# -*- coding: utf-8 -*-
# WPA2-Enterprise tests
# Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
# This software may be distributed under the terms of the BSD license.
# See README for more details.
13 logger
= logging
.getLogger()
20 from utils
import HwsimSkip
, alloc_fail
, fail_test
, skip_with_fips
, wait_fail_trigger
21 from wpasupplicant
import WpaSupplicant
22 from test_ap_psk
import check_mib
, find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
def check_hlr_auc_gw_support():
    """Skip the current test when the hlr_auc_gw control socket is absent.

    The EAP-SIM/AKA/AKA' tests in this file call this first: without the
    HLR/AuC gateway behind /tmp/hlr_auc_gw.sock the authentication server
    cannot answer those methods, so the test is skipped instead of failed.

    Raises:
        HwsimSkip: if /tmp/hlr_auc_gw.sock does not exist.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
28 def check_eap_capa(dev
, method
):
29 res
= dev
.get_capability("eap")
31 raise HwsimSkip("EAP method %s not supported in the build" % method
)
def check_subject_match_support(dev):
    """Skip the current test unless the TLS library supports subject_match.

    The subject_match network option (a match against the server
    certificate's subject) is only exercised with an OpenSSL build; any
    other TLS library reported by "GET tls_library" leads to a skip.

    Args:
        dev: wpa_supplicant control object answering request().

    Raises:
        HwsimSkip: if the reported TLS library is not OpenSSL.
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + tls_lib)
def check_altsubject_match_support(dev):
    """Skip the current test unless the TLS library supports altsubject_match.

    altsubject_match (matching entries of the server certificate's
    subjectAltName) is only tested with an OpenSSL build.

    Args:
        dev: wpa_supplicant control object answering request().

    Raises:
        HwsimSkip: if the reported TLS library is not OpenSSL.
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls_lib)
def check_domain_match_full(dev):
    """Skip the current test when domain_suffix_match only allows a full match.

    Tests that rely on suffix (not full-name) matching of the server
    certificate's domain are only run with an OpenSSL build; other TLS
    libraries require the full name to match and are skipped here.

    Args:
        dev: wpa_supplicant control object answering request().

    Raises:
        HwsimSkip: if the reported TLS library is not OpenSSL.
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls_lib)
def check_cert_probe_support(dev):
    """Skip the current test unless server certificate probing is available.

    Certificate probing is supported with the OpenSSL build and with the
    internal TLS implementation; every other TLS library leads to a skip.

    Args:
        dev: wpa_supplicant control object answering request().

    Raises:
        HwsimSkip: if the reported TLS library is neither OpenSSL nor internal.
    """
    tls_lib = dev.request("GET tls_library")
    supported = tls_lib.startswith("OpenSSL") or tls_lib.startswith("internal")
    if supported:
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls_lib)
def check_ocsp_support(dev):
    """Skip the current test when the TLS library cannot do OCSP.

    Only the internal TLS implementation is treated as lacking OCSP
    support here; any other library reported by "GET tls_library" passes.

    Args:
        dev: wpa_supplicant control object answering request().

    Raises:
        HwsimSkip: if the reported TLS library is the internal one.
    """
    tls_lib = dev.request("GET tls_library")
    if not tls_lib.startswith("internal"):
        return
    raise HwsimSkip("OCSP not supported with this TLS library: " + tls_lib)
    #if "BoringSSL" in tls:
    #    raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
61 with
open(fname
, "r") as f
:
72 return base64
.b64decode(cert
)
74 def eap_connect(dev
, ap
, method
, identity
,
75 sha256
=False, expect_failure
=False, local_error_report
=False,
76 maybe_local_error
=False, **kwargs
):
77 hapd
= hostapd
.Hostapd(ap
['ifname'])
78 id = dev
.connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
79 eap
=method
, identity
=identity
,
80 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
82 eap_check_auth(dev
, method
, True, sha256
=sha256
,
83 expect_failure
=expect_failure
,
84 local_error_report
=local_error_report
,
85 maybe_local_error
=maybe_local_error
)
88 ev
= hapd
.wait_event([ "AP-STA-CONNECTED" ], timeout
=5)
90 raise Exception("No connection event received from hostapd")
93 def eap_check_auth(dev
, method
, initial
, rsn
=True, sha256
=False,
94 expect_failure
=False, local_error_report
=False,
95 maybe_local_error
=False):
96 ev
= dev
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
98 raise Exception("Association and EAP start timed out")
99 ev
= dev
.wait_event(["CTRL-EVENT-EAP-METHOD",
100 "CTRL-EVENT-EAP-FAILURE"], timeout
=10)
102 raise Exception("EAP method selection timed out")
103 if "CTRL-EVENT-EAP-FAILURE" in ev
:
104 if maybe_local_error
:
106 raise Exception("Could not select EAP method")
108 raise Exception("Unexpected EAP method")
110 ev
= dev
.wait_event(["CTRL-EVENT-EAP-FAILURE"])
112 raise Exception("EAP failure timed out")
113 ev
= dev
.wait_disconnected(timeout
=10)
114 if maybe_local_error
and "locally_generated=1" in ev
:
116 if not local_error_report
:
117 if "reason=23" not in ev
:
118 raise Exception("Proper reason code for disconnection not reported")
120 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
122 raise Exception("EAP success timed out")
125 ev
= dev
.wait_event(["CTRL-EVENT-CONNECTED"], timeout
=10)
127 ev
= dev
.wait_event(["WPA: Key negotiation completed"], timeout
=10)
129 raise Exception("Association with the AP timed out")
130 status
= dev
.get_status()
131 if status
["wpa_state"] != "COMPLETED":
132 raise Exception("Connection not completed")
134 if status
["suppPortStatus"] != "Authorized":
135 raise Exception("Port not authorized")
136 if method
not in status
["selectedMethod"]:
137 raise Exception("Incorrect EAP method status")
139 e
= "WPA2-EAP-SHA256"
141 e
= "WPA2/IEEE 802.1X/EAP"
143 e
= "WPA/IEEE 802.1X/EAP"
144 if status
["key_mgmt"] != e
:
145 raise Exception("Unexpected key_mgmt status: " + status
["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger an EAP re-authentication on *dev* and verify its outcome.

    Sends REAUTHENTICATE over the control interface and then runs
    eap_check_auth() with initial=False.  Only rsn, sha256 and
    expect_failure are forwarded; eap_check_auth()'s local_error_report and
    maybe_local_error keep their defaults.

    Args:
        dev: wpa_supplicant control object.
        method: expected EAP method name (e.g. "SIM", "TTLS").
        rsn: whether the AP is expected to use RSN (WPA2) key_mgmt.
        sha256: whether WPA-EAP-SHA256 key_mgmt is expected.
        expect_failure: whether the re-authentication is expected to fail.

    Returns:
        Whatever eap_check_auth() returns.
    """
    dev.request("REAUTHENTICATE")
    outcome = eap_check_auth(dev, method, False,
                             rsn=rsn, sha256=sha256,
                             expect_failure=expect_failure)
    return outcome
153 def test_ap_wpa2_eap_sim(dev
, apdev
):
154 """WPA2-Enterprise connection using EAP-SIM"""
155 check_hlr_auc_gw_support()
156 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
157 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
158 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
159 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
160 hwsim_utils
.test_connectivity(dev
[0], hapd
)
161 eap_reauth(dev
[0], "SIM")
163 eap_connect(dev
[1], apdev
[0], "SIM", "1232010000000001",
164 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
165 eap_connect(dev
[2], apdev
[0], "SIM", "1232010000000002",
166 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
169 logger
.info("Negative test with incorrect key")
170 dev
[0].request("REMOVE_NETWORK all")
171 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
172 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
175 logger
.info("Invalid GSM-Milenage key")
176 dev
[0].request("REMOVE_NETWORK all")
177 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
178 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
181 logger
.info("Invalid GSM-Milenage key(2)")
182 dev
[0].request("REMOVE_NETWORK all")
183 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
184 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
187 logger
.info("Invalid GSM-Milenage key(3)")
188 dev
[0].request("REMOVE_NETWORK all")
189 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
190 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
193 logger
.info("Invalid GSM-Milenage key(4)")
194 dev
[0].request("REMOVE_NETWORK all")
195 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
196 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
199 logger
.info("Missing key configuration")
200 dev
[0].request("REMOVE_NETWORK all")
201 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
204 def test_ap_wpa2_eap_sim_sql(dev
, apdev
, params
):
205 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
206 check_hlr_auc_gw_support()
210 raise HwsimSkip("No sqlite3 module available")
211 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
212 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
213 params
['auth_server_port'] = "1814"
214 hostapd
.add_ap(apdev
[0]['ifname'], params
)
215 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
216 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
218 logger
.info("SIM fast re-authentication")
219 eap_reauth(dev
[0], "SIM")
221 logger
.info("SIM full auth with pseudonym")
224 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
225 eap_reauth(dev
[0], "SIM")
227 logger
.info("SIM full auth with permanent identity")
230 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
231 cur
.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
232 eap_reauth(dev
[0], "SIM")
234 logger
.info("SIM reauth with mismatching MK")
237 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
238 eap_reauth(dev
[0], "SIM", expect_failure
=True)
239 dev
[0].request("REMOVE_NETWORK all")
241 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
242 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
245 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
246 eap_reauth(dev
[0], "SIM")
249 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
250 logger
.info("SIM reauth with mismatching counter")
251 eap_reauth(dev
[0], "SIM")
252 dev
[0].request("REMOVE_NETWORK all")
254 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
255 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
258 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
259 logger
.info("SIM reauth with max reauth count reached")
260 eap_reauth(dev
[0], "SIM")
262 def test_ap_wpa2_eap_sim_config(dev
, apdev
):
263 """EAP-SIM configuration options"""
264 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
265 hostapd
.add_ap(apdev
[0]['ifname'], params
)
266 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
267 identity
="1232010000000000",
268 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
269 phase1
="sim_min_num_chal=1",
270 wait_connect
=False, scan_freq
="2412")
271 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
273 raise Exception("No EAP error message seen")
274 dev
[0].request("REMOVE_NETWORK all")
276 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
277 identity
="1232010000000000",
278 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
279 phase1
="sim_min_num_chal=4",
280 wait_connect
=False, scan_freq
="2412")
281 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
283 raise Exception("No EAP error message seen (2)")
284 dev
[0].request("REMOVE_NETWORK all")
286 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
287 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
288 phase1
="sim_min_num_chal=2")
289 eap_connect(dev
[1], apdev
[0], "SIM", "1232010000000000",
290 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
291 anonymous_identity
="345678")
293 def test_ap_wpa2_eap_sim_ext(dev
, apdev
):
294 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
296 _test_ap_wpa2_eap_sim_ext(dev
, apdev
)
298 dev
[0].request("SET external_sim 0")
300 def _test_ap_wpa2_eap_sim_ext(dev
, apdev
):
301 check_hlr_auc_gw_support()
302 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
303 hostapd
.add_ap(apdev
[0]['ifname'], params
)
304 dev
[0].request("SET external_sim 1")
305 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
306 identity
="1232010000000000",
307 wait_connect
=False, scan_freq
="2412")
308 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
310 raise Exception("Network connected timed out")
312 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
314 raise Exception("Wait for external SIM processing request timed out")
316 if p
[1] != "GSM-AUTH":
317 raise Exception("Unexpected CTRL-REQ-SIM type")
318 rid
= p
[0].split('-')[3]
321 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
322 # This will fail during processing, but the ctrl_iface command succeeds
323 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTH:" + resp
)
324 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
326 raise Exception("EAP failure not reported")
327 dev
[0].request("DISCONNECT")
328 dev
[0].wait_disconnected()
331 dev
[0].select_network(id, freq
="2412")
332 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
334 raise Exception("Wait for external SIM processing request timed out")
336 if p
[1] != "GSM-AUTH":
337 raise Exception("Unexpected CTRL-REQ-SIM type")
338 rid
= p
[0].split('-')[3]
339 # This will fail during GSM auth validation
340 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:q"):
341 raise Exception("CTRL-RSP-SIM failed")
342 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
344 raise Exception("EAP failure not reported")
345 dev
[0].request("DISCONNECT")
346 dev
[0].wait_disconnected()
349 dev
[0].select_network(id, freq
="2412")
350 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
352 raise Exception("Wait for external SIM processing request timed out")
354 if p
[1] != "GSM-AUTH":
355 raise Exception("Unexpected CTRL-REQ-SIM type")
356 rid
= p
[0].split('-')[3]
357 # This will fail during GSM auth validation
358 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:34"):
359 raise Exception("CTRL-RSP-SIM failed")
360 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
362 raise Exception("EAP failure not reported")
363 dev
[0].request("DISCONNECT")
364 dev
[0].wait_disconnected()
367 dev
[0].select_network(id, freq
="2412")
368 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
370 raise Exception("Wait for external SIM processing request timed out")
372 if p
[1] != "GSM-AUTH":
373 raise Exception("Unexpected CTRL-REQ-SIM type")
374 rid
= p
[0].split('-')[3]
375 # This will fail during GSM auth validation
376 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677"):
377 raise Exception("CTRL-RSP-SIM failed")
378 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
380 raise Exception("EAP failure not reported")
381 dev
[0].request("DISCONNECT")
382 dev
[0].wait_disconnected()
385 dev
[0].select_network(id, freq
="2412")
386 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
388 raise Exception("Wait for external SIM processing request timed out")
390 if p
[1] != "GSM-AUTH":
391 raise Exception("Unexpected CTRL-REQ-SIM type")
392 rid
= p
[0].split('-')[3]
393 # This will fail during GSM auth validation
394 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:q"):
395 raise Exception("CTRL-RSP-SIM failed")
396 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
398 raise Exception("EAP failure not reported")
399 dev
[0].request("DISCONNECT")
400 dev
[0].wait_disconnected()
403 dev
[0].select_network(id, freq
="2412")
404 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
406 raise Exception("Wait for external SIM processing request timed out")
408 if p
[1] != "GSM-AUTH":
409 raise Exception("Unexpected CTRL-REQ-SIM type")
410 rid
= p
[0].split('-')[3]
411 # This will fail during GSM auth validation
412 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233"):
413 raise Exception("CTRL-RSP-SIM failed")
414 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
416 raise Exception("EAP failure not reported")
417 dev
[0].request("DISCONNECT")
418 dev
[0].wait_disconnected()
421 dev
[0].select_network(id, freq
="2412")
422 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
424 raise Exception("Wait for external SIM processing request timed out")
426 if p
[1] != "GSM-AUTH":
427 raise Exception("Unexpected CTRL-REQ-SIM type")
428 rid
= p
[0].split('-')[3]
429 # This will fail during GSM auth validation
430 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233:q"):
431 raise Exception("CTRL-RSP-SIM failed")
432 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
434 raise Exception("EAP failure not reported")
436 def test_ap_wpa2_eap_sim_oom(dev
, apdev
):
437 """EAP-SIM and OOM"""
438 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
439 hostapd
.add_ap(apdev
[0]['ifname'], params
)
440 tests
= [ (1, "milenage_f2345"),
441 (2, "milenage_f2345"),
442 (3, "milenage_f2345"),
443 (4, "milenage_f2345"),
444 (5, "milenage_f2345"),
445 (6, "milenage_f2345"),
446 (7, "milenage_f2345"),
447 (8, "milenage_f2345"),
448 (9, "milenage_f2345"),
449 (10, "milenage_f2345"),
450 (11, "milenage_f2345"),
451 (12, "milenage_f2345") ]
452 for count
, func
in tests
:
453 with
alloc_fail(dev
[0], count
, func
):
454 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
455 identity
="1232010000000000",
456 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
457 wait_connect
=False, scan_freq
="2412")
458 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
460 raise Exception("EAP method not selected")
461 dev
[0].wait_disconnected()
462 dev
[0].request("REMOVE_NETWORK all")
464 def test_ap_wpa2_eap_aka(dev
, apdev
):
465 """WPA2-Enterprise connection using EAP-AKA"""
466 check_hlr_auc_gw_support()
467 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
468 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
469 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
470 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
471 hwsim_utils
.test_connectivity(dev
[0], hapd
)
472 eap_reauth(dev
[0], "AKA")
474 logger
.info("Negative test with incorrect key")
475 dev
[0].request("REMOVE_NETWORK all")
476 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
477 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
480 logger
.info("Invalid Milenage key")
481 dev
[0].request("REMOVE_NETWORK all")
482 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
483 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
486 logger
.info("Invalid Milenage key(2)")
487 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
488 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
491 logger
.info("Invalid Milenage key(3)")
492 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
493 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
496 logger
.info("Invalid Milenage key(4)")
497 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
498 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
501 logger
.info("Invalid Milenage key(5)")
502 dev
[0].request("REMOVE_NETWORK all")
503 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
504 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
507 logger
.info("Invalid Milenage key(6)")
508 dev
[0].request("REMOVE_NETWORK all")
509 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
510 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
513 logger
.info("Missing key configuration")
514 dev
[0].request("REMOVE_NETWORK all")
515 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
518 def test_ap_wpa2_eap_aka_sql(dev
, apdev
, params
):
519 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
520 check_hlr_auc_gw_support()
524 raise HwsimSkip("No sqlite3 module available")
525 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
526 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
527 params
['auth_server_port'] = "1814"
528 hostapd
.add_ap(apdev
[0]['ifname'], params
)
529 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
530 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
532 logger
.info("AKA fast re-authentication")
533 eap_reauth(dev
[0], "AKA")
535 logger
.info("AKA full auth with pseudonym")
538 cur
.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
539 eap_reauth(dev
[0], "AKA")
541 logger
.info("AKA full auth with permanent identity")
544 cur
.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
545 cur
.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
546 eap_reauth(dev
[0], "AKA")
548 logger
.info("AKA reauth with mismatching MK")
551 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
552 eap_reauth(dev
[0], "AKA", expect_failure
=True)
553 dev
[0].request("REMOVE_NETWORK all")
555 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
556 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
559 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
560 eap_reauth(dev
[0], "AKA")
563 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
564 logger
.info("AKA reauth with mismatching counter")
565 eap_reauth(dev
[0], "AKA")
566 dev
[0].request("REMOVE_NETWORK all")
568 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
569 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
572 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
573 logger
.info("AKA reauth with max reauth count reached")
574 eap_reauth(dev
[0], "AKA")
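def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    # Like the other EAP-AKA tests in this file, a successful AKA
    # authentication needs the HLR/AuC gateway; skip rather than fail
    # when it is not available.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Exercises the anonymous_identity option: that value is presented as
    # the outer EAP identity instead of the permanent identity.
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                anonymous_identity="2345678")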
584 def test_ap_wpa2_eap_aka_ext(dev
, apdev
):
585 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
587 _test_ap_wpa2_eap_aka_ext(dev
, apdev
)
589 dev
[0].request("SET external_sim 0")
591 def _test_ap_wpa2_eap_aka_ext(dev
, apdev
):
592 check_hlr_auc_gw_support()
593 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
594 hostapd
.add_ap(apdev
[0]['ifname'], params
)
595 dev
[0].request("SET external_sim 1")
596 id = dev
[0].connect("test-wpa2-eap", eap
="AKA", key_mgmt
="WPA-EAP",
597 identity
="0232010000000000",
598 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
599 wait_connect
=False, scan_freq
="2412")
600 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
602 raise Exception("Network connected timed out")
604 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
606 raise Exception("Wait for external SIM processing request timed out")
608 if p
[1] != "UMTS-AUTH":
609 raise Exception("Unexpected CTRL-REQ-SIM type")
610 rid
= p
[0].split('-')[3]
613 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
614 # This will fail during processing, but the ctrl_iface command succeeds
615 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
616 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
618 raise Exception("EAP failure not reported")
619 dev
[0].request("DISCONNECT")
620 dev
[0].wait_disconnected()
622 dev
[0].dump_monitor()
624 dev
[0].select_network(id, freq
="2412")
625 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
627 raise Exception("Wait for external SIM processing request timed out")
629 if p
[1] != "UMTS-AUTH":
630 raise Exception("Unexpected CTRL-REQ-SIM type")
631 rid
= p
[0].split('-')[3]
632 # This will fail during UMTS auth validation
633 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:112233445566778899aabbccddee"):
634 raise Exception("CTRL-RSP-SIM failed")
635 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
637 raise Exception("Wait for external SIM processing request timed out")
639 if p
[1] != "UMTS-AUTH":
640 raise Exception("Unexpected CTRL-REQ-SIM type")
641 rid
= p
[0].split('-')[3]
642 # This will fail during UMTS auth validation
643 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:12"):
644 raise Exception("CTRL-RSP-SIM failed")
645 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
647 raise Exception("EAP failure not reported")
648 dev
[0].request("DISCONNECT")
649 dev
[0].wait_disconnected()
651 dev
[0].dump_monitor()
653 tests
= [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
655 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
656 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
657 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
658 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
659 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
661 dev
[0].select_network(id, freq
="2412")
662 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
664 raise Exception("Wait for external SIM processing request timed out")
666 if p
[1] != "UMTS-AUTH":
667 raise Exception("Unexpected CTRL-REQ-SIM type")
668 rid
= p
[0].split('-')[3]
669 # This will fail during UMTS auth validation
670 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ t
):
671 raise Exception("CTRL-RSP-SIM failed")
672 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
674 raise Exception("EAP failure not reported")
675 dev
[0].request("DISCONNECT")
676 dev
[0].wait_disconnected()
678 dev
[0].dump_monitor()
680 def test_ap_wpa2_eap_aka_prime(dev
, apdev
):
681 """WPA2-Enterprise connection using EAP-AKA'"""
682 check_hlr_auc_gw_support()
683 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
684 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
685 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
686 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
687 hwsim_utils
.test_connectivity(dev
[0], hapd
)
688 eap_reauth(dev
[0], "AKA'")
690 logger
.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
691 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="AKA' AKA",
692 identity
="6555444333222111@both",
693 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
694 wait_connect
=False, scan_freq
="2412")
695 dev
[1].wait_connected(timeout
=15)
697 logger
.info("Negative test with incorrect key")
698 dev
[0].request("REMOVE_NETWORK all")
699 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
700 password
="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
703 def test_ap_wpa2_eap_aka_prime_sql(dev
, apdev
, params
):
704 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
705 check_hlr_auc_gw_support()
709 raise HwsimSkip("No sqlite3 module available")
710 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
711 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
712 params
['auth_server_port'] = "1814"
713 hostapd
.add_ap(apdev
[0]['ifname'], params
)
714 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
715 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
717 logger
.info("AKA' fast re-authentication")
718 eap_reauth(dev
[0], "AKA'")
720 logger
.info("AKA' full auth with pseudonym")
723 cur
.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
724 eap_reauth(dev
[0], "AKA'")
726 logger
.info("AKA' full auth with permanent identity")
729 cur
.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
730 cur
.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
731 eap_reauth(dev
[0], "AKA'")
733 logger
.info("AKA' reauth with mismatching k_aut")
736 cur
.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
737 eap_reauth(dev
[0], "AKA'", expect_failure
=True)
738 dev
[0].request("REMOVE_NETWORK all")
740 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
741 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
744 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
745 eap_reauth(dev
[0], "AKA'")
748 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
749 logger
.info("AKA' reauth with mismatching counter")
750 eap_reauth(dev
[0], "AKA'")
751 dev
[0].request("REMOVE_NETWORK all")
753 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
754 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
757 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
758 logger
.info("AKA' reauth with max reauth count reached")
759 eap_reauth(dev
[0], "AKA'")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # The first AKM in the AP's reported key_mgmt must be WPA-EAP.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # PAP carries the inner password unencrypted inside the TTLS tunnel, so
    # ca_cert is what protects it: the tunnel is only established to a
    # server whose certificate chains to the test CA.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the IEEE 802.1X (EAP) AKM suite selector.
    expected_mib = [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")]
    check_mib(dev[0], expected_mib)
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    sta = dev[0]
    check_subject_match_support(sta)
    check_altsubject_match_support(sta)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Beyond chaining to the test CA, the server certificate also has to
    # match the configured subject string and at least one of the listed
    # subjectAltName entries before the tunnel (and the PAP password
    # inside it) is established.
    eap_connect(sta, apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_reauth(sta, "TTLS")
789 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev
, apdev
):
790 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
791 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
792 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
793 eap_connect(dev
[0], apdev
[0], "TTLS", "pap user",
794 anonymous_identity
="ttls", password
="wrong",
795 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
797 eap_connect(dev
[1], apdev
[0], "TTLS", "user",
798 anonymous_identity
="ttls", password
="password",
799 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    sta = dev[0]
    # CHAP is skipped under FIPS, presumably because its MD5-based
    # challenge/response is unavailable there.
    skip_with_fips(sta)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # This variant points ca_cert at the DER-encoded copy of the test CA.
    eap_connect(sta, apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
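def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and altsubject_match"""
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The server certificate must chain to the DER-encoded test CA and carry
    # at least one of the listed subjectAltName entries; the entry order
    # differs from the PAP variant on purpose, so matching must not depend
    # on position.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
    eap_reauth(dev[0], "TTLS")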
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # NOTE(review): the closing expect_failure=True line of each call is not
    # present in this rendering; reconstructed from the negative-test intent.
    for sta, identity, passwd in ((dev[0], "chap user", "wrong"),
                                  (dev[1], "user", "password")):
        eap_connect(sta, apdev[0], "TTLS", identity,
                    anonymous_identity="ttls", password=passwd,
                    ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                    expect_failure=True)
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    skip_with_fips(dev[0])
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # First pass: server identity additionally pinned by domain suffix.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
    dev[0].request("REMOVE_NETWORK all")
    # Second pass with a small EAP fragment size to exercise fragmentation.
    # NOTE(review): the last argument line is not present in this rendering;
    # fragment_size="200" reconstructed — confirm against upstream.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                fragment_size="200")
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Three rejection cases: wrong password, an identity presumably not
    # provisioned for MSCHAP, and an unknown user.
    # NOTE(review): the closing expect_failure=True line of each call is not
    # present in this rendering; reconstructed from the negative-test intent.
    for sta, identity, passwd in ((dev[0], "mschap user", "wrong"),
                                  (dev[1], "user", "password"),
                                  (dev[2], "no such user", "password")):
        eap_connect(sta, apdev[0], "TTLS", identity,
                    anonymous_identity="ttls", password=passwd,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                    expect_failure=True)
def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ap = hostapd.Hostapd(apdev[0]['ifname'])
    # "DOMAIN\m..." — \m is not an escape, so the backslash is kept literally.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], ap)

    # Snapshot the AP-side 802.1X counters around a reauthentication and
    # require each of them to have moved.
    addr = dev[0].p2p_interface_addr()
    sta_before = ap.get_sta(addr)
    eapol_before = ap.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta_after = ap.get_sta(addr)
    eapol_after = ap.get_sta(addr, info="eapol")
    if int(sta_after['dot1xAuthEapolFramesRx']) <= int(sta_before['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol_after['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol_after['backendAuthSuccesses']) <= int(eapol_before['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    # MSCHAPv2 only needs the NT hash of the password, so the same user must
    # also authenticate with the password supplied in hash form.
    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and domain suffix match"""
    # A parent-domain suffix ("w1.fi") is only accepted by TLS libraries that
    # implement suffix matching rather than full-name matching.
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ap = hostapd.Hostapd(apdev[0]['ifname'])
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ap = hostapd.Hostapd(apdev[0]['ifname'])
    # Full-name match; the mixed case in "Server.w1.fi" presumably exercises
    # case-insensitive DNS name comparison — confirm against the matcher.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # NOTE(review): the closing expect_failure=True line of each call is not
    # present in this rendering; reconstructed from the negative-test intent.
    for sta, identity, passwd in ((dev[0], "DOMAIN\mschapv2 user", "password1"),
                                  (dev[1], "user", "password")):
        eap_connect(sta, apdev[0], "TTLS", identity,
                    anonymous_identity="ttls", password=passwd,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    expect_failure=True)
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hostapd.Hostapd(apdev[0]['ifname'])
    # Non-ASCII password given as clear text ...
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                anonymous_identity="ttls", password="secret-åäö-€-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # ... and the same kind of credential supplied as an NT-hash value.
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                anonymous_identity="ttls",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # Malformed password_hex inputs (presumably invalid UTF-8 sequences and an
    # over-long value) must produce an EAP failure rather than a connection.
    # NOTE(review): the "if ev is None" guard is not present in this rendering
    # and is reconstructed from the exception that follows it.
    for bad_hex in ["80", "41c041e04141e041", 257*"41"]:
        dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="TTLS", identity="utf8-user-hash",
                       anonymous_identity="ttls", password_hex=bad_hex,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        event = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1)
        if event is None:
            raise Exception("No failure reported")
        dev[2].request("REMOVE_NETWORK all")
        dev[2].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "autheap=" selects an EAP method (here GTC) inside the TTLS tunnel,
    # as opposed to the non-EAP "auth=" inner methods used elsewhere.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # NOTE(review): the closing expect_failure=True line is not present in
    # this rendering; reconstructed from the negative-test intent.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" presumably has no password on the server side, so a
    # password-based inner method cannot succeed for it.
    # NOTE(review): the closing expect_failure=True line is not present in
    # this rendering; reconstructed from the negative-test intent.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
    ap = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    # Allocation failure injected into the server's eap_gtc_init(): the
    # exchange must fail cleanly instead of crashing the authenticator.
    with alloc_fail(ap, 1, "eap_gtc_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # Second injection point, eap_gtc_buildReq(). This would eventually time
    # out, but we can stop after having reached the allocation failure; a
    # GET_ALLOC_FAIL reply starting with '0' presumably means the pending
    # failure has been consumed.
    with alloc_fail(ap, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       wait_connect=False, scan_freq="2412")
        # NOTE(review): the poll-loop header and its break are not present in
        # this rendering; reconstructed as 20 x 0.1 s — confirm upstream.
        for _ in range(20):
            time.sleep(0.1)
            if ap.request("GET_ALLOC_FAIL").startswith('0'):
                break
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    # EAP-MD5 is an optional build-time method on the supplicant side.
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A wrong password must be rejected by the inner EAP-MD5 exchange.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" presumably has no server-side password; EAP-MD5
    # must then fail rather than accept an arbitrary supplicant password.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    # Allocation failure in the server's eap_md5_init(): expect a clean
    # authentication failure.
    with alloc_fail(ap, 1, "eap_md5_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # Second injection point, eap_md5_buildReq(). This would eventually time
    # out, but we can stop after having reached the allocation failure.
    with alloc_fail(ap, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                       wait_connect=False, scan_freq="2412")
        # NOTE(review): the poll-loop header and its break are not present in
        # this rendering; reconstructed as 20 x 0.1 s — confirm upstream.
        for _ in range(20):
            time.sleep(0.1)
            if ap.request("GET_ALLOC_FAIL").startswith('0'):
                break
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                 phase2="autheap=MSCHAPV2")
    # Positive path: connect, verify data plane, reauthenticate.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity=inner["anonymous_identity"],
                password="password",
                ca_cert=inner["ca_cert"], phase2=inner["phase2"])
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")

    # Negative path on the same station: one-character password change.
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity=inner["anonymous_identity"],
                password="password1",
                ca_cert=inner["ca_cert"], phase2=inner["phase2"],
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" presumably has no server-side password; the inner
    # MSCHAPv2 exchange must fail for it.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())

    # Allocation failure in the server's eap_mschapv2_init(): clean failure.
    with alloc_fail(ap, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # Three further injection points inside the MSCHAPv2 server state
    # machine. The failure-request path needs a wrong password to be reached.
    # Each attempt would eventually time out, but we can stop after having
    # reached the allocation failure.
    # NOTE(review): the poll-loop header and its break are not present in
    # this rendering; reconstructed as 20 x 0.1 s — confirm upstream.
    injection_points = (("eap_mschapv2_build_challenge", "password"),
                        ("eap_mschapv2_build_success_req", "password"),
                        ("eap_mschapv2_build_failure_req", "wrong"))
    for func, passwd in injection_points:
        with alloc_fail(ap, 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="TTLS", identity="user",
                           anonymous_identity="ttls", password=passwd,
                           ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                           wait_connect=False, scan_freq="2412")
            for _ in range(20):
                time.sleep(0.1)
                if ap.request("GET_ALLOC_FAIL").startswith('0'):
                    break
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The leading '0' marks an EAP-AKA permanent identity; the password is
    # the Milenage test credential in Ki:OPc:SQN form (see wpa_supplicant.conf).
    aka_secret = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000",
                anonymous_identity="0232010000000000@ttls",
                password=aka_secret,
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same Milenage credential as the TTLS variant, tunnelled in PEAP.
    aka_secret = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000",
                anonymous_identity="0232010000000000@peap",
                password=aka_secret,
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=2 requests authenticated PAC provisioning; the PAC is
    # kept in a named configuration blob rather than a file.
    aka_secret = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "FAST", "0232010000000000",
                anonymous_identity="0232010000000000@fast",
                password=aka_secret,
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]

    # 1. Plain connection, data-plane check, reauthentication.
    eap_connect(sta, apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "PEAP")

    # 2. Same credentials with a small EAP fragment size.
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                fragment_size="200")

    # 3. Password supplied as its NT hash (sufficient for MSCHAPv2).
    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PEAP", "user",
                anonymous_identity="peap",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    # 4. Wrong password must be rejected.
    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Identity carries a DOMAIN\ prefix (\u is not an escape; the backslash
    # is literal), exercising domain handling in the inner MSCHAPv2 method.
    eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong inner password: the PEAP exchange must end in failure.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # PEAPv0 crypto binding ties the inner method to the outer TLS tunnel;
    # crypto_binding=2 requires it, 1 makes it optional, 0 disables it.
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peapver=0 crypto_binding=2",
                phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    # The weaker settings must still interoperate with the same server.
    for sta, binding in ((dev[1], "1"), (dev[2], "0")):
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=" + binding,
                    phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    # Failing eap_mschapv2_getKey() on the server leaves it without the inner
    # key material that crypto binding needs; with binding required the
    # attempt must fail. local_error_report is passed through to eap_connect
    # (its exact effect is defined there, outside this view).
    with alloc_fail(ap, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # peaplabel=1 with PEAPv0 is expected to be rejected by this server.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # Both peap_outer_success modes must still connect.
    for sta, mode in ((dev[1], "1"), (dev[2], "2")):
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peap_outer_success=" + mode,
                    phase2="auth=MSCHAPV2")

    # PEAPv1 with peaplabel=1: EAP itself succeeds, but the derived keys do
    # not match the AP's, so no connection may follow within the grace period.
    # NOTE(review): the identity="user" line and both "if ev ..." guards are
    # not present in this rendering; reconstructed from the exceptions.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412")
    event = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    if event is None:
        raise Exception("No EAP success seen")
    event = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
    if event is not None:
        raise Exception("Unexpected connection")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Inner EAP-TLS uses the *2 variants of the certificate parameters; the
    # outer tunnel keeps using ca_cert.
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                ca_cert2="auth_serv/ca.pem",
                client_cert2="auth_serv/user.pem",
                private_key2="auth_serv/user.key")
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Certificate-based client authentication; no password involved.
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    eap_reauth(dev[0], "TLS")
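def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def set_blob(name, data):
        # Store PEM material as a named wpa_supplicant blob (hex-encoded on
        # the control interface). Fix: the error for the "userkey" blob used
        # to say "cacert", which misdirected debugging of a failed key load.
        if "OK" not in dev[0].request("SET blob " + name + " " + data.encode("hex")):
            raise Exception("Could not set %s blob" % name)

    set_blob("cacert", read_pem("auth_serv/ca.pem"))
    set_blob("usercert", read_pem("auth_serv/user.pem"))
    set_blob("userkey", read_pem("auth_serv/user.rsa-key"))
    # All three credentials are then referenced by blob:// URIs only.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")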
def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]

    # 1. Client cert + key from a PKCS#12 bundle, passphrase in the config.
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()

    # 2. No passphrase configured: the supplicant must ask for it over the
    #    control interface (CTRL-REQ-PASSPHRASE-<id>) and accept the reply.
    # NOTE(review): the "if ev is None" guard is not present in this rendering
    # and is reconstructed from the exception that follows it.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                identity="tls user",
                ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                wait_connect=False, scan_freq="2412")
    event = sta.wait_event(["CTRL-REQ-PASSPHRASE"])
    if event is None:
        raise Exception("Request for private key passphrase timed out")
    req_id = event.split(':')[0].split('-')[-1]
    sta.request("CTRL-RSP-PASSPHRASE-" + req_id + ":whatever")
    sta.wait_connected(timeout=10)
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()

    # 3. Run this twice to verify certificate chain handling with OpenSSL. Use
    #    two different files to cover both cases of the extra certificate being
    #    the one that signed the client certificate and it being unrelated to
    #    the client certificate.
    # NOTE(review): the inner "for i in range(2)" header and the
    # private_key=<bundle> argument line are not present in this rendering;
    # reconstructed from the comment above — confirm against upstream.
    for p12_file in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
        for _ in range(2):
            eap_connect(sta, apdev[0], "TLS", "tls user",
                        ca_cert="auth_serv/ca.pem",
                        private_key=p12_file,
                        private_key_passwd="whatever")
            sta.request("REMOVE_NETWORK all")
            sta.wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Trust root as a blob ...
    ca_pem = read_pem("auth_serv/ca.pem")
    if "OK" not in dev[0].request("SET blob cacert " + ca_pem.encode("hex")):
        raise Exception("Could not set cacert blob")
    # ... and the binary PKCS#12 bundle read raw and hex-encoded the same way.
    with open("auth_serv/user.pkcs12", "rb") as p12:
        p12_hex = p12.read().encode("hex")
    if "OK" not in dev[0].request("SET blob pkcs12 " + p12_hex):
        raise Exception("Could not set pkcs12 blob")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # Wrong CA provided two ways: as a configuration blob (dev[0]) and as a
    # file path (dev[1]). Both must refuse the server certificate, so the
    # inner MSCHAPv2 credentials are presumably never sent.
    bad_ca = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + bad_ca.encode("hex")):
        raise Exception("Could not set cacert blob")
    for sta, ca in ((dev[0], "blob://cacert"),
                    (dev[1], "auth_serv/ca-incorrect.pem")):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                    password="password", phase2="auth=MSCHAPV2",
                    ca_cert=ca,
                    wait_connect=False, scan_freq="2412")

    # NOTE(review): the "if ev is None" guards are not present in this
    # rendering; each is reconstructed from the exception that follows it.
    def wait_for(sta, events, timeout_msg):
        event = sta.wait_event(events, timeout=10)
        if event is None:
            raise Exception(timeout_msg)
        return event

    # Loop variable deliberately not named "dev" so the parameter is not
    # rebound.
    for sta in (dev[0], dev[1]):
        wait_for(sta, ["CTRL-EVENT-EAP-STARTED"],
                 "Association and EAP start timed out")

        event = wait_for(sta, ["CTRL-EVENT-EAP-METHOD"],
                         "EAP method selection timed out")
        if "TTLS" not in event:
            raise Exception("Unexpected EAP method")

        # The very first outcome must be the certificate error, not any
        # success/failure/connection event.
        event = wait_for(sta, ["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                               "CTRL-EVENT-EAP-SUCCESS",
                               "CTRL-EVENT-EAP-FAILURE",
                               "CTRL-EVENT-CONNECTED",
                               "CTRL-EVENT-DISCONNECTED"],
                         "EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in event:
            raise Exception("TLS certificate error not reported")

        event = wait_for(sta, ["CTRL-EVENT-EAP-SUCCESS",
                               "CTRL-EVENT-EAP-FAILURE",
                               "CTRL-EVENT-CONNECTED",
                               "CTRL-EVENT-DISCONNECTED"],
                         "EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in event:
            raise Exception("EAP failure not reported")

        event = wait_for(sta, ["CTRL-EVENT-CONNECTED",
                               "CTRL-EVENT-DISCONNECTED"],
                         "EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in event:
            raise Exception("Disconnection not reported")

        # The supplicant must also temporarily disable the network block
        # rather than retry the untrusted server indefinitely.
        wait_for(sta, ["CTRL-EVENT-SSID-TEMP-DISABLED"],
                 "Network block disabling not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    # Network 1 trusts the right CA and connects.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="pap user", anonymous_identity="ttls",
                password="password", phase2="auth=PAP",
                ca_cert="auth_serv/ca.pem",
                wait_connect=True, scan_freq="2412")
    # Network 2 is identical apart from the wrong trust root and is only
    # added, not selected yet.
    wrong_ca_id = sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                              identity="pap user", anonymous_identity="ttls",
                              password="password", phase2="auth=PAP",
                              ca_cert="auth_serv/ca-incorrect.pem",
                              only_add_network=True, scan_freq="2412")

    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()
    sta.select_network(wrong_ca_id, freq="2412")

    # A fresh EAP-TTLS run (method 21) must start — i.e. the earlier
    # session/PMK for the same SSID must not be reused across a network
    # block with different trust settings — and it must end with
    # disconnection reason 23 (IEEE 802.1X authentication failed).
    # NOTE(review): the "if ev is None" guard is not present in this rendering
    # and is reconstructed from the exception that follows it.
    event = sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if event is None:
        raise Exception("EAP-TTLS not re-started")

    event = sta.wait_disconnected(timeout=15)
    if "reason=23" not in event:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    # Variant of diff_ca_trust: the first network has *no* ca_cert at all
    # (server certificate not validated), the second one a wrong trust root.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="pap user", anonymous_identity="ttls",
                password="password", phase2="auth=PAP",
                wait_connect=True, scan_freq="2412")
    wrong_ca_id = sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                              identity="pap user", anonymous_identity="ttls",
                              password="password", phase2="auth=PAP",
                              ca_cert="auth_serv/ca-incorrect.pem",
                              only_add_network=True, scan_freq="2412")

    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()
    sta.select_network(wrong_ca_id, freq="2412")

    # Switching to the stricter network block must trigger a new EAP-TTLS
    # run (method 21) that fails with reason 23 (IEEE 802.1X auth failed).
    # NOTE(review): the "if ev is None" guard is not present in this rendering
    # and is reconstructed from the exception that follows it.
    event = sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if event is None:
        raise Exception("EAP-TTLS not re-started")

    event = sta.wait_disconnected(timeout=15)
    if "reason=23" not in event:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    # Single network block: connect with the right CA, then swap in the
    # wrong one with SET_NETWORK and re-select the same block.
    net_id = sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                         identity="pap user", anonymous_identity="ttls",
                         password="password", phase2="auth=PAP",
                         ca_cert="auth_serv/ca.pem",
                         wait_connect=True, scan_freq="2412")
    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()
    sta.set_network_quoted(net_id, "ca_cert", "auth_serv/ca-incorrect.pem")
    sta.select_network(net_id, freq="2412")

    # Changing the trust root must invalidate any cached TLS session so a
    # full EAP-TTLS run (method 21) happens and fails with reason 23
    # (IEEE 802.1X authentication failed).
    # NOTE(review): the "if ev is None" guard is not present in this rendering
    # and is reconstructed from the exception that follows it.
    event = sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if event is None:
        raise Exception("EAP-TTLS not re-started")

    event = sta.wait_disconnected(timeout=15)
    if "reason=23" not in event:
        raise Exception("Proper reason code for disconnection not reported")
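def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch.

    The server chain validates against ca.pem, so the only reason to reject
    it is the domain_suffix_match constraint.  The expected sequence is
    TLS-CERT-ERROR -> EAP-FAILURE -> DISCONNECTED -> SSID-TEMP-DISABLED;
    an EAP-SUCCESS anywhere in that sequence would mean phase 2 (and the
    MSCHAPv2 credentials) ran against a server whose name was not accepted.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Raw string: "\m" is not a valid escape and warns on current Python;
    # the value is byte-identical to the non-raw form.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity=r"DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    # wait_event() returns None when the timeout expires.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The first outcome must be the certificate error itself; any of the
    # other events arriving first is a failure of the check.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    # After the certificate error the method must terminate in EAP failure.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # A rejected server must also trip the temporary disable of the network
    # block so the station does not keep retrying the same AP.
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")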
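def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch.

    Same shape as the suffix-mismatch test but with domain_match, which
    requires the server's domain to match in full rather than by suffix.
    The chain itself validates against ca.pem, so the rejection must come
    from the name check and must end in EAP failure, disconnection and a
    temporarily disabled network block - never in EAP success.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Raw string: "\m" is not a valid escape; value unchanged.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity=r"DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    # wait_event() returns None on timeout.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The certificate error must be the first outcome reported.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    # ...followed by EAP failure, not success.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # The rejected profile must be temporarily disabled (no retry storm).
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")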
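def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch.

    subject_match is only implemented for OpenSSL builds.  With any other
    TLS library the EAP method refuses to initialize, which is accepted
    here as a safe (fail-closed) outcome.  With OpenSSL the server chain
    validates against ca.pem, so the rejection has to come from the
    subject check and must end in EAP failure, disconnection and a
    temporarily disabled network block.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Raw string: "\m" is not a valid escape; value unchanged.  The CN in
    # subject_match is chosen not to appear in the test server's subject.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity=r"DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    # wait_event() returns None on timeout.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            # OpenSSL supports subject_match, so init failure is a real bug.
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The certificate error must be the first outcome reported.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    # ...followed by EAP failure, never success.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")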
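def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch.

    Runs the per-value helper once for every altsubject_match string
    that must NOT match the server certificate's subjectAltName.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # NOTE(review): this listing shows only the first two entries of the
    # list; check the repository for further values before relying on it.
    tests = ["incorrect.example.com",
             "DNS:incorrect.example.com"]
    for match in tests:
        _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)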
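def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one altsubject-mismatch round with ``match`` as altsubject_match.

    Non-OpenSSL builds do not implement altsubject_match; there the EAP
    method fails to initialize, which is accepted as a safe outcome.
    Otherwise the chain validates against ca.pem and the only rejection
    reason is the altSubjectName check, which must lead to EAP failure,
    disconnection and a temporarily disabled network block.  The network
    block is removed at the end so the caller can loop over values.
    """
    # Raw string: "\m" is not a valid escape; value unchanged.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity=r"DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    # wait_event() returns None on timeout.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            # OpenSSL supports altsubject_match, so this is a real failure.
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The certificate error must be the first outcome reported.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    # ...followed by EAP failure, never success.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")

    dev[0].request("REMOVE_NETWORK all")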
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS.

    The server is still validated against ca_cert; "unauth" refers to the
    station side, which presents no client certificate here (presumably
    what the unauth-tls user entry expects - verify in eap_user.conf).
    """
    ifname = apdev[0]['ifname']
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ifname, ap_params)
    # Initial authentication, then a forced re-authentication round.
    eap_connect(dev[0], apdev[0], "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], "UNAUTH-TLS")
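def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash.

    Three steps: (1) ca_cert="probe://" reports the server certificate's
    SHA-256 hash and then fails the connection on purpose; (2) pinning a
    wrong hash must be rejected even though the chain is otherwise fine;
    (3) pinning the right hash connects without any CA configured.
    """
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    # SHA-256 fingerprint of the test AP's server certificate, as the
    # probe below is expected to report it.
    srv_cert_hash = "e75bd454c7b02d312e5006d75067c28ffa5baea422effeb2bbd572179cd000ca"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Step 1: probe.  This never yields an authenticated connection; the
    # peer is expected to disconnect with a "chain probe" cert error.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    # wait_event() returns None on timeout.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 2: wrong pin -> "Server certificate mismatch" and disconnect.
    # NOTE(review): a hash learned over the air via probe:// is only as
    # trustworthy as that first contact; confirm it out of band before
    # provisioning it as a pin.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity=r"DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 3: correct pin -> full EAP-TTLS/MSCHAPv2 connection.
    eap_connect(dev[0], apdev[0], "TTLS", r"DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")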
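def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config).

    Three malformed hash://server/ pins are configured on three stations.
    Each must make the EAP method fail to initialize - i.e. be rejected
    before any TLS exchange - rather than being silently accepted or
    ignored.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    bad_pins = [
        # unsupported digest algorithm (only sha256 is meaningful here)
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        # digest one byte too short for SHA-256
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        # non-hex character in the digest
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    # Start all three attempts first, then collect the results.
    for sta, pin in zip(dev, bad_pins):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity=r"DOMAIN\mschapv2 user", anonymous_identity="ttls",
                    password="password", phase2="auth=MSCHAPV2",
                    ca_cert=pin,
                    wait_connect=False, scan_freq="2412")
    for sta, pin in zip(dev, bad_pins):
        # wait_event() returns None on timeout.
        ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = sta.wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"],
                            timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")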
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd.

    Covers: plain connection plus re-authentication, a very long NAI
    identity (forces fragmentation on the peer side), and a negative run
    with a wrong password that must fail.
    """
    check_eap_capa(dev[0], "PWD")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
    # NOTE(review): one line of this call is missing from the listing
    # (presumably the remaining keyword argument and the closing
    # parenthesis) - restore it from the repository before running.

    # Wrong password: EAP-pwd is a PAKE, so the failure is detected locally
    # by the peer (local_error_report) rather than only by the server.
    logger.info("Negative test with incorrect password")
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

    eap_connect(dev[0], apdev[0], "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
    # NOTE(review): the end of this call is also missing from the listing;
    # restore from the repository.
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash.

    The "pwd-hash" user authenticates either with the clear-text password
    or with its NT hash given as password_hex="hash:<hex>".  The same hash
    must be rejected for "pwd user", whose server-side entry is evidently
    not provisioned for hash-based login.
    """
    check_eap_capa(dev[0], "PWD")
    # The NT hash is MD4 based, which a FIPS build does not provide.
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    nt_hash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    # Clear-text password path.
    eap_connect(dev[0], apdev[0], "PWD", "pwd-hash", password="secret password")
    # Hash-only path: whoever holds the NT hash holds the credential, so a
    # stored hash needs the same protection as the password itself.
    eap_connect(dev[1], apdev[0], "PWD", "pwd-hash", password_hex=nt_hash)
    # Negative: the hash is not a valid credential for a different user.
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password_hex=nt_hash,
                expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups.

    The server is restarted once per group id; each round must connect,
    except that a group-25 failure is tolerated on BoringSSL builds.
    """
    check_eap_capa(dev[0], "PWD")
    tls = dev[0].request("GET tls_library")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    # Group ids from the IANA IKE DH-group registry that EAP-pwd uses:
    # 19/20/21 are the NIST P-256/384/521 curves; 25/26 are the smaller
    # 192/224-bit curves (weak by today's standards - consider whether a
    # production server should offer them); 27-30 are Brainpool.
    groups = [ 19, 20, 21, 25, 26 ]
    if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
        logger.info("Add Brainpool EC groups since OpenSSL is new enough")
        groups += [ 27, 28, 29, 30 ]
    # NOTE(review): the loop header over `groups` (binding `i`) is missing
    # from this listing, as are the try/except lines that make the
    # BoringSSL branch below a failure handler; restore from the repository.
        logger.info("Group %d" % i)
        params['pwd_group'] = str(i)
        hostapd.add_ap(apdev[0]['ifname'], params)
        # [listing gap: try:]
            eap_connect(dev[0], apdev[0], "PWD", "pwd user",
                        password="secret password")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
            dev[0].dump_monitor()
        # [listing gap: except handler header]
            # BoringSSL is known not to support group 25 here; every other
            # failure must propagate.
            if "BoringSSL" in tls and i in [ 25 ]:
                logger.info("Ignore connection failure with group %d with BoringSSL" % i)
                dev[0].request("DISCONNECT")
                # [listing gap: one line]
                dev[0].request("REMOVE_NETWORK all")
                dev[0].dump_monitor()
            # [listing gap: remaining handler lines (re-raise / continue)]
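def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group.

    The server is configured with pwd_group=0, which is not a usable
    group id.  The station must report an EAP failure instead of
    completing (or hanging in) the exchange with an unusable group.
    """
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    params['pwd_group'] = "0"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    # wait_event() with its default timeout; None means it expired.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")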
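def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation.

    hostapd's fragment_size=40 forces the server to split its EAP-pwd
    messages so the peer's reassembly path is exercised; the connection
    must still complete.
    """
    check_eap_capa(dev[0], "PWD")
    # The explicit dict is used on purpose (a wpa2_eap_params() call whose
    # result was immediately overwritten has been removed).
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")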
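def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK.

    Connects, re-authenticates, then forces each ciphersuite via phase1
    "cipher=N" (both must succeed), forces an unknown suite (must fail
    cleanly, not fall back), and finally checks that a wrong PSK fails.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # net_id instead of `id`: avoid shadowing the builtin.
    net_id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                         password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    logger.info("Test forced algorithm selection")
    # Changing phase1 on the connected network block triggers a new EAP
    # run (presumably via reassociation); wait_event() returns None on
    # timeout.
    for phase1 in [ "cipher=1", "cipher=2" ]:
        dev[0].set_network_quoted(net_id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(net_id, "phase1", "cipher=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)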
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE.

    Positive run (connect + re-authentication) with the provisioned
    32-byte key, then a negative run whose key differs in the first
    byte and must be rejected.
    """
    good_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=good_key)
    eap_reauth(dev[0], "SAKE")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=bad_key,
                expect_failure=True)
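def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE.

    Connects and re-authenticates, forces several dhgroup/encr/prf/mac
    combinations via phase1 (each must succeed), forces an all-unknown
    combination (must fail cleanly), and checks that a wrong password is
    rejected.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # net_id instead of `id`: avoid shadowing the builtin.
    net_id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    logger.info("Test forced algorithm selection")
    # The numeric values are the EAP-EKE algorithm identifiers the
    # implementation understands; changing phase1 on the connected block
    # triggers a fresh EAP run.  wait_event() returns None on timeout.
    for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
                    "dhgroup=4 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=1 mac=1" ]:
        dev[0].set_network_quoted(net_id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    # Nothing in common with the server -> must end in EAP failure.
    dev[0].set_network_quoted(net_id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)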
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI.

    Same as the plain EKE connection, but the internal EAP server
    announces an NAI-form server_id; the peer must still complete.
    """
    ap_params = int_eap_server_params()
    ap_params['server_id'] = 'example.server@w1.fi'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with server OOM.

    Injects allocation failures into the hostapd-side EAP-EKE handlers
    and the generic EAP server state machine.  Every injected failure
    must make the authentication fail (never succeed with a half-built
    state) and must not crash the server.
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)

    # Failures in the message build/process handlers: the peer observes a
    # normal EAP failure, so eap_connect(expect_failure=True) is enough.
    for count,func in [ (1, "eap_eke_build_commit"),
                        (2, "eap_eke_build_commit"),
                        (3, "eap_eke_build_commit"),
                        (1, "eap_eke_build_confirm"),
                        (2, "eap_eke_build_confirm"),
                        (1, "eap_eke_process_commit"),
                        (2, "eap_eke_process_commit"),
                        (1, "eap_eke_process_confirm"),
                        (1, "eap_eke_process_identity"),
                        (2, "eap_eke_process_identity"),
                        (3, "eap_eke_process_identity"),
                        (4, "eap_eke_process_identity") ]:
        with alloc_fail(hapd, count, func):
            eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
                        expect_failure=True)
            dev[0].request("REMOVE_NETWORK all")

    # Failures at method init / key export: no clean EAP result reaches the
    # peer, so poll GET_ALLOC_FAIL until the injected failure has fired.
    for count,func,pw in [ (1, "eap_eke_init", "hello"),
                           (1, "eap_eke_get_session_id", "hello"),
                           (1, "eap_eke_getKey", "hello"),
                           (1, "eap_eke_build_msg", "hello"),
                           (1, "eap_eke_build_failure", "wrong"),
                           (1, "eap_eke_build_identity", "hello"),
                           (2, "eap_eke_build_identity", "hello") ]:
        with alloc_fail(hapd, count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            # [listing gap: polling-loop header]
                if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                    # [listing gap: loop exit]
            dev[0].request("REMOVE_NETWORK all")

    # Sweep allocation failures through the EAP server state machine until
    # the count exceeds the number of allocations one exchange performs.
    # Note: `pw` here is whatever the previous loop left bound ("hello",
    # its last entry).
    for count in range(1, 1000):
        # [listing gap: try:]
            with alloc_fail(hapd, count, "eap_server_sm_step"):
                dev[0].connect("test-wpa2-eap",
                               key_mgmt="WPA-EAP WPA-EAP-SHA256",
                               eap="EKE", identity="eke user", password=pw,
                               wait_connect=False, scan_freq="2412")
                # This would eventually time out, but we can stop after having
                # reached the allocation failure.
                # [listing gap: polling-loop header]
                    if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                        # [listing gap: loop exit]
                dev[0].request("REMOVE_NETWORK all")
        # Python 2 only syntax; Python 3 spells this "except Exception as e:".
        except Exception, e:
            if str(e) == "Allocation failure did not trigger":
                # [listing gap: the condition deciding whether the sweep
                # ended too early; the two lines below belong to it]
                raise Exception("Too few allocation failures")
                logger.info("%d allocation failures tested" % (count - 1))
            # [listing gap: remaining handler lines]
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2.

    Positive run with re-authentication, a second run with peer-side
    fragmentation (fragment_size=50), then a negative run with a wrong
    password that must be rejected.
    """
    user = "ikev2 user"
    check_eap_capa(dev[0], "IKEV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    eap_connect(dev[0], apdev[0], "IKEV2", user, password="ike password")
    eap_reauth(dev[0], "IKEV2")
    dev[0].request("REMOVE_NETWORK all")

    # Small fragment size exercises the peer's fragmentation path.
    eap_connect(dev[0], apdev[0], "IKEV2", user,
                password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", user,
                password="ike-password", expect_failure=True)
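def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation.

    hostapd's fragment_size=50 makes the server split its EAP-IKEv2
    messages; the peer must reassemble them and both the initial
    authentication and a re-authentication must succeed.
    """
    check_eap_capa(dev[0], "IKEV2")
    # The explicit dict is used on purpose (a wpa2_eap_params() call whose
    # result was immediately overwritten has been removed).
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")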
def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 and OOM.

    Injects allocation failures (alloc_fail) and a forced RNG failure
    (fail_test on os_get_random inside dh_init) into the peer-side DH
    code.  The method must still be selected and the injected failure
    must actually fire; a DH setup that silently proceeds after a failed
    random-number call would be a key-material bug.
    """
    check_eap_capa(dev[0], "IKEV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    tests = [ (1, "dh_init"),
              # [listing gap: one list entry]
              (1, "dh_derive_shared") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # [listing gap: timeout guard on ev]
                raise Exception("EAP method not selected")
            # [listing gap: polling-loop header]
            # "0:" in GET_ALLOC_FAIL means the pending count reached zero,
            # i.e. the injected failure has been consumed.
            if "0:" in dev[0].request("GET_ALLOC_FAIL"):
                # [listing gap: loop exit]
            dev[0].request("REMOVE_NETWORK all")

    tests = [ (1, "os_get_random;dh_init") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # [listing gap: timeout guard on ev]
                raise Exception("EAP method not selected")
            # [listing gap: polling-loop header]
            if "0:" in dev[0].request("GET_FAIL"):
                # [listing gap: loop exit]
            dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX.

    Positive run (connect + re-authentication) with the provisioned
    16-byte key, then a negative run whose key differs in the first byte
    and must be rejected.
    """
    user = "pax.user@example.com"
    good_key = "0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef"

    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "PAX", user, password_hex=good_key)
    eap_reauth(dev[0], "PAX")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PAX", user, password_hex=bad_key,
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK.

    The AP requires the SHA-256 AKM (WPA-EAP-SHA256) and management
    frame protection (ieee80211w=2).  Besides the connection itself the
    test checks the MIB AKM selectors, the BSS flags, and that a wrong
    key is rejected.
    """
    user = "psk.user@example.com"
    good_key = "0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef"

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params.update({"wpa_key_mgmt": "WPA-EAP-SHA256",
                      "ieee80211w": "2"})
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    eap_connect(dev[0], apdev[0], "PSK", user, password_hex=good_key,
                sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    # 00-0f-ac:5 is the 802.1X-with-SHA-256 AKM suite selector; both the
    # requested and the selected suite must be it.
    expected_akm = "00-0f-ac-5"
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", expected_akm),
                        ("dot11RSNAAuthenticationSuiteSelected", expected_akm) ])

    bss = dev[0].get_bss(apdev[0]['bssid'])
    try:
        flags = bss['flags']
    except KeyError:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PSK", user, password_hex=bad_key,
                sha256=True, expect_failure=True)
def test_ap_wpa2_eap_psk_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK and OOM.

    Injects allocation failures into the peer's AES-EAX / OMAC1 / AES
    primitives used by EAP-PSK.  The method must still be selected, the
    injected failure must fire, and a failure in the block cipher itself
    must surface as an EAP failure rather than a connection with
    undefined key material.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "a;b" targets allocation in a when called from b; "=f" targets f itself.
    tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
              (1, "omac1_aes_128;aes_128_eax_encrypt"),
              (2, "omac1_aes_128;aes_128_eax_encrypt"),
              (3, "omac1_aes_128;aes_128_eax_encrypt"),
              (1, "=aes_128_eax_encrypt"),
              (1, "omac1_aes_vector"),
              (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
              (1, "omac1_aes_128;aes_128_eax_decrypt"),
              (2, "omac1_aes_128;aes_128_eax_decrypt"),
              (3, "omac1_aes_128;aes_128_eax_decrypt"),
              (1, "=aes_128_eax_decrypt") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                           identity="psk.user@example.com",
                           password_hex="0123456789abcdef0123456789abcdef",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # [listing gap: timeout guard on ev]
                raise Exception("EAP method not selected")
            # [listing gap: polling-loop header]
            # "0:" in GET_ALLOC_FAIL means the injected failure was consumed.
            if "0:" in dev[0].request("GET_ALLOC_FAIL"):
                # [listing gap: loop exit]
            dev[0].request("REMOVE_NETWORK all")

    # A failing block-cipher call must be reported as an EAP failure.
    with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                       identity="psk.user@example.com",
                       password_hex="0123456789abcdef0123456789abcdef",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        # [listing gap: timeout guard on ev]
            raise Exception("EAP method failure not reported")
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2.

    Legacy WPA (not RSN) with PEAP/MSCHAPv2: after connecting and
    re-authenticating, verify the WPA AKM selector in the MIB, that the
    port is under authenticator control, and that an EAP session id is
    exported.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the identity/password are sent inside the TLS tunnel,
    # so ca_cert is what protects them from a rogue AP.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
    # NOTE(review): the last line of this connect() call is missing from
    # the listing (presumably the scan_freq argument and the closing
    # parenthesis); restore from the repository.
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    # 00-50-f2:1 is the WPA (vendor OUI) 802.1X AKM selector.
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
    status = dev[0].get_status(extra="VERBOSE")
    if 'portControl' not in status:
        raise Exception("portControl missing from STATUS-VERBOSE")
    if status['portControl'] != 'Auto':
        raise Exception("Unexpected portControl value: " + status['portControl'])
    if 'eap_session_id' not in status:
        raise Exception("eap_session_id missing from STATUS-VERBOSE")
    # The session id starts with the EAP type byte; 0x19 = 25 = PEAP.
    if not status['eap_session_id'].startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry.

    For each tunnelled method, leave identity and/or password out of the
    network block and answer wpa_supplicant's CTRL-REQ-IDENTITY /
    CTRL-REQ-PASSWORD (or CTRL-REQ-OTP) prompts over the control
    interface; the connection must then complete.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Unused handle (add_ap above already started the AP).
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # Tuples: (description, eap, anonymous_identity, identity, phase2,
    #          identity to supply on request, password to supply on request).
    # "DOMAIN\mschapv2 user": "\m" is not a valid escape (value is kept
    # as-is, but a raw string would avoid the warning on current Python).
    tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
               "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
               # [listing gap: tail of this tuple]
              ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
               "TTLS", "ttls", None, "auth=MSCHAPV2",
               "DOMAIN\mschapv2 user", "password"),
              ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
               "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
              ("Connection with dynamic TTLS/EAP-MD5 password entry",
               "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
              ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
               "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
              ("Connection with dynamic PEAP/EAP-GTC password entry",
               "PEAP", None, "user", "auth=GTC", None, "password") ]
    for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
        # [listing gap: one line, presumably logging desc]
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")

        # Identity prompt (default wait_event timeout).
        ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
        # [listing gap: timeout guard on ev]
            raise Exception("Request for identity timed out")
        # The request number is the trailing field of "CTRL-REQ-IDENTITY-<n>:".
        id = ev.split(':')[0].split('-')[-1]
        dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
        # Password prompt; GTC arrives as an OTP request instead.
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
        # [listing gap: timeout guard on ev]
            raise Exception("Request for password timed out")
        id = ev.split(':')[0].split('-')[-1]
        # `type` shadows the builtin here (harmless inside the loop).
        type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")
2299 def test_ap_wpa2_eap_ext_enable_network_while_connected(dev
, apdev
):
2300 """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
2301 check_eap_capa(dev
[0], "MSCHAPV2")
2302 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2303 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2304 hapd
= hostapd
.Hostapd(apdev
[0]['ifname'])
2306 id_other
= dev
[0].connect("other", key_mgmt
="NONE", scan_freq
="2412",
2307 only_add_network
=True)
2309 req_id
= "DOMAIN\mschapv2 user"
2310 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2311 anonymous_identity
="ttls", identity
=None,
2312 password
="password",
2313 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2314 wait_connect
=False, scan_freq
="2412")
2315 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
2317 raise Exception("Request for identity timed out")
2318 id = ev
.split(':')[0].split('-')[-1]
2319 dev
[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id
)
2320 dev
[0].wait_connected(timeout
=10)
2322 if "OK" not in dev
[0].request("ENABLE_NETWORK " + str(id_other
)):
2323 raise Exception("Failed to enable network")
2324 ev
= dev
[0].wait_event(["SME: Trying to authenticate"], timeout
=1)
2326 raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
2327 dev
[0].request("REMOVE_NETWORK all")
2329 def test_ap_wpa2_eap_vendor_test(dev
, apdev
):
2330 """WPA2-Enterprise connection using EAP vendor test"""
2331 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2332 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2333 eap_connect(dev
[0], apdev
[0], "VENDOR-TEST", "vendor-test")
2334 eap_reauth(dev
[0], "VENDOR-TEST")
2335 eap_connect(dev
[1], apdev
[0], "VENDOR-TEST", "vendor-test",
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=1 selects unauthenticated PAC provisioning; the
    # provisioned PAC goes into a supplicant blob so that the
    # reauthentication below can reuse it.
    fast_args = dict(anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                     phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    eap_connect(dev[0], apdev[0], "FAST", "user", **fast_args)
    hwsim_utils.test_connectivity(dev[0], hapd)
    # The second authentication must resume from the PAC: a full handshake
    # here means the PAC was not stored or not presented.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2352 def test_ap_wpa2_eap_fast_pac_file(dev
, apdev
, params
):
2353 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
2354 check_eap_capa(dev
[0], "FAST")
2355 pac_file
= os
.path
.join(params
['logdir'], "fast.pac")
2356 pac_file2
= os
.path
.join(params
['logdir'], "fast-bin.pac")
2357 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2358 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2361 eap_connect(dev
[0], apdev
[0], "FAST", "user",
2362 anonymous_identity
="FAST", password
="password",
2363 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2364 phase1
="fast_provisioning=1", pac_file
=pac_file
)
2365 with
open(pac_file
, "r") as f
:
2367 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data
:
2368 raise Exception("PAC file header missing")
2369 if "PAC-Key=" not in data
:
2370 raise Exception("PAC-Key missing from PAC file")
2371 dev
[0].request("REMOVE_NETWORK all")
2372 eap_connect(dev
[0], apdev
[0], "FAST", "user",
2373 anonymous_identity
="FAST", password
="password",
2374 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2377 eap_connect(dev
[1], apdev
[0], "FAST", "user",
2378 anonymous_identity
="FAST", password
="password",
2379 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2380 phase1
="fast_provisioning=1 fast_pac_format=binary",
2382 dev
[1].request("REMOVE_NETWORK all")
2383 eap_connect(dev
[1], apdev
[0], "FAST", "user",
2384 anonymous_identity
="FAST", password
="password",
2385 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2386 phase1
="fast_pac_format=binary",
2394 os
.remove(pac_file2
)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Unauthenticated provisioning into a binary-format PAC store that is
    # limited to a single entry (fast_max_pac_list_len=1).
    phase1 = "fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary"
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=phase1, pac_file="blob://fast_pac_bin")
    # Reauthentication has to resume from the stored binary PAC.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2412 def test_ap_wpa2_eap_fast_missing_pac_config(dev
, apdev
):
2413 """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
2414 check_eap_capa(dev
[0], "FAST")
2415 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2416 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2418 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
2419 identity
="user", anonymous_identity
="FAST",
2420 password
="password",
2421 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2422 pac_file
="blob://fast_pac_not_in_use",
2423 wait_connect
=False, scan_freq
="2412")
2424 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2426 raise Exception("Timeout on EAP failure report")
2427 dev
[0].request("REMOVE_NETWORK all")
2429 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
2430 identity
="user", anonymous_identity
="FAST",
2431 password
="password",
2432 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2433 wait_connect
=False, scan_freq
="2412")
2434 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2436 raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=2 selects authenticated provisioning (the server
    # certificate is verified against ca_cert), with GTC as the inner method.
    fast_args = dict(anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                     phase1="fast_provisioning=2",
                     pac_file="blob://fast_pac_auth")
    eap_connect(dev[0], apdev[0], "FAST", "user", **fast_args)
    hwsim_utils.test_connectivity(dev[0], hapd)
    # The provisioned PAC must be used for the second authentication.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2452 def test_ap_wpa2_eap_fast_gtc_identity_change(dev
, apdev
):
2453 """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
2454 check_eap_capa(dev
[0], "FAST")
2455 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2456 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
2457 id = eap_connect(dev
[0], apdev
[0], "FAST", "user",
2458 anonymous_identity
="FAST", password
="password",
2459 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
2460 phase1
="fast_provisioning=2",
2461 pac_file
="blob://fast_pac_auth")
2462 dev
[0].set_network_quoted(id, "identity", "user2")
2463 dev
[0].wait_disconnected()
2464 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
2466 raise Exception("EAP-FAST not started")
2467 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
2469 raise Exception("EAP failure not reported")
2470 dev
[0].wait_disconnected()
2472 def test_ap_wpa2_eap_fast_prf_oom(dev
, apdev
):
2473 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
2474 check_eap_capa(dev
[0], "FAST")
2475 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2476 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
2477 with
alloc_fail(dev
[0], 2, "openssl_tls_prf"):
2478 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
2479 identity
="user", anonymous_identity
="FAST",
2480 password
="password", ca_cert
="auth_serv/ca.pem",
2482 phase1
="fast_provisioning=2",
2483 pac_file
="blob://fast_pac_auth",
2484 wait_connect
=False, scan_freq
="2412")
2485 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
2487 raise Exception("EAP failure not reported")
2488 dev
[0].request("DISCONNECT")
2490 def test_ap_wpa2_eap_fast_server_oom(dev
, apdev
):
2491 """EAP-FAST/MSCHAPv2 and server OOM"""
2492 check_eap_capa(dev
[0], "FAST")
2494 params
= int_eap_server_params()
2495 params
['dh_file'] = 'auth_serv/dh.conf'
2496 params
['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
2497 params
['eap_fast_a_id'] = '1011'
2498 params
['eap_fast_a_id_info'] = 'another test server'
2499 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
2501 with
alloc_fail(hapd
, 1, "tls_session_ticket_ext_cb"):
2502 id = eap_connect(dev
[0], apdev
[0], "FAST", "user",
2503 anonymous_identity
="FAST", password
="password",
2504 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2505 phase1
="fast_provisioning=1",
2506 pac_file
="blob://fast_pac",
2507 expect_failure
=True)
2508 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
2510 raise Exception("No EAP failure reported")
2511 dev
[0].wait_disconnected()
2512 dev
[0].request("DISCONNECT")
2514 dev
[0].select_network(id, freq
="2412")
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    check_ocsp_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # ocsp=2 requires a valid stapled OCSP response for the server
    # certificate (the ocsp=1 variant elsewhere in this file only tries).
    client_cert = dict(ca_cert="auth_serv/ca.pem",
                       private_key="auth_serv/user.pkcs12",
                       private_key_passwd="whatever")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ocsp=2, **client_cert)
2525 def int_eap_server_params():
2526 params
= { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2527 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2528 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
2529 "ca_cert": "auth_serv/ca.pem",
2530 "server_cert": "auth_serv/server.pem",
2531 "private_key": "auth_serv/server.key" }
2534 def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev
, apdev
, params
):
2535 """EAP-TLS and CA signed OCSP response (good)"""
2536 check_ocsp_support(dev
[0])
2537 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed.der")
2538 if not os
.path
.exists(ocsp
):
2539 raise HwsimSkip("No OCSP response available")
2540 params
= int_eap_server_params()
2541 params
["ocsp_stapling_response"] = ocsp
2542 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2543 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2544 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2545 private_key
="auth_serv/user.pkcs12",
2546 private_key_passwd
="whatever", ocsp
=2,
2549 def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev
, apdev
, params
):
2550 """EAP-TLS and CA signed OCSP response (revoked)"""
2551 check_ocsp_support(dev
[0])
2552 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-revoked.der")
2553 if not os
.path
.exists(ocsp
):
2554 raise HwsimSkip("No OCSP response available")
2555 params
= int_eap_server_params()
2556 params
["ocsp_stapling_response"] = ocsp
2557 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2558 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2559 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2560 private_key
="auth_serv/user.pkcs12",
2561 private_key_passwd
="whatever", ocsp
=2,
2562 wait_connect
=False, scan_freq
="2412")
2565 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2567 raise Exception("Timeout on EAP status")
2568 if 'bad certificate status response' in ev
:
2570 if 'certificate revoked' in ev
:
2574 raise Exception("Unexpected number of EAP status messages")
2576 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2578 raise Exception("Timeout on EAP failure report")
2580 def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev
, apdev
, params
):
2581 """EAP-TLS and CA signed OCSP response (unknown)"""
2582 check_ocsp_support(dev
[0])
2583 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-unknown.der")
2584 if not os
.path
.exists(ocsp
):
2585 raise HwsimSkip("No OCSP response available")
2586 params
= int_eap_server_params()
2587 params
["ocsp_stapling_response"] = ocsp
2588 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2589 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2590 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2591 private_key
="auth_serv/user.pkcs12",
2592 private_key_passwd
="whatever", ocsp
=2,
2593 wait_connect
=False, scan_freq
="2412")
2596 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2598 raise Exception("Timeout on EAP status")
2599 if 'bad certificate status response' in ev
:
2603 raise Exception("Unexpected number of EAP status messages")
2605 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2607 raise Exception("Timeout on EAP failure report")
2609 def test_ap_wpa2_eap_tls_ocsp_server_signed(dev
, apdev
, params
):
2610 """EAP-TLS and server signed OCSP response"""
2611 check_ocsp_support(dev
[0])
2612 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-server-signed.der")
2613 if not os
.path
.exists(ocsp
):
2614 raise HwsimSkip("No OCSP response available")
2615 params
= int_eap_server_params()
2616 params
["ocsp_stapling_response"] = ocsp
2617 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2618 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2619 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2620 private_key
="auth_serv/user.pkcs12",
2621 private_key_passwd
="whatever", ocsp
=2,
2622 wait_connect
=False, scan_freq
="2412")
2625 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2627 raise Exception("Timeout on EAP status")
2628 if 'bad certificate status response' in ev
:
2632 raise Exception("Unexpected number of EAP status messages")
2634 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2636 raise Exception("Timeout on EAP failure report")
2638 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev
, apdev
):
2639 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
2640 check_ocsp_support(dev
[0])
2641 params
= int_eap_server_params()
2642 params
["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
2643 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2644 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2645 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2646 private_key
="auth_serv/user.pkcs12",
2647 private_key_passwd
="whatever", ocsp
=2,
2648 wait_connect
=False, scan_freq
="2412")
2651 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2653 raise Exception("Timeout on EAP status")
2654 if 'bad certificate status response' in ev
:
2658 raise Exception("Unexpected number of EAP status messages")
2660 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2662 raise Exception("Timeout on EAP failure report")
2664 def test_ap_wpa2_eap_tls_ocsp_invalid(dev
, apdev
):
2665 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
2666 check_ocsp_support(dev
[0])
2667 params
= int_eap_server_params()
2668 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
2669 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2670 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2671 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2672 private_key
="auth_serv/user.pkcs12",
2673 private_key_passwd
="whatever", ocsp
=2,
2674 wait_connect
=False, scan_freq
="2412")
2677 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2679 raise Exception("Timeout on EAP status")
2680 if 'bad certificate status response' in ev
:
2684 raise Exception("Unexpected number of EAP status messages")
2686 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2688 raise Exception("Timeout on EAP failure report")
2690 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev
, apdev
):
2691 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
2692 check_ocsp_support(dev
[0])
2693 params
= int_eap_server_params()
2694 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
2695 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2696 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2697 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2698 private_key
="auth_serv/user.pkcs12",
2699 private_key_passwd
="whatever", ocsp
=2,
2700 wait_connect
=False, scan_freq
="2412")
2703 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2705 raise Exception("Timeout on EAP status")
2706 if 'bad certificate status response' in ev
:
2710 raise Exception("Unexpected number of EAP status messages")
2712 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2714 raise Exception("Timeout on EAP failure report")
2716 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev
, apdev
, params
):
2717 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2718 check_ocsp_support(dev
[0])
2719 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-revoked.der")
2720 if not os
.path
.exists(ocsp
):
2721 raise HwsimSkip("No OCSP response available")
2722 params
= int_eap_server_params()
2723 params
["ocsp_stapling_response"] = ocsp
2724 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2725 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2726 identity
="pap user", ca_cert
="auth_serv/ca.pem",
2727 anonymous_identity
="ttls", password
="password",
2728 phase2
="auth=PAP", ocsp
=2,
2729 wait_connect
=False, scan_freq
="2412")
2732 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2734 raise Exception("Timeout on EAP status")
2735 if 'bad certificate status response' in ev
:
2737 if 'certificate revoked' in ev
:
2741 raise Exception("Unexpected number of EAP status messages")
2743 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2745 raise Exception("Timeout on EAP failure report")
2747 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev
, apdev
, params
):
2748 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2749 check_ocsp_support(dev
[0])
2750 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-unknown.der")
2751 if not os
.path
.exists(ocsp
):
2752 raise HwsimSkip("No OCSP response available")
2753 params
= int_eap_server_params()
2754 params
["ocsp_stapling_response"] = ocsp
2755 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2756 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2757 identity
="pap user", ca_cert
="auth_serv/ca.pem",
2758 anonymous_identity
="ttls", password
="password",
2759 phase2
="auth=PAP", ocsp
=2,
2760 wait_connect
=False, scan_freq
="2412")
2763 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2765 raise Exception("Timeout on EAP status")
2766 if 'bad certificate status response' in ev
:
2770 raise Exception("Unexpected number of EAP status messages")
2772 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2774 raise Exception("Timeout on EAP failure report")
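def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown

    The AP staples a pre-generated response with certificate status
    'unknown'. With ocsp=1 stapling is optional, so the connection is
    expected to complete (connect() waits for it by default), in contrast
    to the ocsp=2 tests above that expect an EAP failure.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # NOTE(review): unlike the ocsp=2 tests this one does not call
    # check_ocsp_support(); presumably ocsp=1 is accepted by every TLS
    # backend — confirm.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")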
2789 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev
, apdev
):
2790 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
2791 params
= int_eap_server_params()
2792 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
2793 params
["private_key"] = "auth_serv/server-no-dnsname.key"
2794 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2795 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2796 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2797 private_key
="auth_serv/user.pkcs12",
2798 private_key_passwd
="whatever",
2799 domain_suffix_match
="server3.w1.fi",
2802 def test_ap_wpa2_eap_tls_domain_match_cn(dev
, apdev
):
2803 """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
2804 params
= int_eap_server_params()
2805 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
2806 params
["private_key"] = "auth_serv/server-no-dnsname.key"
2807 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2808 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2809 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2810 private_key
="auth_serv/user.pkcs12",
2811 private_key_passwd
="whatever",
2812 domain_match
="server3.w1.fi",
2815 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev
, apdev
):
2816 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
2817 check_domain_match_full(dev
[0])
2818 params
= int_eap_server_params()
2819 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
2820 params
["private_key"] = "auth_serv/server-no-dnsname.key"
2821 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2822 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2823 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2824 private_key
="auth_serv/user.pkcs12",
2825 private_key_passwd
="whatever",
2826 domain_suffix_match
="w1.fi",
2829 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev
, apdev
):
2830 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
2831 params
= int_eap_server_params()
2832 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
2833 params
["private_key"] = "auth_serv/server-no-dnsname.key"
2834 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2835 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2836 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2837 private_key
="auth_serv/user.pkcs12",
2838 private_key_passwd
="whatever",
2839 domain_suffix_match
="example.com",
2842 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2843 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2844 private_key
="auth_serv/user.pkcs12",
2845 private_key_passwd
="whatever",
2846 domain_suffix_match
="erver3.w1.fi",
2849 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2851 raise Exception("Timeout on EAP failure report")
2852 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2854 raise Exception("Timeout on EAP failure report (2)")
2856 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev
, apdev
):
2857 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
2858 params
= int_eap_server_params()
2859 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
2860 params
["private_key"] = "auth_serv/server-no-dnsname.key"
2861 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2862 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2863 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2864 private_key
="auth_serv/user.pkcs12",
2865 private_key_passwd
="whatever",
2866 domain_match
="example.com",
2869 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2870 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2871 private_key
="auth_serv/user.pkcs12",
2872 private_key_passwd
="whatever",
2873 domain_match
="w1.fi",
2876 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2878 raise Exception("Timeout on EAP failure report")
2879 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2881 raise Exception("Timeout on EAP failure report (2)")
2883 def test_ap_wpa2_eap_ttls_expired_cert(dev
, apdev
):
2884 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
2885 skip_with_fips(dev
[0])
2886 params
= int_eap_server_params()
2887 params
["server_cert"] = "auth_serv/server-expired.pem"
2888 params
["private_key"] = "auth_serv/server-expired.key"
2889 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2890 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2891 identity
="mschap user", password
="password",
2892 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
2895 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
2897 raise Exception("Timeout on EAP certificate error report")
2898 if "reason=4" not in ev
or "certificate has expired" not in ev
:
2899 raise Exception("Unexpected failure reason: " + ev
)
2900 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2902 raise Exception("Timeout on EAP failure report")
2904 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev
, apdev
):
2905 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
2906 skip_with_fips(dev
[0])
2907 params
= int_eap_server_params()
2908 params
["server_cert"] = "auth_serv/server-expired.pem"
2909 params
["private_key"] = "auth_serv/server-expired.key"
2910 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2911 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2912 identity
="mschap user", password
="password",
2913 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
2914 phase1
="tls_disable_time_checks=1",
2917 def test_ap_wpa2_eap_ttls_long_duration(dev
, apdev
):
2918 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
2919 skip_with_fips(dev
[0])
2920 params
= int_eap_server_params()
2921 params
["server_cert"] = "auth_serv/server-long-duration.pem"
2922 params
["private_key"] = "auth_serv/server-long-duration.key"
2923 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2924 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2925 identity
="mschap user", password
="password",
2926 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
2929 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev
, apdev
):
2930 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
2931 skip_with_fips(dev
[0])
2932 params
= int_eap_server_params()
2933 params
["server_cert"] = "auth_serv/server-eku-client.pem"
2934 params
["private_key"] = "auth_serv/server-eku-client.key"
2935 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2936 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2937 identity
="mschap user", password
="password",
2938 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
2941 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2943 raise Exception("Timeout on EAP failure report")
2945 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev
, apdev
):
2946 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
2947 skip_with_fips(dev
[0])
2948 params
= int_eap_server_params()
2949 params
["server_cert"] = "auth_serv/server-eku-client-server.pem"
2950 params
["private_key"] = "auth_serv/server-eku-client-server.key"
2951 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2952 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2953 identity
="mschap user", password
="password",
2954 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
2957 def test_ap_wpa2_eap_ttls_server_pkcs12(dev
, apdev
):
2958 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
2959 skip_with_fips(dev
[0])
2960 params
= int_eap_server_params()
2961 del params
["server_cert"]
2962 params
["private_key"] = "auth_serv/server.pkcs12"
2963 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2964 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2965 identity
="mschap user", password
="password",
2966 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
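def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The supplicant is pointed at its own DH parameter file for the
    # TLS tunnel; the inner method is PAP ("pap user"), not CHAP as the
    # docstring used to claim.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="auth_serv/dh.conf")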
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Same as the plain DH-params test, but the supplicant's dh_file holds
    # DSA parameters.
    ttls_args = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                     dh_file="auth_serv/dsaparam.pem")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_args)
2987 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev
, apdev
):
2988 """EAP-TTLS and DH params file not found"""
2989 skip_with_fips(dev
[0])
2990 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2991 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2992 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2993 identity
="mschap user", password
="password",
2994 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
2995 dh_file
="auth_serv/dh-no-such-file.conf",
2996 scan_freq
="2412", wait_connect
=False)
2997 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2999 raise Exception("EAP failure timed out")
3000 dev
[0].request("REMOVE_NETWORK all")
3001 dev
[0].wait_disconnected()
3003 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev
, apdev
):
3004 """EAP-TTLS and invalid DH params file"""
3005 skip_with_fips(dev
[0])
3006 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3007 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3008 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
3009 identity
="mschap user", password
="password",
3010 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
3011 dh_file
="auth_serv/ca.pem",
3012 scan_freq
="2412", wait_connect
=False)
3013 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3015 raise Exception("EAP failure timed out")
3016 dev
[0].request("REMOVE_NETWORK all")
3017 dev
[0].wait_disconnected()
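def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params from blob"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The DH parameters are pushed into a wpa_supplicant blob over the
    # control interface and then referenced as blob://dhparams instead of
    # a file path. read_pem() output is hex-encoded with the Python 2
    # str.encode("hex") codec; a Python 3 port would need binascii.hexlify().
    dh = read_pem("auth_serv/dh2.conf")
    if "OK" not in dev[0].request("SET blob dhparams " + dh.encode("hex")):
        raise Exception("Could not set dhparams blob")
    # Inner method is PAP ("pap user"), not CHAP as the docstring used to say.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="blob://dhparams")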
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
    # Here it is the integrated EAP server (hostapd) that gets the
    # alternative DH parameter file, not the supplicant.
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ttls_args = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_args)
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
    # Server-side counterpart of the DSA-parameter test: hostapd's
    # integrated EAP server loads the DSA parameter file.
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dsaparam.pem"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ttls_args = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_args)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found"""
    # NOTE: this def shares its name with the client-side
    # test_ap_wpa2_eap_ttls_dh_params_not_found defined earlier in this
    # file, so at import time it rebinds that name and the earlier test
    # is never collected. Renaming one of them would restore it.
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dh-no-such-file.conf"
    # The AP is added without enabling it so that the configuration error
    # surfaces as a failed ENABLE rather than a failed add_ap().
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params, no_enable=True)
    enable_res = hapd.request("ENABLE")
    if "FAIL" not in enable_res:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file

    dh_file is pointed at a CA certificate (a PEM file that exists but does
    not contain DH parameters); ENABLE must report FAIL rather than start
    the EAP server with unusable parameters.
    """
    params = int_eap_server_params()
    params["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params, no_enable=True)
    if "FAIL" not in hapd.request("ENABLE"):
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication

    A very short eap_reauth_period makes the Authenticator start a fresh
    EAP exchange shortly after the first one; the test waits for that
    exchange to start and succeed, then polls wpa_state until the
    supplicant is back in COMPLETED.

    Note: blob lines 3074, 3077, 3082 and 3083 are absent from this
    rendering (presumably the guards on ev before the two raise statements
    and the loop's break/sleep); confirm against upstream.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # 2 s reauthentication period so the forced re-run fits the 10 s waits.
    params['eap_reauth_period'] = '2'
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    logger.info("Wait for reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    # (guard on ev absent in this rendering -- see docstring)
    raise Exception("Timeout on reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # (guard on ev absent in this rendering -- see docstring)
    raise Exception("Timeout on reauthentication")
    for i in range(0, 20):
        state = dev[0].get_status_field("wpa_state")
        if state == "COMPLETED":
            # (loop body absent in this rendering -- see docstring)
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity

    hostapd's eap_message is set to a displayable string followed by an
    escaped NUL and an option string; the connection must still complete
    normally with that extra Request-Identity payload present.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # The "\\0" reaches hostapd as a literal backslash-zero; presumably it
    # marks the boundary between the displayable text and the options.
    params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication

    The integrated EAP server is configured with eap_sim_aka_result_ind=1.
    For each of EAP-SIM, EAP-AKA and EAP-AKA', dev[0] opts in to protected
    result indications (phase1 result_ind=1) and is re-authenticated, while
    dev[1] uses the same credentials without opting in. Requires the
    hlr_auc_gw helper (check_hlr_auc_gw_support()).
    """
    check_hlr_auc_gw_support()
    params = int_eap_server_params()
    params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    params['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], params)

    # EAP-SIM: password is "Ki:OPc" for the hlr_auc_gw test database.
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                phase1="result_ind=1")
    eap_reauth(dev[0], "SIM")
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")

    dev[0].request("REMOVE_NETWORK all")
    dev[1].request("REMOVE_NETWORK all")

    # EAP-AKA: same credentials plus a sequence number suffix.
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                phase1="result_ind=1")
    eap_reauth(dev[0], "AKA")
    eap_connect(dev[1], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")

    dev[0].request("REMOVE_NETWORK all")
    dev[1].request("REMOVE_NETWORK all")

    # EAP-AKA' with a separate test subscriber.
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                phase1="result_ind=1")
    eap_reauth(dev[0], "AKA'")
    eap_connect(dev[1], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips

    The supplicant is expected to abort the exchange once its roundtrip
    limit is hit, which shows up as an "EAP: more than" event rather than
    a completed connection (wait_connect=False).

    Note: blob lines 3140 and 3142 are absent from this rendering -- the
    connect() call is left unterminated after phase2 (presumably the final
    argument that drives the roundtrip count) and the guard before the
    raise is missing; confirm against upstream.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="TTLS", identity="mschap user",
                   wait_connect=False, scan_freq="2412", ieee80211w="1",
                   anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    ev = dev[0].wait_event(["EAP: more than"], timeout=20)
    # (guard on ev absent in this rendering -- see docstring)
    raise Exception("EAP roundtrip limit not reached")
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK

    The peer offers only EAP-PSK under a "vendor-test" identity; the loop
    scans up to five EAP status events for the server refusing the proposed
    method, and the exchange is then expected to end in EAP failure.

    Note: blob lines 3152-3154, 3157, 3160-3162 and 3166 are absent from
    this rendering (the connect() call is left unterminated, the guards
    before the raise statements and the loop's found/break bookkeeping are
    missing); confirm against upstream.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="PSK", identity="vendor-test",
                   password_hex="ff23456789abcdef0123456789abcdef",
    for i in range(0, 5):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
        # (guard on ev absent in this rendering -- see docstring)
        raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in ev:
            # (body absent in this rendering -- see docstring)
    raise Exception("Unexpected EAP status: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # (guard on ev absent in this rendering -- see docstring)
    raise Exception("EAP failure timed out")
def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB

    Builds a throwaway SQLite user database under params['logdir'], points
    the integrated EAP server at it with eap_user_file="sqlite:<path>" and
    authenticates one TTLS user per inner method (MSCHAPv2, MSCHAP, CHAP,
    PAP). Every SQL statement is a fixed literal; nothing from the test
    environment is interpolated into a query.

    Note: blob lines 3172-3174, 3177-3180 and 3182-3183 are absent from
    this rendering -- presumably the sqlite3 import that the HwsimSkip
    guards, a best-effort removal of a stale database file, and the cursor
    creation (``sqlite3`` and ``cur`` are otherwise undefined here);
    confirm against upstream.
    """
    skip_with_fips(dev[0])
    # (import guard absent in this rendering -- see docstring)
    raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    con = sqlite3.connect(dbfile)
    # (cursor creation absent in this rendering -- see docstring)
    cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
    cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
    # Empty-identity wildcard row: the outer (phase 1) methods offered to
    # any identity before the tunnel is up.
    cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
    cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")

    params = int_eap_server_params()
    params["eap_user_file"] = "sqlite:" + dbfile
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
    eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Two stations present identities containing a raw 0x80 byte (alone, and
    after an ASCII character) against the integrated EAP server. Only the
    start of EAP and the method selection are checked -- the point is that
    neither side chokes on a non-ASCII identity, not that authentication
    succeeds (wait_connect=False).

    Note: blob lines 3224 and 3227 (presumably the guards on ev before the
    two raise statements) are absent from this rendering; confirm against
    upstream.
    """
    params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        # (guard on ev absent in this rendering -- see docstring)
        raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        # (guard on ev absent in this rendering -- see docstring)
        raise Exception("EAP method selection timed out")
def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Same checks as test_ap_wpa2_eap_non_ascii_identity, but against the
    default wpa2_eap_params() AP setup rather than the integrated EAP
    server, so the non-ASCII identity takes the other authentication path.

    Note: blob lines 3240 and 3243 (presumably the guards on ev before the
    two raise statements) are absent from this rendering; confirm against
    upstream.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        # (guard on ev absent in this rendering -- see docstring)
        raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        # (guard on ev absent in this rendering -- see docstring)
        raise Exception("EAP method selection timed out")
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant

    Three supplicant-side openssl_ciphers settings against the same AP:
    "AES128" is expected to negotiate; "EXPORT" (export-grade suites) is
    expected to fail, possibly as a local error before any handshake
    completes (hence maybe_local_error=True); and the bogus list "FOO"
    must surface as an EAP failure event on dev[2].

    Note: blob lines 3267 (the end of the dev[2].connect() call) and 3269
    (presumably the guard on ev before the raise) are absent from this
    rendering; confirm against upstream.
    """
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="AES128",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="EXPORT",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                expect_failure=True, maybe_local_error=True)
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password",
                   openssl_ciphers="FOO",
                   ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
    ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # (guard on ev absent in this rendering -- see docstring)
    raise Exception("EAP failure after invalid openssl_ciphers not reported")
    dev[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    The integrated EAP server is restricted to "AES256". A supplicant with
    the default cipher list connects; one restricted to "AES128" has no
    suite in common and must fail; one using "HIGH:!ADH" still overlaps
    and connects. Finally an AP with the bogus list "FOO" must be refused
    at ENABLE time. Both the supplicant and hostapd TLS libraries have to
    be OpenSSL for the cipher-string syntax to apply.
    """
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls)
    params = int_eap_server_params()
    params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # hostapd may be built against a different TLS library than the
    # supplicant, so it is queried separately.
    tls = hapd.request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="AES128",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                expect_failure=True)
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="HIGH:!ADH",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    params['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], params, no_enable=True)
    if "FAIL" not in hapd2.request("ENABLE"):
        raise Exception("Invalid openssl_ciphers value accepted")
def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP

    Memory-hygiene check for the supplicant process. The key material
    (MSK, EMSK, PMK, PTK, GTK) is recovered from the hexdumps in the
    wpa_supplicant debug log (params['logdir']/log0), and the process
    memory is then snapshotted with read_process_memory() at four points:
    while associated (secrets are expected to be present), after
    disassociation, after flushing the PMKSA cache and EAP fast-reauth
    state, and after removing the network profile (when none of the
    secrets may remain). verify_not_present() reports any surviving copy
    under the 'memctx-' file prefix in fname.

    Note: several blob lines are absent from this rendering -- 3316-3322
    (presumably the initial msk/emsk/pmk/ptk/gtk = None assignments that
    the "Could not find keys" check relies on), 3342 (the guard before
    "Unexpected GTK length"), 3344-3348 (presumably the split of ptk into
    kck/kek/tk; ``kck``, ``kek`` and ``tk`` are used below but never
    assigned here), and 3359, 3361, 3363, 3365, 3367, 3369 (the guards
    before the raise statements); confirm against upstream.
    """
    p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], p)
    # A long, high-entropy password so that its bytes are unlikely to
    # occur in process memory by accident.
    password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    pid = find_wpas_process(dev[0])
    id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
                     anonymous_identity="ttls", password=password,
                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    buf = read_process_memory(pid, password)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Recover the derived keys from the debug log. Each hexdump line is
    # "<prefix>: <name> - hexdump(len=N): xx xx ..."; field 3 after
    # splitting on ':' is the hex payload.
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for l in f.readlines():
            if "EAP-TTLS: Derived key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                msk = binascii.unhexlify(val)
            if "EAP-TTLS: Derived EMSK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                emsk = binascii.unhexlify(val)
            if "WPA: PMK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                pmk = binascii.unhexlify(val)
            if "WPA: PTK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                ptk = binascii.unhexlify(val)
            if "WPA: Group Key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                gtk = binascii.unhexlify(val)
    if not msk or not emsk or not pmk or not ptk or not gtk:
        raise Exception("Could not find keys from debug log")
    # (GTK length guard absent in this rendering -- see docstring)
    raise Exception("Unexpected GTK length")
    # (kck/kek/tk derivation absent in this rendering -- see docstring)
    fname = os.path.join(params['logdir'],
                         'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
    logger.info("Checking keys in memory while associated")
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # Password/PMK not being visible is a skip, not a failure: the memory
    # snapshot may simply not have captured them.
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    # (guards absent in this rendering for the next five raises)
    raise HwsimSkip("PMK not found while associated")
    raise Exception("KCK not found while associated")
    raise Exception("KEK not found while associated")
    # TK and GTK live in the driver, so they must not be in wpa_supplicant
    # memory even while associated.
    raise Exception("TK found from memory")
    raise Exception("GTK found from memory")
    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, password)
    # Note: Password is still present in network configuration
    # Note: PMK is in PMKSA cache and EAP fast re-auth data
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    # Drop the PMKSA cache and invalidate the EAP fast re-auth state by
    # changing the identity on the profile; the PMK must then be gone.
    dev[0].request("PMKSA_FLUSH")
    dev[0].set_network_quoted(id, "identity", "foo")
    logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, pmk, fname, "PMK")
    dev[0].request("REMOVE_NETWORK all")
    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # With the profile gone, no secret at all may survive in memory.
    verify_not_present(buf, password, fname, "password")
    verify_not_present(buf, pmk, fname, "PMK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    verify_not_present(buf, msk, fname, "MSK")
    verify_not_present(buf, emsk, fname, "EMSK")
def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
    """WPA2-Enterprise connection and unexpected WEP EAPOL-Key

    After a normal EAP-TTLS/PAP connection, a legacy (RC4/WEP descriptor)
    EAPOL-Key frame is injected into wpa_supplicant via EAPOL_RX as if it
    came from the AP. On an RSN association such a frame has no business
    arriving, so the supplicant is expected to drop it without effect;
    only the injection request itself is checked.

    Note: blob line 3424 (presumably the guard on res before the raise) is
    absent from this rendering; confirm against upstream.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    bssid = apdev[0]['bssid']
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    # Send unexpected WEP EAPOL-Key; this gets dropped
    # Frame: EAPOL version 2, type 3 (EAPOL-Key), body length 0x2c,
    # descriptor type 1 (RC4 key descriptor), remaining fields zero.
    res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
    # (guard on res absent in this rendering -- see docstring)
    raise Exception("EAPOL_RX to wpa_supplicant failed")
def test_ap_wpa2_eap_in_bridge(dev, apdev):
    """WPA2-EAP and wpas interface in a bridge

    Wrapper that runs _test_ap_wpa2_eap_in_bridge() and then tears the
    bridge down again: bridge interface down, wlan interface removed from
    the bridge, bridge deleted, 4addr mode switched off. The cleanup uses
    subprocess.call() with argument lists (no shell) and ignores failures
    so that every step is attempted.

    Note: blob lines 3429-3431 and 3433 are absent from this rendering --
    presumably the br_ifname/ifname definitions (both are used below but
    undefined here) and the try/finally that makes the cleanup run even
    when the inner test raises; confirm against upstream.
    """
    _test_ap_wpa2_eap_in_bridge(dev, apdev)
    # (finally: absent in this rendering -- see docstring)
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
    subprocess.call(['brctl', 'delif', br_ifname, ifname])
    subprocess.call(['brctl', 'delbr', br_ifname])
    subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
def _test_ap_wpa2_eap_in_bridge(dev, apdev):
    """Body of test_ap_wpa2_eap_in_bridge (bridge cleanup is done by the caller).

    Creates a Linux bridge, enables 4addr mode on the extra wlan interface,
    adds it to the bridge and attaches a separate wpa_supplicant instance
    to the interface with br_ifname set. A WPA2-EAP (EAP-PAX) connection
    is then established and re-authenticated twice, followed by an
    explicit DISCONNECT/RECONNECT cycle, to exercise EAPOL handling when
    the supplicant's interface sits behind a bridge.

    Note: blob lines 3442-3444 are absent from this rendering (presumably
    the br_ifname/ifname definitions; both are used below but undefined
    here); confirm against upstream.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    # Bridge setup is best-effort (subprocess.call) except for adding the
    # interface to the bridge, which is the step the test depends on
    # (check_call raises if it fails).
    subprocess.call(['brctl', 'addbr', br_ifname])
    subprocess.call(['brctl', 'setfd', br_ifname, '0'])
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
    subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
    subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
    wpas.interface_add(ifname, br_ifname=br_ifname)
    id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
                     password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(wpas, "PAX")
    # Try again as a regression test for packet socket workaround
    eap_reauth(wpas, "PAX")
    wpas.request("DISCONNECT")
    wpas.wait_disconnected()
    wpas.request("RECONNECT")
    wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled

    The supplicant explicitly enables TLS session tickets
    (phase1 tls_disable_session_ticket=0) for an EAP-TTLS/PAP connection
    and then re-authenticates. The GET_CONFIG check up front only confirms
    that the AP really advertises WPA-EAP as its first key_mgmt entry.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    key_mgmt = hapd.get_config()['key_mgmt']
    if key_mgmt.split(' ')[0] != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_no_workaround(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0

    Same as test_ap_wpa2_eap_session_ticket but with the supplicant's EAP
    interoperability workarounds disabled (eap_workaround='0'); the
    connection and a reauthentication must still succeed against hostapd.

    Note: blob line 3492 is absent from this rendering -- the eap_connect()
    call is left unterminated after eap_workaround (presumably the phase2
    argument); confirm against upstream.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    key_mgmt = hapd.get_config()['key_mgmt']
    if key_mgmt.split(' ')[0] != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
    """EAP-TLS and server checking CRL

    Server-side CRL enforcement in three steps: with check_crl=1 and a CA
    file that carries no CRL the client certificate must be rejected;
    after switching the server to a CA bundle that includes a CRL the
    same client must be accepted; and with check_crl=2 plus the valid CRL
    it must still be accepted.

    Note: blob lines 3506-3507, 3509-3510, 3516-3517 and 3519-3520 are
    absent from this rendering (presumably the AP disable/enable around
    each hapd.set() so the new setting takes effect); confirm against
    upstream.
    """
    params = int_eap_server_params()
    params['check_crl'] = '1'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # check_crl=1 and no CRL available --> reject connection
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
    # (AP restart absent in this rendering -- see docstring)
    # check_crl=1 and valid CRL --> accept
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")
    hapd.set("check_crl", "2")
    # (AP restart absent in this rendering -- see docstring)
    # check_crl=2 and valid CRL --> accept
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_tls_oom(dev, apdev):
    """EAP-TLS and OOM

    Allocation-failure injection into the supplicant's TLS parameter
    setup: alloc_fail() makes the 1st..4th allocation inside
    tls_connection_set_subject_match fail in turn while a profile with
    subject/altsubject/domain matching is connected. The expected
    symptom is not a crash but a CTRL-REQ-PASSPHRASE request, because a
    TLS parameter configuration error is reported back that way.

    Note: blob line 3553 (presumably the guard on ev before the raise) is
    absent from this rendering; confirm against upstream.
    """
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    check_domain_match_full(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    tests = [ (1, "tls_connection_set_subject_match"),
              (2, "tls_connection_set_subject_match"),
              (3, "tls_connection_set_subject_match"),
              (4, "tls_connection_set_subject_match") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                           identity="tls user", ca_cert="auth_serv/ca.pem",
                           client_cert="auth_serv/user.pem",
                           private_key="auth_serv/user.key",
                           subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                           altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
                           domain_suffix_match="server.w1.fi",
                           domain_match="server.w1.fi",
                           wait_connect=False, scan_freq="2412")
            # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
            ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
            # (guard on ev absent in this rendering -- see docstring)
            raise Exception("No passphrase request")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL

    hostapd is configured with macaddr_acl=2 (MAC-based access control
    consulting the authentication server) on top of WPA2-Enterprise; an
    ordinary EAP-TLS connection from dev[1] must still go through.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params["macaddr_acl"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[1], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
def test_ap_wpa2_eap_oom(dev, apdev):
    """EAP server and OOM

    Allocation-failure injection on the hostapd side: the first
    eapol_auth_alloc() call fails while a station associates with
    EAP-TLS. The station is expected to recover by sending EAPOL-Start
    and retrying.

    Note: blob lines 3575 (the rest of the comment inside the with block)
    and 3580 (the end of the connect() call) are absent from this
    rendering; confirm against upstream.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
    with alloc_fail(hapd, 1, "eapol_auth_alloc"):
        # The first attempt fails, but STA will send EAPOL-Start to retry and
        # (continuation of this comment absent in this rendering)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
def check_tls_ver(dev, ap, phase1, expected):
    """Connect with EAP-TLS and verify the negotiated TLS version.

    dev      -- WpaSupplicant instance to connect with
    ap       -- apdev entry of the AP to connect to
    phase1   -- phase1 string (e.g. tls_disable_tlsv1_0=1 ...) selecting
                which TLS versions the supplicant allows
    expected -- value the eap_tls_version status field must report

    Raises Exception if the reported TLS version differs from expected.

    Note: blob lines 3586 (the end of the eap_connect() call, presumably
    passing phase1) and 3588 (the comparison guard before the raise) are
    absent from this rendering; confirm against upstream.
    """
    eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
    ver = dev.get_status_field("eap_tls_version")
    # (comparison guard absent in this rendering -- see docstring)
    raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
def test_ap_wpa2_eap_tls_versions(dev, apdev):
    """EAP-TLS and TLS version configuration

    Disables TLS versions on the supplicant via phase1 flags and checks
    which version is then negotiated. With OpenSSL the check is only run
    when both build and runtime are 1.0.2; with the internal TLS
    implementation all three combinations (forcing TLSv1.2, TLSv1.1 and
    TLSv1) are exercised on separate stations.

    Note: blob line 3601 (the expected-version argument closing the first
    check_tls_ver() call) is absent from this rendering; confirm against
    upstream.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    tls = dev[0].request("GET tls_library")
    if tls.startswith("OpenSSL"):
        if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
            check_tls_ver(dev[0], apdev[0],
                          "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
    elif tls.startswith("internal"):
        check_tls_ver(dev[0], apdev[0],
                      "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
        check_tls_ver(dev[1], apdev[0],
                      "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
        check_tls_ver(dev[2], apdev[0],
                      "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
def test_rsn_ie_proto_eap_sta(dev, apdev):
    """RSN element protocol testing for EAP cases on STA side

    The AP's RSN element is overridden with progressively truncated
    encodings (no RSN Capabilities, no AKM suites, no pairwise ciphers,
    no group cipher) and the station is reconnected each time; it must
    tolerate the short elements and still complete the connection.

    Note: blob lines 3620 (the end of the connect() call), 3629 (the last
    entry closing the tests list), 3633-3634 and 3636 (presumably logging
    of txt and the AP disable/enable around the override; txt is otherwise
    unused here) are absent from this rendering; confirm against upstream.
    """
    bssid = apdev[0]['bssid']
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # This is the RSN element used normally by hostapd
    # (ID 0x30, len 0x14, version 1, group CCMP, 1 pairwise CCMP,
    # 1 AKM 802.1X, RSN capabilities 0x0c00)
    params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                        identity="gpsk user",
                        password="abcdefghijklmnop0123456789abcdef",
    tests = [ ('No RSN Capabilities field',
               '30120100000fac040100000fac040100000fac01'),
              ('No AKM Suite fields',
               '300c0100000fac040100000fac04'),
              ('No Pairwise Cipher Suite fields',
               '30060100000fac04'),
              ('No Group Data Cipher Suite field',
    for txt, ie in tests:
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        hapd.set('own_ie_override', ie)
        # Flush cached scan results so the next scan picks up the new IE.
        dev[0].request("BSS_FLUSH 0")
        dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
        dev[0].select_network(id, freq=2412)
        dev[0].wait_connected()
def check_tls_session_resumption_capa(dev, hapd):
    """Skip the test unless both sides use OpenSSL.

    dev  -- WpaSupplicant instance whose TLS library is checked
    hapd -- hostapd instance whose TLS library is checked

    Raises HwsimSkip when either hostapd or wpa_supplicant reports a TLS
    library other than OpenSSL, since the session resumption tests rely on
    OpenSSL-specific behavior.
    """
    tls = hapd.request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)
    tls = dev.request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("Session resumption not supported with this TLS library: " + tls)
def test_eap_ttls_pap_session_resumption(dev, apdev):
    """EAP-TTLS/PAP session resumption

    With tls_session_lifetime=60 on the integrated EAP server, the first
    connection must be a full handshake (tls_session_reused == '0') and a
    REAUTHENTICATE must then resume the cached TLS session
    (tls_session_reused == '1') before the 4-way handshake completes.

    Note: blob lines 3660 (the end of the eap_connect() call, presumably
    the phase2 argument), 3666 and 3669 (presumably the guards on ev
    before the raise statements) are absent from this rendering; confirm
    against upstream.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # (guard on ev absent in this rendering -- see docstring)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # (guard on ev absent in this rendering -- see docstring)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_chap_session_resumption(dev, apdev):
    """EAP-TTLS/CHAP session resumption

    Same flow as test_eap_ttls_pap_session_resumption with CHAP as the
    inner method: full handshake first, then a REAUTHENTICATE that must
    reuse the cached TLS session.

    Note: blob lines 3688 and 3691 (presumably the guards on ev before the
    raise statements) are absent from this rendering; confirm against
    upstream.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # (guard on ev absent in this rendering -- see docstring)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # (guard on ev absent in this rendering -- see docstring)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_mschap_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAP session resumption

    Same flow as test_eap_ttls_pap_session_resumption with MSCHAP as the
    inner method and domain_suffix_match on the server certificate.

    Note: blob lines 3711 and 3714 (presumably the guards on ev before the
    raise statements) are absent from this rendering; confirm against
    upstream.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # (guard on ev absent in this rendering -- see docstring)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # (guard on ev absent in this rendering -- see docstring)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAPv2 session resumption

    Same flow as test_eap_ttls_pap_session_resumption with MSCHAPv2 as the
    inner method, a DOMAIN\\user style identity and domain_suffix_match
    on the server certificate.

    Note: blob lines 3732, 3735 and 3738 (presumably the guards on ev
    before the raise statements) are absent from this rendering; confirm
    against upstream.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    # "\m" is not a recognized escape, so the backslash survives as a
    # literal; a raw string or "\\m" would state that intent explicitly
    # (newer Python versions warn about the unknown escape).
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # (guard on ev absent in this rendering -- see docstring)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # (guard on ev absent in this rendering -- see docstring)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
    """EAP-TTLS/EAP-GTC session resumption

    Same flow as test_eap_ttls_pap_session_resumption with an EAP method
    (GTC, phase2 autheap=GTC) rather than a non-EAP inner method.

    Note: blob lines 3754, 3757 and 3760 (presumably the guards on ev
    before the raise statements) are absent from this rendering; confirm
    against upstream.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # (guard on ev absent in this rendering -- see docstring)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # (guard on ev absent in this rendering -- see docstring)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_no_session_resumption(dev, apdev):
    """EAP-TTLS session resumption disabled on server

    Negative counterpart of the session resumption tests: with
    tls_session_lifetime=0 the server must not cache sessions, so both
    the first connection and the REAUTHENTICATE must report
    tls_session_reused == '0'.

    Note: blob lines 3773 (the end of the eap_connect() call, presumably
    the phase2 argument), 3779 and 3782 (presumably the guards on ev
    before the raise statements) are absent from this rendering; confirm
    against upstream.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '0'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # (guard on ev absent in this rendering -- see docstring)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # (guard on ev absent in this rendering -- see docstring)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_peap_session_resumption(dev, apdev):
    """EAP-PEAP session resumption

    Same flow as test_eap_ttls_pap_session_resumption, using PEAP with an
    MSCHAPv2 inner method: full handshake first, then a REAUTHENTICATE
    that must reuse the cached TLS session.

    Note: blob lines 3801 and 3804 (presumably the guards on ev before the
    raise statements) are absent from this rendering; confirm against
    upstream.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # (guard on ev absent in this rendering -- see docstring)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # (guard on ev absent in this rendering -- see docstring)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_peap_no_session_resumption(dev, apdev):
    """EAP-PEAP session resumption disabled on server"""
    # No tls_session_lifetime is configured here, so this exercises the
    # server's default behaviour (presumably no caching — see
    # int_eap_server_params() to confirm).
    params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], params)

    sta = dev[0]
    eap_connect(sta, apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Second authentication must again be a full handshake.
    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_tls_session_resumption(dev, apdev):
    """EAP-TLS session resumption"""
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    sta = dev[0]
    check_tls_session_resumption_capa(sta, hapd)
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Two further authentications; both must resume the cached TLS session
    # (the second one checks that a resumed session can itself be resumed).
    not_reused = ("Session resumption not used on the second connection",
                  "Session resumption not used on the third connection")
    for failure in not_reused:
        sta.request("REAUTHENTICATE")
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if sta.wait_event(["WPA: Key negotiation completed"],
                          timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")
        if sta.get_status_field("tls_session_reused") != '1':
            raise Exception(failure)
def test_eap_tls_session_resumption_expiration(dev, apdev):
    """EAP-TLS session resumption"""
    # Server-side cache lifetime of one second: once more than that has
    # passed, a reauthentication must fall back to a full TLS handshake.
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '1'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    sta = dev[0]
    check_tls_session_resumption_capa(sta, hapd)
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Allow multiple attempts since OpenSSL may not expire the cached entry
    # NOTE(review): the loop header and the delay between attempts were not
    # readable in the rendered source; restored as ten attempts roughly
    # 1.2 s apart — confirm the exact values against the repository.
    for _ in range(10):
        time.sleep(1.2)

        sta.request("REAUTHENTICATE")
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if sta.wait_event(["WPA: Key negotiation completed"],
                          timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")
        if sta.get_status_field("tls_session_reused") == '0':
            # Cached entry has expired; no need to keep retrying.
            break
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Session resumption used after lifetime expiration")
def test_eap_tls_no_session_resumption(dev, apdev):
    """EAP-TLS session resumption disabled on server"""
    # No tls_session_lifetime configured: the server's default caching
    # behaviour is what is being checked (presumably disabled — see
    # int_eap_server_params()).
    params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], params)

    sta = dev[0]
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_tls_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption (RADIUS)"""
    # apdev[1] acts as a standalone RADIUS/EAP server with TLS session
    # caching enabled; apdev[0] is the AP that proxies EAP to it, so the
    # session cache being tested lives on the RADIUS server side.
    as_params = {"ssid": "as", "beacon_int": "2000",
                 "radius_server_clients": "auth_serv/radius_clients.conf",
                 "radius_server_auth_port": '18128',
                 "eap_server": "1",
                 "eap_user_file": "auth_serv/eap_user.conf",
                 "ca_cert": "auth_serv/ca.pem",
                 "server_cert": "auth_serv/server.pem",
                 "private_key": "auth_serv/server.key",
                 "tls_session_lifetime": "60"}
    authsrv = hostapd.add_ap(apdev[1]['ifname'], as_params)

    sta = dev[0]
    check_tls_session_resumption_capa(sta, authsrv)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_tls_no_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption disabled (RADIUS)"""
    # Same RADIUS-server setup as the positive test, but with the session
    # cache lifetime set to 0 so resumption must never happen.
    as_params = {"ssid": "as", "beacon_int": "2000",
                 "radius_server_clients": "auth_serv/radius_clients.conf",
                 "radius_server_auth_port": '18128',
                 "eap_server": "1",
                 "eap_user_file": "auth_serv/eap_user.conf",
                 "ca_cert": "auth_serv/ca.pem",
                 "server_cert": "auth_serv/server.pem",
                 "private_key": "auth_serv/server.key",
                 "tls_session_lifetime": "0"}
    hostapd.add_ap(apdev[1]['ifname'], as_params)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    sta = dev[0]
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_mschapv2_errors(dev, apdev):
    """EAP-MSCHAPv2 error cases"""
    sta = dev[0]
    check_eap_capa(sta, "MSCHAPV2")
    check_eap_capa(sta, "FAST")

    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Baseline: the credentials authenticate before any failure is injected.
    sta.connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                identity="phase1-user", password="password",
                scan_freq="2412")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()

    def run_case(injector, trigger, **creds):
        # Start a connection while 'injector' (a fail_test/alloc_fail
        # context) forces an error in the selected function, wait until that
        # injection point was actually hit, then drop the network entry so
        # the next case starts from a clean state.
        with injector:
            sta.connect("test-wpa-eap", key_mgmt="WPA-EAP",
                        wait_connect=False, scan_freq="2412", **creds)
            wait_fail_trigger(sta, trigger)
            sta.request("REMOVE_NETWORK all")
            sta.wait_disconnected()

    plain_creds = dict(eap="MSCHAPV2", identity="phase1-user",
                       password="password")
    # Failures in the response derivation when the plaintext password is
    # available. "nt_password_hash;=mschapv2_derive_response" is listed
    # twice in the original; the repeat looks redundant — TODO confirm.
    derive_failures = [
        (1, "hash_nt_password_hash;mschapv2_derive_response"),
        (1, "nt_password_hash;mschapv2_derive_response"),
        (1, "nt_password_hash;=mschapv2_derive_response"),
        (1, "generate_nt_response;mschapv2_derive_response"),
        (1, "generate_authenticator_response;mschapv2_derive_response"),
        (1, "nt_password_hash;=mschapv2_derive_response"),
        (1, "get_master_key;mschapv2_derive_response"),
        (1, "os_get_random;eap_mschapv2_challenge_reply"),
    ]
    for count, func in derive_failures:
        run_case(fail_test(sta, count, func), "GET_FAIL", **plain_creds)

    # Same derivation with only the NT password hash configured (the value
    # below is the NT hash of "password") instead of the plaintext.
    hash_creds = dict(eap="MSCHAPV2", identity="phase1-user",
                      password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c")
    pwhash_failures = [
        (1, "hash_nt_password_hash;mschapv2_derive_response"),
        (1, "hash_nt_password_hash;=mschapv2_derive_response"),
        (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
        (1, "generate_authenticator_response_pwhash;mschapv2_derive_response"),
    ]
    for count, func in pwhash_failures:
        run_case(fail_test(sta, count, func), "GET_FAIL", **hash_creds)

    # Memory allocation failures on the success path.
    alloc_failures = [
        (1, "eap_mschapv2_init"),
        (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
        (1, "eap_msg_alloc;eap_mschapv2_success"),
        (1, "eap_mschapv2_getKey"),
    ]
    for count, func in alloc_failures:
        run_case(alloc_fail(sta, count, func), "GET_ALLOC_FAIL", **plain_creds)

    # Allocation failure while building the reply to an EAP-MSCHAPv2 Failure
    # message (reached by authenticating with a wrong password).
    run_case(alloc_fail(sta, 1, "eap_msg_alloc;eap_mschapv2_failure"),
             "GET_ALLOC_FAIL", eap="MSCHAPV2", identity="phase1-user",
             password="wrong password")

    # eap_mschapv2_init allocation failures with MSCHAPv2 running as the
    # EAP-FAST inner method; counts 2 and 3 presumably select the inner
    # method instances created during provisioning — TODO confirm.
    for count in (2, 3):
        run_case(alloc_fail(sta, count, "eap_mschapv2_init"),
                 "GET_ALLOC_FAIL",
                 eap="FAST", anonymous_identity="FAST", identity="user",
                 password="password",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                 phase1="fast_provisioning=1",
                 pac_file="blob://fast_pac")
def test_eap_gpsk_errors(dev, apdev):
    """EAP-GPSK error cases"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    sta = dev[0]
    # 32-character PSK matching the "gpsk user" entry of the test EAP user
    # database.
    psk = "abcdefghijklmnop0123456789abcdef"
    # Baseline connection before any failure is injected.
    sta.connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                identity="gpsk user", password=psk, scan_freq="2412")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()

    # (count, function trigger, phase1): phase1 selects the GPSK cipher
    # suite so that both the AES-CMAC and the HMAC-SHA256 MIC paths see an
    # injected failure.
    # NOTE(review): the phase1 strings were not readable in the rendered
    # source; they were restored from the cipher each trigger implies
    # ("cipher=1" for the AES path, "cipher=2" for the SHA256 path) —
    # confirm against the repository.
    fail_cases = [
        (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
        (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2", "cipher=1"),
        (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2", "cipher=2"),
        (1, "eap_gpsk_derive_keys_helper", None),
        (2, "eap_gpsk_derive_keys_helper", None),
        (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
         "cipher=1"),
        (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
         "cipher=2"),
        (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
        (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
        (1, "eap_gpsk_derive_mid_helper", None),
    ]
    for count, func, phase1 in fail_cases:
        with fail_test(sta, count, func):
            sta.connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                        identity="gpsk user", password=psk, phase1=phase1,
                        wait_connect=False, scan_freq="2412")
            wait_fail_trigger(sta, "GET_FAIL")
            sta.request("REMOVE_NETWORK all")
            sta.wait_disconnected()

    # Memory allocation failures; erp="1" additionally drives the EMSK and
    # session-id export paths (eap_gpsk_get_emsk/eap_gpsk_get_session_id).
    alloc_cases = [
        (1, "eap_gpsk_init"),
        (2, "eap_gpsk_init"),
        (3, "eap_gpsk_init"),
        (1, "eap_gpsk_process_id_server"),
        (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
        (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
        (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
        (1, "eap_gpsk_derive_keys"),
        (1, "eap_gpsk_derive_keys_helper"),
        (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
        (1, "eap_gpsk_getKey"),
        (1, "eap_gpsk_get_emsk"),
        (1, "eap_gpsk_get_session_id"),
    ]
    for count, func in alloc_cases:
        with alloc_fail(sta, count, func):
            # Clear any cached ERP keys so each case starts from scratch.
            sta.request("ERP_FLUSH")
            sta.connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                        identity="gpsk user", erp="1", password=psk,
                        wait_connect=False, scan_freq="2412")
            wait_fail_trigger(sta, "GET_ALLOC_FAIL")
            sta.request("REMOVE_NETWORK all")
            sta.wait_disconnected()
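def test_ap_wpa2_eap_sim_db(dev, apdev, params):
    """EAP-SIM DB error cases"""
    sockpath = '/tmp/hlr_auc_gw.sock-test'
    # Remove a socket file left over from an earlier run so that binding the
    # test server below does not fail; a missing file is the normal case.
    try:
        os.remove(sockpath)
    except OSError:
        pass
    hparams = int_eap_server_params()
    # Point the integrated EAP server's SIM/AKA backend at a socket that the
    # test itself serves, so malformed and delayed backend answers can be
    # produced deliberately.
    hparams['eap_sim_db'] = 'unix:' + sockpath
    hostapd.add_ap(apdev[0]['ifname'], hparams)

    sta = dev[0]
    # Initial test with hlr_auc_gw socket not available
    netid = sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                        eap="SIM", identity="1232010000000000",
                        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                        scan_freq="2412", wait_connect=False)
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP-Failure not reported")
    sta.wait_disconnected()
    sta.request("DISCONNECT")

    # Test with invalid responses and response timeout

    class test_handler(SocketServer.DatagramRequestHandler):
        def handle(self):
            data = self.request[0].strip()
            sock = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            # Three malformed replies; hostapd must reject each one and the
            # pending eap_sim_db request is then left to time out.
            # EAP-SIM DB: Failed to parse response string
            sock.sendto("FOO", self.client_address)
            # EAP-SIM DB: Failed to parse response string
            sock.sendto("FOO 1", self.client_address)
            # EAP-SIM DB: Unknown external response
            sock.sendto("FOO 1 2", self.client_address)
            logger.info("No proper response - wait for pending eap_sim_db request timeout")

    server = SocketServer.UnixDatagramServer(sockpath, test_handler)
    server.timeout = 1
    try:
        sta.select_network(netid)
        server.handle_request()
        if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
            raise Exception("EAP-Failure not reported")
        sta.wait_disconnected()
        sta.request("DISCONNECT")

        # Test with a valid response

        class test_handler2(SocketServer.DatagramRequestHandler):
            def handle(self):
                data = self.request[0].strip()
                sock = self.request[1]
                logger.debug("Received hlr_auc_gw request: " + data)
                fname = os.path.join(params['logdir'],
                                     'hlr_auc_gw.milenage_db')
                # Answer with the real hlr_auc_gw run once in command-line
                # mode against the test Milenage DB. The request text is
                # passed as its own argv element (no shell involved).
                cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
                                        '-m', fname, data],
                                       stdout=subprocess.PIPE)
                # communicate() drains stdout, closes the pipe and reaps the
                # child, so no zombie or open descriptor is left behind.
                res = cmd.communicate()[0].strip()
                logger.debug("hlr_auc_gw response: " + res)
                sock.sendto(res, self.client_address)

        server.RequestHandlerClass = test_handler2

        sta.select_network(netid)
        server.handle_request()
        sta.wait_connected()
        sta.request("DISCONNECT")
        sta.wait_disconnected()
    finally:
        # Release the datagram socket even when one of the checks above
        # raised, so it does not leak into the following tests.
        server.server_close()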