridge() and always tears the
    bridge and 4addr mode down afterwards, even when the test fails.
    """
    br_ifname = 'sta-br0'
    # NOTE(review): the station interface name assignment (line 5366) and
    # the try/finally keywords are absent from the rendered listing; the
    # value below matches the /tmp/wpas-wlan5 global interface used by the
    # helper — confirm upstream.
    ifname = 'wlan5'
    try:
        _test_ap_wpa2_eap_in_bridge(dev, apdev)
    finally:
        cleanup = [
            ['ip', 'link', 'set', 'dev', br_ifname, 'down'],
            ['brctl', 'delif', br_ifname, ifname],
            ['brctl', 'delbr', br_ifname],
            ['iw', ifname, 'set', '4addr', 'off'],
        ]
        # Best-effort teardown: failures here must not mask the test result.
        for cmd in cleanup:
            subprocess.call(cmd)
def _test_ap_wpa2_eap_in_bridge(dev, apdev):
    """Body of test_ap_wpa2_eap_in_bridge: EAP-PAX through a bridged STA.

    Creates bridge sta-br0, puts the wlan5 interface (4addr mode) into it,
    attaches a wpa_supplicant instance with bridge_ifname set, then
    connects, reauthenticates twice, and does a disconnect/reconnect cycle.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    br_ifname = 'sta-br0'
    # NOTE(review): the ifname assignment (line 5380 of the page's numbering)
    # is absent from the rendered listing; the value matches the global
    # interface path used below — confirm upstream.
    ifname = 'wlan5'
    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    setup = [
        ['brctl', 'addbr', br_ifname],
        ['brctl', 'setfd', br_ifname, '0'],
        ['ip', 'link', 'set', 'dev', br_ifname, 'up'],
        ['iw', ifname, 'set', '4addr', 'on'],
    ]
    for cmd in setup:
        subprocess.call(cmd)
    # Adding the port must succeed for the rest of the test to mean anything.
    subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
    wpas.interface_add(ifname, br_ifname=br_ifname)

    id = eap_connect(wpas, hapd, "PAX", "pax.user@example.com",
                     password_hex="0123456789abcdef0123456789abcdef")

    eap_reauth(wpas, "PAX")

    # Try again as a regression test for packet socket workaround
    eap_reauth(wpas, "PAX")

    wpas.request("DISCONNECT")
    wpas.wait_disconnected()

    wpas.request("RECONNECT")
    wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled

    Verifies the AP reports WPA-EAP as its first key_mgmt, connects with
    TLS session tickets explicitly enabled, then reauthenticates so the
    ticket path is exercised.
    """
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(sta, hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_no_workaround(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0

    Disables the EAP interoperability workarounds on the station and
    checks that connection and reauthentication still work.
    """
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(sta, hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")  # NOTE(review): reconstructed — absent from the rendered listing
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
    """EAP-TLS and server checking CRL

    With check_crl=1 and no CRL loaded the server must reject the client
    certificate (fail closed). After switching ca_cert to a bundle that
    carries a CRL, both check_crl=1 and check_crl=2 must accept the
    (unrevoked) client certificate.
    """
    sta = dev[0]
    ap_params = int_eap_server_params()
    ap_params['check_crl'] = '1'
    hapd = hostapd.add_ap(apdev[0], ap_params)

    client = dict(ca_cert="auth_serv/ca.pem",
                  client_cert="auth_serv/user.pem",
                  private_key="auth_serv/user.key")

    # check_crl=1 and no CRL available --> reject connection
    eap_connect(sta, hapd, "TLS", "tls user", expect_failure=True, **client)
    sta.request("REMOVE_NETWORK all")
    # NOTE(review): lines 5442-5446 of the page's numbering (wait for
    # disconnection and the hostapd disable/enable around the ca_cert
    # change) are absent from the rendered listing; reconstructed below —
    # confirm upstream.
    sta.wait_disconnected()
    hapd.disable()
    hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
    hapd.enable()

    # check_crl=1 and valid CRL --> accept
    eap_connect(sta, hapd, "TLS", "tls user", **client)
    sta.request("REMOVE_NETWORK all")
    # NOTE(review): lines 5452-5456 (same pattern around the check_crl
    # change) are absent from the rendered listing; reconstructed.
    sta.wait_disconnected()
    hapd.disable()
    hapd.set("check_crl", "2")
    hapd.enable()

    # check_crl=2 and valid CRL --> accept
    eap_connect(sta, hapd, "TLS", "tls user", **client)
    sta.request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_tls_crl_reload(dev, apdev, params):
    """EAP-TLS and server reloading CRL from ca_cert

    The server's ca_cert is a writable copy under the log directory. It
    first holds only the CA certificate, so check_crl=1 rejects the client;
    the file is then rewritten to include the CRL and, with
    crl_reload_interval=1, the server must pick it up and accept the
    client without a restart.
    """
    sta = dev[0]
    ca_cert = os.path.join(params['logdir'],
                           "ap_wpa2_eap_tls_crl_reload.ca_cert")
    with open('auth_serv/ca.pem', 'r') as f:
        only_cert = f.read()
    with open('auth_serv/ca-and-crl.pem', 'r') as f:
        cert_and_crl = f.read()
    with open(ca_cert, 'w') as f:
        f.write(only_cert)  # NOTE(review): reconstructed — absent from the rendered listing
    ap_params = int_eap_server_params()
    ap_params['ca_cert'] = ca_cert
    ap_params['check_crl'] = '1'
    ap_params['crl_reload_interval'] = '1'
    hapd = hostapd.add_ap(apdev[0], ap_params)

    client = dict(ca_cert="auth_serv/ca.pem",
                  client_cert="auth_serv/user.pem",
                  private_key="auth_serv/user.key")

    # check_crl=1 and no CRL available --> reject connection
    eap_connect(sta, hapd, "TLS", "tls user", expect_failure=True, **client)
    sta.request("REMOVE_NETWORK all")
    sta.dump_monitor()

    with open(ca_cert, 'w') as f:
        f.write(cert_and_crl)
    # NOTE(review): lines 5488-5489 of the page's numbering are absent from
    # the rendered listing; a wait of at least crl_reload_interval
    # presumably belongs here — confirm upstream.

    # check_crl=1 and valid CRL --> accept
    eap_connect(sta, hapd, "TLS", "tls user", **client)
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
def test_ap_wpa2_eap_tls_check_cert_subject(dev, apdev):
    """EAP-TLS and server checking client subject name

    check_cert_subject on the server matches the test user certificate's
    subject, so the EAP-TLS connection must succeed.
    """
    ap_params = int_eap_server_params()
    ap_params['check_cert_subject'] = 'C=FI/O=w1.fi/CN=Test User'
    hapd = hostapd.add_ap(apdev[0], ap_params)
    check_check_cert_subject_support(hapd)

    client = dict(ca_cert="auth_serv/ca.pem",
                  client_cert="auth_serv/user.pem",
                  private_key="auth_serv/user.key")
    eap_connect(dev[0], hapd, "TLS", "tls user", **client)
def test_ap_wpa2_eap_tls_check_cert_subject_neg(dev, apdev):
    """EAP-TLS and server checking client subject name (negative)

    check_cert_subject names an organization that does not match the
    client certificate, so the server must reject the otherwise valid
    client.
    """
    ap_params = int_eap_server_params()
    ap_params['check_cert_subject'] = 'C=FI/O=example'
    hapd = hostapd.add_ap(apdev[0], ap_params)
    check_check_cert_subject_support(hapd)

    client = dict(ca_cert="auth_serv/ca.pem",
                  client_cert="auth_serv/user.pem",
                  private_key="auth_serv/user.key")
    eap_connect(dev[0], hapd, "TLS", "tls user", expect_failure=True, **client)
def test_ap_wpa2_eap_tls_oom(dev, apdev):
    """EAP-TLS and OOM

    Injects allocation failures into tls_connection_set_subject_match()
    on the station; each failure must surface as a TLS parameter
    configuration error (seen as a CTRL-REQ-PASSPHRASE request) rather
    than a crash or a connection with the match checks silently dropped.
    """
    sta = dev[0]
    for check in (check_subject_match_support, check_altsubject_match_support,
                  check_domain_match, check_domain_match_full):
        check(sta)

    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    func = "tls_connection_set_subject_match"
    for count in (1, 2, 3, 4):
        with alloc_fail(sta, count, func):
            sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                        identity="tls user", ca_cert="auth_serv/ca.pem",
                        client_cert="auth_serv/user.pem",
                        private_key="auth_serv/user.key",
                        subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                        altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
                        domain_suffix_match="server.w1.fi",
                        domain_match="server.w1.fi",
                        wait_connect=False, scan_freq="2412")
            # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
            req = sta.wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
            if req is None:  # NOTE(review): reconstructed — absent from the rendered listing
                raise Exception("No passphrase request")
            sta.request("REMOVE_NETWORK all")
            sta.wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # NOTE(review): macaddr_acl=2 is presumably the RADIUS-backed ACL mode
    # from hostapd.conf rather than a local accept/deny file — confirm.
    ap_params["macaddr_acl"] = "2"
    ap = hostapd.add_ap(apdev[0], ap_params)
    # dev[1] is used instead of the usual dev[0]; presumably its MAC address
    # is the one the test ACL configuration admits — TODO confirm.
    eap_connect(dev[1], ap, "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
5560 def test_ap_wpa2_eap_oom(dev
, apdev
):
5561 """EAP server and OOM"""
5562 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5563 hapd
= hostapd
.add_ap(apdev
[0], params
)
5564 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
5566 with
alloc_fail(hapd
, 1, "eapol_auth_alloc"):
5567 # The first attempt fails, but STA will send EAPOL-Start to retry and
5569 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5570 identity
="tls user", ca_cert
="auth_serv/ca.pem",
5571 client_cert
="auth_serv/user.pem",
5572 private_key
="auth_serv/user.key",
5575 def check_tls_ver(dev
, hapd
, phase1
, expected
):
5576 eap_connect(dev
, hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5577 client_cert
="auth_serv/user.pem",
5578 private_key
="auth_serv/user.key",
5580 ver
= dev
.get_status_field("eap_tls_version")
5582 raise Exception("Unexpected TLS version (expected %s): %s" % (expected
, ver
))
5584 def test_ap_wpa2_eap_tls_versions(dev
, apdev
):
5585 """EAP-TLS and TLS version configuration"""
5586 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5587 hapd
= hostapd
.add_ap(apdev
[0], params
)
5589 tls
= dev
[0].request("GET tls_library")
5590 if tls
.startswith("OpenSSL"):
5591 if "build=OpenSSL 1.0.1" not in tls
and "run=OpenSSL 1.0.1" not in tls
:
5592 check_tls_ver(dev
[0], hapd
,
5593 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
5595 if tls
.startswith("wolfSSL"):
5596 if ("build=3.10.0" in tls
and "run=3.10.0" in tls
) or \
5597 ("build=3.13.0" in tls
and "run=3.13.0" in tls
):
5598 check_tls_ver(dev
[0], hapd
,
5599 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
5601 elif tls
.startswith("internal"):
5602 check_tls_ver(dev
[0], hapd
,
5603 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
5604 check_tls_ver(dev
[1], hapd
,
5605 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
5606 check_tls_ver(dev
[2], hapd
,
5607 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
5608 if "run=OpenSSL 1.1.1" in tls
:
5609 check_tls_ver(dev
[0], hapd
,
5610 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0", "TLSv1.3")
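def test_ap_wpa2_eap_tls_13(dev, apdev):
    """EAP-TLS and TLS 1.3"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    tls = dev[0].request("GET tls_library")
    if "run=OpenSSL 1.1.1" not in tls:
        raise HwsimSkip("TLS v1.3 not supported")
    # The phase1 string turns off TLS 1.0/1.1/1.2 on the client and leaves
    # 1.3 enabled, so the version check below verifies what was negotiated
    # rather than merely that a connection happened.
    # (The network id returned by eap_connect() was previously bound to a
    # local named "id", shadowing the builtin, and never used; dropped.)
    eap_connect(dev[0], hapd, "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
                phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0")
    ver = dev[0].get_status_field("eap_tls_version")
    if ver != "TLSv1.3":
        # Include the negotiated version in the failure, as check_tls_ver()
        # does, so a log line shows what was actually used.
        raise Exception("Unexpected TLS version (expected TLSv1.3): %s" % ver)

    # Re-authenticate over the existing association, then reconnect with the
    # PMKSA cache flushed — presumably so that the RECONNECT cannot be served
    # from PMKSA caching and has to run the EAP exchange again; confirm.
    eap_reauth(dev[0], "TLS")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].request("PMKSA_FLUSH")
    dev[0].request("RECONNECT")
    dev[0].wait_connected()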
5636 def test_rsn_ie_proto_eap_sta(dev
, apdev
):
5637 """RSN element protocol testing for EAP cases on STA side"""
5638 bssid
= apdev
[0]['bssid']
5639 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5640 # This is the RSN element used normally by hostapd
5641 params
['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
5642 hapd
= hostapd
.add_ap(apdev
[0], params
)
5643 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
5644 identity
="gpsk user",
5645 password
="abcdefghijklmnop0123456789abcdef",
5648 tests
= [('No RSN Capabilities field',
5649 '30120100000fac040100000fac040100000fac01'),
5650 ('No AKM Suite fields',
5651 '300c0100000fac040100000fac04'),
5652 ('No Pairwise Cipher Suite fields',
5653 '30060100000fac04'),
5654 ('No Group Data Cipher Suite field',
5656 for txt
, ie
in tests
:
5657 dev
[0].request("DISCONNECT")
5658 dev
[0].wait_disconnected()
5661 hapd
.set('own_ie_override', ie
)
5663 dev
[0].request("BSS_FLUSH 0")
5664 dev
[0].scan_for_bss(bssid
, 2412, force_scan
=True, only_new
=True)
5665 dev
[0].select_network(id, freq
=2412)
5666 dev
[0].wait_connected()
5668 dev
[0].request("DISCONNECT")
5669 dev
[0].wait_disconnected()
5670 dev
[0].flush_scan_cache()
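def check_tls_session_resumption_capa(dev, hapd):
    """Skip the test unless both ends can be expected to resume TLS sessions.

    Both the hostapd side (the EAP server) and the wpa_supplicant side are
    queried with "GET tls_library"; only an OpenSSL build is accepted on
    either side.

    Raises:
        HwsimSkip: if either TLS library string does not start with "OpenSSL".
    """
    tls = hapd.request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        # The condition admits OpenSSL only, so the skip reason says exactly
        # that (the previous message also named wolfSSL, which this check
        # does not accept).
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)

    tls = dev.request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("Session resumption not supported with this TLS library: " + tls)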
5681 def test_eap_ttls_pap_session_resumption(dev
, apdev
):
5682 """EAP-TTLS/PAP session resumption"""
5683 params
= int_eap_server_params()
5684 params
['tls_session_lifetime'] = '60'
5685 hapd
= hostapd
.add_ap(apdev
[0], params
)
5686 check_tls_session_resumption_capa(dev
[0], hapd
)
5687 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5688 anonymous_identity
="ttls", password
="password",
5689 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5691 if dev
[0].get_status_field("tls_session_reused") != '0':
5692 raise Exception("Unexpected session resumption on the first connection")
5694 dev
[0].request("REAUTHENTICATE")
5695 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5697 raise Exception("EAP success timed out")
5698 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5700 raise Exception("Key handshake with the AP timed out")
5701 if dev
[0].get_status_field("tls_session_reused") != '1':
5702 raise Exception("Session resumption not used on the second connection")
5703 hwsim_utils
.test_connectivity(dev
[0], hapd
)
5705 def test_eap_ttls_chap_session_resumption(dev
, apdev
):
5706 """EAP-TTLS/CHAP session resumption"""
5707 params
= int_eap_server_params()
5708 params
['tls_session_lifetime'] = '60'
5709 hapd
= hostapd
.add_ap(apdev
[0], params
)
5710 check_tls_session_resumption_capa(dev
[0], hapd
)
5711 eap_connect(dev
[0], hapd
, "TTLS", "chap user",
5712 anonymous_identity
="ttls", password
="password",
5713 ca_cert
="auth_serv/ca.der", phase2
="auth=CHAP")
5714 if dev
[0].get_status_field("tls_session_reused") != '0':
5715 raise Exception("Unexpected session resumption on the first connection")
5717 dev
[0].request("REAUTHENTICATE")
5718 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5720 raise Exception("EAP success timed out")
5721 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5723 raise Exception("Key handshake with the AP timed out")
5724 if dev
[0].get_status_field("tls_session_reused") != '1':
5725 raise Exception("Session resumption not used on the second connection")
5727 def test_eap_ttls_mschap_session_resumption(dev
, apdev
):
5728 """EAP-TTLS/MSCHAP session resumption"""
5729 check_domain_suffix_match(dev
[0])
5730 params
= int_eap_server_params()
5731 params
['tls_session_lifetime'] = '60'
5732 hapd
= hostapd
.add_ap(apdev
[0], params
)
5733 check_tls_session_resumption_capa(dev
[0], hapd
)
5734 eap_connect(dev
[0], hapd
, "TTLS", "mschap user",
5735 anonymous_identity
="ttls", password
="password",
5736 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
5737 domain_suffix_match
="server.w1.fi")
5738 if dev
[0].get_status_field("tls_session_reused") != '0':
5739 raise Exception("Unexpected session resumption on the first connection")
5741 dev
[0].request("REAUTHENTICATE")
5742 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5744 raise Exception("EAP success timed out")
5745 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5747 raise Exception("Key handshake with the AP timed out")
5748 if dev
[0].get_status_field("tls_session_reused") != '1':
5749 raise Exception("Session resumption not used on the second connection")
5751 def test_eap_ttls_mschapv2_session_resumption(dev
, apdev
):
5752 """EAP-TTLS/MSCHAPv2 session resumption"""
5753 check_domain_suffix_match(dev
[0])
5754 check_eap_capa(dev
[0], "MSCHAPV2")
5755 params
= int_eap_server_params()
5756 params
['tls_session_lifetime'] = '60'
5757 hapd
= hostapd
.add_ap(apdev
[0], params
)
5758 check_tls_session_resumption_capa(dev
[0], hapd
)
5759 eap_connect(dev
[0], hapd
, "TTLS", "DOMAIN\mschapv2 user",
5760 anonymous_identity
="ttls", password
="password",
5761 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
5762 domain_suffix_match
="server.w1.fi")
5763 if dev
[0].get_status_field("tls_session_reused") != '0':
5764 raise Exception("Unexpected session resumption on the first connection")
5766 dev
[0].request("REAUTHENTICATE")
5767 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5769 raise Exception("EAP success timed out")
5770 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5772 raise Exception("Key handshake with the AP timed out")
5773 if dev
[0].get_status_field("tls_session_reused") != '1':
5774 raise Exception("Session resumption not used on the second connection")
5776 def test_eap_ttls_eap_gtc_session_resumption(dev
, apdev
):
5777 """EAP-TTLS/EAP-GTC session resumption"""
5778 params
= int_eap_server_params()
5779 params
['tls_session_lifetime'] = '60'
5780 hapd
= hostapd
.add_ap(apdev
[0], params
)
5781 check_tls_session_resumption_capa(dev
[0], hapd
)
5782 eap_connect(dev
[0], hapd
, "TTLS", "user",
5783 anonymous_identity
="ttls", password
="password",
5784 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC")
5785 if dev
[0].get_status_field("tls_session_reused") != '0':
5786 raise Exception("Unexpected session resumption on the first connection")
5788 dev
[0].request("REAUTHENTICATE")
5789 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5791 raise Exception("EAP success timed out")
5792 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5794 raise Exception("Key handshake with the AP timed out")
5795 if dev
[0].get_status_field("tls_session_reused") != '1':
5796 raise Exception("Session resumption not used on the second connection")
5798 def test_eap_ttls_no_session_resumption(dev
, apdev
):
5799 """EAP-TTLS session resumption disabled on server"""
5800 params
= int_eap_server_params()
5801 params
['tls_session_lifetime'] = '0'
5802 hapd
= hostapd
.add_ap(apdev
[0], params
)
5803 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5804 anonymous_identity
="ttls", password
="password",
5805 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5807 if dev
[0].get_status_field("tls_session_reused") != '0':
5808 raise Exception("Unexpected session resumption on the first connection")
5810 dev
[0].request("REAUTHENTICATE")
5811 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5813 raise Exception("EAP success timed out")
5814 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5816 raise Exception("Key handshake with the AP timed out")
5817 if dev
[0].get_status_field("tls_session_reused") != '0':
5818 raise Exception("Unexpected session resumption on the second connection")
5820 def test_eap_peap_session_resumption(dev
, apdev
):
5821 """EAP-PEAP session resumption"""
5822 check_eap_capa(dev
[0], "MSCHAPV2")
5823 params
= int_eap_server_params()
5824 params
['tls_session_lifetime'] = '60'
5825 hapd
= hostapd
.add_ap(apdev
[0], params
)
5826 check_tls_session_resumption_capa(dev
[0], hapd
)
5827 eap_connect(dev
[0], hapd
, "PEAP", "user",
5828 anonymous_identity
="peap", password
="password",
5829 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
5830 if dev
[0].get_status_field("tls_session_reused") != '0':
5831 raise Exception("Unexpected session resumption on the first connection")
5833 dev
[0].request("REAUTHENTICATE")
5834 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5836 raise Exception("EAP success timed out")
5837 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5839 raise Exception("Key handshake with the AP timed out")
5840 if dev
[0].get_status_field("tls_session_reused") != '1':
5841 raise Exception("Session resumption not used on the second connection")
5843 def test_eap_peap_session_resumption_crypto_binding(dev
, apdev
):
5844 """EAP-PEAP session resumption with crypto binding"""
5845 params
= int_eap_server_params()
5846 params
['tls_session_lifetime'] = '60'
5847 hapd
= hostapd
.add_ap(apdev
[0], params
)
5848 check_tls_session_resumption_capa(dev
[0], hapd
)
5849 eap_connect(dev
[0], hapd
, "PEAP", "user",
5850 anonymous_identity
="peap", password
="password",
5851 phase1
="peapver=0 crypto_binding=2",
5852 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
5853 if dev
[0].get_status_field("tls_session_reused") != '0':
5854 raise Exception("Unexpected session resumption on the first connection")
5856 dev
[0].request("REAUTHENTICATE")
5857 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5859 raise Exception("EAP success timed out")
5860 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5862 raise Exception("Key handshake with the AP timed out")
5863 if dev
[0].get_status_field("tls_session_reused") != '1':
5864 raise Exception("Session resumption not used on the second connection")
5866 def test_eap_peap_no_session_resumption(dev
, apdev
):
5867 """EAP-PEAP session resumption disabled on server"""
5868 params
= int_eap_server_params()
5869 hapd
= hostapd
.add_ap(apdev
[0], params
)
5870 eap_connect(dev
[0], hapd
, "PEAP", "user",
5871 anonymous_identity
="peap", password
="password",
5872 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
5873 if dev
[0].get_status_field("tls_session_reused") != '0':
5874 raise Exception("Unexpected session resumption on the first connection")
5876 dev
[0].request("REAUTHENTICATE")
5877 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5879 raise Exception("EAP success timed out")
5880 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5882 raise Exception("Key handshake with the AP timed out")
5883 if dev
[0].get_status_field("tls_session_reused") != '0':
5884 raise Exception("Unexpected session resumption on the second connection")
5886 def test_eap_tls_session_resumption(dev
, apdev
):
5887 """EAP-TLS session resumption"""
5888 params
= int_eap_server_params()
5889 params
['tls_session_lifetime'] = '60'
5890 hapd
= hostapd
.add_ap(apdev
[0], params
)
5891 check_tls_session_resumption_capa(dev
[0], hapd
)
5892 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5893 client_cert
="auth_serv/user.pem",
5894 private_key
="auth_serv/user.key")
5895 if dev
[0].get_status_field("tls_session_reused") != '0':
5896 raise Exception("Unexpected session resumption on the first connection")
5898 dev
[0].request("REAUTHENTICATE")
5899 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5901 raise Exception("EAP success timed out")
5902 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5904 raise Exception("Key handshake with the AP timed out")
5905 if dev
[0].get_status_field("tls_session_reused") != '1':
5906 raise Exception("Session resumption not used on the second connection")
5908 dev
[0].request("REAUTHENTICATE")
5909 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5911 raise Exception("EAP success timed out")
5912 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5914 raise Exception("Key handshake with the AP timed out")
5915 if dev
[0].get_status_field("tls_session_reused") != '1':
5916 raise Exception("Session resumption not used on the third connection")
5918 def test_eap_tls_session_resumption_expiration(dev
, apdev
):
5919 """EAP-TLS session resumption"""
5920 params
= int_eap_server_params()
5921 params
['tls_session_lifetime'] = '1'
5922 hapd
= hostapd
.add_ap(apdev
[0], params
)
5923 check_tls_session_resumption_capa(dev
[0], hapd
)
5924 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5925 client_cert
="auth_serv/user.pem",
5926 private_key
="auth_serv/user.key")
5927 if dev
[0].get_status_field("tls_session_reused") != '0':
5928 raise Exception("Unexpected session resumption on the first connection")
5930 # Allow multiple attempts since OpenSSL may not expire the cached entry
5935 dev
[0].request("REAUTHENTICATE")
5936 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5938 raise Exception("EAP success timed out")
5939 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5941 raise Exception("Key handshake with the AP timed out")
5942 if dev
[0].get_status_field("tls_session_reused") == '0':
5944 if dev
[0].get_status_field("tls_session_reused") != '0':
5945 raise Exception("Session resumption used after lifetime expiration")
5947 def test_eap_tls_no_session_resumption(dev
, apdev
):
5948 """EAP-TLS session resumption disabled on server"""
5949 params
= int_eap_server_params()
5950 hapd
= hostapd
.add_ap(apdev
[0], params
)
5951 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5952 client_cert
="auth_serv/user.pem",
5953 private_key
="auth_serv/user.key")
5954 if dev
[0].get_status_field("tls_session_reused") != '0':
5955 raise Exception("Unexpected session resumption on the first connection")
5957 dev
[0].request("REAUTHENTICATE")
5958 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5960 raise Exception("EAP success timed out")
5961 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5963 raise Exception("Key handshake with the AP timed out")
5964 if dev
[0].get_status_field("tls_session_reused") != '0':
5965 raise Exception("Unexpected session resumption on the second connection")
5967 def test_eap_tls_session_resumption_radius(dev
, apdev
):
5968 """EAP-TLS session resumption (RADIUS)"""
5969 params
= {"ssid": "as", "beacon_int": "2000",
5970 "radius_server_clients": "auth_serv/radius_clients.conf",
5971 "radius_server_auth_port": '18128',
5973 "eap_user_file": "auth_serv/eap_user.conf",
5974 "ca_cert": "auth_serv/ca.pem",
5975 "server_cert": "auth_serv/server.pem",
5976 "private_key": "auth_serv/server.key",
5977 "tls_session_lifetime": "60"}
5978 authsrv
= hostapd
.add_ap(apdev
[1], params
)
5979 check_tls_session_resumption_capa(dev
[0], authsrv
)
5981 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5982 params
['auth_server_port'] = "18128"
5983 hapd
= hostapd
.add_ap(apdev
[0], params
)
5984 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5985 client_cert
="auth_serv/user.pem",
5986 private_key
="auth_serv/user.key")
5987 if dev
[0].get_status_field("tls_session_reused") != '0':
5988 raise Exception("Unexpected session resumption on the first connection")
5990 dev
[0].request("REAUTHENTICATE")
5991 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5993 raise Exception("EAP success timed out")
5994 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5996 raise Exception("Key handshake with the AP timed out")
5997 if dev
[0].get_status_field("tls_session_reused") != '1':
5998 raise Exception("Session resumption not used on the second connection")
6000 def test_eap_tls_no_session_resumption_radius(dev
, apdev
):
6001 """EAP-TLS session resumption disabled (RADIUS)"""
6002 params
= {"ssid": "as", "beacon_int": "2000",
6003 "radius_server_clients": "auth_serv/radius_clients.conf",
6004 "radius_server_auth_port": '18128',
6006 "eap_user_file": "auth_serv/eap_user.conf",
6007 "ca_cert": "auth_serv/ca.pem",
6008 "server_cert": "auth_serv/server.pem",
6009 "private_key": "auth_serv/server.key",
6010 "tls_session_lifetime": "0"}
6011 hostapd
.add_ap(apdev
[1], params
)
6013 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6014 params
['auth_server_port'] = "18128"
6015 hapd
= hostapd
.add_ap(apdev
[0], params
)
6016 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
6017 client_cert
="auth_serv/user.pem",
6018 private_key
="auth_serv/user.key")
6019 if dev
[0].get_status_field("tls_session_reused") != '0':
6020 raise Exception("Unexpected session resumption on the first connection")
6022 dev
[0].request("REAUTHENTICATE")
6023 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
6025 raise Exception("EAP success timed out")
6026 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
6028 raise Exception("Key handshake with the AP timed out")
6029 if dev
[0].get_status_field("tls_session_reused") != '0':
6030 raise Exception("Unexpected session resumption on the second connection")
6032 def test_eap_mschapv2_errors(dev
, apdev
):
6033 """EAP-MSCHAPv2 error cases"""
6034 check_eap_capa(dev
[0], "MSCHAPV2")
6035 check_eap_capa(dev
[0], "FAST")
6037 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa-eap")
6038 hapd
= hostapd
.add_ap(apdev
[0], params
)
6039 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
6040 identity
="phase1-user", password
="password",
6042 dev
[0].request("REMOVE_NETWORK all")
6043 dev
[0].wait_disconnected()
6045 tests
= [(1, "hash_nt_password_hash;mschapv2_derive_response"),
6046 (1, "nt_password_hash;mschapv2_derive_response"),
6047 (1, "nt_password_hash;=mschapv2_derive_response"),
6048 (1, "generate_nt_response;mschapv2_derive_response"),
6049 (1, "generate_authenticator_response;mschapv2_derive_response"),
6050 (1, "nt_password_hash;=mschapv2_derive_response"),
6051 (1, "get_master_key;mschapv2_derive_response"),
6052 (1, "os_get_random;eap_mschapv2_challenge_reply")]
6053 for count
, func
in tests
:
6054 with
fail_test(dev
[0], count
, func
):
6055 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
6056 identity
="phase1-user", password
="password",
6057 wait_connect
=False, scan_freq
="2412")
6058 wait_fail_trigger(dev
[0], "GET_FAIL")
6059 dev
[0].request("REMOVE_NETWORK all")
6060 dev
[0].wait_disconnected()
6062 tests
= [(1, "hash_nt_password_hash;mschapv2_derive_response"),
6063 (1, "hash_nt_password_hash;=mschapv2_derive_response"),
6064 (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
6065 (1, "generate_authenticator_response_pwhash;mschapv2_derive_response")]
6066 for count
, func
in tests
:
6067 with
fail_test(dev
[0], count
, func
):
6068 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
6069 identity
="phase1-user",
6070 password_hex
="hash:8846f7eaee8fb117ad06bdd830b7586c",
6071 wait_connect
=False, scan_freq
="2412")
6072 wait_fail_trigger(dev
[0], "GET_FAIL")
6073 dev
[0].request("REMOVE_NETWORK all")
6074 dev
[0].wait_disconnected()
6076 tests
= [(1, "eap_mschapv2_init"),
6077 (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
6078 (1, "eap_msg_alloc;eap_mschapv2_success"),
6079 (1, "eap_mschapv2_getKey")]
6080 for count
, func
in tests
:
6081 with
alloc_fail(dev
[0], count
, func
):
6082 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
6083 identity
="phase1-user", password
="password",
6084 wait_connect
=False, scan_freq
="2412")
6085 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6086 dev
[0].request("REMOVE_NETWORK all")
6087 dev
[0].wait_disconnected()
6089 tests
= [(1, "eap_msg_alloc;eap_mschapv2_failure")]
6090 for count
, func
in tests
:
6091 with
alloc_fail(dev
[0], count
, func
):
6092 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
6093 identity
="phase1-user", password
="wrong password",
6094 wait_connect
=False, scan_freq
="2412")
6095 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6096 dev
[0].request("REMOVE_NETWORK all")
6097 dev
[0].wait_disconnected()
6099 tests
= [(2, "eap_mschapv2_init"),
6100 (3, "eap_mschapv2_init")]
6101 for count
, func
in tests
:
6102 with
alloc_fail(dev
[0], count
, func
):
6103 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="FAST",
6104 anonymous_identity
="FAST", identity
="user",
6105 password
="password",
6106 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
6107 phase1
="fast_provisioning=1",
6108 pac_file
="blob://fast_pac",
6109 wait_connect
=False, scan_freq
="2412")
6110 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6111 dev
[0].request("REMOVE_NETWORK all")
6112 dev
[0].wait_disconnected()
6114 def test_eap_gpsk_errors(dev
, apdev
):
6115 """EAP-GPSK error cases"""
6116 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa-eap")
6117 hapd
= hostapd
.add_ap(apdev
[0], params
)
6118 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
6119 identity
="gpsk user",
6120 password
="abcdefghijklmnop0123456789abcdef",
6122 dev
[0].request("REMOVE_NETWORK all")
6123 dev
[0].wait_disconnected()
6125 tests
= [(1, "os_get_random;eap_gpsk_send_gpsk_2", None),
6126 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
6128 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
6130 (1, "eap_gpsk_derive_keys_helper", None),
6131 (2, "eap_gpsk_derive_keys_helper", None),
6132 (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
6134 (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
6136 (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
6137 (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
6138 (1, "eap_gpsk_derive_mid_helper", None)]
6139 for count
, func
, phase1
in tests
:
6140 with
fail_test(dev
[0], count
, func
):
6141 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
6142 identity
="gpsk user",
6143 password
="abcdefghijklmnop0123456789abcdef",
6145 wait_connect
=False, scan_freq
="2412")
6146 wait_fail_trigger(dev
[0], "GET_FAIL")
6147 dev
[0].request("REMOVE_NETWORK all")
6148 dev
[0].wait_disconnected()
6150 tests
= [(1, "eap_gpsk_init"),
6151 (2, "eap_gpsk_init"),
6152 (3, "eap_gpsk_init"),
6153 (1, "eap_gpsk_process_id_server"),
6154 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
6155 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
6156 (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
6157 (1, "eap_gpsk_derive_keys"),
6158 (1, "eap_gpsk_derive_keys_helper"),
6159 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
6160 (1, "eap_gpsk_getKey"),
6161 (1, "eap_gpsk_get_emsk"),
6162 (1, "eap_gpsk_get_session_id")]
6163 for count
, func
in tests
:
6164 with
alloc_fail(dev
[0], count
, func
):
6165 dev
[0].request("ERP_FLUSH")
6166 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
6167 identity
="gpsk user@domain", erp
="1",
6168 password
="abcdefghijklmnop0123456789abcdef",
6169 wait_connect
=False, scan_freq
="2412")
6170 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6171 dev
[0].request("REMOVE_NETWORK all")
6172 dev
[0].wait_disconnected()
6174 def test_ap_wpa2_eap_sim_db(dev
, apdev
, params
):
6175 """EAP-SIM DB error cases"""
6176 sockpath
= '/tmp/hlr_auc_gw.sock-test'
6181 hparams
= int_eap_server_params()
6182 hparams
['eap_sim_db'] = 'unix:' + sockpath
6183 hapd
= hostapd
.add_ap(apdev
[0], hparams
)
6185 # Initial test with hlr_auc_gw socket not available
6186 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
6187 eap
="SIM", identity
="1232010000000000",
6188 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
6189 scan_freq
="2412", wait_connect
=False)
6190 ev
= dev
[0].wait_event(["EAP-ERROR-CODE"], timeout
=10)
6192 raise Exception("EAP method specific error code not reported")
6193 if int(ev
.split()[1]) != 16384:
6194 raise Exception("Unexpected EAP method specific error code: " + ev
)
6195 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
6197 raise Exception("EAP-Failure not reported")
6198 dev
[0].wait_disconnected()
6199 dev
[0].request("DISCONNECT")
6201 # Test with invalid responses and response timeout
6203 class test_handler(SocketServer
.DatagramRequestHandler
):
6205 data
= self
.request
[0].decode().strip()
6206 socket
= self
.request
[1]
6207 logger
.debug("Received hlr_auc_gw request: " + data
)
6208 # EAP-SIM DB: Failed to parse response string
6209 socket
.sendto(b
"FOO", self
.client_address
)
6210 # EAP-SIM DB: Failed to parse response string
6211 socket
.sendto(b
"FOO 1", self
.client_address
)
6212 # EAP-SIM DB: Unknown external response
6213 socket
.sendto(b
"FOO 1 2", self
.client_address
)
6214 logger
.info("No proper response - wait for pending eap_sim_db request timeout")
6216 server
= SocketServer
.UnixDatagramServer(sockpath
, test_handler
)
6219 dev
[0].select_network(id)
6220 server
.handle_request()
6221 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
6223 raise Exception("EAP-Failure not reported")
6224 dev
[0].wait_disconnected()
6225 dev
[0].request("DISCONNECT")
6227 # Test with a valid response
6229 class test_handler2(SocketServer
.DatagramRequestHandler
):
6231 data
= self
.request
[0].decode().strip()
6232 socket
= self
.request
[1]
6233 logger
.debug("Received hlr_auc_gw request: " + data
)
6234 fname
= os
.path
.join(params
['logdir'],
6235 'hlr_auc_gw.milenage_db')
6236 cmd
= subprocess
.Popen(['../../hostapd/hlr_auc_gw',
6238 stdout
=subprocess
.PIPE
)
6239 res
= cmd
.stdout
.read().decode().strip()
6241 logger
.debug("hlr_auc_gw response: " + res
)
6242 socket
.sendto(res
.encode(), self
.client_address
)
6244 server
.RequestHandlerClass
= test_handler2
6246 dev
[0].select_network(id)
6247 server
.handle_request()
6248 dev
[0].wait_connected()
6249 dev
[0].request("DISCONNECT")
6250 dev
[0].wait_disconnected()
6252 def test_eap_tls_sha512(dev
, apdev
, params
):
6253 """EAP-TLS with SHA512 signature"""
6254 params
= int_eap_server_params()
6255 params
["ca_cert"] = "auth_serv/sha512-ca.pem"
6256 params
["server_cert"] = "auth_serv/sha512-server.pem"
6257 params
["private_key"] = "auth_serv/sha512-server.key"
6258 hostapd
.add_ap(apdev
[0], params
)
6260 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6261 identity
="tls user sha512",
6262 ca_cert
="auth_serv/sha512-ca.pem",
6263 client_cert
="auth_serv/sha512-user.pem",
6264 private_key
="auth_serv/sha512-user.key",
6266 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6267 identity
="tls user sha512",
6268 ca_cert
="auth_serv/sha512-ca.pem",
6269 client_cert
="auth_serv/sha384-user.pem",
6270 private_key
="auth_serv/sha384-user.key",
6273 def test_eap_tls_sha384(dev
, apdev
, params
):
6274 """EAP-TLS with SHA384 signature"""
6275 params
= int_eap_server_params()
6276 params
["ca_cert"] = "auth_serv/sha512-ca.pem"
6277 params
["server_cert"] = "auth_serv/sha384-server.pem"
6278 params
["private_key"] = "auth_serv/sha384-server.key"
6279 hostapd
.add_ap(apdev
[0], params
)
6281 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6282 identity
="tls user sha512",
6283 ca_cert
="auth_serv/sha512-ca.pem",
6284 client_cert
="auth_serv/sha512-user.pem",
6285 private_key
="auth_serv/sha512-user.key",
6287 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6288 identity
="tls user sha512",
6289 ca_cert
="auth_serv/sha512-ca.pem",
6290 client_cert
="auth_serv/sha384-user.pem",
6291 private_key
="auth_serv/sha384-user.key",
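# Layout of the association-request RSN IE test vectors used below (hex):
#   30 <len> 0100   RSN element header, version 1
#   000fac04        cipher suite CCMP-128 (group, then pairwise)
#   000fac02        cipher suite TKIP (used only as an invalid choice)
#   0100            one-entry suite count
#   000fac01        AKM suite IEEE 802.1X
#   0000 / cc00     RSN Capabilities; cc00 has MFPC and MFPR set
#   000fac06 / 0b   group management cipher BIP-CMAC-128 / BIP-GMAC-128
_ASSOC_RSN_SUCCESS_OPEN = [
    ("Normal wpa_supplicant assoc req RSN IE",
     "30140100000fac040100000fac040100000fac010000"),
    ("Extra PMKIDCount field in RSN IE",
     "30160100000fac040100000fac040100000fac0100000000"),
    ("Extra Group Management Cipher Suite in RSN IE",
     "301a0100000fac040100000fac040100000fac0100000000000fac06"),
    ("Extra undefined extension field in RSN IE",
     "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
    ("RSN IE without RSN Capabilities",
     "30120100000fac040100000fac040100000fac01"),
    ("RSN IE without AKM", "300c0100000fac040100000fac04"),
    ("RSN IE without pairwise", "30060100000fac04"),
    ("RSN IE without group", "30020100")]

_ASSOC_RSN_SUCCESS_PMF = [
    ("Normal wpa_supplicant assoc req RSN IE",
     "30140100000fac040100000fac040100000fac01cc00"),
    ("Group management cipher included in assoc req RSN IE",
     "301a0100000fac040100000fac040100000fac01cc000000000fac06")]

# (title, IE, expected IEEE 802.11 status code)
_ASSOC_RSN_REJECT_OPEN = [
    ("Invalid group cipher", "30060100000fac02", 41),
    ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42)]

_ASSOC_RSN_REJECT_PMF = [
    ("Management frame protection not enabled",
     "30140100000fac040100000fac040100000fac010000", 31),
    ("Unsupported management group cipher",
     "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 46)]


def _assoc_rsn_connect(sta, ssid, title, ie, **extra):
    """Replace the association-request RSN IE with *ie* and require the
    EAP-GPSK connection to *ssid* to succeed; then tear the network down."""
    logger.info(title)
    set_test_assoc_ie(sta, ie)
    sta.connect(ssid, key_mgmt="WPA-EAP", eap="GPSK", identity="gpsk user",
                password="abcdefghijklmnop0123456789abcdef",
                scan_freq="2412", **extra)
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()


def _assoc_rsn_expect_reject(sta, ssid, title, ie, status, **extra):
    """Replace the association-request RSN IE with *ie* and require the AP
    to reject association with IEEE 802.11 status code *status*.

    Raises Exception when no CTRL-EVENT-ASSOC-REJECT is seen or when it
    carries a different status code.
    """
    logger.info(title)
    set_test_assoc_ie(sta, ie)
    sta.connect(ssid, key_mgmt="WPA-EAP", eap="GPSK", identity="gpsk user",
                password="abcdefghijklmnop0123456789abcdef",
                scan_freq="2412", wait_connect=False, **extra)
    ev = sta.wait_event(["CTRL-EVENT-ASSOC-REJECT"])
    if ev is None:
        raise Exception("Association rejection not reported")
    if "status_code=" + str(status) not in ev:
        raise Exception("Unexpected status code: " + ev)
    sta.request("REMOVE_NETWORK all")
    sta.dump_monitor()


def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
    """WPA2-Enterprise AP and association request RSN IE differences"""
    # apdev[0]: plain WPA2-Enterprise; apdev[1]: same with PMF required.
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
    params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[1], params)

    # Success cases with optional RSN IE fields removed one by one
    for title, ie in _ASSOC_RSN_SUCCESS_OPEN:
        _assoc_rsn_connect(dev[0], "test-wpa2-eap", title, ie)

    for title, ie in _ASSOC_RSN_SUCCESS_PMF:
        _assoc_rsn_connect(dev[0], "test-wpa2-eap-11w", title, ie,
                           ieee80211w="1")

    # Rejection cases: the AP must refuse ciphers outside its configuration
    # and, on the PMF-required BSS, stations not negotiating MFP.
    for title, ie, status in _ASSOC_RSN_REJECT_OPEN:
        _assoc_rsn_expect_reject(dev[0], "test-wpa2-eap", title, ie, status)

    for title, ie, status in _ASSOC_RSN_REJECT_PMF:
        _assoc_rsn_expect_reject(dev[0], "test-wpa2-eap-11w", title, ie,
                                 status, ieee80211w="1")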
def test_eap_tls_ext_cert_check(dev, apdev):
    """EAP-TLS and external server certification validation"""
    # ca_cert is configured, so the built-in chain validation runs in
    # addition to the external check requested with tls_ext_cert_check=1.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                            identity="tls user",
                            ca_cert="auth_serv/ca.pem",
                            client_cert="auth_serv/user.pem",
                            private_key="auth_serv/user.key",
                            phase1="tls_ext_cert_check=1", scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_ttls_ext_cert_check(dev, apdev):
    """EAP-TTLS and external server certification validation"""
    # No ca_cert here: the external check is the only thing that decides
    # whether the server certificate is trusted before PAP credentials are
    # sent inside the tunnel.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            phase1="tls_ext_cert_check=1", scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_peap_ext_cert_check(dev, apdev):
    """EAP-PEAP and external server certification validation"""
    # Built-in chain validation (ca_cert) plus the external check.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                            identity="user", anonymous_identity="peap",
                            ca_cert="auth_serv/ca.pem",
                            password="password", phase2="auth=MSCHAPV2",
                            phase1="tls_ext_cert_check=1", scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_fast_ext_cert_check(dev, apdev):
    """EAP-FAST and external server certification validation"""
    check_eap_capa(dev[0], "FAST")
    # Built-in chain validation (ca_cert) plus the external check. The PAC
    # store is a named blob that is reset here so that authenticated
    # provisioning (fast_provisioning=2) happens during the test.
    dev[0].request("SET blob fast_pac_auth_ext ")
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                            identity="user", anonymous_identity="FAST",
                            ca_cert="auth_serv/ca.pem",
                            password="password", phase2="auth=GTC",
                            phase1="tls_ext_cert_check=1 fast_provisioning=2",
                            pac_file="blob://fast_pac_auth_ext",
                            scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
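def _wait_ext_cert_check_request(sta):
    """Collect server certificates until the supplicant asks for the
    external check.

    Consumes CTRL-EVENT-EAP-PEER-CERT events (each carrying depth=<n> and
    cert=<hex DER>) and returns (request id, {depth: DER bytes}) once
    CTRL-REQ-EXT_CERT_CHECK arrives. Raises Exception when no event is seen
    within 10 s or when EAP-Success is reported before the request: the
    external verdict must gate success.
    """
    certs = {}
    while True:
        ev = sta.wait_event(["CTRL-EVENT-EAP-PEER-CERT",
                             "CTRL-REQ-EXT_CERT_CHECK",
                             "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("No peer server certificate event seen")
        if "CTRL-EVENT-EAP-SUCCESS" in ev:
            raise Exception("Unexpected EAP-Success")
        if "CTRL-REQ-EXT_CERT_CHECK" in ev:
            return ev.split(':')[0].split('-')[-1], certs
        depth = None
        cert = None
        for v in ev.split(' '):
            if v.startswith("depth="):
                depth = int(v.split('=')[1])
            elif v.startswith("cert="):
                cert = v.split('=')[1]
        if depth is not None and cert:
            certs[depth] = binascii.unhexlify(cert)


def _cert_cn(der):
    """Return the subject commonName of a DER certificate (None if absent)."""
    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1, der)
    return cert.get_subject().commonName


def run_ext_cert_check(dev, apdev, net_id):
    """Exercise tls_ext_cert_check=1 on the already added network *net_id*.

    Round 1: answer the CTRL-REQ-EXT_CERT_CHECK request with "good" after
    inspecting the received server and issuer certificates, and require the
    connection to complete only after that answer. Round 2: force a full EAP
    exchange again (PMKSA and PAC flushed), answer "bad" and require
    EAP-Failure.

    The subject CN comparison below stands in for whatever policy a real
    external validator would apply; it is not itself a chain validation.

    Raises HwsimSkip when the build lacks ext_cert_check support or the
    pyOpenSSL module is unavailable.
    """
    check_ext_cert_check_support(dev[0])
    if not openssl_imported:
        raise HwsimSkip("OpenSSL python method not available")

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    dev[0].select_network(net_id)
    req_id, certs = _wait_ext_cert_check_request(dev[0])
    if 0 not in certs:
        raise Exception("Server certificate not received")
    if 1 not in certs:
        raise Exception("Server certificate issuer not received")

    # %s formatting keeps the log and error paths working when a CN is
    # missing (commonName is None) instead of failing with a TypeError.
    cn = _cert_cn(certs[0])
    logger.info("Server certificate CN=%s" % cn)
    icn = _cert_cn(certs[1])
    logger.info("Issuer certificate CN=%s" % icn)

    if cn != "server.w1.fi":
        raise Exception("Unexpected server certificate CN: %s" % cn)
    if icn != "Root CA":
        raise Exception("Unexpected server certificate issuer CN: %s" % icn)

    # Success must not be reported before the external verdict is given.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
    if ev:
        raise Exception("Unexpected EAP-Success before external check result indication")

    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + req_id + ":good")
    dev[0].wait_connected()

    # Round 2: drop cached state so that the server certificate is presented
    # (and externally checked) again, then reject it.
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    if "FAIL" in dev[0].request("PMKSA_FLUSH"):
        raise Exception("PMKSA_FLUSH failed")
    dev[0].request("SET blob fast_pac_auth_ext ")
    dev[0].request("RECONNECT")
    ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen (2)")
    req_id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + req_id + ":bad")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()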
def test_eap_tls_errors(dev, apdev):
    """EAP-TLS error cases"""
    params = int_eap_server_params()
    # Small EAP fragments so the reassembly code path is actually exercised.
    params['fragment_size'] = '100'
    hostapd.add_ap(apdev[0], params)

    def start_tls(identity="tls user"):
        # Begin an EAP-TLS attempt with the standard test user; each case
        # below decides what failure to expect, so never wait for connection.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity=identity, ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       wait_connect=False, scan_freq="2412")

    def start_unauth(method, identity):
        # Server-only authentication variants: no client certificate.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=method,
                       identity=identity, ca_cert="auth_serv/ca.pem",
                       wait_connect=False, scan_freq="2412")

    def teardown():
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    for func in ("eap_peer_tls_reassemble_fragment", "eap_tls_init"):
        with alloc_fail(dev[0], 1, func):
            start_tls()
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            teardown()

    with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init"):
        # NOTE(review): one connect() argument of this case was not legible in
        # the reviewed copy; the CTRL-REQ-PIN expected below is only issued
        # for engine/smartcard-backed keys -- verify against upstream.
        start_tls()
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        if dev[0].wait_event(["CTRL-REQ-PIN"], timeout=5) is None:
            raise Exception("No CTRL-REQ-PIN seen")
        teardown()

    # Allocation failures after the TLS handshake, in key and session-id
    # derivation.
    # NOTE(review): two further entries of this list and one connect()
    # argument were not legible in the reviewed copy.
    post_handshake = ["eap_peer_tls_derive_key;eap_tls_success",
                      "eap_peer_tls_derive_session_id;eap_tls_success",
                      "eap_tls_get_session_id"]
    for func in post_handshake:
        with alloc_fail(dev[0], 1, func):
            start_tls(identity="tls user@domain")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            teardown()

    unauth_cases = (
        ("UNAUTH-TLS", "unauth-tls",
         ("eap_unauth_tls_init",
          "eap_peer_tls_ssl_init;eap_unauth_tls_init")),
        ("WFA-UNAUTH-TLS", "osen@example.com",
         ("eap_wfa_unauth_tls_init",
          "eap_peer_tls_ssl_init;eap_wfa_unauth_tls_init")))
    for method, identity, funcs in unauth_cases:
        for func in funcs:
            with alloc_fail(dev[0], 1, func):
                start_unauth(method, identity)
                wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
                teardown()
def test_ap_wpa2_eap_status(dev, apdev):
    """EAP state machine status information"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # PEAP with inner EAP-TLS gives a long enough exchange to observe several
    # intermediate EAP state machine values through STATUS-VERBOSE.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="cert user",
                   ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                   ca_cert2="auth_serv/ca.pem",
                   client_cert2="auth_serv/user.pem",
                   private_key2="auth_serv/user.key",
                   scan_freq="2412", wait_connect=False)

    # Distinct values observed per STATUS-VERBOSE field, in first-seen order.
    seen = {'EAP state': [], 'methodState': [], 'decision': [],
            'reqMethod': [], 'selectedMethod': []}

    def note(field, status):
        if field in status and status[field] not in seen[field]:
            seen[field].append(status[field])

    success = False
    connected = False
    for i in range(100000):
        # Every tenth iteration, check whether the connection has already
        # completed so wait_connected() below can be skipped.
        if not connected and i % 10 == 9:
            if dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=0.0001):
                connected = True
        s = dev[0].get_status(extra="VERBOSE")
        if 'EAP state' in s:
            note('EAP state', s)
            if s['EAP state'] == "SUCCESS":
                success = True
                break
        for field in ('methodState', 'decision', 'reqMethod',
                      'selectedMethod'):
            note(field, s)
    logger.info("Iterations: %d" % i)
    logger.info("EAP states: " + str(seen['EAP state']))
    logger.info("methodStates: " + str(seen['methodState']))
    logger.info("decisions: " + str(seen['decision']))
    logger.info("reqMethods: " + str(seen['reqMethod']))
    logger.info("selectedMethods: " + str(seen['selectedMethod']))
    if not success:
        raise Exception("EAP did not succeed")
    if not connected:
        dev[0].wait_connected()
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_gpsk_ptk_rekey_ap(dev, apdev):
    """WPA2-Enterprise with EAP-GPSK and PTK rekey enforced by AP"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # AP-initiated PTK rekey every 2 seconds (hostapd wpa_ptk_rekey is in
    # seconds) so the rekey happens within the test's event wait.
    params['wpa_ptk_rekey'] = '2'
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "GPSK", "gpsk user",
                password="abcdefghijklmnop0123456789abcdef")
    # The rekey shows up as another 4-way handshake completing.
    if dev[0].wait_event(["WPA: Key negotiation completed"]) is None:
        raise Exception("PTK rekey timed out")
    # Data must still flow with the new PTK.
    hwsim_utils.test_connectivity(dev[0], hapd)
def test_ap_wpa2_eap_wildcard_ssid(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK and wildcard SSID"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # No ssid in the network block: the AP is selected by BSSID only.
    dev[0].connect(bssid=apdev[0]['bssid'], key_mgmt="WPA-EAP", eap="GPSK",
                   identity="gpsk user",
                   password="abcdefghijklmnop0123456789abcdef",
                   scan_freq="2412")
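def _find_wpas_pid(ifname):
    """Return the PID of the wpa_supplicant process whose ps(1) command line
    mentions *ifname*, or 0 when none is found."""
    cmd = subprocess.Popen(['ps', '-eo', 'pid,command'],
                           stdout=subprocess.PIPE)
    try:
        res = cmd.stdout.read().decode()
    finally:
        cmd.stdout.close()
        cmd.wait()
    pid = 0
    for p in res.splitlines():
        if "wpa_supplicant" not in p or ifname not in p:
            continue
        pid = int(p.strip().split(' ')[0])
    return pid


def _set_mac_address(ifname, mac):
    """Take *ifname* down, set its MAC address to *mac*, bring it back up.

    Needs root (ip link). Return codes are not checked here; callers verify
    the resulting address through wpa_supplicant instead.
    """
    subprocess.call(['ip', 'link', 'set', 'dev', ifname, 'down'])
    subprocess.call(['ip', 'link', 'set', 'dev', ifname, 'address', mac])
    subprocess.call(['ip', 'link', 'set', 'dev', ifname, 'up'])


def test_ap_wpa2_eap_psk_mac_addr_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK after MAC address change"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    pid = _find_wpas_pid(dev[0].ifname)
    if pid == 0:
        # os.kill(0, SIGSTOP) would stop every process in our own process
        # group, this test runner included, so refuse to go on without a
        # real PID instead of just logging it.
        raise Exception("Could not find wpa_supplicant PID")
    logger.info("wpa_supplicant PID %d" % pid)

    addr = dev[0].get_status_field("address")
    _set_mac_address(dev[0].ifname, '02:11:22:33:44:55')
    addr1 = dev[0].get_status_field("address")
    if addr1 != '02:11:22:33:44:55':
        raise Exception("Failed to change MAC address")

    # Scan using the externally set MAC address, stop the wpa_supplicant
    # process to avoid it from processing the ifdown event before the interface
    # is already UP, change the MAC address back, allow the wpa_supplicant
    # process to continue. This will result in the ifdown + ifup sequence of
    # RTM_NEWLINK events to be processed while the interface is already UP.
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
    os.kill(pid, signal.SIGSTOP)
    try:
        _set_mac_address(dev[0].ifname, addr)
    finally:
        # Never leave wpa_supplicant stopped if the ip(8) calls blow up.
        os.kill(pid, signal.SIGCONT)

    eap_connect(dev[0], hapd, "PSK", "psk.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")

    addr2 = dev[0].get_status_field("address")
    if addr != addr2:
        raise Exception("Failed to restore MAC address")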
def test_ap_wpa2_eap_server_get_id(dev, apdev):
    """Internal EAP server and dot1xAuthSessionUserName"""
    hapd = hostapd.add_ap(apdev[0], int_eap_server_params())
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    # With the internal EAP server the session user name is the EAP
    # identity that was authenticated.
    sta = hapd.get_sta(dev[0].own_addr())
    user = sta.get('dot1xAuthSessionUserName')
    if user is None:
        raise Exception("No dot1xAuthSessionUserName included")
    if user != "tls user":
        raise Exception("Unexpected dot1xAuthSessionUserName value: " + user)
def test_ap_wpa2_radius_server_get_id(dev, apdev):
    """External RADIUS server and dot1xAuthSessionUserName"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "TTLS", "test-user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # The station claims "test-user" but the AP must record "real-user":
    # presumably the User-Name the RADIUS server returns in Access-Accept,
    # i.e. the server-asserted identity wins over the client-claimed one.
    sta = hapd.get_sta(dev[0].own_addr())
    user = sta.get('dot1xAuthSessionUserName')
    if user is None:
        raise Exception("No dot1xAuthSessionUserName included")
    if user != "real-user":
        raise Exception("Unexpected dot1xAuthSessionUserName value: " + user)
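def test_openssl_systemwide_policy(dev, apdev, test_params):
    """OpenSSL systemwide policy and overrides"""
    prefix = "openssl_systemwide_policy"
    pidfile = os.path.join(test_params['logdir'], prefix + '.pid-wpas')
    try:
        with HWSimRadio() as (radio, iface):
            run_openssl_systemwide_policy(iface, apdev, test_params)
    finally:
        # The separately started wpa_supplicant TERMINATEs itself only on the
        # success path; make sure a failed or skipped run does not leave it
        # behind. Assumes a stale pidfile is not left after a clean exit --
        # verify against wpa_supplicant's pidfile handling.
        if os.path.exists(pidfile):
            with open(pidfile, 'r') as f:
                pid = int(f.read().strip())
            try:
                os.kill(pid, signal.SIGTERM)
            except OSError as e:
                logger.info("Could not terminate wpa_supplicant PID %d: %s"
                            % (pid, e))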
def write_openssl_cnf(cnf, MinProtocol=None, CipherString=None):
    """Write a minimal OpenSSL configuration file to *cnf*.

    The file installs a system-wide TLS policy section (openssl_conf ->
    default_conf -> ssl_conf -> system_default_sect) carrying the given
    MinProtocol and/or CipherString; a directive is omitted when its
    argument is falsy.
    """
    # NOTE(review): the intermediate section names were not legible in the
    # reviewed copy; any consistent chain of section names works for OpenSSL.
    lines = ["openssl_conf = default_conf",
             "[default_conf]",
             "ssl_conf = ssl_sect",
             "[ssl_sect]",
             "system_default = system_default_sect",
             "[system_default_sect]"]
    if MinProtocol:
        lines.append("MinProtocol = %s" % MinProtocol)
    if CipherString:
        lines.append("CipherString = %s" % CipherString)
    with open(cnf, "w") as f:
        f.write("\n".join(lines) + "\n")
def run_openssl_systemwide_policy(iface, apdev, test_params):
    """Start a separate wpa_supplicant under an OpenSSL system-wide policy
    of MinProtocol TLSv1.2 / SECLEVEL=2 and run EAP-TTLS against a server
    that only offers TLSv1.0.

    The first attempt must fail with a local TLS alert (policy enforced);
    a per-network override (openssl_ciphers=DEFAULT@SECLEVEL=1 plus
    tls_disable_tlsv1_0=0) must then let the connection succeed. The
    override deliberately weakens TLS settings for the sake of the test and
    is not a recommended configuration.

    Raises HwsimSkip when the supplicant is not built with OpenSSL or when
    the OpenSSL build does not honour the system-wide policy.
    """
    prefix = "openssl_systemwide_policy"
    logdir = test_params['logdir']
    logfile = os.path.join(logdir, prefix + '.log-wpas')
    pidfile = os.path.join(logdir, prefix + '.pid-wpas')
    conffile = os.path.join(logdir, prefix + '.conf')
    openssl_cnf = os.path.join(logdir, prefix + '.openssl.cnf')

    write_openssl_cnf(openssl_cnf, "TLSv1.2", "DEFAULT@SECLEVEL=2")

    with open(conffile, 'w') as f:
        f.write("ctrl_interface=DIR=/var/run/wpa_supplicant\n")

    # Server side: only TLSv1.0 left enabled, so the policy above cannot be
    # satisfied without an override.
    params = int_eap_server_params()
    params['tls_flags'] = "[DISABLE-TLSv1.1][DISABLE-TLSv1.2][DISABLE-TLSv1.3]"
    hostapd.add_ap(apdev[0], params)

    prg = os.path.join(logdir,
                       'alt-wpa_supplicant/wpa_supplicant/wpa_supplicant')
    if not os.path.exists(prg):
        prg = '../../wpa_supplicant/wpa_supplicant'
    # -K writes key material into the debug log; acceptable for this
    # throwaway test log, never for a production deployment.
    arg = [prg, '-BddtK', '-P', pidfile, '-f', logfile,
           '-Dnl80211', '-c', conffile, '-i', iface]
    logger.info("Start wpa_supplicant: " + str(arg))
    # Bare environment: only OPENSSL_CONF so the policy file is picked up.
    subprocess.call(arg, env={'OPENSSL_CONF': openssl_cnf})
    wpas = WpaSupplicant(ifname=iface)
    if "PONG" not in wpas.request("PING"):
        raise Exception("Could not PING wpa_supplicant")
    tls = wpas.request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("Not using OpenSSL")

    # Use default configuration without any TLS version overrides. This should
    # end up using OpenSSL systemwide policy and result in failure to find a
    # compatible protocol version.
    ca_file = os.path.join(os.getcwd(), "auth_serv/ca.pem")
    net_id = wpas.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                          identity="pap user", anonymous_identity="ttls",
                          password="password", phase2="auth=PAP",
                          ca_cert=ca_file,
                          scan_freq="2412", wait_connect=False)
    if wpas.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
        raise Exception("EAP not started")
    # NOTE(review): the timeout of this wait was not legible in the reviewed
    # copy; 1 s is used here.
    ev = wpas.wait_event(["CTRL-EVENT-EAP-STATUS status='local TLS alert'"],
                         timeout=1)
    if ev is None:
        raise HwsimSkip("OpenSSL systemwide policy not supported")
    wpas.request("DISCONNECT")
    wpas.wait_disconnected()

    # Explicitly allow TLSv1.0 to be used to override OpenSSL systemwide policy
    wpas.set_network_quoted(net_id, "openssl_ciphers", "DEFAULT@SECLEVEL=1")
    wpas.set_network_quoted(net_id, "phase1", "tls_disable_tlsv1_0=0")
    wpas.select_network(net_id, freq="2412")
    wpas.wait_connected()

    wpas.request("TERMINATE")
def test_ap_wpa2_eap_tls_tod(dev, apdev):
    """EAP-TLS server certificate validation and TOD"""
    # Server certificate carrying a certificate policy that the supplicant
    # reports as a TOD (Trust Override Disabled) policy in its peer
    # certificate events.
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-certpol.pem"
    params["private_key"] = "auth_serv/server-certpol.key"
    hostapd.add_ap(apdev[0], params)

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                   eap="TLS", identity="tls user",
                   wait_connect=False, scan_freq="2412",
                   ca_cert="auth_serv/ca.pem",
                   client_cert="auth_serv/user.pem",
                   private_key="auth_serv/user.key")
    # tod flag per chain depth: 0 = server certificate, 1 = its issuer.
    # Only events that carry a hash= field are taken into account.
    tod = {0: None, 1: None}
    while None in tod.values():
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT"], timeout=10)
        if ev is None:
            raise Exception("Peer certificate not reported")
        if "hash=" not in ev:
            continue
        for depth in tod:
            if "depth=%d " % depth in ev:
                tod[depth] = " tod=1" in ev
    dev[0].wait_connected()
    if not tod[0]:
        raise Exception("TOD policy not reported for server certificate")
    if tod[1]:
        raise Exception("TOD policy unexpectedly reported for CA certificate")